draft-ietf-acme-email-smime-09.txt   draft-ietf-acme-email-smime-10.txt 
Network Working Group A. Melnikov Network Working Group A. Melnikov
Internet-Draft Isode Ltd Internet-Draft Isode Ltd
Intended status: Informational October 27, 2020 Intended status: Informational October 27, 2020
Expires: April 30, 2021 Expires: April 30, 2021
Extensions to Automatic Certificate Management Environment for end-user Extensions to Automatic Certificate Management Environment for end-user
S/MIME certificates S/MIME certificates
draft-ietf-acme-email-smime-09 draft-ietf-acme-email-smime-10
Abstract Abstract
This document specifies identifiers and challenges required to enable This document specifies identifiers and challenges required to enable
the Automated Certificate Management Environment (ACME) to issue the Automated Certificate Management Environment (ACME) to issue
certificates for use by email users that want to use S/MIME. certificates for use by email users that want to use S/MIME.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 8, line 45 skipping to change at page 8, line 45
legitimate email account owner (unless some external sources of legitimate email account owner (unless some external sources of
information are consulted); information are consulted);
2. for email addresses with legitimate shared access/control by 2. for email addresses with legitimate shared access/control by
multiple users, any such user would be able to request S/MIME multiple users, any such user would be able to request S/MIME
certificates using the protocol specified in this document and certificates using the protocol specified in this document and
such requests can't be attributed to a specific user without such requests can't be attributed to a specific user without
consulting external systems (such as IMAP/SMTP access logs); consulting external systems (such as IMAP/SMTP access logs);
3. protocol specified in this document is not suitable for use with 3. protocol specified in this document is not suitable for use with
email addresses associated with mailing lists [RFC5321]. email addresses associated with mailing lists [RFC5321]. While
it is not always possible to guarantee that a particular S/MIME
certificate request is not from a mailing list address,
prohibition on inclusion of List-* header fields helps
Certificate Issuers to handle most common cases.
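Review bot: the sentence added to item 3 relies on "prohibition on inclusion of List-* header fields" without saying which message that prohibition applies to (the challenge, the response, or both) or where in the draft it is stated; add a cross-reference to the section that contains the MUST NOT so a reader of the Security Considerations can find it. The mitigation also only detects lists whose software inserts List-* fields: an alias, forwarder or expander that adds no such field leaves no trace, which is why the same sentence concedes that a request from a list address cannot always be ruled out. Suggest scoping the claim accordingly, for example "helps Certificate Issuers detect the most common mailing list configurations, although not aliases or forwarders". Minor: "prohibition on inclusion" needs an article ("the prohibition on inclusion of List-* header fields").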
An email system in its turn depends on DNS. A third party that can An email system in its turn depends on DNS. A third party that can
manipulate DNS MX records for a domain might be able to redirect manipulate DNS MX records for a domain might be able to redirect
email and can get (at least temporary) read and reply access to it. email and can get (at least temporary) read and reply access to it.
Similar considerations apply to SPF and DMARC TXT records in DNS. Similar considerations apply to SPF and DMARC TXT records in DNS.
Use of DNSSEC by email system administrators is recommended to avoid Use of DNSSEC by email system administrators is recommended to avoid
easy spoofing of DNS records affecting email system. making it easy to spoof DNS records affecting email system. However
use of DNSSEC is not ubiquitous at the time of publishing of this
document, so it is not required here. Also, many existing systems
that rely on verification of ownership of an email address, for
example 2 factor authentication systems used by banks or traditional
certificate issuance systems send email messages to email addresses,
expecting the owner to click on the link supplied in them (or to
reply to a message), without requiring use of DNSSEC. So the risk of
not requiring DNSSEC is presumed acceptable in this document.
7. Normative References 7. Normative References
[FIPS180-4] [FIPS180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-4, August 2015, Hash Standard (SHS)", FIPS PUB 180-4, August 2015,
<https://csrc.nist.gov/publications/detail/fips/180/4/ <https://csrc.nist.gov/publications/detail/fips/180/4/
final>. final>.
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
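Review bot: the rewritten DNSSEC paragraph recommends "use of DNSSEC by email system administrators" but does not say which side the recommendation addresses, and the two sides are different controls: the domain owner must sign the zone that holds the MX, SPF and DMARC records, and the Certificate Issuer must resolve those records through a validating resolver, otherwise the signatures are never checked. Suggest stating both explicitly, and noting that issuer-side validation only protects lookups in zones that are actually signed, which is what the "not ubiquitous" caveat should refer to. The comparison argument is fine, but the sentence beginning "Also, many existing systems" is a run-on: set off the example ("for example, two-factor authentication systems used by banks or traditional certificate issuance systems,") with commas so the subject "many existing systems" reaches its verb "send". Wording nits: "2 factor" should be "two-factor", "at the time of publishing of this document" should be "at the time of publication of this document", and "DNS records affecting email system" needs "the email system".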
 End of changes. 3 change blocks. 
3 lines changed or deleted 15 lines changed or added
