I cannot support the current draft because it creates new problems without sufficiently solving the old ones.
The PSL is subject to two types of errors:
- Landing too high, causing False Pass on non-affiliated domains
- Landing too low, causing False Fail or False NoPolicy on domains that are actually affiliated.

False Pass presents the greater threat. While it could occur on any type of non-strict alignment, the primary concern is False Pass on sibling alignment. The bottom-up-first-stop tree walk attempts to solve the problem of False Pass by using an algorithm that will often land too low, causing False Fail. Nonetheless, it fails to solve the whole problem because evaluators are still at risk from private registries that publish a DMARC policy with strict alignment but without a PSD tag. The proposed tree walk has other problems, because it changes an organization's relaxed alignment boundary every time that a policy is added or removed. It also means that domain owners must ensure that their policies and their configuration produce the correct result whether the evaluator is using RFC 7489 or DMARCbis.

The PSL security problem is caused by relaxed alignment itself. To be secure, relaxed alignment requires a certainty about organization boundaries which we cannot yet provide. The appropriate response is to eliminate sibling authentication. This change would provide immediate protection for evaluators, with minimal changes to their running code. For implementations that have an adequate DMARC exception process, sibling authentication can be permitted for specific message sources using local policy. With this change in place, the differences between PSL lookup and Tree Walk become much less important.

My data indicates that sibling authentication is so lightly used that we will see minimal disruption to legitimate traffic, much less disruption than will occur from the proposed tree walk. I am hoping that Google can provide more specific data about the use of sibling authentication under different DMARC disposition policies.
As long as the parent-child and child-parent forms of relaxed alignment are permitted, we need an explicit tagging mechanism which gives the domain owner full control over alignment boundaries and eliminates uncertainty about the domain owner's intent. Parent-child and child-parent authentication will be important for as long as SPF-alignment is necessary. For DKIM signatures, I am not convinced that relaxed alignment should be necessary even though it has some current use because it is allowed. A domain owner who wants to maximize deliverability should maximize evaluator trust in the message authentication. Maximizing trust means that the message should be DKIM signed, and should be signed with strict alignment. Our document should steer people in those directions. The DARA draft, which has much to contribute about the forwarding problem, already moves us in that direction by requiring exact-match signatures.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
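The following is an added illustration, not code from the post or from any DMARC implementation: it classifies the RFC5322.From domain against the authenticated (SPF or DKIM) domain as exact, child, parent or sibling, and compares strict alignment, RFC 7489 relaxed alignment, and the "no sibling" variant the post argues for. The public-suffix table, the hostnames and the `hosting.example.com` private registry are constructed for the example; in the last case the table does not know the registry, so relaxed alignment "lands too high" and produces the False Pass the post describes.

```python
# Constructed stand-in for a Public Suffix List lookup (NOT the real PSL).
# "hosting.example.com" is deliberately absent: a private registry the PSL
# does not know about, which is the False Pass scenario in the post.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain):
    """Return the organizational domain per RFC 7489 section 3.2, or None
    when the name is itself a public suffix or matches no known suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # One label above the longest matching public suffix.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def relationship(from_domain, auth_domain):
    """Classify how the authenticated domain relates to the From domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if f == a:
        return "exact"
    org_f, org_a = organizational_domain(f), organizational_domain(a)
    if org_f is None or org_f != org_a:
        return "none"          # different organizations: never aligned
    if a.endswith("." + f):
        return "child"         # authenticated identifier is below From
    if f.endswith("." + a):
        return "parent"        # authenticated identifier is above From
    return "sibling"           # same org domain, neither contains the other


def aligned(from_domain, auth_domain, mode):
    """Alignment verdict under the chosen policy.

    strict     -- exact match only (adkim=s / aspf=s)
    relaxed    -- RFC 7489 relaxed: any shared organizational domain
    no-sibling -- the post's proposal: parent/child kept, sibling dropped
    """
    rel = relationship(from_domain, auth_domain)
    if mode == "strict":
        return rel == "exact"
    if mode == "relaxed":
        return rel in {"exact", "child", "parent", "sibling"}
    if mode == "no-sibling":
        return rel in {"exact", "child", "parent"}
    raise ValueError("unknown alignment mode: %s" % mode)
```

Run `aligned("alice.hosting.example.com", "mallory.hosting.example.com", m)` for each mode to see that only relaxed alignment accepts two unrelated customers of the unknown registry as siblings.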
