On May 2, 2014, at 2:28 PM, Fred Baker (fred) <fred@xxxxxxxxx> wrote:

> On May 2, 2014, at 2:13 PM, John Levine <johnl@xxxxxxxxx> wrote:
>
>> We've been running that experiment for at least a year. Surprise!
>
> Good to hear. Obviously not the area I’m looking at hardest.
>
> If we’re having the level of problems that seem to be being reported in this thread, it would appear that we haven’t learned much from the experiment. I take it that the draft Doug Otis mentions is part of the mitigation discussion.

Dear Fred,

The original TPA draft is more than 2 years old. Murray wanted a DKIM-specific version and I approved of him making modifications while explaining important elements. It seemed reasonable to assume the idea would be carried forward in his capable hands, but modifications to Murray's version made a chain-of-trust approach impossible to deploy. After I expressed dismay, Murray indicated the detrimental changes were made to satisfy IESG requirements imposed before publication.

I have spent years running similar DNS schemes at much higher scale, updated against millions of world-wide inputs every few minutes. The systems we run provide the opposite of an authorization, where the greatest problem is enduring deliberate DDoS attack. The system works well, having very low overhead even with rather short TTLs.

The IESG concerns are ironic, since they expressed none regarding SPF macros. Fortunately, this SPF feature is moribund for the most part, although the RFC makes it appear to be a fully supported feature.

To revive the original TPA idea and give it a second chance, a few of us will make an effort to structure TPA more generically and perhaps assuage initial IESG concerns by having TPA signaled in DMARC records, provided the DMARC group is willing. Most spoofing affects financial transactions. No third party should really interfere with Author domain policy requests aimed at protecting their recipients from harm.

Pete Resnick has taken a quick look at this issue and is convinced it can be solved using a cryptographically secured authorization token able to survive normal mailing-list flattening. While conceptually such a mechanism is possible, it would involve specialized handling of messages whose structure would depend on the destination in addition to the Author domains used by DMARC, whose authentication has been obfuscated by message flattening. Bad actors are fairly proficient at quickly modulating their attack. The momentarily valid "override" tokens envisioned by Pete require other features to prevent massive replay of "pseudo-authenticated" messages, likely requiring extensive change to tens of thousands of affected third-party services.

Users are quick to abandon systems that permit spoofing. In Asia, there is a high number of compromised user systems, dwarfing the problems seen by Yahoo. IMHO, TPA in conjunction with DMARC feedback should enable user-friendly "compromised" notification feedback having a low level of noise, and offer satisfactory protection without any modification to third-party services. Of course, Author domains will need to offer recipients the necessary input to permit the following of a chain of trust.

Regards,
Douglas Otis