
From nobody Mon Oct  1 19:35:58 2018
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E3D3127B92; Mon,  1 Oct 2018 19:35:48 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dmarc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.85.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dmarc@ietf.org
Message-ID: <153844774858.22393.5731119064076806577@ietfa.amsl.com>
Date: Mon, 01 Oct 2018 19:35:48 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZlM4af5EEw6HnE6WtbHB9VSClXQ>
Subject: [dmarc-ietf] I-D Action: draft-ietf-dmarc-arc-protocol-17.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2018 02:35:49 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF.

        Title           : Authenticated Received Chain (ARC) Protocol
        Authors         : Kurt Andersen
                          Brandon Long
                          Seth Blank
                          Murray Kucherawy
	Filename        : draft-ietf-dmarc-arc-protocol-17.txt
	Pages           : 38
	Date            : 2018-10-01

Abstract:
   The Authenticated Received Chain (ARC) protocol provides an
   authenticated "chain of custody" for a message, allowing each entity
   that handles the message to see what entities handled it before, and
   to see what the message's authentication assessment was at each step
   in the handling.

   ARC allows Internet Mail Handlers to attach assertions of message
   authentication assessment to individual messages.  As messages
   traverse ARC-enabled Internet Mail Handlers, additional ARC
   assertions can be attached to messages to form ordered sets of ARC
   assertions that represent the authentication assessment at each step
   of message handling paths.

   ARC-enabled Internet Mail Handlers can process sets of ARC assertions
   to inform message disposition decisions, to identify Internet Mail
   Handlers that might break existing authentication mechanisms, and to
   convey original authentication assessments across trust boundaries.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-17
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol-17

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-17


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Oct  1 19:42:40 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53264127B92 for <dmarc@ietfa.amsl.com>; Mon,  1 Oct 2018 19:42:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDB4Xs1l0o8m for <dmarc@ietfa.amsl.com>; Mon,  1 Oct 2018 19:42:36 -0700 (PDT)
Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9C8C127148 for <dmarc@ietf.org>; Mon,  1 Oct 2018 19:42:35 -0700 (PDT)
Received: by mail-lj1-x242.google.com with SMTP id f8-v6so373746ljk.1 for <dmarc@ietf.org>; Mon, 01 Oct 2018 19:42:35 -0700 (PDT)
X-Received: by 2002:a2e:20da:: with SMTP id g87-v6mr7012864lji.88.1538448153601;  Mon, 01 Oct 2018 19:42:33 -0700 (PDT)
MIME-Version: 1.0
References: <153844774886.22393.9673808794999075654.idtracker@ietfa.amsl.com> <182F03B8-F63E-4FE5-8C6A-E5BC2E29D003@linkedin.com>
In-Reply-To: <182F03B8-F63E-4FE5-8C6A-E5BC2E29D003@linkedin.com>
From: Kurt Andersen <kurta@drkurt.com>
Date: Mon, 1 Oct 2018 19:42:16 -0700
Message-ID: <CABuGu1ozbrNNpJiX6jqKvOJfshDiigynNOoQNVJW3NASiuWz3g@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>, tjw ietf <tjw.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b37a13057735dffb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/An4SuePP9EaW7KFw9fB2_Wb0tjk>
Subject: [dmarc-ietf] Post-WGLC revision draft-ietf-dmarc-arc-protocol-17

--000000000000b37a13057735dffb
Content-Type: text/plain; charset="UTF-8"

This version incorporates all of the feedback received during the WGLC with
the exception of generating new examples for Appendix B. As such it should
be good to progress to the next round toward the Editors' desk.

Note that there is one small tweak which may cause some former
implementation mismatch. When recording the sending IP address for a message,
we previously had tagged it as smtp.client-ip; but to clarify that this is
machine to machine and not PII, the name was changed to smtp.remote-ip.

Otherwise there are no substantive changes to the protocol. Following the
suggestions made by Dave Crocker, I've attempted to further clarify some of
the language pertaining to "authentication assessment" being the operative
element being conveyed through the ARC chain of header fields.

--Kurt

Name:           draft-ietf-dmarc-arc-protocol
Revision:       17
Title:          Authenticated Received Chain (ARC) Protocol
Document date:  2018-10-01
Group:          dmarc
Pages:          38
URL:
https://www.ietf.org/internet-drafts/draft-ietf-dmarc-arc-protocol-17.txt
Status:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/
Htmlized:       https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-17
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-17

--000000000000b37a13057735dffb--
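
The rename described in the message above affects any consumer that reads the recorded sending IP by property name. As an added example (not part of the thread or of the draft's text), this Python code reads the address from the arc= clause of an Authentication-Results-style value, accepts both smtp.remote-ip and the older smtp.client-ip, and flags which one it saw. Assumptions: the property sits in the arc= result clause; the function names, hostnames and header values are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

CURRENT_PROP = "smtp.remote-ip"   # name used from draft -17 on (per the message above)
LEGACY_PROP = "smtp.client-ip"    # name used by earlier drafts (per the message above)

_COMMENT = re.compile(r"\([^()]*\)")
_ARC_CLAUSE = re.compile(r"^\s*arc\s*=\s*([a-z]+)", re.I)
_IP_PROP = re.compile(
    r"(?<![\w.-])(smtp\.(?:remote|client)-ip)\s*=\s*\"?([0-9a-f:.]+)\"?", re.I
)


class ArcSource(NamedTuple):
    result: str    # arc= result keyword, lower-cased
    ip: str        # normalised IPv4/IPv6 address
    prop: str      # property name that carried the address
    legacy: bool   # True when only the pre-17 name was present


def strip_comments(value: str) -> str:
    """Remove parenthesised comments, innermost first, so nested ones go too."""
    prev = None
    while prev != value:
        prev, value = value, _COMMENT.sub(" ", value)
    return value


def arc_source(header_value: str) -> Optional[ArcSource]:
    """Return the sending IP recorded in the arc= clause, or None.

    Comments are stripped first so text inside them cannot supply the value.
    A malformed address, or two names that disagree, yields None rather
    than a guess.
    """
    for clause in strip_comments(header_value).split(";"):
        m = _ARC_CLAUSE.match(clause)
        if not m:
            continue
        props = {}
        for name, raw in _IP_PROP.findall(clause):
            try:
                props[name.lower()] = str(ipaddress.ip_address(raw))
            except ValueError:
                return None
        if (CURRENT_PROP in props and LEGACY_PROP in props
                and props[CURRENT_PROP] != props[LEGACY_PROP]):
            return None
        for prop in (CURRENT_PROP, LEGACY_PROP):
            if prop in props:
                return ArcSource(m.group(1).lower(), props[prop], prop,
                                 prop == LEGACY_PROP)
        return None
    return None


def legacy_only_ip(header_value: str) -> Optional[str]:
    """What a consumer written against the old name alone would extract."""
    m = re.search(r"smtp\.client-ip=(\S+)", header_value)
    return m.group(1) if m else None


# Constructed sample values (documentation address ranges, made-up hostnames).
NEW = ("mx.example.net; spf=pass smtp.mailfrom=example.org; "
       "arc=pass (as.1.example.org=pass) smtp.remote-ip=192.0.2.10")
OLD = "mx.example.net; arc=pass smtp.client-ip=2001:DB8::25"
DECOY = ("mx.example.net; arc=pass (peer said smtp.remote-ip=203.0.113.9) "
         "smtp.remote-ip=192.0.2.10")
CONFLICT = ("mx.example.net; arc=pass smtp.remote-ip=192.0.2.10 "
            "smtp.client-ip=198.51.100.7")

if __name__ == "__main__":
    for label, value in (("new", NEW), ("old", OLD),
                         ("decoy", DECOY), ("conflict", CONFLICT)):
        print(label, arc_source(value), "| legacy-only:", legacy_only_ip(value))
```

The `legacy` flag is worth logging: it shows which upstream handlers still emit the earlier property name.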


From nobody Tue Oct  2 10:57:04 2018
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A2C9130DC2; Tue,  2 Oct 2018 10:56:57 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dmarc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.85.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dmarc@ietf.org
Message-ID: <153850301720.5141.17445290974852649921@ietfa.amsl.com>
Date: Tue, 02 Oct 2018 10:56:57 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/w8D_Sjrr6MOAnczzW9vlAv-1kW4>
Subject: [dmarc-ietf] I-D Action: draft-ietf-dmarc-arc-protocol-18.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF.

        Title           : Authenticated Received Chain (ARC) Protocol
        Authors         : Kurt Andersen
                          Brandon Long
                          Seth Blank
                          Murray Kucherawy
	Filename        : draft-ietf-dmarc-arc-protocol-18.txt
	Pages           : 37
	Date            : 2018-10-02

Abstract:
   The Authenticated Received Chain (ARC) protocol provides an
   authenticated "chain of custody" for a message, allowing each entity
   that handles the message to see what entities handled it before, and
   to see what the message's authentication assessment was at each step
   in the handling.

   ARC allows Internet Mail Handlers to attach assertions of message
   authentication assessment to individual messages.  As messages
   traverse ARC-enabled Internet Mail Handlers, additional ARC
   assertions can be attached to messages to form ordered sets of ARC
   assertions that represent the authentication assessment at each step
   of message handling paths.

   ARC-enabled Internet Mail Handlers can process sets of ARC assertions
   to inform message disposition decisions, to identify Internet Mail
   Handlers that might break existing authentication mechanisms, and to
   convey original authentication assessments across trust boundaries.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-18
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol-18

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-18




From nobody Tue Oct  2 10:59:22 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47151311D5 for <dmarc@ietfa.amsl.com>; Tue,  2 Oct 2018 10:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wEAUQLxlvv1T for <dmarc@ietfa.amsl.com>; Tue,  2 Oct 2018 10:59:13 -0700 (PDT)
Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC29913120B for <dmarc@ietf.org>; Tue,  2 Oct 2018 10:59:12 -0700 (PDT)
Received: by mail-lj1-x242.google.com with SMTP id p89-v6so2616965ljb.3 for <dmarc@ietf.org>; Tue, 02 Oct 2018 10:59:12 -0700 (PDT)
X-Received: by 2002:a2e:6f0c:: with SMTP id k12-v6mr10350558ljc.66.1538503150679;  Tue, 02 Oct 2018 10:59:10 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJJ64f8a7R4JXmGScVpbAxq7GyEZT+2f+Pub7-wP6nu7qQ@mail.gmail.com> <CAOZAAfN2aG8ds5T7jp_JRb2N6QPsJAM2ohL-3TGM65=htCfO-w@mail.gmail.com> <632BBFED-9C50-4F4E-9A93-95EFC3D84AF3@gmail.com> <CALaySJJoFzvcwbniHvv4DC8JDRdRWb4pc10BEp23xnvTmt=8Qw@mail.gmail.com> <CADyWQ+GBFAkOuzZxy=HK20wOXFciHA-ePh4MHJxhpX17_GQRiQ@mail.gmail.com> <CADyWQ+GBfnM0wLhh8NKVRrbfP3fdz4jBztwZpSUHR4e5mFP3UA@mail.gmail.com> <CABuGu1pf0c-xiHSeEJ4x4kz26FDigzEMTU2VJc14SC-j1skUYA@mail.gmail.com> <CALaySJ+u08v3HBKvLAT8bbKPnoHRTxDL_k_o77oEqF_UEfj=OQ@mail.gmail.com>
In-Reply-To: <CALaySJ+u08v3HBKvLAT8bbKPnoHRTxDL_k_o77oEqF_UEfj=OQ@mail.gmail.com>
From: Kurt Andersen <kurta@drkurt.com>
Date: Tue, 2 Oct 2018 10:58:49 -0700
Message-ID: <CABuGu1obXFXhZ5gDPTGyw8dhTh3jTyA4Y996Yms93_TkT-6=jQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>, "dmarc@ietf.org" <dmarc@ietf.org>
Cc: tjw ietf <tjw.ietf@gmail.com>, Seth Blank <seth@valimail.com>, dmarc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c84d3d057742ad9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ISQeliy7_HDjfkEouXF2yFlrPKI>
Subject: Re: [dmarc-ietf] ARC spec, post-WGLC

--000000000000c84d3d057742ad9f
Content-Type: text/plain; charset="UTF-8"

Done - this version fixes some nits identified during shepherd review by
Tim W.

--Kurt

A new version of I-D, draft-ietf-dmarc-arc-protocol-18.txt
has been successfully submitted by Kurt Andersen and posted to the
IETF repository.

Name: draft-ietf-dmarc-arc-protocol
Revision: 18
Title: Authenticated Received Chain (ARC) Protocol
Document date: 2018-10-02
Group: dmarc
Pages: 37
URL:
https://www.ietf.org/internet-drafts/draft-ietf-dmarc-arc-protocol-18.txt
Status:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/
Htmlized:       https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-18
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-18


On Tue, Oct 2, 2018 at 8:03 AM Barry Leiba <barryleiba@computer.org> wrote:

> Yes, please do; versions are cheap.
>
> b
>
> On Tue, Oct 2, 2018 at 10:27 AM Kurt Andersen <kurta@drkurt.com> wrote:
>
>> Barry,
>>
>> I now have a version which corrects the various typos that Tim spotted
>> and eschews referring to 7601, leaving it entirely up to the Editors to
>> replace the reference to 7601bis with whatever number they end up assigning
>> to that document. If you wish, I can publish said version.
>>
>> --Kurt
>>
>

--000000000000c84d3d057742ad9f--


From nobody Mon Oct 22 22:51:17 2018
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3621212F1AC; Mon, 22 Oct 2018 22:51:09 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dmarc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dmarc@ietf.org
Message-ID: <154027386917.13737.3386094696643998303@ietfa.amsl.com>
Date: Mon, 22 Oct 2018 22:51:09 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wNkwPJXYpbV4YkJa5TCXoHQCOJ0>
Subject: [dmarc-ietf] I-D Action: draft-ietf-dmarc-arc-usage-06.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF.

        Title           : Recommended Usage of the Authenticated Received Chain (ARC)
        Authors         : Steven Jones
                          Kurt Andersen
                          John Rae-Grant
                          J. Trent Adams
	Filename        : draft-ietf-dmarc-arc-usage-06.txt
	Pages           : 17
	Date            : 2018-10-22

Abstract:
   The Authentication Received Chain (ARC) provides an authenticated
   "chain of custody" for a message, allowing each entity that handles
   the message to see what entities handled it before, and to see what
   the message's authentication assessment was at each step in the
   handling.  But the specification does not indicate how the entities
   handling these messages should interpret or utilize ARC results in
   making decisions about message disposition.  This document will
   provide guidance in these areas.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-usage/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-06
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-usage-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-usage-06




From nobody Mon Oct 22 23:09:39 2018
Return-Path: <smj@crash.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56E7912F1AC for <dmarc@ietfa.amsl.com>; Mon, 22 Oct 2018 23:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=crash.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eb-EmJi9VtH4 for <dmarc@ietfa.amsl.com>; Mon, 22 Oct 2018 23:09:36 -0700 (PDT)
Received: from segv.crash.com (segv.crash.com [IPv6:2001:470:1:1e9::4415]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E7D130DED for <dmarc@ietf.org>; Mon, 22 Oct 2018 23:09:36 -0700 (PDT)
Received: from [172.23.117.28] ([216.52.21.1]) (authenticated bits=0) by segv.crash.com (8.15.2/8.15.2/cci-colo-1.7) with ESMTPSA id w9N69LqG031774 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dmarc@ietf.org>; Tue, 23 Oct 2018 06:09:34 GMT (envelope-from smj@crash.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 segv.crash.com w9N69LqG031774
X-Authentication-Warning: segv.crash.com: Host [216.52.21.1] claimed to be [172.23.117.28]
To: dmarc@ietf.org
From: Steven M Jones <smj@crash.com>
Message-ID: <90535677-7c53-1698-e803-3c0869b29c20@crash.com>
Date: Mon, 22 Oct 2018 23:09:21 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (segv.crash.com [72.52.75.15]); Tue, 23 Oct 2018 06:09:34 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TIChqNBmdSiAWMCEpU0VSmo_Mlg>
Subject: [dmarc-ietf] New version of draft-ietf-dmarc-arc-usage posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 06:09:39 -0000

Greetings,

I've submitted the changes to the "ARC Usage" I-D that I had on-hand, 
primarily because the previous version was going to expire on October 
25th, and the I-D freeze for IETF103 was going to occur this evening. 
That deadline was extended by 24 hours, but I opted not to push it 
(further)...

Consider this a reminder that your questions and suggestions are welcome.

New version: https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-06
Diff from -05 to -06: 
https://tools.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-usage-06.txt

Yes, I know I missed updating a couple things. Yes, some formatting is 
off because I uploaded the XML instead of the TXT version. We'll fix 'em 
in the next rev.

Thanks,
--Steve.



From nobody Mon Oct 22 23:40:06 2018
Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5700E130E89; Mon, 22 Oct 2018 23:40:04 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Barry Leiba <barryleiba@gmail.com>
To: <alexey.melnikov@isode.com>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
Cc: tjw.ietf@gmail.com, Barry Leiba <barryleiba@computer.org>, Tim Wicinski <tjw.ietf@gmail.com>, dmarc@ietf.org, iesg-secretary@ietf.org, dmarc-chairs@ietf.org
Message-ID: <154027680434.13737.8267147644928446830.idtracker@ietfa.amsl.com>
Date: Mon, 22 Oct 2018 23:40:04 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VBPOi5Gc20j6m8j6i_2TMmufxLc>
Subject: [dmarc-ietf] Publication has been requested for draft-ietf-dmarc-arc-protocol-18
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 06:40:05 -0000

Barry Leiba has requested publication of draft-ietf-dmarc-arc-protocol-18 as Experimental on behalf of the DMARC working group.

Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/


From nobody Tue Oct 23 03:58:43 2018
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40D7127598 for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 03:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=dY9P9xtn; dkim=pass (2048-bit key) header.d=kitterman.com header.b=c9LU9g1p
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z_pVCI49R-n for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 03:58:39 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7233130E02 for <dmarc@ietf.org>; Tue, 23 Oct 2018 03:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803e; t=1540292315;  h=from : to : subject : date : message-id : mime-version  : content-transfer-encoding : content-type : from :  subject : date;  bh=qf9TxPLy1n5ERw9F9DT2e0F/ZUL5F45M3SAYbIHa7dk=;  b=dY9P9xtn4OAg0UDFCs8m75rtb6XThNIYSYE695VGd5FyzBdieBbPo039 y5L/gq2K7FruDA914oyxR4lpPpiXDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803r; t=1540292315;  h=from : to : subject : date : message-id : mime-version  : content-transfer-encoding : content-type : from :  subject : date;  bh=qf9TxPLy1n5ERw9F9DT2e0F/ZUL5F45M3SAYbIHa7dk=;  b=c9LU9g1pHJ5vUmKLnbgcXuCyW0VaujDHojww1DCI3mngm6tmyQJ4h1Ax gYBlMpnoON8VbI/IIbAP3wj1pbZYsM53itMVaIT+a00IvJCH0aPJ1utcZK oHNT/N6/rMYsISLShZhaoco+IsoxgHMyvcAvhEZwRS1bCra8A2y9T1KLKC WJZpKxP9kJhv6KAUL7PwSL+HhrqzwWGgFP0SLuOZD6MQRN2UVAytxBD5Dx UxfqSqv9LAojji2d0L8AzZqgyIbIz0PtLXwgyeqME9VF5pedhKGMMls8ik zO1CD1iYLjgmexWw0yUnSrD0WEJ1did9LqhFSrezE/5y9r2JvDCeHQ==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 822D7C400B5 for <dmarc@ietf.org>; Tue, 23 Oct 2018 05:58:35 -0500 (CDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 23 Oct 2018 06:58:33 -0400
Message-ID: <57062925.Z3iaeiTUnW@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-158-generic; KDE/4.13.3; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/22ou7wiYT8Lxiq_WhbVreOBLUro>
Subject: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 10:58:41 -0000

I've started looking at updating dkimpy to align to the current versions of 
the specification.

Last time I looked at this particular issue, ARC could use any algorithm that 
DKIM uses.  As I recall, that was one of the stimuli for the DCRUP working 
group (to avoid having rsa-sha1 be valid for ARC by obsoleting it in DKIM).

It looks like this discussion has been moved to a new draft, 
https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-01 (although the 
reference is wrong, https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-02 
is current).

Unfortunately, I don't find any actual guidance on what algorithms are 
currently used.  Section 6, Phases of Algorithm Evolution, gives some process 
(which seriously needs revision - I thought we all knew flag days don't work 
at Internet scale), but no actual guidance.

DKIM, as updated by the DCRUP work, has two valid crypto algorithms:

rsa-sha256
ed25519-sha256

One has been obsoleted:

rsa-sha1

Which among those is valid for ARC and how do I know?

Scott K


From nobody Tue Oct 23 08:07:55 2018
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 76B5A1286E7; Tue, 23 Oct 2018 08:07:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
CC: tjw.ietf@gmail.com, Barry Leiba <barryleiba@computer.org>, draft-ietf-dmarc-arc-protocol@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dmarc@ietf.org, alexey.melnikov@isode.com, dmarc-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender: <iesg-secretary@ietf.org>
Message-ID: <154030726741.31325.18068939197691810125.idtracker@ietfa.amsl.com>
Date: Tue, 23 Oct 2018 08:07:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_PwNTug6EX70YtQvlpzsqVlk64k>
Subject: [dmarc-ietf] Last Call: <draft-ietf-dmarc-arc-protocol-18.txt> (Authenticated Received Chain (ARC) Protocol) to Experimental RFC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 15:07:48 -0000

The IESG has received a request from the Domain-based Message Authentication,
Reporting & Conformance WG (dmarc) to consider the following document: -
'Authenticated Received Chain (ARC) Protocol'
  <draft-ietf-dmarc-arc-protocol-18.txt> as Experimental RFC

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2018-11-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   The Authenticated Received Chain (ARC) protocol provides an
   authenticated "chain of custody" for a message, allowing each entity
   that handles the message to see what entities handled it before, and
   to see what the message's authentication assessment was at each step
   in the handling.

   ARC allows Internet Mail Handlers to attach assertions of message
   authentication assessment to individual messages.  As messages
   traverse ARC-enabled Internet Mail Handlers, additional ARC
   assertions can be attached to messages to form ordered sets of ARC
   assertions that represent the authentication assessment at each step
   of message handling paths.

   ARC-enabled Internet Mail Handlers can process sets of ARC assertions
   to inform message disposition decisions, to identify Internet Mail
   Handlers that might break existing authentication mechanisms, and to
   convey original authentication assessments across trust boundaries.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/ballot/


No IPR declarations have been submitted directly on this I-D.





From nobody Tue Oct 23 08:24:41 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C5A0130E01 for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 08:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFjr_lzXQ867 for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 08:24:37 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A541812F18C for <dmarc@ietf.org>; Tue, 23 Oct 2018 08:24:36 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id d7-v6so1483009lfi.2 for <dmarc@ietf.org>; Tue, 23 Oct 2018 08:24:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PU5cOxFFRoPZYPhvmrfmXTxSqcY4ePGQ9slzMXKj+P0=; b=YxAZmDPKd7v9ozIyj9RJWAu+C+/1kAsW5yde9/ECNJbYRDCuyOi0x463bQfjXiiP7S uuuveMyk964lwN2vkS1UL24MZ+VW9C0mgw+flUesRx188WbsCvOcJufHDVxQJNuJ0AXo iWMbEEgUnZ3JIcolQdGvBpqTXC2h0uhNec0t8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PU5cOxFFRoPZYPhvmrfmXTxSqcY4ePGQ9slzMXKj+P0=; b=TIt5udBgAaG1Fe6BLvd4unmAilu0pMjxwdX0ruvTCans0SxploN1ViJsHJfgfqzTxk 4NBM1Vph/M19tG9pn+ylSFOpZhPAdt+3u+f32bHdtwkN/h/0+Jr5GYnaqSJ/OaRjspbh csFxT6chyZGAJO8G0kEPViLzROQDYASiDJB//m2NYm7ZBCYwiarFi/09XHZX8pJHG9k+ AqS9ubMRldsfIue6FYTnUyS8gXP7cCf/S1oesCLEdGzMxN/Tsj0uMjllv2/BVB2c3tyT 9cHkLnnnAmuJYV1svDu3WbCBBb5C32+knERC2gEMKW1tsTjzEXAbHd9FSIKzIHTzjKlV y3LQ==
X-Gm-Message-State: ABuFfoioAK1yIeQcNW9YvkUsdE6upLmluoqqO1ol08XAqZg4pQHIN6ma H6V5vb1sAMOwtnan3Wwv+vRUvP2zG4Pay1ZQCzd5F7+6tm8=
X-Google-Smtp-Source: ACcGV62lJURYqVG4Pk5d4XssaiNeTRoDdr0m15OKEbDBOmcCibyNWDnZs/b5pKWtG4lU+f6ah0wr4tLoDlLjberijto=
X-Received: by 2002:a19:d408:: with SMTP id l8-v6mr13222595lfg.25.1540308274414;  Tue, 23 Oct 2018 08:24:34 -0700 (PDT)
MIME-Version: 1.0
References: <57062925.Z3iaeiTUnW@kitterma-e6430>
In-Reply-To: <57062925.Z3iaeiTUnW@kitterma-e6430>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Tue, 23 Oct 2018 08:24:13 -0700
Message-ID: <CABuGu1r9AcgT==u_HtqZMGHmWFP1wpbizFsuUhBFJKeKFePUyA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a9f940578e6f7d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nlTXE-DlkpN5yH2JNo_gBlpaFfc>
Subject: Re: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 15:24:40 -0000

--0000000000008a9f940578e6f7d2
Content-Type: text/plain; charset="UTF-8"

On Tue, Oct 23, 2018 at 3:58 AM Scott Kitterman <sklist@kitterman.com>
wrote:

> Last time I looked at this particular issue, ARC could use any algorithm
> that DKIM uses.


Still correct.


>   As I recall, that was one of the stimuli for the DCRUP working
> group (to avoid having rsa-sha1 be valid for ARC by obsoleting it in DKIM).
>

I don't think that ARC drove the DCRUP work as much as the desire to get
badness officially obsoleted :-)


> It looks like this discussion has been moved to a new draft,
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-01 (although the
> reference is wrong,
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-02
> is current).
>

Yes that's correct.


> Unfortunately, I don't find any actual guidance on what algorithms are
> currently used.


Any that are valid for DKIM - see first sentence above.


> Section 6, Phases of Algorithm Evolution, gives some process
> (which seriously needs revision - I thought we all knew flag days don't
> work at Internet scale), but no actual guidance.
>

Correct - we've deferred any real attention on this until we got the ARC
protocol document nailed down. With the request to publish being a few
hours old now from Barry, this might be an excellent topic to pursue next
:-)


> DKIM, as updated by the DCRUP work, has two valid crypto algorithms:
>
> rsa-sha256
> ed25519-sha256
>
> One has been obsoleted:
>
> rsa-sha1
>
> Which among those is valid for ARC and how do I know?
>

The same ones that are valid for DKIM (as updated by DCRUP). What we
haven't worked out is how to handle mixed algorithm chains.

--Kurt

--0000000000008a9f940578e6f7d2--
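
Added example, not part of the original thread and not dkimpy code: a small checker that reads the a= tag from every DKIM-Signature, ARC-Message-Signature and ARC-Seal header, classifies it against the algorithm list given in this thread, and flags the mixed-algorithm ARC chain case that the reply above leaves open. The sample message, its domains, selectors and signature values are constructed; the function names are this example's own.

```python
from email import message_from_string

# Status of each a= value as stated in this thread (DKIM as updated by DCRUP).
VALID = frozenset({"rsa-sha256", "ed25519-sha256"})
OBSOLETE = frozenset({"rsa-sha1"})

ARC_SIGNED = ("arc-message-signature", "arc-seal")
CHECKED = ("dkim-signature",) + ARC_SIGNED


def parse_tags(value):
    """Parse a DKIM-style "tag=value; tag=value" list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if not sep:
            continue  # empty segment, e.g. after a trailing ';'
        # Header folding leaves whitespace inside values; drop it for this check.
        tags[name.strip()] = "".join(val.split())
    return tags


def classify(algorithm):
    """Return 'valid', 'obsolete' or 'unknown' for an a= value."""
    if algorithm in VALID:
        return "valid"
    if algorithm in OBSOLETE:
        return "obsolete"
    return "unknown"


def audit(raw_message):
    """Report the a= algorithm on every DKIM and ARC signature header."""
    msg = message_from_string(raw_message)
    findings = []
    arc_algorithms = set()
    for name, value in msg.items():
        lname = name.lower()
        if lname not in CHECKED:
            continue
        tags = parse_tags(value)
        algorithm = tags.get("a", "")
        is_arc = lname in ARC_SIGNED
        if is_arc:
            arc_algorithms.add(algorithm)
        findings.append({
            "header": name,
            # i= is the ARC instance number; in DKIM-Signature it is the
            # signing identity instead, so it is not reported there.
            "instance": tags.get("i") if is_arc else None,
            "algorithm": algorithm,
            "status": classify(algorithm),
        })
    return {
        "findings": findings,
        "not_valid": [f for f in findings if f["status"] != "valid"],
        # True when the ARC headers of one message use more than one algorithm.
        "mixed_arc_chain": len(arc_algorithms) > 1,
    }


# Constructed sample: two ARC sets signed with different algorithms and an
# original DKIM signature that still uses rsa-sha1. All values are made up.
SAMPLE = """\
ARC-Seal: i=2; a=ed25519-sha256; cv=pass; d=relay.example; s=sel2;
 b=CONSTRUCTED
ARC-Message-Signature: i=2; a=ed25519-sha256; d=relay.example; s=sel2;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=sel1;
 b=CONSTRUCTED
ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=author.example;
 s=old; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: author@author.example
To: list@list.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    for f in report["findings"]:
        print(f["header"], f["instance"], f["algorithm"], f["status"])
    print("mixed ARC chain:", report["mixed_arc_chain"])
```

The checker only inspects the declared algorithm; it does not verify any signature.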


From nobody Tue Oct 23 08:25:21 2018
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63CE0130E5D for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 08:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlxK-EK4UCRw for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 08:25:17 -0700 (PDT)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6F5712F18C for <dmarc@ietf.org>; Tue, 23 Oct 2018 08:25:16 -0700 (PDT)
Received: by mail-ot1-x336.google.com with SMTP id z15so1744388otm.12 for <dmarc@ietf.org>; Tue, 23 Oct 2018 08:25:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DVoM8hcpNqXKiGSgK/ApRX23wgq66uadGuDWYJfTzYs=; b=E4VAtTLoyo1kCB0nadj3LE1sBSFg/RnbmKNRR7NWop0QmiwD17LohLJef3xSvR5ZZ6 i1k6DX4co9+jHiTdUb41RnJG/aKlbbY+zICja/1XuXRfrmv9LpFBodpU+hOcB0zo1P8Y U0KBjH/+SiMnfKGKjANZV5M30m3XakYc0wcJ/nSU/owGoeUI+dy5fZ8GZTexyRI5QuHF aqxSXKDF14IvuJNpYdiF4ywSqg9nSS2if50ZgVOkVjwVSwGJnHuA6IWEPakYWQpPiR1G UwZXGAV7D6zns3RDvmWPP0UjUe7Bx9s6wHmZ3o0po8sWAoTsQntX7ARrj8CyL11srKsA 64Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DVoM8hcpNqXKiGSgK/ApRX23wgq66uadGuDWYJfTzYs=; b=kq+yCBqWxOA2FxrxSh6rVaPqpxlMPTXuF03K2J4ZYzE/HME5YkLeYHlB+lbf0pC6Qi KYwfJaduGlNjILAH2j7De9u5sm2I1HzFHevBDGdATWtggwFFp5/JrgttWdf6OLo0Sfmr O5K9rI9RCQEEJr34USeOUwDsGl7zrwIhe0BDRqSPBhqwmTWMgwWGWLGnvgxnhP0ag1ww v6WOkEfC3RTrLCjt8P6JkDm5tjvqtcgjsYwAOZhT7XYT6NoUwDPBMXX1suESPWhnPg0A InU21YlVg+Y/OmigmDv5YjIXXh5C9Qnsis1L6kgzCDuvIldmTqe0Hx9Rf1y4uoYeqQ1c TeUg==
X-Gm-Message-State: ABuFfogRhyYdd3RufgS4TWR9SMcMia2Rtz8MJebXwbM6/zSj45WkiSdw h1aKbLAny7QPEY1xI7ZPSbLGBYmWwB5KcPe1fLZ4Vu0h
X-Google-Smtp-Source: ACcGV60I+ftLgFfqt1pXrWtcB19wO7MbxDxiqJS4lLK5iA+DOZMJsWKh4LFN/wkXM4F0i99ilhZ7skCqKz3/hnB9qxI=
X-Received: by 2002:a9d:2cf9:: with SMTP id e54mr32935123otd.150.1540308315987;  Tue, 23 Oct 2018 08:25:15 -0700 (PDT)
MIME-Version: 1.0
References: <57062925.Z3iaeiTUnW@kitterma-e6430>
In-Reply-To: <57062925.Z3iaeiTUnW@kitterma-e6430>
From: Seth Blank <seth@sethblank.com>
Date: Tue, 23 Oct 2018 08:25:03 -0700
Message-ID: <CAD2i3WOaAoiDV-t6BNa4rQVWLjhr4Q0-TcQyb7cfjadLEDRDQA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000004fccf0578e6faff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2gxhh69MVbPfxgjgSllBJ8ADv8k>
Subject: Re: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 15:25:19 -0000

--00000000000004fccf0578e6faff
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

ARC inherits all the DKIM mechanisms by reference. So whatever’s valid for
DKIM (the list you provided) is what’s valid for ARC.

On Tue, Oct 23, 2018 at 03:58 Scott Kitterman <sklist@kitterman.com> wrote:

> I've started looking at updating dkimpy to align to the current versions
> of the specification.
>
> Last time I looked at this particular issue, ARC could use any algorithm
> that DKIM uses.  As I recall, that was one of the stimuli for the DCRUP
> working group (to avoid having rsa-sha1 be valid for ARC by obsoleting it
> in DKIM).
>
> It looks like this discussion has been moved to a new draft,
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-01 (although the
> reference is wrong,
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-02
> is current).
>
> Unfortunately, I don't find any actual guidance on what algorithms are
> currently used.  Section 6, Phases of Algorithm Evolution, gives some
> process (which seriously needs revision - I thought we all knew flag days
> don't work at Internet scale), but no actual guidance.
>
> DKIM, as updated by the DCRUP work, has two valid crypto algorithms:
>
> rsa-sha256
> ed25519-sha256
>
> One has been obsoleted:
>
> rsa-sha1
>
> Which among those is valid for ARC and how do I know?
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

--00000000000004fccf0578e6faff--


From nobody Tue Oct 23 09:23:53 2018
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 997E0130ECF for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 09:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=kXkqqSFh; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=ARp2hQY3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xwuzXXjKkWXK for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 09:23:49 -0700 (PDT)
Received: from ftp.catinthebox.net (ntbbs.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id E1BC1130EB0 for <dmarc@ietf.org>; Tue, 23 Oct 2018 09:23:48 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2617; t=1540311825; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=z+7sbPSS+TP5L1dV6wolNzPeAUo=; b=kXkqqSFhf14HS6d5D2jrkFXarqNXc5stw/gXeq7KrLMwZtc3crhiHQ/jJ8RhCH MCgcVWsCTkIKAvC1btfPkN4lLDiYn5qjQW/GrQ44pI3MkKpzMAYLqa5zATa/CXfp foR7zhDqUKGDmzPdUVvWnv4ggo3HEvecvQ3XntiUBSi0Q=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Tue, 23 Oct 2018 12:23:45 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;  adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer); 
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 115457959.155996.8924; Tue, 23 Oct 2018 12:23:44 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2617; t=1540311762; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=5VSicWC jLDpQgqyIedkZEc/4xG6jIsN7Li9cHKnbM4k=; b=ARp2hQY3ZZN2LLmKputOpaq LfmQrOaUd12AbnGM4sZNURvUvCTF4F1oB0Rfl5Nalh/3ZJUQ/JPHoZnpB1ouCyUS YjsV3M1qEEW1QW0s1jFGi9ENtC0k8ZBKQAx1UevzSj+N6lzBLAt9ANVhm0L2uvMD UqcIRQ2cRGDcibeYho3A=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Tue, 23 Oct 2018 12:22:42 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 4151774875.9.213576; Tue, 23 Oct 2018 12:22:41 -0400
Message-ID: <5BCF4B0E.7080909@isdg.net>
Date: Tue, 23 Oct 2018 12:23:42 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <57062925.Z3iaeiTUnW@kitterma-e6430> <CABuGu1r9AcgT==u_HtqZMGHmWFP1wpbizFsuUhBFJKeKFePUyA@mail.gmail.com>
In-Reply-To: <CABuGu1r9AcgT==u_HtqZMGHmWFP1wpbizFsuUhBFJKeKFePUyA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/V_IgB8OBocxKQyzaNLQfUlWLptM>
Subject: Re: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 16:23:52 -0000

In my view, ARC, as an "Experimental Status" (and still in design) 
proposal *should* include support for all valid DKIM STD hashing 
methods, including rsa-sha1, and I agree, should not be the impetus 
for removing sha1 support in DKIM implementations.

Until a DKIM implementation is "ready" to a) consider DCRUP and b) add 
support for ed25519-sha256 (which comes with a considerable technical 
barrier), rsa-sha1 is still going to be available and used by pure 
DKIM STD implementations for the foreseeable future (a long time).  I 
haven't been seeing many messages in my logs showing rsa-ed25519 DKIM 
signings, in today's logs so far, not one.

-- 
HLS


On 10/23/2018 11:24 AM, Kurt Andersen (b) wrote:
> On Tue, Oct 23, 2018 at 3:58 AM Scott Kitterman <sklist@kitterman.com
> <mailto:sklist@kitterman.com>> wrote:
>
>     Last time I looked at this particular issue, ARC could use any
>     algorithm that
>     DKIM uses.
>
>
> Still correct.
>
>        As I recall, that was one of the stimuli for the DCRUP working
>     group (to avoid having rsa-sha1 be valid for ARC by obsoleting it
>     in DKIM).
>
>
> I don't think that ARC drove the DCRUP work as much as the desire to
> get badness officially obsoleted :-)
>
>     It looks like this discussion has been moved to a new draft,
>     https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-01
>     (although the
>     reference is wrong,
>     https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-02
>     is current.
>
>
> Yes that's correct.
>
>     Unfortunately, I don't find any actual guidance on what algorithms
>     are
>     currently used.
>
>
> Any that are valid for DKIM - see first sentence above.
>
>     Section 6, Phases of Algorithm Evolution, gives some process
>     (which seriously needs revision - I thought we all knew flag days
>     don't work
>     at Internet scale), but no actual guidance.
>
>
> Correct - we've deferred any real attention on this until we got the
> ARC protocol document nailed down. With the request to publish being a
> few hours old now from Barry, this might be an excellent topic to
> pursue next :-)
>
>     DKIM, as updated by the DCRUP work, has two valid crypto algorithms:
>
>     rsa-sha256
>     ed25519-sha256
>
>     One has been obsoleted:
>
>     rsa-sha1
>
>     Which among those is valid for ARC and how do I know?
>
>
> The same ones that are valid for DKIM (as updated by DCRUP). What we
> haven't worked out is how to handle mixed algorithm chains.
>
> --Kurt
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>




From nobody Tue Oct 23 12:36:23 2018
Return-Path: <jgh@wizmail.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BEB5130DCF for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 12:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wizmail.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4tFPsotpWKg for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 12:36:19 -0700 (PDT)
Received: from wizmail.org (wizmail.org [IPv6:2a00:1940:107::2:0:0]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BAE4129BBF for <dmarc@ietf.org>; Tue, 23 Oct 2018 12:36:18 -0700 (PDT)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=wizmail.org; s=r201803; t=1540323379;  b=QkaEZ2fyF9f90NB7BSCzfU0TlSp6Jw9NrB9+ebWeQ1F3oMUhDWnqopd2EqlDCT0LSQCfI+HfL5 s8okCQxSmq1Wn2LsJR60iPEMUT+aW4YKks1MGnDflFbuPYqrOXk5pTm5EgmWvVlMitWCjW0hAv 8MQL+7OsifJ9SBZYF1tImC0=;
ARC-Authentication-Results: i=1; wizmail.org; iprev=pass (vgate18.wizint.net) smtp.remote-ip=2a00:1940:107::1:2f:0; auth=pass (PLAIN) smtp.auth=jgh@wizmail.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=wizmail.org; s=r201803;  t=1540323379;  bh=92Yp//5weaI3kvGRh7dKOnhb3a7qFY4cjc3rqS6rsxY=; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:To:Subject:DKIM-Signature; b=YueYHS5hWAMEbl3yEpx8X0gcG6/4JthpsGWGKNWMoOje287ibGWww/qUs1JXIK85GIh+wIJAFp or6AGKR/ZWB5PbPm7Hq260TrtRMJdN2o7fPzoxsMXxb3m+XUvdXOWHhdHQIOuvx/oky7HdLVEV /93LVx/Nadmqmr9yzmxQxpI=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wizmail.org ; s=r201803; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:To:Subject:From:Sender:Reply-To: Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=vYU/lktZQzxS65OWxL8pZSVHteygMaoYIt6fQjUDsrE=; b=V lZd4y/N3Xg6gYC4F13P88NTpOSJk9uCvbTOFZfJDdEmyZ5rAzjUe8EtIOq0NtnGsa2EUNmckztkZj iS9fJQsRH5agMB0adSFCiusYWvk/EuHIScFRGHdr+A3lfFeRWEWErXkS6ZmgxW2h0bHqumknbx078 ufrzJIJqyktZCilc=;
Authentication-Results: wizmail.org; iprev=pass (vgate18.wizint.net) smtp.remote-ip=2a00:1940:107::1:2f:0; auth=pass (PLAIN) smtp.auth=jgh@wizmail.org
Received: from vgate18.wizint.net ([2a00:1940:107::1:2f:0] helo=lap.dom.ain) by wizmail.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91.115) id 1gF2TQ-0008E2-Gh for dmarc@ietf.org (return-path <jgh@wizmail.org>); Tue, 23 Oct 2018 19:36:16 +0000
To: dmarc@ietf.org
References: <90535677-7c53-1698-e803-3c0869b29c20@crash.com>
From: Jeremy Harris <jgh@wizmail.org>
Openpgp: preference=signencrypt
Message-ID: <ee344a3b-cb31-d552-6c88-05cf4ad6146f@wizmail.org>
Date: Tue, 23 Oct 2018 20:36:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <90535677-7c53-1698-e803-3c0869b29c20@crash.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Pcms-Received-Sender: vgate18.wizint.net ([2a00:1940:107::1:2f:0] helo=lap.dom.ain) with esmtpsa
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Db1NJPelltlLYiibbozJevKfz8s>
Subject: Re: [dmarc-ietf] New version of draft-ietf-dmarc-arc-usage posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 19:36:22 -0000

On 23/10/2018 07:09, Steven M Jones wrote:
> Consider this a reminder that your questions and suggestions are welcome.
> 
> New version: https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-06

How about another subsection 5.x saying when Originating ADMDs should
take any ARC action?  For starting a new ARC chain I assume the answer
is normally "don't" - but perhaps there is an exception when a message
is already DKIM-signed, or when SPF for it would be invalidated by
forwarding (despite it being in-theory a local ADMD source)?
-- 
Cheers,
  Jeremy


From nobody Wed Oct 24 08:59:57 2018
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A463D130FD9 for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 08:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.653
X-Spam-Level: 
X-Spam-Status: No, score=-0.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, PP_MIME_FAKE_ASCII_TEXT=0.999, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdM4VCv7xL6P for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 08:59:47 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70417130FC7 for <dmarc@ietf.org>; Wed, 24 Oct 2018 08:59:47 -0700 (PDT)
Received: (qmail 77362 invoked by uid 100); 24 Oct 2018 15:59:46 -0000
Date: 24 Oct 2018 15:59:46 -0000
Message-ID: <pqq4ti$2bh5$1@gal.iecc.com>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Organization: Taughannock Networks
References: <57062925.Z3iaeiTUnW@kitterma-e6430><57062925.Z3iaeiTUnW@kitterma-e6430> <CAD2i3WOaAoiDV-t6BNa4rQVWLjhr4Q0-TcQyb7cfjadLEDRDQA@mail.gmail.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/FWSV1no_wrEqhKtFVmMsd2_ZQto>
Subject: Re: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 15:59:55 -0000

In article <CAD2i3WOaAoiDV-t6BNa4rQVWLjhr4Q0-TcQyb7cfjadLEDRDQA@mail.gmail.com>,
Seth Blank  <seth@sethblank.com> wrote:
>ARC inherits all the DKIM mechanisms by reference. So whatever’s valid for
>DKIM (the list you provided) is what’s valid for ARC.

>> DKIM, as updated by the DCRUP work, has two valid crypto algorithms:
>>
>> rsa-sha256
>> ed25519-sha256

I would defer working on this until we clarify how algorithm switching will work.

One place that ARC differs from DKIM is that many DKIM signatures are OK but
you can only have one ARC seal per forward.  In draft-ietf-dmarc-arc-multi-02
we say how I think it can work, but it's not quite backward compatible.

R's,
John
-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
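
An added illustration of the point made in this thread (not code from any participant or from the drafts): a DKIM signer can attach several signatures while algorithms change, but each ARC hop contributes exactly one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results, so a chain audit has to look at structure and at a= together. The header values, domains and the function names below are constructed for the example; the algorithm lists are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Algorithm status exactly as listed in the thread (DKIM as updated by DCRUP).
VALID = {"rsa-sha256", "ed25519-sha256"}
OBSOLETE = {"rsa-sha1"}
ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")

# Constructed sample: hop 2 attempts DKIM-style dual signing by adding two seals.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; cv=pass; a=rsa-sha1; d=list.example; s=k2; b=PLACEHOLDER"),
    ("ARC-Seal", "i=2; cv=pass; a=ed25519-sha256; d=list.example; s=k3; b=PLACEHOLDER"),
    ("ARC-Message-Signature",
     "i=2; a=rsa-sha1; c=relaxed; d=list.example; s=k2; h=From:To:Subject; "
     "bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=2; list.example; dkim=pass header.d=origin.example"),
    ("ARC-Seal", "i=1; cv=none; a=rsa-sha256; d=origin.example; s=k1; b=PLACEHOLDER"),
    ("ARC-Message-Signature",
     "i=1; a=rsa-sha256; c=relaxed; d=origin.example; s=k1; h=From:To:Subject; "
     "bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; origin.example; dkim=pass header.d=origin.example"),
    ("Subject", "constructed test message"),
]


def parse_tags(value):
    """Split a DKIM-style tag list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def audit_arc_chain(headers):
    """Return ({instance: [algorithms]}, [findings]) for a list of (name, value) headers."""
    sets = defaultdict(lambda: defaultdict(list))
    findings = []
    for name, value in headers:
        field = name.lower()
        if field not in ARC_FIELDS:
            continue
        tags = parse_tags(value)
        if not tags.get("i", "").isdigit():
            findings.append(f"{name}: missing or non-numeric i= tag")
            continue
        sets[int(tags["i"])][field].append(tags)

    algorithms = {}
    for i in range(1, max(sets, default=0) + 1):
        # One ARC set per hop: exactly one header of each kind for every instance.
        for field in ARC_FIELDS:
            count = len(sets[i][field])
            if count != 1:
                findings.append(f"i={i}: expected exactly one {field}, found {count}")
        used = sorted({tags.get("a", "(none)")
                       for field in ("arc-seal", "arc-message-signature")
                       for tags in sets[i][field]})
        algorithms[i] = used
        for alg in used:
            if alg in OBSOLETE:
                findings.append(f"i={i}: obsolete algorithm {alg}")
            elif alg not in VALID:
                findings.append(f"i={i}: unrecognised algorithm {alg}")

    seen = sorted({alg for used in algorithms.values() for alg in used})
    if len(seen) > 1:
        # The thread leaves handling of such chains open; report, do not decide.
        findings.append("mixed-algorithm chain: " + ", ".join(seen))
    return algorithms, findings


if __name__ == "__main__":
    algs, problems = audit_arc_chain(SAMPLE_HEADERS)
    for instance, used in algs.items():
        print(f"i={instance}: {', '.join(used)}")
    for problem in problems:
        print("finding:", problem)
```
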


From nobody Wed Oct 24 12:38:29 2018
Return-Path: <tim@eudaemon.net>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A919130DF0; Wed, 24 Oct 2018 12:38:28 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tim Draegen <tim@eudaemon.net>
To: <alexey.melnikov@isode.com>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
Cc: Tim Draegen <tim@dmarcian.com>, dmarc@ietf.org, iesg-secretary@ietf.org, tim@dmarcian.com, dmarc-chairs@ietf.org
Message-ID: <154040990829.6939.13932884328466589315.idtracker@ietfa.amsl.com>
Date: Wed, 24 Oct 2018 12:38:28 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YVuhDm_IkmaocSMw7ZUXXI9E2Wo>
Subject: [dmarc-ietf] Publication has been requested for draft-ietf-dmarc-rfc7601bis-03
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 19:38:28 -0000

Tim Draegen has requested publication of draft-ietf-dmarc-rfc7601bis-03 as Proposed Standard on behalf of the DMARC working group.

Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-dmarc-rfc7601bis/


From nobody Wed Oct 24 14:19:16 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5920126CC7 for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 14:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQvarvAfBfmI for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 14:19:11 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893F812777C for <dmarc@ietf.org>; Wed, 24 Oct 2018 14:19:11 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id w16-v6so3003920lfc.0 for <dmarc@ietf.org>; Wed, 24 Oct 2018 14:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=73RSDHFn1CbfrvODwCmY1/uSgaDc2mdU/cjSpmLmI0A=; b=PPR0YTpuDgxnsZgVjrE/SMObGlQlXziPzqy1XryQXi6tRoKyZOeK1tIH6prpnQIsow P4HoMAtfsMpT92s2ObZCg3fOVcbDZKNkcCp6hTLUo2Er5Jv64MMH1AgPmFKFfMxtaOJ5 u6D/gQ+Nfm7jQHR1/dZRxnjLHS+ROfT6wPXZw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=73RSDHFn1CbfrvODwCmY1/uSgaDc2mdU/cjSpmLmI0A=; b=HgYbsilWPu87EotUD+zWkuJ5J0O9SWgzOhS8PGmw636xTzFKrOgCotpyS5qnfgp2oh 7a/XeE/qMqgZT5K77gmPhGtWaMVaBYxKFjbMqs46j75wXcUqkZoZjEovJzoefpDbP3bw IdHMrQN8FDqFjDYLSsZqEfETZw3PwHBLJbGfRQOt0X7BKwvU+nisnXveNdkJiCjJ3+t5 lygIbSzmuWFnd2Vy6+5GGA/nPUkAQPG9qszloveKwrQpIYm5WHJZUzWpV4x+swsKb1yC 4z0pywgn0e2dNKEWJiFZEJEImfiYoAJIvCKaBv/P1rhFQK5gPz3XAtchk3lThOpPzZ1E gTPA==
X-Gm-Message-State: AGRZ1gLxTcRReqWzVxvM88LHst3IgWEzRDwi0HGS9nb8UFWJmDpHzPFq xytSJRCd4aXrNUhAce7ICxVwaiEpzbzLHds+xtxqKCengOw=
X-Google-Smtp-Source: AJdET5f1NrnlSP4QtFrOqCMsvd1DLzWQFSoUMrHVbvH33w7gOsAGWFADLo9LFrFuaLp2b3OjmkKUOJqsF4rgdXkhzkw=
X-Received: by 2002:a19:750a:: with SMTP id y10mr4061501lfe.43.1540415949628;  Wed, 24 Oct 2018 14:19:09 -0700 (PDT)
MIME-Version: 1.0
References: <20180811033840.Horde.i6llD-AtvgzyNIjbhTs-nkS@webmail.aegee.org> <98aff90a-2198-854f-f1e6-85fd704cb7d1@tana.it> <20180817214834.Horde.DNYi60aPTo_sOKr7o3ilPra@webmail.aegee.org> <2c60b8bf-fec7-3a72-4bcc-3f2416e6f8b1@tana.it> <20180820193206.Horde.U24zQJh_TH-uC-4hxrcs2fw@webmail.aegee.org> <6e31890d3b63091a1d731fd70c2bfc217dc4f45b.camel@aegee.org> <5BC4A48C.3080302@isdg.net>
In-Reply-To: <5BC4A48C.3080302@isdg.net>
From: Kurt Andersen <kurta@drkurt.com>
Date: Wed, 24 Oct 2018 14:18:48 -0700
Message-ID: <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
To: hsantos=40isdg.net@dmarc.ietf.org
Cc: ietf-dkim@ietf.org, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007bfd010579000949"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uYVtPx_1knYEacvNQ8LSZjiF3Iw>
Subject: Re: [dmarc-ietf] [Ietf-dkim] DKIM-Signature: r=y and MLM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 21:19:15 -0000

--0000000000007bfd010579000949
Content-Type: text/plain; charset="UTF-8"

On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
<hsantos=40isdg.net@dmarc.ietf.org> wrote:

<elided earlier part of the message>


> The rewrite should be the last thing to consider, and if it does
> rewrite, it should replace the original author domain strong policy
> with its own strong policy.
>
> For example, the ietf.org mailing list has begun to rewrite and it
> replaces the 5322.From with a dmarc.ietf.org domain, adds a new
> X-Original-From header and resigns the message using an ietf.org
> signer domain:
>
>    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org;
> s=ietf1;
>       t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
>       h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
>       List-Archive:List-Post:List-Help:List-Subscribe:From;
>       b=.....
>     X-Original-From: Hector Santos <hsantos@isdg.net>
>     From: Hector Santos <hsantos=40isdg.net@dmarc.ietf.org>
>
> What it should do is:
>
>    1) It should use a 1st party signature using d=dmarc.ietf.org to
>       match the new author domain dmarc.ietf.org.
>
>    2) It should hash bind the X-Original-From header to the
>       signature.  Since DKIM recommends not to bind "X-" headers,
>       a non "X-" header should be used, i.e. "Original-From:".  This
>       means adding the header to the "h=" field to avoid potential
>       mail resend exploits using different unprotected Original-from:
>       fields.
>
>    3) and finally, the dmarc.ietf.org domain should have its own
>       DMARC p=reject policy to effectively replace the one it
>       circumvented with the submission.
>

I don't understand why it is necessarily a bad thing to fall back to the
org domain (ietf.org) as this example shows.

I also don't understand how your suggestion would work to handle a mixture
of restrictive policies (some quarantine, some reject) with a single _
dmarc.dmarc.ietf.org record unless there is some trick DNS responder magic
going on (and that won't work well for cached responses anyway).

--Kurt

--0000000000007bfd010579000949--


From nobody Wed Oct 24 16:20:02 2018
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEDD129BBF for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 16:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=F9cn04dj; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=R/xKHZZo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xfw7PunzE7KE for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
Received: from ntbbs.winserver.com (ntbbs.santronics.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABE912F1A5 for <dmarc@ietf.org>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2410; t=1540423193; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=wCvnWUo4lNMs2PI2QRnf0zO4Ewo=; b=F9cn04djceltOD4G7eqOq9Crh4GLZkRStAN+ckHNioqbihjUDZPv9bsBLawoCe vJ8FWON+/QMb5u4Smbu6oCVIMEmziAgrM2zUK5R3+xO37sdEz9W58rOROuI4ykQT Dw3d0bOmwYYhrwHz/vMrbcunX6j+U/RT0RkSiI9bzHn1o=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Wed, 24 Oct 2018 19:19:53 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;  adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer); 
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 226824686.155996.5496; Wed, 24 Oct 2018 19:19:52 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2410; t=1540423127; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=0HwgVC6 FUsLgSfM3LDkwMgmPbZNv2AIvesA6jbApuIs=; b=R/xKHZZowFfdFh9W8/w/oFn BTsKzQjvUnx1JTI+fvS8pw/fdIz0pk56mKzwZL4pCTlWZHWrfrw1k41mO+DqHVzu yYEt0RwrlIMYvNZm/48pLhHRExeXGm5x+SZf4O6nDAGut2Fvn34C0MIZkh9M8/Y5 FnGmCjstXM4ocXDlaE14=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Wed, 24 Oct 2018 19:18:47 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 4263139218.9.218972; Wed, 24 Oct 2018 19:18:46 -0400
Message-ID: <5BD0FE17.5090300@isdg.net>
Date: Wed, 24 Oct 2018 19:19:51 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Kurt Andersen <kurta@drkurt.com>
CC: ietf-dkim@ietf.org, "dmarc@ietf.org" <dmarc@ietf.org>
References: <20180811033840.Horde.i6llD-AtvgzyNIjbhTs-nkS@webmail.aegee.org> <98aff90a-2198-854f-f1e6-85fd704cb7d1@tana.it> <20180817214834.Horde.DNYi60aPTo_sOKr7o3ilPra@webmail.aegee.org> <2c60b8bf-fec7-3a72-4bcc-3f2416e6f8b1@tana.it> <20180820193206.Horde.U24zQJh_TH-uC-4hxrcs2fw@webmail.aegee.org> <6e31890d3b63091a1d731fd70c2bfc217dc4f45b.camel@aegee.org> <5BC4A48C.3080302@isdg.net> <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
In-Reply-To: <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fEk4SCQnMPsnUAlbFcAuQN11TEI>
Subject: Re: [dmarc-ietf] [Ietf-dkim] DKIM-Signature: r=y and MLM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 23:20:01 -0000

On 10/24/2018 5:18 PM, Kurt Andersen wrote:

> On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
>
>     What it should do is:
>
>         1) It should use a 1st party signature using d=dmarc.ietf.org
>            to  match the new author domain dmarc.ietf.org
>
>         2) It should hash bind the X-Original-From header to the
>            signature.  Since DKIM recommends not to bind "X-" headers,
>            a non "X-" header should be used, i.e. "Original-From:".  This
>            means adding the header to the "h=" field to avoid potential
>            mail resend exploits using different unprotected Original-from:
>            fields.
>
>         3) and finally, the dmarc.ietf.org domain should have its own
>            DMARC p=reject policy to effectively replace the one it
>            circumvented with the submission.
>
> I don't understand why it is necessarily a bad thing to fall back to
> the org domain (ietf.org <http://ietf.org>) as this example shows.

Because DKIM policy security was lost with the rewrite transaction.

Since the list agent took responsibility by performing a rewrite on a 
protected domain, it is reasonable to assume it can restore the 
protection using its own secured list agent domain.  Without it, it 
leaves a security hole with the unprotected "X-Original-From" which it 
does not hash bind to the new signature.

> I also don't understand how your suggestion would work to handle a
> mixture of restrictive policies (some quarantine, some reject) with a
> single _dmarc.dmarc.ietf.org <http://dmarc.dmarc.ietf.org> record
> unless there is some trick DNS responder magic going on (and that
> won't work well for cached responses anyway).

If I follow your comment, the specific rewrite list agent domain can 
have its own strong p=reject or quarantine.  I don't see that as a 
problem.  It would not matter what the original author domain 
restrictive policy was. It doesn't have to match.

The original domain was protected with a strong policy. The MLM,
rather than reject the submission, ignored the policy and rewrote the
5322.From. It does this only for p=reject policies. I have not checked
if it does it for p=quarantine.  The rewrite should be done with a
strong policy of its own to restore the original submission and author
domain protection. There should also be a new first party signature
(aligned).  At a minimum, the distributed message should bind the
altered header so that replays can be avoided.

-- 
HLS
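
Added example, not part of the message above and not code from any list software: a Python check for points 1 and 2 of the quoted proposal, reporting whether a signature's d= equals the rewritten 5322.From domain and which Original-From / X-Original-From fields are present but missing from h=. The two sample messages, the selector and the addresses are constructed, and the parent-domain test is a plain suffix comparison, not a real organizational-domain lookup.

```python
import email
from email.utils import parseaddr


def sample(d, h, orig_field):
    """Build a constructed list-rewritten message (every value is made up)."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
        f" d={d}; s=sel1; h={h};\n"
        " bh=PLACEHOLDER; b=PLACEHOLDER\n"
        'From: "Author via dmarc" <author=40example.com@dmarc.ietf.org>\n'
        f"{orig_field}: Author <author@example.com>\n"
        "To: dmarc@ietf.org\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


# Signed by the parent domain, original-author field left out of h=.
WEAK = sample("ietf.org", "From:To:Subject", "X-Original-From")
# Signed by the rewritten author domain, Original-From listed in h=.
BOUND = sample("dmarc.ietf.org", "From:Original-From:To:Subject", "Original-From")


def parse_tags(value):
    """Split a DKIM tag list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())
    return tags


def audit(raw, watched=("original-from", "x-original-from")):
    """Return one report per DKIM-Signature found in the raw message."""
    msg = email.message_from_string(raw)
    author_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Original-author fields that actually occur in this message.
    present = [name for name in msg.keys() if name.lower() in watched]
    reports = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = {h.lower() for h in tags.get("h", "").split(":") if h}
        d = tags.get("d", "").lower()
        reports.append({
            "d": d,
            # Point 1: first-party signature for the rewritten author domain.
            "exact_match": d == author_domain,
            # Assumption: suffix test only; real DMARC alignment needs an
            # organizational-domain lookup.
            "parent_fallback": d != author_domain
                               and author_domain.endswith("." + d),
            # Point 2: fields a resender could alter without breaking b=.
            "unbound": [n for n in present if n.lower() not in signed],
        })
    return reports


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("bound", BOUND)):
        print(label, audit(raw))
```

Point 3 (a DMARC record for the rewriting domain) needs a DNS query and is left out so the check runs offline.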



From nobody Thu Oct 25 04:03:32 2018
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F58130E29 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 04:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJUZySoGOvz4 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 04:03:28 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 4A117127333 for <dmarc@ietf.org>; Thu, 25 Oct 2018 04:03:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1540465407; d=isode.com; s=june2016; i=@isode.com; bh=v9egTM/cSxmEDsDHT7zbnrGwUm8t4i07+MZWCxAvQSs=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=eZvx1ADU211UPlSWNBrKiAAk7LDOP7WMOWq1zzvTs50h4mL381cvuWrN/lXwXPYCin2fjk x7Hehc6po4z3RfMWB9SvJnbkpVGyc9QBzfZ4OVRaYrdZmr5VgNjCF2QvgblgPE8DLoOtzP y/a6XT7WcIRl0QwpkvoKHbSsiDmO5WA=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <W9Gi=gArG77p@waldorf.isode.com>; Thu, 25 Oct 2018 12:03:27 +0100
To: dmarc@ietf.org
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com>
Date: Thu, 25 Oct 2018 12:03:02 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ug2XvXqGjyd6S7utkrSq7pq3wv0>
Subject: [dmarc-ietf] AD review of draft-ietf-dmarc-rfc7601bis-03.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 11:03:30 -0000

Hi,

I've started IETF LC on the document, as my comments are really minor:

1) I am not sure that deleted IANA registry descriptions (when compared
to RFC 7601) is the best way, considering that this document obsoletes
RFC 7601. I think it would be better to just keep the text and add a
sentence saying that it is unchanged from RFC 7601. But I am happy to
hear what IESG has to say about this.

2) The following took a really long time to verify for correctness:

Section 2.5 says about authserv-id:

   Note that in an EAI-formatted message, this identifier may be
   expressed in UTF-8.

So I decided to check whether this statement is actually true.
authserv-id is defined in Section 2.2 as:

   authserv-id = value

   "value" is as defined in Section 5.1 of [MIME].


Section 5.1 of RFC 2045:

   value := token / quoted-string

"token" doesn't allow UTF-8 (I think), but quoted-string does, if
updated by RFC 6532.

So, can I suggest that in Section 2.2, the following clarification is made:

OLD:

"value" is as defined in Section 5.1 of [MIME].

NEW:

"value" is as defined in Section 5.1 of [MIME], with "quoted-string"
updated as specified in RFC 6532.


Best Regards,

Alexey
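
Added example, not part of the review above or of either draft: a Python classifier for the "value" grammar discussed in point 2, showing that a UTF-8 authserv-id is accepted only as a quoted-string and only when the RFC 6532 extension is enabled. The function names, the `eai` flag and the sample host names are assumptions made for this example, and folding white space (CRLF) inside quoted-strings is not handled.

```python
# RFC 2045 Section 5.1: a token is one or more US-ASCII characters other
# than SPACE, CTLs and the tspecials below.
TSPECIALS = set('()<>@,;:\\"/[]?=')
TOKEN_CHARS = {chr(c) for c in range(33, 127)} - TSPECIALS

# Constructed sample host with a Cyrillic label (not a real server).
U_HOST = "\u043f\u043e\u0447\u0442\u0430.example"


def _qchar_ok(ch, escaped, eai):
    """Check one character inside a quoted-string (qtext or quoted-pair)."""
    if ch in " \t":
        return True
    if ord(ch) > 127:
        return eai          # UTF8-non-ascii is allowed only per RFC 6532
    if not 33 <= ord(ch) <= 126:
        return False        # control characters and DEL
    return escaped or ch not in '"\\'


def classify(value, eai=False):
    """Return 'token', 'quoted-string' or None for an authserv-id candidate.

    eai=True applies the RFC 6532 update to quoted-string; token stays
    ASCII-only in both modes.
    """
    if value and all(ch in TOKEN_CHARS for ch in value):
        return "token"
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return None
    body, i = value[1:-1], 0
    while i < len(body):
        escaped = body[i] == "\\"
        if escaped:
            i += 1
            if i == len(body):
                return None  # backslash escapes the closing quote
        if not _qchar_ok(body[i], escaped, eai):
            return None
        i += 1
    return "quoted-string"


def render(host, eai=False):
    """Return host as a valid authserv-id, quoting it only when required."""
    if classify(host) == "token":
        return host
    quoted = '"' + host.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if classify(quoted, eai) is None:
        raise ValueError("not expressible as an authserv-id: %r" % host)
    return quoted


if __name__ == "__main__":
    for candidate in ("mx.example.org", U_HOST, '"' + U_HOST + '"'):
        print(repr(candidate), classify(candidate), classify(candidate, eai=True))
```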




From nobody Thu Oct 25 04:42:45 2018
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F387130E37 for <dmarc@ietf.org>; Thu, 25 Oct 2018 04:42:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: <dmarc@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154046776431.16354.10167967721898242672.idtracker@ietfa.amsl.com>
Date: Thu, 25 Oct 2018 04:42:44 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZXAFz7sNJIIBo1hoT2Bu4t9CTGY>
Subject: [dmarc-ietf] Milestones changed for dmarc WG
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 11:42:44 -0000

Changed milestone "Complete Authenticated Received Chain (ARC) protocol
spec", resolved as "Done".

URL: https://datatracker.ietf.org/wg/dmarc/about/


From nobody Thu Oct 25 04:52:17 2018
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B51130E37 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 04:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 60LgLadP2f9X for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 04:52:13 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 44CE21286E3 for <dmarc@ietf.org>; Thu, 25 Oct 2018 04:52:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1540468332; d=isode.com; s=june2016; i=@isode.com; bh=q5ekGbb/0uGEi4iVkFQYT7qFzkYOaMn6Mlz5EwLofc8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=RZQMSXh02sPnHx6HjyKEHZLo8M67LoxQJHgIcB/l6fIiUa92PfhyjL1GuwSGmrIt0i3JAG kiPEtlObXefw7sggSb0UajBxZLMD/cTlB9+XOAuFDIUzmjCyvAbSZBpfFdvvtVmXIKJVFj vLeFi7IOofVWtBxN5mVPVo8EmYXlGpg=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <W9GubAArG0xn@waldorf.isode.com>; Thu, 25 Oct 2018 12:52:12 +0100
To: dmarc@ietf.org
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com>
Date: Thu, 25 Oct 2018 12:51:45 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Alq9OHttOqdaFwjkFg1hd_KkB14>
Subject: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 11:52:15 -0000

I've reviewed recent changes and they look like an improvement over
earlier versions. I have a few minor comments:

1) I think several references need to be reclassified as Normative:

   [I-D-7601bis]
              Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", February 2018,
              <https://datatracker.ietf.org/doc/
              draft-ietf-dmarc-rfc7601bis/>.

I am pretty sure this document is a Normative reference for ARC. Please
move it to Normative references.

   [draft-levine-eaiauth]
              Levine, J., "E-mail Authentication for Internationalized
              Mail", August 2018, <https://tools.ietf.org/html/
              draft-levine-appsarea-eaiauth-03>.

This also looks like a Normative reference. E.g. see the text in Section
4.1.4 of this draft.

2) I am glad that broken examples from Appendix B were removed, but I
would like to have some examples in the document. Is somebody working on
generating these?

Thank you,

Alexey



From nobody Thu Oct 25 05:43:59 2018
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 21E9712F1AB; Thu, 25 Oct 2018 05:43:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.1
Auto-Submitted: auto-generated
Precedence: bulk
CC: draft-ietf-dmarc-rfc7601bis@ietf.org, Tim Draegen <tim@dmarcian.com>, dmarc@ietf.org, alexey.melnikov@isode.com, tim@dmarcian.com, dmarc-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender: <iesg-secretary@ietf.org>
Message-ID: <154047143209.16346.15313646515633169869.idtracker@ietfa.amsl.com>
Date: Thu, 25 Oct 2018 05:43:52 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/yFzt-4FfjblDoX4bJeXpAhLRL2E>
Subject: [dmarc-ietf] Last Call: <draft-ietf-dmarc-rfc7601bis-03.txt> (Message Header Field for Indicating Message Authentication Status) to Proposed Standard
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 12:43:52 -0000

The IESG has received a request from the Domain-based Message Authentication,
Reporting & Conformance WG (dmarc) to consider the following document: -
'Message Header Field for Indicating Message Authentication Status'
  <draft-ietf-dmarc-rfc7601bis-03.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2018-11-08. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   This document specifies a message header field called Authentication-
   Results for use with electronic mail messages to indicate the results
   of message authentication efforts.  Any receiver-side software, such
   as mail filters or Mail User Agents (MUAs), can use this header field
   to relay that information in a convenient and meaningful way to users
   or to make sorting and filtering decisions.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dmarc-rfc7601bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dmarc-rfc7601bis/ballot/


No IPR declarations have been submitted directly on this I-D.





From nobody Thu Oct 25 07:15:47 2018
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF795128A6E for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 07:15:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.102
X-Spam-Level: 
X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=abaCJj2b; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=eKdluRlc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5b7iNuBdyFnO for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 07:15:43 -0700 (PDT)
Received: from listserv.winserver.com (news.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id A9605124408 for <dmarc@ietf.org>; Thu, 25 Oct 2018 07:15:42 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=270; t=1540476935; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=I7G9IslMXXFU5vZ5D73bADuwHe0=; b=abaCJj2bPbLSPkHrThuWX1c7rIiFNR0uYys+FIZLmsVNEe5y1c5Lx1uOGiUVW8 cVbDTyXrnt/HU1lsUeG3Sa1WppX22L3ket+3cwXXgMtnRojWcDgZfNIWT+9TNYgA 3x5b2TbdXf7+xCyoqVz7iORjI0Izy+p7g1hlqL3WkUeCg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Thu, 25 Oct 2018 10:15:35 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;  adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer); 
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 280565658.155996.1216; Thu, 25 Oct 2018 10:15:34 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=270; t=1540476870; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=n4VuCRG 312WLz0Px2iTEmZg19rBroMqr+TDm5YpZVQA=; b=eKdluRlcohhcjTGff2mK87Y KosQzdRy+1TVDgU+655epYDAM3ZpbTvFXe4OeknyQwj341d+kCfx4gpzWSNaoTLf AlIusbPXoC9s2Vi/FjB+E3KM96QUbyn2Ov8Kz+18/K8AVWovH+jTJjiOAjAlEuR8 phP+gIyY1uoIMbNQvR2c=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Thu, 25 Oct 2018 10:14:30 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 21915391.9.223148; Thu, 25 Oct 2018 10:14:29 -0400
Message-ID: <5BD1D008.30908@isdg.net>
Date: Thu, 25 Oct 2018 10:15:36 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com>
In-Reply-To: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/j4h07dclwTUEZinpuReveuvXT_E>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 14:15:45 -0000

On 10/25/2018 7:51 AM, Alexey Melnikov wrote:

> 2) I am glad that broken examples from Appendix B were removed, but I
> would like to have some examples in the document. Is somebody working
> on generating these?

+1.

Especially examples of DMARC.

-- 
HLS



From nobody Thu Oct 25 08:15:12 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43785130DE5 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 08:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_mmUaug_ivd for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 08:15:08 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C8E127133 for <dmarc@ietf.org>; Thu, 25 Oct 2018 08:15:07 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id c4-v6so8593187lja.4 for <dmarc@ietf.org>; Thu, 25 Oct 2018 08:15:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1s350obrnbFmbTAErj6Zr+wvgpEPYuXskxc0wHu8Lsk=; b=V4OQpeQPEiDhwK4JdXT/48EOIzMTYVmndHqfyL+xRTvcTaz5jyq2WoswIOcpB97nCV AmoQXY0+le360x8tuBrju1YsVnqc5RDfUxqFb7pKyUJ/o+e5Xd9pIUIuhEDVP+vgP+aX +VGW7/BYbOJumKbmDLFBpLrjxIZEv9VxJvsxI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1s350obrnbFmbTAErj6Zr+wvgpEPYuXskxc0wHu8Lsk=; b=fSangbo7/d4iUPpydFMy1sHrvu50D98PlbsfiL/7xLCYFltDfP5rLzFThgsgOWL5i0 NxRCsWpfgihAtbTJxpM8FDnKYSWrFCHCGVluG9a52grEG2GUApRHx6oTKQrAezu2UKNw o+PQu2cNHWVM9tlviy8PrLd0nGcJo0j67LkptibDGegKhZHep1I3AcxvzBT7/wIYCW25 9IG9NswnO4dMOH5Cznx450dKGkpG7Cp4ARCtit2gynlJI3dFB7J7WH9DwlhznA/aEbw3 j4HhnvHyx+hTYGwkpm8jxp5vEFPoxsAbMmng+wRHYHcMvCxOaity6fDMXJVraiKLjvQK qI/A==
X-Gm-Message-State: AGRZ1gI0YwigzvXcgdwfR6VDkOV9cKLR3AfQADMPtFKmHY6lIhqeNma+ twK5/uNEkl+qP3dmnDaedhKtALghqsqZaIdf+N44zLyXdnk=
X-Google-Smtp-Source: AJdET5de7jpSCcqw0RdwPHPHDRxH5MRdESli5dTSZHev4GSXGVjTsRNqKipBTYqRFvxnv27Pkgy6y7Hp20XszZsnExo=
X-Received: by 2002:a2e:5b1d:: with SMTP id p29-v6mr1577752ljb.176.1540480505845;  Thu, 25 Oct 2018 08:15:05 -0700 (PDT)
MIME-Version: 1.0
References: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com>
In-Reply-To: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Thu, 25 Oct 2018 08:14:43 -0700
Message-ID: <CABuGu1p3-pMD=uyDSROttdaduoAEUhSsv3yGV+itxBhxmyKqAA@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000055b75105790f11af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nwNNK6ZfuKxVHE6eWUOK23g5lPU>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 15:15:10 -0000

--00000000000055b75105790f11af
Content-Type: text/plain; charset="UTF-8"

On Thu, Oct 25, 2018 at 4:52 AM Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> I've reviewed recent changes and they look like an improvement over
> earlier versions. I have a few minor comments:
>
> 1) I think several references need to be reclassified as Normative:
>
>     [I-D-7601bis]
>                Kucherawy, M., "Message Header Field for Indicating
>                Message Authentication Status", February 2018,
>                <https://datatracker.ietf.org/doc/
>                draft-ietf-dmarc-rfc7601bis/>.
>
> I am pretty sure this document is a Normative reference for ARC. Please
> move it to Normative references.
>
>     [draft-levine-eaiauth]
>                Levine, J., "E-mail Authentication for Internationalized
>                Mail", August 2018, <https://tools.ietf.org/html/
>                draft-levine-appsarea-eaiauth-03>.
>
> This also looks like a Normative reference. E.g. see the text in Section
> 4.1.4 of this draft.
>

Both of these are indeed normative in usage, but I was under the impression
that one could not refer to I-Ds as normative.


> 2) I am glad that broken examples from Appendix B were removed, but I
> would like to have some examples in the document. Is somebody working on
> generating these?
>

Yes, work is in progress. It is really hard to do "fake" signing of
non-existent IP and domains with real production software. That has been
the hangup.

--Kurt

--00000000000055b75105790f11af--


From nobody Thu Oct 25 10:42:38 2018
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7214B130F03 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 10:42:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzZkhT5tkJE6 for <dmarc@ietfa.amsl.com>; Thu, 25 Oct 2018 10:42:29 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4613130E16 for <dmarc@ietf.org>; Thu, 25 Oct 2018 10:42:28 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id m18-v6so7460823lfl.11 for <dmarc@ietf.org>; Thu, 25 Oct 2018 10:42:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:from:date:message-id:subject:to; bh=NlYTPIcug8mqfEbOPgEDtVudJufmouTM7nXtuzL3Sx0=; b=P8Qj4tyEYrDgNoS/wly1Yqm9Olqi3viFJet+MVV76uzqt6THxMqnUspHT4GSwaGjPf 72NxMC9NJaBC/DSy01kT7BKtbyUNkjgH6CuxMdGkvP7vaf0DT+N8yLBaDFUG2YugCGKK dQH2jVZ+EbDi9EeK92ArtBVBFM80jsy+ijpLk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NlYTPIcug8mqfEbOPgEDtVudJufmouTM7nXtuzL3Sx0=; b=OkwjAq9VxDpBpxvF08h46UYOtZdav1qYHXHVmLJyJ5Qh7Rbgywz/51Lmoxeg3bdlgc IkfX0Ka7gNPzlxoi/w3niwSfWD3V5i4oolV6IDB4felJX2lP6XxPpsTIFOOojqYGa8Ix XODTHsKQ53TknB8Ib272xj2uDmEsMHxbiqVjNuO/sZJCpmYqo7/u/Qoe+IHzLFc0YmRK 49FwuAGxCfcLjGmCFsXvaZ8VuwXvt6gQgfIWoANsM8PclcXKXEkaPFZ87wtDLUYr2jdZ yXv8ueHT569Ftpr0RIT/3+GeKG25NEU6OWmWd1cboV24xGhZaTMHrX7nqTbX6iAcWjVy TU2g==
X-Gm-Message-State: AGRZ1gKBI0a/YTdukhUeRfThd8+QUy1qtyz5mBuTolGUM9wTeAsi1s7V 3pakN0+5/AjMAK3PYcHyC5YAraemsP0cjwO3+NuIvm0xo6ne7w==
X-Google-Smtp-Source: AJdET5f4g+LUXtOeBA1Fev7xwPQsfvi8YH1uDmE2sf/0DgrtqqjHw3de9XF6VBho4iLkV70TbELcVjt1snZ6pCXYVRA=
X-Received: by 2002:a19:f514:: with SMTP id j20-v6mr109787lfb.13.1540489346256;  Thu, 25 Oct 2018 10:42:26 -0700 (PDT)
MIME-Version: 1.0
From: Kurt Andersen <kurta@drkurt.com>
Date: Thu, 25 Oct 2018 10:42:04 -0700
Message-ID: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043a4f20579112004"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uw4y0seu1qD_7BXIEAmwI3ZmaC8>
Subject: [dmarc-ietf] Request to accept a new I-D into the WG work items
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 17:42:36 -0000

--00000000000043a4f20579112004
Content-Type: text/plain; charset="UTF-8"

I'd like to recommend that we (DMARC-WG) accept
https://tools.ietf.org/html/draft-kitterman-dmarc-psd-00 into our work
queue. It aligns with our charter already.

--Kurt Andersen

--00000000000043a4f20579112004--


From nobody Thu Oct 25 11:39:08 2018
Message-ID: <5BD20DC2.30802@isdg.net>
Date: Thu, 25 Oct 2018 14:38:58 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
In-Reply-To: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DNEOkdlHdZZU6bI4wpjz4p_toT8>
Subject: Re: [dmarc-ietf] Request to accept a new I-D into the WG work items

On 10/25/2018 1:42 PM, Kurt Andersen wrote:

> I'd like to recommend that we (DMARC-WG) accept
> https://tools.ietf.org/html/draft-kitterman-dmarc-psd-00 into our work
> queue. It aligns with our charter already.
>
> --Kurt Andersen

+1

I would also suggest to use the document proposal (and subsequent WG 
discussions) to help codify sub-domain alignment ambiguities in DMARC 
(rfc7489, section 3.1, 3.1.1 and 3.1.2) between the identities:

     Author Domain,
     Signer Domain, and
     Return Path Domain

and how this proposal applies.

-- 
HLS



From nobody Thu Oct 25 12:41:07 2018
MIME-Version: 1.0
References: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
In-Reply-To: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Thu, 25 Oct 2018 12:40:45 -0700
Message-ID: <CAD2i3WNXBWeAHu9PZ-6adtJEkYHcwU6E+d4WOtgMmyC9On4D6Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006742fb057912c854"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6NbS2QJNgy_bpmRp-k_fAbGzWCQ>
Subject: Re: [dmarc-ietf] Request to accept a new I-D into the WG work items

--0000000000006742fb057912c854
Content-Type: text/plain; charset="UTF-8"

I concur. This is an important work item for the group, and fits cleanly
into Phase 3 of our charter.

On Thu, Oct 25, 2018 at 10:42 AM Kurt Andersen <kurta@drkurt.com> wrote:

> I'd like to recommend that we (DMARC-WG) accept
> https://tools.ietf.org/html/draft-kitterman-dmarc-psd-00 into our work
> queue. It aligns with our charter already.
>
> --Kurt Andersen

--0000000000006742fb057912c854--


From nobody Thu Oct 25 20:05:02 2018
MIME-Version: 1.0
References: <0c273037-69c0-a37f-7cf6-6c9a90ad3291@isode.com> <CABuGu1p3-pMD=uyDSROttdaduoAEUhSsv3yGV+itxBhxmyKqAA@mail.gmail.com>
In-Reply-To: <CABuGu1p3-pMD=uyDSROttdaduoAEUhSsv3yGV+itxBhxmyKqAA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 25 Oct 2018 20:04:44 -0700
Message-ID: <CAL0qLwZ9x4tZhMFWrCGN4LNxTCHbSDMRJGAECuAJoev7VnGj=A@mail.gmail.com>
To: "<kboth@drkurt.com>" <kboth@drkurt.com>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f697ba057918fb07"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Nor5ihmSjzp2zO2m2sPvfEEB7-o>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18

--000000000000f697ba057918fb07
Content-Type: text/plain; charset="UTF-8"

On Thu, Oct 25, 2018 at 8:15 AM Kurt Andersen (b) <kboth@drkurt.com> wrote:

>
> Both of these are indeed normative in usage, but I was under the
> impression that one could not refer to I-Ds as normative.
>

At least 7601bis will be an RFC at the same time as this one is, if not
sooner.  I don't know what the plans are for the other one.


>
>> 2) I am glad that broken examples from Appendix B were removed, but I
>> would like to have some examples in the document. Is somebody working on
>> generating these?
>>
>
> Yes, work is in progress. It is really hard to do "fake" signing of
> non-existent IP and domains with real production software. That has been
> the hangup.
>

You can do that with OpenARC, I believe.  You don't need an IP address to
seal something.

-MSK

--000000000000f697ba057918fb07--


From nobody Fri Oct 26 17:33:44 2018
MIME-Version: 1.0
References: <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com>
In-Reply-To: <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com>
From: Brandon Long <blong@google.com>
Date: Fri, 26 Oct 2018 17:33:27 -0700
Message-ID: <CABa8R6sdRzucAatJghXgQSa3Z0+RiVg=QhpPWo9pLOmxCCkX-A@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be2a0705792afc3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rhrO8JPLK-FOo2tYH-vQYW10bj8>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-rfc7601bis-03.txt

--000000000000be2a0705792afc3d
Content-Type: text/plain; charset="UTF-8"

should authserv-id be a dot-atom instead?  That seems to be the main uses
I see, as a domain, and that would allow UTF-8.

I don't know how bad that is compared to a token, and clearly that doesn't
allow a quoted-string, so I guess it would likely need to be
authserv-id = dot-atom-text / quoted-string

except that dot-atom-text isn't the same as token.. it allows "?" / "=" /
in particular, and I guess atext doesn't allow . on the ends ...
= could be problematic with some parsers given the prevalence of = in the
rest of the header.

I guess the alternative is to define a utf8-token that was VCHAR instead,
ie:

utf8-token := 1*<VCHAR except SPACE, CTLs, or tspecials>

with VCHAR updated by rfc 6532 to allow utf-8.

Or do we say that rfc 2045 should have been updated to VCHAR?  Probably a
bit annoying to do that.

Brandon


On Thu, Oct 25, 2018 at 4:03 AM Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi,
>
> I've started IETF LC on the document, as my comments are really minor:
>
> 1) I am not sure that deleted IANA registry descriptions (when compared
> to RFC 7601) is the best way, considering that this document obsoletes
> RFC 7601. I think it would be better to just keep the text and add a
> sentence saying that it is unchanged from RFC 7601. But I am happy to
> hear what IESG has to say about this.
>
> 2) The following took really long time to verify for correctness:
>
> Section 2.5 says about authserv-id:
>
>    Note that in an EAI-formatted message, this identifier may be
>          expressed in UTF-8.
>
> So I decided to check whether this statement is actually true.
> authserv-id is defined in Section 2.2 as:
>
>    authserv-id = value
>
>    "value" is as defined in Section 5.1 of [MIME].
>
>
> Section 5.1 of RFC 2045:
>
>     value := token / quoted-string
>
> "token" doesn't allow UTF-8 (I think), but quoted-strings does, if
> updated by RFC 6532.
>
> So, can I suggest that in Section 2.2, the following clarification is made:
>
> OLD:
>
> "value" is as defined in Section 5.1 of [MIME].
>
> NEW:
>
> "value" is as defined in Section 5.1 of [MIME], with "quoted-string"
> updated as specified in RFC 6532.
>
>
> Best Regards,
>
> Alexey
>
>
>

--000000000000be2a0705792afc3d--
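
The grammar alternatives weighed in the message above, side by side, as an added example (not code from the thread or from any draft): a Python checker reporting which rules accept a candidate authserv-id. The function names and sample host names are constructed; quoted-string is simplified (no CFWS, no folding), and any code point above U+007F stands in for RFC 6532's UTF8-non-ascii.

```python
"""Which of the grammars discussed for authserv-id accept a given string?"""

# RFC 2045 section 5.1: characters a token may not contain.
TSPECIALS = '()<>@,;:\\"/[]?='
# RFC 5322 section 3.2.3: punctuation that atext allows besides ALPHA / DIGIT.
ATEXT_PUNCT = "!#$%&'*+-/=?^_`{|}~"


def _non_ascii(ch):
    # Assumption: on a decoded str, a code point above U+007F stands in for the
    # UTF8-non-ascii rule that RFC 6532 adds to VCHAR, atext and qtext.
    return ord(ch) > 0x7F


def _vchar(ch, utf8):
    return 0x21 <= ord(ch) <= 0x7E or (utf8 and _non_ascii(ch))


def is_token(s):
    """RFC 2045 token: 1*<US-ASCII CHAR except SPACE, CTLs, or tspecials>."""
    return bool(s) and all(_vchar(c, False) and c not in TSPECIALS for c in s)


def is_utf8_token(s):
    """utf8-token as sketched in the message: RFC 6532 VCHAR minus tspecials."""
    return bool(s) and all(_vchar(c, True) and c not in TSPECIALS for c in s)


def _atext(ch, utf8):
    ascii_alnum = ch.isascii() and ch.isalnum()
    return ascii_alnum or ch in ATEXT_PUNCT or (utf8 and _non_ascii(ch))


def is_dot_atom_text(s, utf8=True):
    """RFC 5322 dot-atom-text: 1*atext *("." 1*atext), so no empty label."""
    return all(lab and all(_atext(c, utf8) for c in lab) for lab in s.split("."))


def is_quoted_string(s, utf8):
    """RFC 5322 quoted-string: qtext / quoted-pair / WSP between DQUOTEs."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return False
    body, i = s[1:-1], 0
    while i < len(body):
        c = body[i]
        if c == "\\":  # quoted-pair = "\" (VCHAR / WSP)
            if i + 1 >= len(body):
                return False  # the backslash escaped the closing DQUOTE
            nxt = body[i + 1]
            if not (_vchar(nxt, utf8) or nxt in " \t"):
                return False
            i += 2
        elif c in " \t" or (_vchar(c, utf8) and c != '"'):
            i += 1
        else:
            return False
    return True


GRAMMARS = [
    ("token", is_token),
    ("quoted-string", lambda s: is_quoted_string(s, utf8=False)),
    ("quoted-string+6532", lambda s: is_quoted_string(s, utf8=True)),
    ("dot-atom-text+6532", is_dot_atom_text),
    ("utf8-token", is_utf8_token),
]


def accepted_by(candidate):
    """Return the names of the grammars that accept the candidate, in order."""
    return [name for name, check in GRAMMARS if check(candidate)]


# Constructed sample identifiers, one per point raised in the message.
SAMPLES = [
    "mx.example.com",             # plain ASCII host name
    "m\u00fcnchen.example",       # unquoted UTF-8: rejected by token
    '"m\u00fcnchen.example"',     # quoted UTF-8: needs the RFC 6532 update
    "a=b.example",                # "=" is atext but also a tspecial
    ".example.com",               # dot on the end: fine for token only
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} {', '.join(accepted_by(sample)) or '(none)'}")
```

The `a=b.example` row is the parser concern raised above: dot-atom-text admits `=` and `?`, which the token-based rules keep out of an unquoted authserv-id.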


From nobody Sat Oct 27 07:44:19 2018
Date: 27 Oct 2018 10:44:12 -0400
Message-Id: <20181027144414.6892B200728CF9@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: superuser@gmail.com
In-Reply-To: <CAL0qLwZ9x4tZhMFWrCGN4LNxTCHbSDMRJGAECuAJoev7VnGj=A@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5Wq4ggsBj4D-qkmW2_Xg-mU53R4>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18

In article <CAL0qLwZ9x4tZhMFWrCGN4LNxTCHbSDMRJGAECuAJoev7VnGj=A@mail.gmail.com> you write:
>At least 7601bis will be an RFC at the same time as this one is, if not
>sooner.  I don't know what the plans are for the other one.

Also see Scott's LC comment on 7601bis.  There's a bunch of stuff in 7601 not
in the new draft, so 7601bis is really an update, not a replacement for 7601.

R's,
John


From nobody Sat Oct 27 09:20:38 2018
Date: 27 Oct 2018 12:20:32 -0400
Message-Id: <20181027162033.1C98620072999E@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: alexey.melnikov@isode.com
In-Reply-To: <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Yt808HuOr8Ribk-FcvWA_S0daRw>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-rfc7601bis-03.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2018 16:20:37 -0000

In article <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com> you write:
>   Note that in an EAI-formatted message, this identifier may be
>         expressed in UTF-8.
>
>So I decided to check whether this statement is actually true.

Oops.

>OLD:
>
>"value" is as defined in Section 5.1 of [MIME].
>
>NEW:
>
>"value" is as defined in Section 5.1 of [MIME], with "quoted-string" 
>updated as specified in RFC 6532.

That seems the smallest adequate fix.  In general EAI allows UTF-8 in
fields that humans look at, but not ones just for computers like
message-IDs.  The alternative would be to leave the old text and add a
note that says in the common case that the identifier is a domain
name, IDNs are represented as A-labels.

R's,
John


From nobody Sat Oct 27 13:04:11 2018
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B87C130D7A for <dmarc@ietfa.amsl.com>; Sat, 27 Oct 2018 13:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level: 
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=cfgwjf0v; dkim=pass (1536-bit key) header.d=taugh.com header.b=n76eYSzA
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vly8uywX05Bu for <dmarc@ietfa.amsl.com>; Sat, 27 Oct 2018 13:04:07 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51F82130E0A for <dmarc@ietf.org>; Sat, 27 Oct 2018 13:04:07 -0700 (PDT)
Received: (qmail 15791 invoked from network); 27 Oct 2018 20:04:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3da4.5bd4c4b6.k1810; bh=aedhNF3Yql1xgCfrT9ubqG91cCXYlifeCV3YIcRabIw=; b=cfgwjf0vobS03fzKWvRfPz+/aQz2U5/X1O3oWpHrCt8L8hq9RRvVy4vPRR6d517h48T/QKEQ4v4dWQBb9uH+fTC7REsFvzlfo7bdr5/XJFlVWYl0cNuyFZ+HBkTf78L76Q5ZaqLdnT/G9VnF6SNT9+cO9zYWdotg/eS28Yf/KAdr/kD0P4o27ENCoatYoDtWG2QqlYUTGBmw7i8KH6sapYq/zjEH9+iS/njpcKVLZlTOIzTcNe9ryKxGNnfrd7Q7
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3da4.5bd4c4b6.k1810; bh=aedhNF3Yql1xgCfrT9ubqG91cCXYlifeCV3YIcRabIw=; b=n76eYSzAOCaRt3mTMEpK4u+2teVJXVuBowvOldTK02W9KA7UEEyLyNsxfKQI9GEXlZJJspspX02xSOexHCs9RgoKy5N9ag5c6/OwnS0E7Id+03xbVS1D75GaXJtoHAacvj5gI6Amy2+VN/u/TzerQ4M9ft+GUlBI5wjfqhJMhKjNnxHDdkAqwwPSD/vDXL2wohpx4y70Di+4YORvnwD8WrkqKBayxxMI2VRLJk4husVB4f4AFvQrQlQqc2ikCoWi
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 27 Oct 2018 20:04:06 -0000
Received: by ary.qy (Postfix, from userid 501) id 09F7120072CE14; Sat, 27 Oct 2018 16:04:05 -0400 (EDT)
Date: 27 Oct 2018 16:04:05 -0400
Message-Id: <20181027200406.09F7120072CE14@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: kurta@drkurt.com
In-Reply-To: <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZPzFH11IBxc4VIYKue9z8h9HMBs>
Subject: Re: [dmarc-ietf] Request to accept a new I-D into the WG work items
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2018 20:04:09 -0000

In article <CABuGu1o4E-Svt9N++RaFvO4SATt3Wh1w7gZb1OdBSVRCm7Odmg@mail.gmail.com> you write:
>I'd like to recommend that we (DMARC-WG) accept
>https://tools.ietf.org/html/draft-kitterman-dmarc-psd-00 into our work
>queue. It aligns with our charter already.

OK with me.  I'd like a clearer explanation of what problem it solves,
but that should be fixable.


From nobody Sat Oct 27 14:54:38 2018
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDFBF1277D2 for <dmarc@ietfa.amsl.com>; Sat, 27 Oct 2018 14:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.651
X-Spam-Level: 
X-Spam-Status: No, score=-1.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHKfBJTeep-4 for <dmarc@ietfa.amsl.com>; Sat, 27 Oct 2018 14:54:34 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 913F01274D0 for <dmarc@ietf.org>; Sat, 27 Oct 2018 14:54:34 -0700 (PDT)
Received: (qmail 59285 invoked by uid 100); 27 Oct 2018 21:54:32 -0000
Date: 27 Oct 2018 21:54:32 -0000
Message-ID: <pr2mqo$1ifd$1@gal.iecc.com>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Organization: Taughannock Networks
References: <90535677-7c53-1698-e803-3c0869b29c20@crash.com><90535677-7c53-1698-e803-3c0869b29c20@crash.com> <ee344a3b-cb31-d552-6c88-05cf4ad6146f@wizmail.org>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/u2lmqJ2sI_9oWkTgExfhjkDfK9o>
Subject: Re: [dmarc-ietf] New version of draft-ietf-dmarc-arc-usage posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2018 21:54:37 -0000

In article <ee344a3b-cb31-d552-6c88-05cf4ad6146f@wizmail.org>,
Jeremy Harris  <jgh@wizmail.org> wrote:
>> New version: https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-06
>
>How about another subsection 5.x saying when Originating ADMDs should
>take any ARC action?  For starting a new ARC chain I assume the answer
>is normally "don't" - but perhaps there is an exception when a message
>is already DKIM-signed, or when SPF for it would be invalidated by
>forwarding (despite it being in-theory a local ADMD source)?

Seems to me that's pretty simple: you should add an ARC seal when you
do something that might break DMARC validation, which means modifying
the contents of the message (breaks DKIM) or remailing a message
(breaks SPF.)

It is my impression that if your message already has a local A-R
header, it's a good candidate for adding an ARC seal.  If not, it
probably isn't even though you could in principle add your own A-R
which only has arc=none.

R's,
John
-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
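
One way to apply the two rules of thumb in the message above, as an added example that is not part of the original post or of the ARC drafts. Requiring both conditions (a DMARC-breaking action and a local A-R header) is this example's reading of the post; the function names and all domains are constructed, and authserv-ids are compared in A-label form, following the IDN note in the 7601bis thread earlier in this archive.

```python
import email
import re

MAX_ARC_INSTANCE = 50  # the ARC protocol allows instance values 1 through 50


def to_a_label(identifier):
    """Normalise a domain-style identifier: lower case, IDN labels as A-labels."""
    name = identifier.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # not a valid domain name; compare it literally


def authserv_id(ar_value):
    """Return the authserv-id of one Authentication-Results header value.

    Simplified parse: drops non-nested (comments), takes the text before the
    first ';', and ignores an optional version number after the identifier.
    """
    value = re.sub(r"\([^()]*\)", " ", " ".join(ar_value.split()))
    head = value.split(";", 1)[0].split()
    return head[0].strip('"') if head else ""


def local_ar_headers(msg, local_id):
    """A-R headers stamped by this ADMD.

    Assumes the border MTA has already removed inbound A-R headers that
    claim the local authserv-id, so a match can be trusted.
    """
    wanted = to_a_label(local_id)
    return [v for v in msg.get_all("Authentication-Results", [])
            if to_a_label(authserv_id(v)) == wanted]


def next_arc_instance(msg):
    """Highest i= found on existing ARC-Seal headers, plus one."""
    seen = []
    for value in msg.get_all("ARC-Seal", []):
        match = re.search(r"(?:^|;)\s*i\s*=\s*(\d+)", value)
        if match:
            seen.append(int(match.group(1)))
    return max(seen, default=0) + 1


def arc_seal_decision(raw, local_id, modified_content, remailed):
    """Return (seal, instance, reason) for a message about to leave this ADMD."""
    msg = email.message_from_string(raw)
    if not (modified_content or remailed):
        return (False, None, "nothing done here breaks DKIM or SPF")
    if not local_ar_headers(msg, local_id):
        return (False, None, "no local Authentication-Results to record")
    instance = next_arc_instance(msg)
    if instance > MAX_ARC_INSTANCE:
        return (False, None, "ARC chain already at the instance limit")
    return (True, instance, "local A-R present and DMARC may break downstream")


# Constructed sample: a list hosted at bücher.example received this message;
# its inbound MTA stamped an A-R header using the A-label form of its name,
# and an earlier forwarder had already added ARC set i=1.
SAMPLE = "\n".join([
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=sel1;",
    " t=1540677272; b=PLACEHOLDER",
    "Authentication-Results: mx.xn--bcher-kva.example;",
    " dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example",
    "Authentication-Results: mx.elsewhere.example; dkim=pass header.d=sender.example",
    "Subject: [list] hello",
    "",
    "body",
])

if __name__ == "__main__":
    # The list rewrites the Subject (breaks DKIM) and remails (breaks SPF).
    print(arc_seal_decision(SAMPLE, "mx.bücher.example", True, True))
    # A pure relay that touched nothing has no reason to seal.
    print(arc_seal_decision(SAMPLE, "mx.bücher.example", False, False))
```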


From nobody Sun Oct 28 15:29:55 2018
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B81112870E for <dmarc@ietfa.amsl.com>; Sun, 28 Oct 2018 15:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9033i3b_083 for <dmarc@ietfa.amsl.com>; Sun, 28 Oct 2018 15:29:52 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62A1127332 for <dmarc@ietf.org>; Sun, 28 Oct 2018 15:29:51 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id d7-v6so4616752lfi.2 for <dmarc@ietf.org>; Sun, 28 Oct 2018 15:29:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jh95tlkk/22Bsc1IclJFqDXkF7ECDzqhHjrJl9yd/fc=; b=XUskcZXCe2CJthntC8mlNYIBLiVm1j5+VjYeXyoad4S0kex+Z+RZwjp1pujX+Lubxe N5X2DaxICD3+2B/Ze8d8+0TO0TRDK8vtvIe9HS7hB4lC2aBCEJedh4JRNA843Bup/Ney l3wP1CJLLwVJD0mvFUnPaHXhXKphieJKnenxuWCI2y/qyOa7swsBg8edBeR+sTXT7Fi0 PpshrTq5iGqf1i7Hyd0KdcEXw18hVbH+8363wcTmVljJMz8pSZGQ0uQMzOEJiQpU32oJ BmUjKFcex5srF7bP1edoKIGxeZruW+P6uoiFozwOJ2jjpdvkW0wgyb5pDC/ul9CXWk96 YdMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jh95tlkk/22Bsc1IclJFqDXkF7ECDzqhHjrJl9yd/fc=; b=rzi7IbujrVvtjkMaukQhEGt589F1llVMqq2l75zubWYgIUMo17mNYddTfM3Efes22t ojy4xBCz9bYTDPRQ7v4GUfsTDkoYsItq23YdyGvymXg3XQb8OQH286FKq1eIuDZY3Uvj 9HAHXg3VHOkyuMy11Lv7jfFMNGxDJV1EHtU50mxq5sDRVtlxHxCypbf1Dqrhakiyp79+ 7QDrTVuvVyN0x/coRpzvNnCY+AE+tDZ3/3NV8tFXg422NbdfF04QCt/UGUseHZXunl8G BdOel+62SRQGHY5mc6aG6xydCqXxdHYy7E0xTuydo3UK8tCO0eYFe3JRwFRmdf2ZD9fH jvvw==
X-Gm-Message-State: AGRZ1gLDu1pImb8VTVllLrKPTumY56o9OEbkEV8zw9IUZEFhWbd4ET/T s4QcTyxF892ZwGkpfzqz7T5+Z+3ygvIWTYD9T5vM4A==
X-Google-Smtp-Source: AJdET5dCwmTabuh0Mb1Y5sie45IcroNb+jm82Vp4rMj4eSJkaroJJVKuwwqFi2mT2UtUPlF9OHg/v/E1oZABU5in4fk=
X-Received: by 2002:a19:2102:: with SMTP id h2-v6mr6409591lfh.119.1540765789774;  Sun, 28 Oct 2018 15:29:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwZ9x4tZhMFWrCGN4LNxTCHbSDMRJGAECuAJoev7VnGj=A@mail.gmail.com> <20181027144414.6892B200728CF9@ary.qy>
In-Reply-To: <20181027144414.6892B200728CF9@ary.qy>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sun, 28 Oct 2018 15:29:35 -0700
Message-ID: <CAL0qLwZaQ8LSkOzjF83zXLbEHp5692o46gJHYjc=Pc89R=b-tw@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094e8f80579517d70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CrivnM_e5rrAQPuZQrrplwA23Do>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-arc-protocol-18
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Oct 2018 22:29:54 -0000

--00000000000094e8f80579517d70
Content-Type: text/plain; charset="UTF-8"

On Sat, Oct 27, 2018 at 7:44 AM John Levine <johnl@taugh.com> wrote:

> In article <CAL0qLwZ9x4tZhMFWrCGN4LNxTCHbSDMRJGAECuAJoev7VnGj=
> A@mail.gmail.com> you write:
> >-=-=-=-=-=-
> >At least 7601bis will be an RFC at the same time as this one is, if not
> >sooner.  I don't know what the plans are for the other one.
>
> Also see Scott's LC comment on 7601bis.  There's a bunch of stuff in 7601
> not
> in the new draft, so 7601bis is really an update, not a replacement for
> 7601.
>

Well, I don't think it was the intent to do an update, so I'm going to have
to go review that.

I still think it will ship before ARC does, rendering Kurt's question moot
anyway.

-MSK


--00000000000094e8f80579517d70--


From nobody Tue Oct 30 10:53:02 2018
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4948130D7A for <dmarc@ietfa.amsl.com>; Tue, 30 Oct 2018 10:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level: 
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CggF5TRbb2td for <dmarc@ietfa.amsl.com>; Tue, 30 Oct 2018 10:52:59 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10949127333 for <dmarc@ietf.org>; Tue, 30 Oct 2018 10:52:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=gamma; t=1540921977; bh=Fy41Vj20qBa9PjKTbJg8Gz2BMP1GGgIc3rqsKOyz56g=; l=332; h=To:References:From:Date:In-Reply-To; b=BpfMOgzjA8oKCR/m336bQGFvz36cVlYsQp5zYDBgaVbJuJOUCAf6YLaB58UHUOMUN EyRpAoB6DuJGgBCmHN3CPGwhss0Yg/VjqNnZjp76QAdhNf7hwH9txLi1cahR2o8lsO u1VvWGjDYwBCWElTurb8wO98DBuuu+6P9u7wiO7cKUl0jNl+qOON+Ps2zhWAt
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Tue, 30 Oct 2018 18:52:57 +0100 id 00000000005DC077.000000005BD89A79.00001BF0
To: IETF DMARC WG <dmarc@ietf.org>
References: <3eea2f77-8aea-4f49-80f3-d96b639c378a@isode.com> <CABa8R6sdRzucAatJghXgQSa3Z0+RiVg=QhpPWo9pLOmxCCkX-A@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <8ae3804d-8fc1-1670-e451-1e2a5153f790@tana.it>
Date: Tue, 30 Oct 2018 18:52:57 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CABa8R6sdRzucAatJghXgQSa3Z0+RiVg=QhpPWo9pLOmxCCkX-A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xDBOY1v9GbE_sXBMj3bscSzPPIM>
Subject: Re: [dmarc-ietf] AD review of draft-ietf-dmarc-rfc7601bis-03.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2018 17:53:01 -0000

On Sat 27/Oct/2018 02:33:27 +0200 Brandon Long wrote:

> should authserv-id be a dot-atom instead?  That seems to be the main use I
> see, as a domain, and that would allow UTF-8.

That was also discussed at the time of rfc5451bis:
https://www.ietf.org/mail-archive/web/apps-discuss/current/msg09122.html

Best
Ale
-- 


From nobody Tue Oct 30 11:47:34 2018
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5B3130DCD for <dmarc@ietfa.amsl.com>; Tue, 30 Oct 2018 11:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=QfUe6J//; dkim=pass (2048-bit key) header.d=kitterman.com header.b=jFcvzD00
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOYH4AMvkFPj for <dmarc@ietfa.amsl.com>; Tue, 30 Oct 2018 11:47:32 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0FD9127333 for <dmarc@ietf.org>; Tue, 30 Oct 2018 11:47:32 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803e; t=1540925251;  h=date : in-reply-to : references : mime-version :  content-type : content-transfer-encoding : subject : to :  from : message-id : date : subject : from;  bh=1Jg+sN25HQxVDFOW2jlQKpP7JI9Qc/I3qAHDF6sGECQ=;  b=QfUe6J//4IPFNp3yCdKWw85JP4UxolhcLkl6SH9grEK2RdqXhqgkmNxq 2lTTzGr2wpY1l1PDiGo8qHGgzQHPCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803r; t=1540925251;  h=date : in-reply-to : references : mime-version :  content-type : content-transfer-encoding : subject : to :  from : message-id : date : subject : from;  bh=1Jg+sN25HQxVDFOW2jlQKpP7JI9Qc/I3qAHDF6sGECQ=;  b=jFcvzD00R/r50GrIzO2UdgTghasAKE8S5R3U9B8F7n/4Y1JREH8+12jm v9ETOpPzmGW/oMRB61lIY6W5x1/vu6Z0tFAq5v0ZFAt0cse9f8HbklskLj C5gRwa3xficBU4kXc+Q9P4xp5xBhabarlwH99J/Qx+C4oc6tc6yZ9yJvaZ znD5rXR2Ojmt3SbnoZD8fYv48w0Y3voVe+5JSeaIl3+niyJOTzK37mGk11 Y5uphmNzEhMuIeo5ipQ/EomRNr9ZQWv1rJM3dyZPVraEmwEvzjF+JAmCOd wNf6JdNq8BE0Qxz2hvVkI0c0C++Ud7A5OAEq72zmhIc5NaO5E67tyg==
Received: from [10.114.157.227] (mobile-166-170-29-135.mycingular.net [166.170.29.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 47B99C4027F; Tue, 30 Oct 2018 13:47:31 -0500 (CDT)
Date: Tue, 30 Oct 2018 18:47:23 +0000
In-Reply-To: <154046776431.16354.10167967721898242672.idtracker@ietfa.amsl.com>
References: <154046776431.16354.10167967721898242672.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
To: dmarc@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Uh2z6_WBeYG9YNSy3-63_WXQ7Xw>
Subject: Re: [dmarc-ietf] Milestones changed for dmarc WG
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2018 18:47:34 -0000

Is this milestone really done?  The protocol document references
draft-ietf-dmarc-arc-multi, which isn't done yet.  Doesn't it need to be
done too before this gets checked off (there is no separate milestone for
multi).

Scott K

On October 25, 2018 11:42:44 AM UTC, IETF Secretariat
<ietf-secretariat-reply@ietf.org> wrote:
>Changed milestone "Complete Authenticated Received Chain (ARC) protocol
>spec", resolved as "Done".


From nobody Wed Oct 31 10:28:16 2018
Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DFFF129C6A for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 10:28:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=F8fTm5iY; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ocgiRhRw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utstC30kIKpD for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 10:28:12 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70F93128CE4 for <dmarc@ietf.org>; Wed, 31 Oct 2018 10:28:12 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 9C0E7220B1; Wed, 31 Oct 2018 13:28:11 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Wed, 31 Oct 2018 13:28:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= message-id:from:to:mime-version:content-transfer-encoding :content-type:in-reply-to:date:references:subject; s=fm1; bh=era LxjBnXbDN7OV10qHePePd26zum4DRohopoAITTik=; b=F8fTm5iYeRy5/rhqRVS T2vuQ83+AlGmRVExJes1b8sNQAQClQbfQn4JcsQXCePXw4nITXm+j4jwRHyjJ1IB ejSgBRbSkXYyreGPkraaJa+NZJZfkKtkWfd1MRPEwcsg/4LDWtnbUHAGn0yKqvhB UE4Axk0exDuMIsGjotVukUSUJfpJn+5qPcbglQNqBv60MWc2U+avZ+GpttAWyb37 RKRXoSOJ2Bvu563wIbNtccXazKK5vHEzHxyx/oiDDPFFDmTVeYU/K1FLAZ8PuI+R LFaJBkkqu77wS0jEpiBqeZzO9m1LvjPf4RsUMkRrC6ND1J0AkMCEbR1cEl/G/mCB nmQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=eraLxjBnXbDN7OV10qHePePd26zum4DRohopoAITT ik=; b=ocgiRhRwrK4KCwj7Gwiu1Rr5Zt7vdqBbveKf5/nVypHojL+7EvJA+WjdS PLDOnB8JRfwaVirI1KNL8RAayp5h5Rfaw8e30Nu6MRMGhb2qlykmX639vc9Bi5Ob excreCRBf8WxXoVPLxwHjrM3oEG0TX0lzl4zASb+hI8orEXy82iYzvW2uBDC/mkv ERyn1vNhJIHTdlKSNR4y6IEcGgXGdfeaoD65/oDn12uHosSdPe+SmR4avbxwgQPY jb4f6jNv2CCq9cTErq7vnXxUJG+rhlAMgSRMJtasL05wdAHnzLX4/1chJj99aZhw Zm0UEib7bL2mYyIhXhbDY5nXfPghw==
X-ME-Sender: <xms:K-bZW2tmd-WG66EPLUJNJNqqxVUrkPuXuhqAx4bhOhnCleY0sJ7IOw>
X-ME-Proxy: <xmx:K-bZW9NkGllKjNVooXAe4_And_Qqat3rDqniPJigEpOHB40h1iIzWg> <xmx:K-bZWzpzHDG01dfXynRmypmLzB5V0GmllpxEleM6As6SgaypuzjuFw> <xmx:K-bZW055ksWi1596W6vHI90zM7fIkRtupCB94zLwe7lNBAWGb96dhA> <xmx:K-bZW7EBwmDHH8RTovIL0pn2eCx_QKjG2nJCfwNxn8iFuhcHgaoUOg> <xmx:K-bZW21GtqxyVyYtq5mYqVjAoIDu9cbtZ6XVT_LLYFwmW66oAirphw> <xmx:K-bZW10fluZ3VYJ_DAImf0F9tuOUN02dJOM2NAcQ5zrclrRzi6e1Bw>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 496979E12E; Wed, 31 Oct 2018 13:28:11 -0400 (EDT)
Message-Id: <1541006891.2139436.1561232200.58DBE76E@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Scott Kitterman <sklist@kitterman.com>, dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-63008d4f
In-Reply-To: <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com>
Date: Wed, 31 Oct 2018 17:28:11 +0000
References: <154046776431.16354.10167967721898242672.idtracker@ietfa.amsl.com> <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/s8FR3plquBzk4jq-fpvDfMy5wWU>
Subject: Re: [dmarc-ietf] Milestones changed for dmarc WG
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 17:28:14 -0000

Hi Scott,

On Tue, Oct 30, 2018, at 6:47 PM, Scott Kitterman wrote:
> Is this milestone really done?  The protocol document references draft-
> ietf-dmarc-arc-multi, which isn't done yet.  Doesn't it need to be done 
> too before this gets checked off (there is no separate milestone for 
> multi).

This might have been me too eager to mark it as done. But I prefer a separate milestone for arc-multi anyway.

Best Regards,
Alexey

> Scott K
> 
> On October 25, 2018 11:42:44 AM UTC, IETF Secretariat <ietf-secretariat-
> reply@ietf.org> wrote:
> >Changed milestone "Complete Authenticated Received Chain (ARC) protocol
> >spec", resolved as "Done".
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc


From nobody Wed Oct 31 10:49:39 2018
Return-Path: <ldunbar@huawei.com>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 71CCA130DC2; Wed, 31 Oct 2018 10:49:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Linda Dunbar <ldunbar@huawei.com>
To: <ops-dir@ietf.org>
Cc: dmarc@ietf.org, draft-ietf-dmarc-rfc7601bis.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154100817740.5314.5936662570396773189@ietfa.amsl.com>
Date: Wed, 31 Oct 2018 10:49:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ShXNP5EeYjmoa5jUE4bNiprpy1s>
Subject: [dmarc-ietf] Opsdir last call review of draft-ietf-dmarc-rfc7601bis-03
X-List-Received-Date: Wed, 31 Oct 2018 17:49:38 -0000

Reviewer: Linda Dunbar
Review result: Ready

I have been assigned to review draft-ietf-dmarc-rfc7601bis-03 on behalf of the
ops directorate.  This document specifies a message header field called
Authentication-Results for use with electronic mail messages to indicate the
results of message authentication efforts.

The document is written very clearly. The only question I have is whether the
mechanisms described in the document are actually used by popular mail servers,
such as Microsoft Outlook?

Thank you,

Linda Dunbar


From nobody Wed Oct 31 10:56:42 2018
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D91B130DC2; Wed, 31 Oct 2018 10:56:33 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: dmarc@ietf.org, draft-ietf-dmarc-rfc7601bis.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154100859354.5360.795312478907721541@ietfa.amsl.com>
Date: Wed, 31 Oct 2018 10:56:33 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/bIUMmUr9J47IpG8KJkfmvvrrVQQ>
Subject: [dmarc-ietf] Secdir last call review of draft-ietf-dmarc-rfc7601bis-03
X-List-Received-Date: Wed, 31 Oct 2018 17:56:34 -0000

Reviewer: Rifaat Shekh-Yusef
Review result: Has Issues

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


Section 7.1.  Forged Header Fields

In addition to a recommended solution, this section lists potential 
alternative solutions, and the document then states that it is not appropriate 
for this document to specify which mechanism should be used.

Since an implementer is not expected to do anything with this information, it 
might be more appropriate for this to be moved to an appendix at the end of 
the document.



Section 7.2.  Misleading Results, First paragraph, last sentence

   "In particular, this issue is not resolved by forged header field removal 
   discussed above."

which seems to be in conflict with the following statement from section 5:

   "For simplicity and maximum security, a border MTA could remove all
   instances of this header field on mail crossing into its trust
   boundary."
   

   
Section 7.2.  Misleading Results, Second paragraph

   "Hence, MUAs and downstream filters must take some care with use of
   this header even after possibly malicious headers are scrubbed."

How do you expect an MUA or downstream filter to act on "take some care"?
Can you elaborate on that?



7.3.  Header Field Position

This section explains that header fields are *not* guaranteed to be in a 
specific order. The section then states that "there will be *some* 
indication..."

Since the order is not guaranteed, what do you expect an implementer to take 
away from this?



7.8.  Intentionally Malformed Header Fields

This is a general issue with any header. Is there anything specific to this 
header that an implementer should pay attention to?

Regards,
 Rifaat
 



From nobody Wed Oct 31 11:04:55 2018
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE1E1129C6A for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 11:04:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level: 
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=7a/IEJoM; dkim=pass (1536-bit key) header.d=taugh.com header.b=exEX/w16
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbWSDAgpbRwF for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 11:04:52 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 849301271FF for <dmarc@ietf.org>; Wed, 31 Oct 2018 11:04:52 -0700 (PDT)
Received: (qmail 68602 invoked from network); 31 Oct 2018 18:04:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=10bf5.5bd9eec3.k1810; bh=mxjUpYF0HhU52gFoKt+csrckB4kcsOPaXDHt/mxugyE=; b=7a/IEJoMBWmfYIVObcWzTBKoGnezJr0gyJTsWoLKytRa9Owm4OzjIspLQDkqo9QDbukGovvU4r1PLzSUw/ApQm1g7h8wFtnw3C5Lzrm7Vea8SVZ37sfZKfcagt7LN9qESCs5sUtNt32dR1FpxeUTTaL5/ksWIv/F2RKaCCfo8SWonuCmb/5hwMxi2F+T3wCG40fPhrVFTq5pXyUl/toGI+pu7rSI/l1Ss9eHuStBK/dRk9CpBUNh8WryMTCwvfsS
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=10bf5.5bd9eec3.k1810; bh=mxjUpYF0HhU52gFoKt+csrckB4kcsOPaXDHt/mxugyE=; b=exEX/w160yoJs8chxdJR7eCpitZj1AWRJYFd6dEzWUU1PQLiZh4IW3IEoKXLQpGAqQhl1yKRaII3Hepvdi5bMbAakpBqSeyWPfWB2d2uVQTiITY5yAFZgMgIRkQEWkr4xaQ1xcvqbCdmkd2YgpaMjvp4ZJptKoMV3xRU1TMNbEPAgj6ktbPmNfVC6lB2yJIlXDhIE8Y0Omdd6hc8u3m86bPPtT9SbipXGamOTLIdRhUIk2d0SckjtzbdNYeAmKjZ
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 31 Oct 2018 18:04:50 -0000
Received: by ary.qy (Postfix, from userid 501) id 7BCB32007D4B6C; Wed, 31 Oct 2018 14:04:50 -0400 (EDT)
Date: 31 Oct 2018 14:04:50 -0400
Message-Id: <20181031180450.7BCB32007D4B6C@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: sklist@kitterman.com
In-Reply-To: <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/o_pY1L4amBUXN8p0Z5skrArb4MA>
Subject: Re: [dmarc-ietf] Milestones changed for dmarc WG
X-List-Received-Date: Wed, 31 Oct 2018 18:04:54 -0000

In article <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com> you write:
>Is this milestone really done?  The protocol document references draft-ietf-dmarc-arc-multi, which
>isn't done yet.  Doesn't it need to be done too before this gets checked off (there is no separate
>milestone for multi).

I gather there are practical issues: we don't see any way to do
algorithm rotation in a way that is backward compatible with existing
implementations, and we'd like to publish something that matches the
running code.

R's,
John


From nobody Wed Oct 31 22:27:05 2018
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16ABA123FFD for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 22:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=tV0Z5Oa9; dkim=pass (2048-bit key) header.d=kitterman.com header.b=einG4a04
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2iXWEgcH7ux4 for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 22:27:01 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B36B130E18 for <dmarc@ietf.org>; Wed, 31 Oct 2018 22:27:00 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803e; t=1541050018;  h=from : to : subject : date : message-id : in-reply-to :  references : mime-version : content-transfer-encoding :  content-type : from : subject : date;  bh=RjIFfbskHs7artUrbEtVZWC5Pl36gN0nU4Mg/lTK4k8=;  b=tV0Z5Oa9tf6qCuXmg/JomxB8gmvFbnSq+RBnKIVbKBMM1ftClT/CxQtq JIs4ho51z8NB/+dmCkyPhlRyAWWYAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803r; t=1541050018;  h=from : to : subject : date : message-id : in-reply-to :  references : mime-version : content-transfer-encoding :  content-type : from : subject : date;  bh=RjIFfbskHs7artUrbEtVZWC5Pl36gN0nU4Mg/lTK4k8=;  b=einG4a049dikjew3M+KM79P5CG5ibNE51/jPA6XQIl9LFo4NEBxn93RS MeZE2byNrBsrGAk/wILFgAOPK19f42R0zl73YwTo9LMSYXRMpyN0V6tUUW UHXU0iZSqpGGMjhOt6JK4d0VMuz3ubsJBFW+LI+Pga4tlF5JHxnRyAk20R DIsfRytmA5ux4/iJLnfNifU90pUPD3cc7QY6tgWo8/4P2GNx0fSUBeWxrQ XR6AN1wbuNpFCLUrotgUCBDBAbraAfVwZyy9LnxFeORQjyUgtb0NBu6kHP v+xe1L/Wky/WE+dbGo3KtXOUQs6ct2rZguIoDFxRWZ0CEd5UBbtSHQ==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 9DBEEC4016F for <dmarc@ietf.org>; Thu,  1 Nov 2018 00:26:58 -0500 (CDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 01 Nov 2018 01:26:57 -0400
Message-ID: <1640642.kk4O4a0i58@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-158-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <20181031180450.7BCB32007D4B6C@ary.qy>
References: <20181031180450.7BCB32007D4B6C@ary.qy>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/J4vdryV4H40xXDRB6D0OtpcXPGM>
Subject: Re: [dmarc-ietf] Milestones changed for dmarc WG
X-List-Received-Date: Thu, 01 Nov 2018 05:27:03 -0000

On Wednesday, October 31, 2018 02:04:50 PM John Levine wrote:
> In article <82509274-BC89-495B-BD94-6D1F7846D8CA@kitterman.com> you write:
> >Is this milestone really done?  The protocol document references
> >draft-ietf-dmarc-arc-multi, which isn't done yet.  Doesn't it need to be
> >done too before this gets checked off (there is no separate milestone for
> >multi).
> 
> I gather there are practical issues: we don't see any way to do
> algorithm rotation in a way that is backward compatible with existing
> implementations, and we'd like to publish something that matches the
> running code.

I think -18 of the protocol document does that reasonably well.  

I reviewed dkimpy with a view towards updating it from roughly -08 to -18 and 
it didn't need a lot of changes.  I did skip oldest-pass and related stuff 
since, per my last call comment, it seems superfluous as well as not extending 
the API to include passing in the connect IP address to include that, but 
there's no interoperability issue there.  Dkimpy 0.9.0 should interoperate 
with other -18 implementations.

Whether we leave this marked done and add a new one for multi or re-open this 
one, I don't care.  We ought to have some kind of milestone open against the 
residual work though.

Scott K


From nobody Wed Oct 31 23:06:22 2018
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94930130DCD for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 23:06:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=mfdr4bbq; dkim=pass (2048-bit key) header.d=kitterman.com header.b=UGr8xlgz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lU3Q6lQry0ZM for <dmarc@ietfa.amsl.com>; Wed, 31 Oct 2018 23:06:18 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95613130DFD for <dmarc@ietf.org>; Wed, 31 Oct 2018 23:06:18 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803e; t=1541052375;  h=from : to : subject : date : message-id : mime-version  : content-transfer-encoding : content-type : from :  subject : date;  bh=i2Kjgm/SpBQGES4Um5hdtkOXrhk+57psRD9F5OfqiDU=;  b=mfdr4bbquxGpGoMHxBEUrEvC8v2V6be2v+SqnDz6HTwVOoyfuzhZS5kq FNh3JiFZFDDKMGSPxqYNhLJJfrd9DQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com;  i=@kitterman.com; q=dns/txt; s=201803r; t=1541052375;  h=from : to : subject : date : message-id : mime-version  : content-transfer-encoding : content-type : from :  subject : date;  bh=i2Kjgm/SpBQGES4Um5hdtkOXrhk+57psRD9F5OfqiDU=;  b=UGr8xlgzIi22LAaxZJNSChpSBITC5Fp7m6S3vqbxM5kPsV8VDHXfZsyM wuGMsF/Yizeu5iohrUp4qn/Qu/j8wX1KzRwdAlRTnEqUtDvc7P/IvDzMxT co7I9K9e3hhOFnupV+vX7ey5EsBpVSJ1gnacx6KDETutCawj0xw2h+eRx7 1MNr7NekqS7exu2E4TYg9uURhnVgloFEKRVDI9RlTvkWrOsACLkelgbBmA t9gqQ3j5+ZxVA8l+dZXCSlOWhgvYQATGT43V227hWNPyFwf9OHvWBsHEdq 6Gewz5MpoRrsBVOhBUpr21F5yK5NEOC+La83VDeZ0n3q64/CM8qLqw==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 08F50C40230 for <dmarc@ietf.org>; Thu,  1 Nov 2018 01:06:15 -0500 (CDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 01 Nov 2018 02:06:08 -0400
Message-ID: <9957335.dUWMaE32Bo@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-158-generic; KDE/4.13.3; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Tvyn1edtHuXFQJcmzjo_NbHYLWo>
Subject: [dmarc-ietf] ARC Multi Proposal
X-List-Received-Date: Thu, 01 Nov 2018 06:06:21 -0000

Originally, in draft-ietf-dmarc-arc-protocol-00, ARC could use any signing 
algorithm supported by DKIM (which at the time were rsa-sha1 and rsa-sha256).

This was later reduced to rsa-sha256.

In the meantime, DKIM dropped rsa-sha1 (RFC 8301) and ed25519-sha256 was 
added (RFC 8463).  In DKIM, the status of the algorithm requirements is:

    Signers MUST implement and SHOULD sign using rsa-sha256. Verifiers
    MUST implement rsa-sha256. (RFC 6376 as updated by RFC 8301)

    Signers SHOULD implement and verifiers MUST implement the
    Ed25519-SHA256 algorithm. (RFC 8463)

DKIM also says:

3.3.4.  Other Algorithms

   Other algorithms MAY be defined in the future.  Verifiers MUST ignore
   any signatures using algorithms that they do not implement.

DKIM RFCs don't give any more advice than that.  It's left to operators to 
decide which algorithm to use (in the world where all RFCs are instantly 
implemented and deployed, it would be appropriate to sign only ed25519-sha256, 
but in reality we all know not to do that).

My personal experience with ed25519-sha256 signing indicates that DKIM 
implementers reliably considered the implications of 3.3.4 and it's safe to 
assume adding a new signature algorithm is unlikely to have backward 
compatibility implications.

ARC places some potential constraints on multi-algorithm support:

4.2.  ARC Set

   An "ARC Set" is a single collection of three ARC header fields (AAR,
   AMS, and AS).  ARC header fields of an ARC Set share the same
   "instance" value.

This requirement is the core of the problem that ARC multi needs to address.

I think we can define our way out of this relatively easily:

State that ARC uses all the algorithms used by DKIM (RFC 6376 as updated) - 
Section 3.3.

Add an expansion of the definition of an ARC set:

    If there are two AMS and AS signatures with the same instance (ARC i=)
    values that have different a= (algorithm), s= (selector), and b= (header
    hash) values, but are otherwise the same, then that is a single ARC set.

I believe that's it.  

It's backward compatible with existing implementations since all existing ARC 
implementations should be ignoring rsa-sha1 and ed25519-sha256 for ARC 
purposes.

When ARC implementations are updated to support ARC multi, they can use the 
expanded definition for identifying an ARC set with no changes needed to the 
underlying ARC processing.

It supports algorithm transition the same way DKIM does, no special rules 
needed.  It's up to the receiver (as always) to decide what input they trust 
and can use.

It avoids all the timing/flag day complexity that's in the current draft (and 
we know can never work).

Does it have to be any harder than that?

Scott K
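
The expanded ARC set definition proposed in the message above, sketched as an added example (not part of the original post and not dkimpy code): same-instance AMS and AS fields are grouped into one set when they differ only in a=, s= and b=, and a verifier then ignores algorithms it does not implement. The function names, the example.org headers and the placeholder b=/bh= values are constructed for illustration; requiring a distinct a= per variant is an assumption drawn from the proposal's wording.

```python
from collections import defaultdict

VARIANT_TAGS = {"a", "s", "b"}  # tags the proposal lets differ inside one ARC set
KINDS = {"arc-authentication-results": "aar",
         "arc-message-signature": "ams", "arc-seal": "as"}

def parse_tags(value):
    """Parse a DKIM-style tag-list ("k=v; k=v") into a dict, dropping whitespace in values."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags

def _fixed(tags):
    """The tags that must be identical across same-instance signatures."""
    return {k: v for k, v in tags.items() if k not in VARIANT_TAGS}

def group_arc_sets(headers):
    """Group (name, value) pairs into {instance: {"aar": tags, "ams": {alg: tags}, "as": {alg: tags}}}.

    Raises ValueError when same-instance signatures differ outside a=, s=, b=.
    """
    sets = defaultdict(lambda: {"aar": None, "ams": {}, "as": {}})
    for name, value in headers:
        kind = KINDS.get(name.lower())
        if kind is None:
            continue  # not an ARC header field
        tags = parse_tags(value)
        arc_set = sets[int(tags["i"])]
        if kind == "aar":
            if arc_set["aar"] is not None:
                raise ValueError("duplicate AAR for one instance")
            arc_set["aar"] = tags
            continue
        variants = arc_set[kind]
        if tags["a"] in variants:  # assumption: one signature per algorithm
            raise ValueError("two signatures with the same a= in one instance")
        if any(_fixed(tags) != _fixed(other) for other in variants.values()):
            raise ValueError("same-instance signatures differ outside a=, s=, b=")
        variants[tags["a"]] = tags
    return dict(sets)

def select_signatures(arc_set, implemented):
    """Per RFC 6376 section 3.3.4, ignore signatures whose algorithm is not implemented."""
    return {kind: sorted(a for a in arc_set[kind] if a in implemented)
            for kind in ("ams", "as")}

# Constructed sample: one hop signing with both algorithms; b=/bh= are placeholders.
_AMS = "i=1; a={a}; c=relaxed/relaxed; d=example.org; s={s}; t=1541052375; h=from:to:subject; bh=PLACEHOLDERBH; b={b}"
_AS = "i=1; a={a}; cv=none; d=example.org; s={s}; t=1541052375; b={b}"
SAMPLE = [
    ("ARC-Seal", _AS.format(a="rsa-sha256", s="rsa1", b="PLACEHOLDER1")),
    ("ARC-Seal", _AS.format(a="ed25519-sha256", s="ed1", b="PLACEHOLDER2")),
    ("ARC-Message-Signature", _AMS.format(a="rsa-sha256", s="rsa1", b="PLACEHOLDER3")),
    ("ARC-Message-Signature", _AMS.format(a="ed25519-sha256", s="ed1", b="PLACEHOLDER4")),
    ("ARC-Authentication-Results", "i=1; example.org; dkim=pass header.d=example.com"),
]

if __name__ == "__main__":
    for i, arc_set in sorted(group_arc_sets(SAMPLE).items()):
        print(i, "rsa-only verifier:", select_signatures(arc_set, {"rsa-sha256"}))
        print(i, "updated verifier:", select_signatures(arc_set, {"rsa-sha256", "ed25519-sha256"}))
```

An rsa-only verifier ends up with exactly one AMS and one AS per instance, which is the set shape existing implementations already process.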

