I only know about one configuration, my own.   I was responding to Murray, who
suggested escalation might be performed in some context.   Maybe so, but it
does not matter.   Evaluators are free to evaluate as many signatures as
they wish, and to use them as they wish.   Non-aligned signatures are
completely irrelevant to DMARC's purposes, so evaluation of them should be
optional and reporting about them should be deprecated.

Even after evaluation, the effort to summarize, transmit, and process these
reports will have costs that are proportional to the design complexity.
Designing for 100 or more simultaneous signatures creates more complexity
than designing for 10, and designing for 10 creates more complexity than
designing for 1.   We should not impose costs on all participants when we
can only speculate about whether benefits actually accrue.

I have proposed language for both the core document and the reporting
document which reflects this philosophy.   The core changes were in issue
2.   The reporting changes were in a previous email.   I guess I need to
put the latter into an issue so that the text is not lost.

Doug
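As an added illustration (not part of this thread or of any DMARC implementation), the distinction Doug draws above: a Python check that evaluates DKIM identifier alignment per RFC 7489 and separates a message's signatures into the aligned set DMARC actually consults and the non-aligned set whose reporting is under discussion. It assumes a tiny constructed suffix set in place of the real Public Suffix List and constructed sample signatures.

```python
# Added example, not from the thread: DKIM identifier alignment for DMARC,
# partitioning a message's signatures into aligned and non-aligned sets.
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List; real evaluators use the PSL.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


@dataclass(frozen=True)
class DkimSig:
    domain: str      # d= tag of the signature
    selector: str    # s= tag of the signature
    result: str      # DKIM verifier result: "pass", "fail", "temperror", ...


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    # Scanning from the left finds the longest listed suffix first; keep one
    # label to its left as the organizational domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def is_aligned(from_domain: str, sig_domain: str, mode: str) -> bool:
    """DKIM alignment per RFC 7489 section 3.1.1: adkim=s (strict) or r (relaxed)."""
    if mode == "s":
        return from_domain.lower() == sig_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(sig_domain)


def evaluate(from_domain, sigs, mode="r"):
    """Return (dmarc_dkim_pass, aligned_sigs, non_aligned_sigs)."""
    aligned = [s for s in sigs if is_aligned(from_domain, s.domain, mode)]
    non_aligned = [s for s in sigs if s not in aligned]
    # DMARC's DKIM check needs at least one aligned signature that verified;
    # non-aligned signatures never contribute to the DMARC result.
    dkim_pass = any(s.result == "pass" for s in aligned)
    return dkim_pass, aligned, non_aligned


if __name__ == "__main__":
    # Constructed sample: the sender's own signature plus a relay's signature.
    sigs = [DkimSig("mail.example.com", "s1", "pass"),
            DkimSig("relay.example.net", "k1", "pass")]
    ok, al, nal = evaluate("example.com", sigs)
    print(ok, [s.domain for s in al], [s.domain for s in nal])
```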




On Sat, Nov 5, 2022 at 10:52 AM Brotman, Alex <[email protected]>
wrote:

>
>
> Are you aware of any evaluators who selectively escalate signatures?   I'm
> not, and I expect they do so to gather as much domain-based data as
> possible.  I'm not saying they don't exist, but I would imagine there
> aren't many, and the numbers will dwindle.
>
> Are you suggesting the spec should limit the number of signatures
> evaluated, or reported? If it's evaluated, I think that's the core
> document.  If it's reported, the "hard work" of evaluation has already been
> completed.  Ignoring any privacy implications, I would think the domain
> owner may want to know who else is signing messages that are using their
> domain.
>
> --
> Alex Brotman
> Sr. Engineer,  Anti-Abuse & Messaging Policy
> Comcast
> ------------------------------
> *From:* dmarc <[email protected]> on behalf of Douglas Foster <
> [email protected]>
> *Sent:* Saturday, November 5, 2022 9:08:45 AM
> *To:* IETF DMARC WG <[email protected]>
> *Subject:* Re: [dmarc-ietf] Aggregate report signature requirements
>
> (Changed the subject to return to the primary topic.)
>
> Certainly, non-aligned signatures may be important to some evaluators, but
> that falls into the category of local policy, which I am not obligated to
> disclose.  An evaluator may choose to reject a message even though it
> produces DMARC PASS, or he may choose to accept a message even though it
> fails to produce DMARC PASS.  DMARC allows a domain owner to influence this
> decision by ensuring his messages produce SPF PASS and DMARC PASS at the
> first hop.   SPF data (server identity, MailFrom identity, and SPF results)
> indicate whether the message was received directly or not, and aligned DKIM
> scope IDs indicate where a message apparently originated.   I am not
> obligated to give the domain owner information that will help him reverse
> engineer my filtering logic.    I send him a DMARC report to help him
> produce DMARC PASS, and that is what he should do to influence my
> disposition in his favor.
>
> If a message loses authentication in transit, this becomes a secondary
> trust and authentication issue between the evaluator and the submitting
> server.   The domain owner cannot know if the authentication loss
> happened for innocent or malicious reasons, cannot know if the original
> message was desired by the recipient, and consequently is not a party to
> the problem.   He may want to use signatures to reverse-engineer the
> message flow path, but the effort is not likely to be productive and more
> importantly is not a DMARC goal.
>
> Most importantly, this is about respect for evaluators.    You would be
> offended if I announced, "Security is really important to me, so I expect
> you to take a weekend job driving for Uber so that you can pay the monthly
> fee for my security service."   You would be even more offended if I said
> that my neighborhood did not have a crime problem but I wanted you to fund
> my security service anyway.    In the same way, it is wrong to ask
> evaluators to do unnecessary work on every message, simply because there is
> a long shot possibility that the extra work might be useful to some domain
> owner, in some undefinable way, on some random occasion.   This is waste,
> and it is as rude to the evaluator as it would be for me to ask you to fund
> my security service.
>
> Doug
>
>
>
>
>
> On Fri, Nov 4, 2022 at 9:47 PM Murray S. Kucherawy <[email protected]>
> wrote:
>
> On Fri, Nov 4, 2022 at 4:18 AM Douglas Foster <
> [email protected]> wrote:
>
> Maybe the problem is that John has trademarked "weak" to mean "L=0", so I
> will use "poorly constructed".   DKIM "works" because malicious actors have
> found easier ways to attack than using an intermediary MTA to alter a
> message without breaking the signature.   This may not always be the case,
> and signature construction practices lack consistency, making many of them
> vulnerable if mischief occurs.   Nonetheless, well-constructed
> signatures are a guidance issue, so I have no problem with putting it in a
> guidance document, as long as one is actually written.
>
>
> I'm actually trying to remember what "weak" was supposed to mean.  It
> could refer to a number of different things, anything from not following
> DKIM's signing recommendations to unacceptably small keys to "l=0".  We
> probably should be specific, or stop using it.
>
> But right now, we are not moving toward the goal because the players have
> left the field.   The questions before the group are:
>
> - Do non-aligned signatures provide any benefit to domain owners?
>
>
> I suggest that the answer is "maybe".  DKIM only really tells you
> something when the signature passes; at that point you can conclude that
> the message definitely either came from or passed through whatever domain
> generated the signature.  A failing signature tells you nothing, given the
> myriad ways a perfectly valid signature on a properly handled message can
> still be invalidated.
>
> A receiver can thus make decisions based on the (possibly empty) set of
> domains for which passing signatures were present on a message.  Imagine
> for a moment the existence of a globally accepted spam filtering service; a
> passing signature from that operator might compel a receiver to increase
> its regard for such a message.
>
> Or maybe I host my domain at some highly reputable mailbox provider, or
> engage a commercial bulk emailing service.  A receiver might see a valid
> signature from my domain on there as well as one from the service, and
> develop filtering decisions based on that combination.  One of those
> domains is not aligned, yet possibly valuable.
>
> - If those benefits exist, do they add sufficient value to justify the
> burden on thousands of evaluators to perform extra work on many millions of
> incoming messages?
>
>
> Again, "maybe".  Operators are free to make their own filtering choices.
>
> I built an open source reputation system based on DKIM some years ago, and
> it was somewhat effective.  This pre-dated DMARC; all it cared about was
> the perceived reputation of whoever signed the message (for valid
> signatures), and then it made filtering decisions based on the data it had
> collected to that point.  That suggests to me that the concept we're
> discussing here isn't something DMARC should be trying to tackle.  At most,
> I suggest saying DMARC verifiers should be aware that whatever their DKIM
> verifiers pass them (via A-R or other means) is what they get; if the DKIM
> verifier is not sufficiently specific in what it considers satisfactory,
> pick a different verifier.
>
> I would also recommend reviewing Section 5.4 (and in particular 5.4.1) of
> the DKIM RFC, as it talks about which header fields are important to cover
> in the signature.  Any signature that doesn't cover that starts to become
> "weak" in that it's possible to alter some of the content or intent of the
> message without invalidating the signature.  It also talks about which
> things one ought not include for fear of spurious invalidation.
>
>
> Some members believe that unaligned signature information might be useful
> to somebody sometime.  Unfortunately, no one has been able or willing to
> document a scenario where any such benefit has been obtained by any domain
> owner at any time.   The silence is awkward.
>
> Perhaps these nonaligned signatures are an unnecessary burden on both
> evaluators and domain owners.
>
> Can someone defend the status quo?   If not, can we have consensus to
> change it?
>
>
> How'd I do?  :-)
>
> -MSK, participating
>
>
>
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc