I'm pulling the arc-discuss list back off the distribution for this
message (and it's probably a good idea to alert people when you add a
new mailing list to an ongoing discussion).

Kurt's original message asked whether the DMARC working group...

1. ...wants to work on the ARC spec, using
https://datatracker.ietf.org/doc/draft-andersen-arc/ as a starting
point, and

2. ...also wants to work on ARC usage recommendations, using
https://datatracker.ietf.org/doc/draft-jones-arc-usage/ as a starting
point.

It certainly seems that the working group is interested in discussing
ARC, as I can judge from the discussion in the short time since Kurt's
proposal.  So let's go back and get a proper answer:

Does anyone object to having the DMARC working group take on this work?
Does anyone object to using the two documents above as starting points
for that work?
Does anyone have an alternative proposal?

Please respond to this list, <[email protected]>, by 20 May.

Barry, for the DMARC chairs


On Wed, May 11, 2016 at 11:29 AM, Kurt Andersen (b) <[email protected]> wrote:
> On Wed, May 11, 2016 at 7:00 AM, Murray S. Kucherawy <[email protected]> wrote:
>>
>> On Wed, May 11, 2016 at 4:55 AM, Alessandro Vesely <[email protected]> wrote:
>>>
>>> It would be silly to deny that ARC is about indirect mail flows.  The
>>> reason it is perceived to be in the wrong camp is that DMARC focuses on
>>> originators of email, while ARC requires no changes for them.  A possible
>>> tweak is to introduce an ARC-0, zero for originator, an optional ARC set
>>> with i=0:
>>
>>
>> Perhaps I'm misunderstanding, but doesn't an i=0 ARC set represent a
>> verification by the originator of its own mail?
>
>
> The concept of an AS[0] set of headers was debated and deemed, as suggested
> by Murray, to just be a repetition of the DKIM signature assertion. As such,
> it doesn't really add any utility. There have been suggestions on the
> arc-discuss list that, perhaps, AS[0] could be used as an assertion "on
> behalf of" some other domain that the message submitter was known to the
> sending ADMD (as mentioned below under "authenticated identity"). The
> biggest problem with that is whether anyone should trust such purported
> authentication claims. I doubt that anyone with minimal exposure to security
> issues would find that appealing.
>
>>>
>>> ARC-0 is substantially equivalent to a weak signature.  The ARC-Seal
>>> field proves that the originator was involved.  ARC-Message-Signature is
>>> expected to be broken by forwarders.  ARC-Authentication-Results may
>>> contain just an auth stanza, with a possibly redacted authenticated
>>> identity.
>>
>>
>> Doesn't the i=1 ARC set also prove the originator was involved?
>
>
> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
> from the originator.
>
> --Kurt
>
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
