[dmarc-discuss] A bit quiet?

Roland Turner roland.turner at trustsphere.com
Thu Oct 22 22:48:13 PDT 2015


The question is not who you trust - ARC doesn't directly change that - but how you reliably automate determining whether the message was forwarded only by people that you trust. At present, you have to dig through Received: headers, infer per-forwarder internal structure and behaviour and, frequently, guess. ARC addresses that problem, not the one you're asking about.


The amount of discussion to date about specific historical whitelist proposals is neither here nor there. The question is whether ARC's degree of support for reliable automatic chain-of-custody assessment provides a material improvement for a group of receivers interoperating with a group of forwarders. So long as the answer to that question is yes, then this is progress. I'd suggest that:

  *   large receivers are generally keen to implement things that materially improve their ability to separate wheat from chaff (ARC does this if it's implemented by any significant subset of mailing-list operators), and
  *   at least some of the mailing-list operators whose discomfort with DMARC interoperation is the need to disrupt long-traditional norms (leaving From: unchanged but tagging Subject:, stripping multiparts, adding footers, ...) will be willing to perform ARC processing on messages on the way in, in order to interoperate without giving up traditional mailing-list operations.

If these are both true, then ARC is a clear benefit.


- Roland




[http://www.trustsphere.com/images/signatures/trustsphere.png]<https://www.trustsphere.com>     Roland Turner | Labs Director
Singapore | M: +65 96700022
roland.turner at trustsphere.com<mailto:roland.turner at trustsphere.com>




________________________________
From: dmarc-discuss <dmarc-discuss-bounces at dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss at dmarc.org>
Sent: Friday, 23 October 2015 12:31
To: DMARC Discussion List
Subject: Re: [dmarc-discuss] A bit quiet?

If I trust the sender enough to override DMARC policy results, what more does ARC add?

I thought we'd already discussed the idea of the non-scalability of whitelists to death. Absent a trusted sender whitelist, what can you do with ARC?

Scott K

On October 22, 2015 11:03:59 PM EDT, Roland Turner via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

Broadly, yes. You'd need to trust the entire chain of ARC-signing forwarders of course.


- Roland



[http://www.trustsphere.com/images/signatures/trustsphere.png]<https://www.trustsphere.com>     Roland Turner | Labs Director
Singapore | M: +65 96700022
roland.turner at trustsphere.com<mailto:roland.turner at trustsphere.com>




________________________________
From: dmarc-discuss <dmarc-discuss-bounces at dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss at dmarc.org>
Sent: Friday, 23 October 2015 10:42
To: DMARC Discussion List
Subject: Re: [dmarc-discuss] A bit quiet?

Okay. If I implement ARC as a receiver, then I ignore p=reject from Senders I trust not to lie to me if it passes ARC?

Scott K

On October 22, 2015 10:15:24 PM EDT, Roland Turner via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

ARC provides a standardised, software-implementable, means for trustworthy forwarders to implement chain-of-custody records and therefore for receivers to reliably and simply automate assessments about messages received through trustworthy paths that are currently both generally too complicated to make other than by hand and - for longer forwarding chains than author->list->recipient - depend upon trusting untrustworthy data from several hops upstream.

The decisions about who to trust remain more-or-less those which receivers already make, ARC extends the distance that that trust can be algorithmically extended. An untrusted bad guy gains nothing, except against a naive receiver who imagines that ARC is magic. See also naive receivers assuming that SPF passing meant that a message was not spam. Likewise DKIM passing. Likewise DMARC passing. The important change here is that, in addition to incorporating an assessment of the trustworthines!
 s of the
author and/or the last hop, assessments of the trustworthiness of forwarders enter the picture.

- Roland


        Roland Turner | Labs Director
Singapore | M: +65 96700022
roland.turner at trustsphere.com



________________________________

From: dmarc-discuss <dmarc-discuss-bounces at dmarc.org> on behalf of Scott Kitterman via dmarc-discuss <dmarc-discuss at dmarc.org>
Sent: Friday, 23 October 2015 04:44
To: dmarc-discuss at dmarc.org
Subject: Re: [dmarc-discuss] A bit quiet?

On October 22, 2015 1:19:51 PM EDT, Franck Martin via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
The fun is moving to ARC

https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protect-users/


How does that actually help? At least as I read the draft, anyone can make up a 'bad' message and an associated made up DKIM signature and then add their ARC stamp claiming the signature was valid when the message arrived?

Scott K

________________________________

dmarc-discuss mailing list
dmarc-discuss at dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)

________________________________

dmarc-discuss mailing list
dmarc-discuss at dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20151023/c74815b6/attachment-0001.html>


More information about the dmarc-discuss mailing list