[Mailman-Developers] ARC

Gene Shuman geneshuman at gmail.com
Fri Dec 1 03:23:57 EST 2017 

Hi all,

I'm writing again about the ARC PR that I've been working on that I'd like
to get reviewed & merged.  I've been in touch with Abhilash Raj about this
and he's graciously agreed to put some energy into it when he has time.
But in general, I've put some thought into it, and have come up with a
general plan to streamline this review, to make it as simple as possible
for Abhilash or anybody else with the interest or bandwidth to help.

First the are 4 major components of the review:

- Barry Warsaw did a preliminary review which focused mostly on the code
syntax & organization, and I've correspondently updated the code.  So first
point is verifying this, which should be easy.
- Next  is verifying that the way in which I've approached this problem is
appropriately in line with how mailman is abstractly structured.  Also easy.
- Next again is verifyomg that the documentation is sufficient from a
users(or developers) perspective.  I've recently updated the documentation,
and believe it to be sufficient.  To test this, somebody with possibly
marginal familiarity with ARC needs to just try to setup a Mailman server
with ARC functionality.  This is closely related to the next point.
- Finally is verifying that the code behaves cryptographically correctly

This last point is clearly what most imperatively needs to be right, and
I'll devote a bit of this message towards it.

Honestly, I don't think it should be that difficult for somebody to
convince themselves Mailman is handling ARC correctly, even knowing little
about it.  Depending on the level of paranoia here(any of which are
justifiable,) there are several routes to going about this.  But first an
overview of how this PR implements ARC.

This may be a bit long winded, so hopefully bear with me.  So this PR does
ARC signing & validation via a library of mine, authheaders
<https://pypi.python.org/pypi/authheaders/0.9.2>, which basically
aggregates & passes along email authentication & signing functions to other
libraries.  It's quite simple & its easy to see that it's not modifying the
results its getting from the other libraries.  In particular, with respect
to ARC, its using a fork of the library dkimpy
<https://launchpad.net/dkimpy>.  The fork has passed review, and afaik will
be merged & released any day now.  The fork brings the dkimpy library's ARC
implementation(which I wrote) from 99% compliance with the ARC test suite
<https://github.com/ValiMail/arc_test_suite>(which I also authored), to
100%.  So it's absolutely demonstrably clear that the library that my ARC
Mailman PR is using is cryptographically correct.  The test suite itself
has also been validated from several other directions, so at this point is
authoritative.

In particular, I've worked with the engineer at Google responsible for
their ARC implementation, Brandon Long, on this, and I have also worked in
depth with the major authors of the ARC rfc to clarify the protocol,
illuminate edge cases, and bring the document to completion.  But in
particular, wrt Google, I've personally verified that their ARC
implementation is 100% compliant with the spec & the test suite.  And their
ARC implementation is live and is validating & signing 100% of their email
traffic atm.

So here is my simple proposal for validating the cryptographic validity of
my PR.  Set up a Mailman server with ARC configured properly.  Add some
google email addresses to the outbound list, send a bunch of emails, and
inspect the headers to see that ARC appropriately verifies.  Then take the
same Mailman server and turn of ARC and see that the messages fail.  As a
further step you can set up a nested sequence of Mailman servers, with some
or all or none of them ARC enabled, and then check the results.  I
personally think it is within reason to trust Google as an authority here,
as I've personally followed their development, and know that their
implementation is 100% compliant.

As an additional level of security here, we can combine this with direct
validation fo dkimpy.  I can directly show somebody how to test dkimpy
against the ARC test suite themselves.  I don't think this is necessary, as
I've done it hundreds of times, but in 30m I can help somebody check this
for themselves personally

Another thing to note.  There are tests added to the Mailman test suite
that directly test the crypto.  They aren't comprehensive, but they are
there & they pass.

So to be summarize, I'm perfectly confident that that the ARC
implementation in Mailman is rock solid, as I've personally written the
intermediary layer, the actual ARC implementation in dkimpy, the ARC test
suite, and have been a non-trivial contributor to the specification
itself.

And with any of the above steps necessary for this validation, I'm
available to help.  What ever I can do to make this as painless as
possible, I'm available for.

Now to the next level of paranoia, which is the bottom level, and would
prove beyond a shadow of a doubt that Mailman's ARC implementation is
absolutely cryptographically compliant.  First, a bit about the ARC test
suite.  It's a bunch of yaml files that specifies various messages, edge
cases, etc, and what the output should be.  It's designed abstractly so
that you can test it against any system which is ARC capable, by just
creating a system of translation layers between the test suite & the
software being tested.  It's been tested against dkimpy in such a manner.
It's also been tested against googles ARC implementation, OpenARC, and
others.  It's quite general.

It would be possible to directly run the test suite against Mailman.  This
would be a bit awkward, as its a mail server, as opposed to a library, but
it could be done.  And this literally would be bullet proof evidence that
the system is behaving cryptographically correctly.   However the
translation layer may be a pain to write.  But I haven't put too much
thought into that.

I personally think that the argument that the library, dkimpy, which the
ARC PR is currently using passes test-suite validation is strong enough.
But I'm an expert wrt ARC, and I understand that argument via claims of
expertise aren't really all that valid.

So the bottom line is this.  Either I, or somebody else can wire up some
ARC enabled Mailman servers, point them at Google, and check that things
check out, using Google's ARC implementation as a reference.  And possibly
to demonstrate running the ARC test suite against dkimpy.

The other option is making a harness to directly run the ARC test suite
against mailman.  This is doable, and would be a hassle, but is not out of
the question.  I could likely personally do this, and would happily do so.

Thank you to anybody who has read this far.  Please let me know your
thoughts.  And don't hesitate with any questions about ARC or DMARC, or
other email authentication protocols.  I'm a near encyclopedic resource
about these things at this point, and am happy to share my knowledge.

Looking forward to working with guys!

Regards,
=Gene

More information about the Mailman-Developers mailing list