Are you aware of any evaluators who selectively escalate signatures? I'm not, and I expect they do so to gather as much domain-based data as possible. I'm not saying they don't exist, but I would imagine there aren't many, and the numbers will dwindle.

Are you suggesting the spec should limit the number of signatures evaluated, or reported? If it's evaluated, I think that's the core document. If it's reported, the "hard work" of evaluation has already been completed. Ignoring any privacy implications, I would think the domain owner may want to know who else is signing messages that are using their domain.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

________________________________
From: dmarc <dmarc-boun...@ietf.org> on behalf of Douglas Foster <dougfoster.emailstanda...@gmail.com>
Sent: Saturday, November 5, 2022 9:08:45 AM
To: IETF DMARC WG <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Aggregate report signature requirements

(Changed the subject to return to the primary topic.)

Certainly, non-aligned signatures may be important to some evaluators, but that falls into the category of local policy, which I am not obligated to disclose. An evaluator may choose to reject a message even though it produces DMARC PASS, or he may choose to accept a message even though it fails to produce DMARC PASS. DMARC allows a domain owner to influence this decision by ensuring his messages produce SPF PASS and DMARC PASS at the first hop. SPF data (server identity, MailFrom identity, and SPF results) indicate whether the message was received directly or not, and aligned DKIM scope IDs indicate where a message apparently originated.

I am not obligated to give the domain owner information that will help him reverse engineer my filtering logic. I send him a DMARC report to help him produce DMARC PASS, and that is what he should do to influence my disposition in his favor.

If a message loses authentication in transit, this becomes a secondary trust and authentication issue between the evaluator and the submitting server. The domain owner cannot know if the authentication loss happened for innocent or malicious reasons, cannot know if the original message was desired by the recipient, and consequently is not a party to the problem. He may want to use signatures to reverse-engineer the message flow path, but the effort is not likely to be productive and, more importantly, is not a DMARC goal.

Most importantly, this is about respect for evaluators. You would be offended if I announced, "Security is really important to me, so I expect you to take a weekend job driving for Uber so that you can pay the monthly fee for my security service." You would be even more offended if I said that my neighborhood did not have a crime problem but I wanted you to fund my security service anyway. In the same way, it is wrong to ask evaluators to do unnecessary work on every message, simply because there is a long-shot possibility that the extra work might be useful to some domain owner, in some undefinable way, on some random occasion. This is waste, and it is as rude to the evaluator as it would be for me to ask you to fund my security service.

Doug

On Fri, Nov 4, 2022 at 9:47 PM Murray S. Kucherawy <superu...@gmail.com> wrote:

> On Fri, Nov 4, 2022 at 4:18 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
>
> > Maybe the problem is that John has trademarked "weak" to mean "L=0", so I will use "poorly constructed". DKIM "works" because malicious actors have found easier ways to attack than using an intermediary MTA to alter a message without breaking the signature. This may not always be the case, and signature construction practices lack consistency, making many of them vulnerable if mischief occurs. Nonetheless, well-constructed signatures are a guidance issue, so I have no problem with putting it in a guidance document, as long as one is actually written.
>
> I'm actually trying to remember what "weak" was supposed to mean. It could refer to a number of different things, anything from not following DKIM's signing recommendations to unacceptably small keys to "l=0". We probably should be specific, or stop using it.
>
> > But right now, we are not moving toward the goal because the players have left the field. The questions before the group are:
> >
> > - Do non-aligned signatures provide any benefit to domain owners?
>
> I suggest that the answer is "maybe". DKIM only really tells you something when the signature passes; at that point you can conclude that the message definitely either came from or passed through whatever domain generated the signature. A failing signature tells you nothing, given the myriad ways a perfectly valid signature on a properly handled message can still be invalidated. A receiver can thus make decisions based on the (possibly empty) set of domains for which passing signatures were present on a message.
>
> Imagine for a moment the existence of a globally accepted spam filtering service; a passing signature from that operator might compel a receiver to increase its regard for such a message. Or maybe I host my domain at some highly reputable mailbox provider, or engage a commercial bulk emailing service. A receiver might see a valid signature from my domain on there as well as one from the service, and develop filtering decisions based on that combination. One of those domains is not aligned, yet possibly valuable.
>
> > - If those benefits exist, do they add sufficient value to justify the burden on thousands of evaluators to perform extra work on many millions of incoming messages?
>
> Again, "maybe". Operators are free to make their own filtering choices. I built an open source reputation system based on DKIM some years ago, and it was somewhat effective. This pre-dated DMARC; all it cared about was the perceived reputation of whoever signed the message (for valid signatures), and then it made filtering decisions based on the data it had collected to that point.
>
> That suggests to me that the concept we're discussing here isn't something DMARC should be trying to tackle. At most, I suggest saying DMARC verifiers should be aware that whatever their DKIM verifiers pass them (via A-R or other means) is what they get; if the DKIM verifier is not sufficiently specific in what it considers satisfactory, pick a different verifier.
>
> I would also recommend reviewing Section 5.4 (and in particular 5.4.1) of the DKIM RFC, as it talks about which header fields are important to cover in the signature. Any signature that doesn't cover that starts to become "weak" in that it's possible to alter some of the content or intent of the message without invalidating the signature. It also talks about which things one ought not include for fear of spurious invalidation.
>
> > Some members believe that unaligned signature information might be useful to somebody sometime. Unfortunately, no one has been able or willing to document a scenario where any such benefit has been obtained by any domain owner at any time. The silence is awkward. Perhaps these nonaligned signatures are an unnecessary burden on both evaluators and domain owners. Can someone defend the status quo? If not, can we have consensus to change it?
>
> How'd I do? :-)
>
> -MSK, participating

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
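The thread turns on three distinctions a receiver can draw from the DKIM-Signature headers on a message: which passing signatures are DMARC-aligned with the RFC5322.From domain and which are not, that a failing signature tells you nothing, and whether a signature is "poorly constructed" by the RFC 6376 Section 5.4/5.4.1 header-coverage recommendations or by an l= tag. The script below is an added example written for this page, not code from any participant or from an IETF project. It assumes: verification verdicts are supplied as input keyed by (d=, s=) rather than computed (real verification needs DNS); a toy organizational-domain rule (last two labels) instead of the Public Suffix List; a constructed sample message with two signatures; and an editorial subset of the header fields Section 5.4.1 lists.

```python
"""Triage DKIM signatures on a message: DMARC alignment of d= with the
RFC5322.From domain, plus RFC 6376 Section 5.4/5.4.1 coverage checks.
Verification verdicts are a constructed input keyed by (d=, s=)."""
import email
from email import policy
from email.utils import parseaddr

# Editorial subset of the fields RFC 6376 Section 5.4.1 says SHOULD be signed
# when present, and the fields it says SHOULD NOT be signed. From itself is
# mandatory under Section 5.4.
SHOULD_SIGN = {"from", "reply-to", "subject", "date", "to", "cc",
               "in-reply-to", "references", "list-id", "list-unsubscribe"}
SHOULD_NOT_SIGN = {"return-path", "received", "comments", "keywords"}


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 Section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def organizational_domain(domain):
    """Toy rule (assumption): last two labels. Real DMARC uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(signing_domain, from_domain, strict=False):
    """DMARC identifier alignment: strict is an exact match, relaxed compares
    organizational domains."""
    if strict:
        return signing_domain.lower() == from_domain.lower()
    return organizational_domain(signing_domain) == organizational_domain(from_domain)


def signature_weaknesses(tags, present_headers):
    """Construction issues the thread calls 'weak' or 'poorly constructed'."""
    issues = []
    signed = {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}
    if "from" not in signed:
        issues.append("From not signed (required by RFC 6376 Section 5.4)")
    for h in sorted((SHOULD_SIGN & present_headers) - signed):
        issues.append(f"{h} present but unsigned")
    for h in sorted(SHOULD_NOT_SIGN & signed):
        issues.append(f"{h} signed (RFC 6376 Section 5.4.1 says SHOULD NOT)")
    if "l" in tags:
        issues.append(f"l={tags['l']}: body beyond that length is unsigned (l=0 signs no body)")
    if tags.get("a", "").endswith("sha1"):
        issues.append("rsa-sha1 (deprecated by RFC 8301)")
    return issues


def triage(raw_message, verdicts, strict=False):
    """Bucket signatures by verdict and alignment; verdicts maps (d, s) -> bool."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1]
    present = {k.lower() for k in msg.keys()}
    result = {"aligned_pass": [], "unaligned_pass": [], "failed": [], "weak": {}}
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        d = tags.get("d", "")
        if not verdicts.get((d, tags.get("s", "")), False):
            result["failed"].append(d)  # a failing signature tells you nothing
            continue
        bucket = "aligned_pass" if is_aligned(d, from_domain, strict) else "unaligned_pass"
        result[bucket].append(d)
        issues = signature_weaknesses(tags, present)
        if issues:
            result["weak"][d] = issues
    return result


# Constructed sample: an aligned signature from the author domain and an
# unaligned one from a bulk-mailing service that signs too little and uses l=0.
SAMPLE = """\
Return-Path: <bounce@mail.esp.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date; bh=abc=; b=def=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.esp.example; s=esp;
 h=from:to:return-path; l=0; bh=abc=; b=ghi=
From: Alice <alice@example.com>
To: bob@example.net
Subject: Hello
Date: Sat, 5 Nov 2022 09:08:45 -0400

body
"""
VERDICTS = {("example.com", "sel1"): True, ("mail.esp.example", "esp"): True}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE, VERDICTS), indent=2))
```

Run it and the aligned example.com signature lands in aligned_pass with no weaknesses, while the mail.esp.example signature is unaligned and flagged for leaving Subject and Date unsigned, signing Return-Path, and carrying l=0; passing an empty verdict map moves both into failed, where nothing further is inferred. The pass-only rule and the alignment split are the bits DMARC specifies; the weakness list is local policy of the kind the thread argues DMARC should stay out of.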