On May 2, 2014, at 2:28 PM, Fred Baker (fred) <fred(_at_)cisco(_dot_)com> wrote:
On May 2, 2014, at 2:13 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
We've been running that experiment for at least a year. Surprise!
Good to hear. Obviously not the area I’m looking at hardest.
If we’re having the level of problems that seem to be being reported in this
thread, it would appear that we haven’t learned much from the experiment. I
take it that the draft Doug Otis mentions is part of the mitigation
discussion.
Dear Fred,
The original TPA draft is more than 2 years old. Murray wanted a DKIM specific
version and I approved of him making modifications while explaining important
elements. It seemed reasonable to assume the idea would be carried forward in
his capable hands, but modifications to Murray's version made a chain-of-trust
approach impossible to deploy. After expressing dismay, Murray indicated
detrimental changes were to satisfy IESG requirements imposed before
publication.
I have spent years running similar DNS schemes at much higher scale, updated
against millions of worldwide inputs every few minutes. Systems we run
provide the opposite of an authorization, where the greatest problem is
enduring deliberate DDoS attacks. The system works well, having very low
overhead even with rather short TTLs. IESG concerns are ironic, since they
expressed none regarding SPF macros. Fortunately, this SPF feature is moribund
for the most part, although the RFC makes it appear to be a fully supported feature.
To revive the original TPA idea to give it a second chance, a few of us will
make an effort to structure TPA more generically and perhaps assuage initial
IESG concerns by having TPA signaled in DMARC records, provided the DMARC group
is willing. Most spoofing affects financial transactions. No third party
should really interfere with Author domain policy requests aimed at protecting
their recipients from harm.
Pete Resnick has taken a quick look at this issue and is convinced it can be
solved using a cryptographically secured authorization token able to survive
normal mailing-list flattening. While conceptually, such a mechanism is
possible, it would involve specialized handling of messages whose structure
would depend on destination in addition to author domains used by DMARC whose
authentication has been obfuscated by message flattening.
Bad actors are fairly proficient at quickly modulating their attacks.
Momentarily valid "override" tokens envisioned by Pete require other features
to prevent massive replay of "pseudo-authenticated" messages, likely requiring
extensive change to tens of thousands of affected third-party services. Users
are quick to abandon systems that permit spoofing.
In Asia, there is a high number of compromised user systems, dwarfing problems
seen by Yahoo. IMHO, TPA in conjunction with DMARC feedback should enable user-
friendly "compromised" notification feedback having a low level of noise, and
offer satisfactory protection without any modification to third-party services.
Of course, Author domains will need to offer recipients the necessary input to
permit the following of a chain-of-trust.
Regards,
Douglas Otis