draft-ietf-acme-email-smime-13.txt   rfc8823.txt 
Network Working Group A. Melnikov Internet Engineering Task Force (IETF) A. Melnikov
Internet-Draft Isode Ltd Request for Comments: 8823 Isode Ltd
Intended status: Informational November 20, 2020 Category: Informational April 2021
Expires: May 24, 2021 ISSN: 2070-1721
Extensions to Automatic Certificate Management Environment for end-user Extensions to Automatic Certificate Management Environment for End-User
S/MIME certificates S/MIME Certificates
draft-ietf-acme-email-smime-13
Abstract Abstract
This document specifies identifiers and challenges required to enable This document specifies identifiers and challenges required to enable
the Automated Certificate Management Environment (ACME) to issue the Automated Certificate Management Environment (ACME) to issue
certificates for use by email users that want to use S/MIME. certificates for use by email users that want to use S/MIME.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on May 24, 2021. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8823.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 2. Conventions Used in This Document
3. Use of ACME for issuing end-user S/MIME certificates . . . . 3 3. Use of ACME for Issuing End-User S/MIME Certificates
3.1. ACME challenge email . . . . . . . . . . . . . . . . . . 5 3.1. ACME "Challenge" Email
3.2. ACME response email . . . . . . . . . . . . . . . . . . . 7 3.2. ACME "Response" Email
3.3. Generating encryption only or signing only S/MIME 3.3. Generating Encryption-Only or Signing-Only S/MIME
certificates . . . . . . . . . . . . . . . . . . . . . . 9 Certificates
4. Internationalization Considerations . . . . . . . . . . . . . 9 4. Internationalization Considerations
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations
5.1. ACME Identifier Type . . . . . . . . . . . . . . . . . . 10 5.1. ACME Identifier Type
5.2. ACME Challenge Type . . . . . . . . . . . . . . . . . . . 10 5.2. ACME Challenge Type
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. References
7.1. Normative References . . . . . . . . . . . . . . . . . . 12 7.1. Normative References
7.2. Informative References . . . . . . . . . . . . . . . . . 14 7.2. Informative References
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 15 Acknowledgements
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 Author's Address
1. Introduction 1. Introduction
ACME [RFC8555] is a mechanism for automating certificate management ACME [RFC8555] is a mechanism for automating certificate management
on the Internet. It enables administrative entities to prove on the Internet. It enables administrative entities to prove
effective control over resources like domain names, and automates the effective control over resources like domain names, and it automates
process of generating and issuing certificates. the process of generating and issuing certificates.
This document describes an extension to ACME for use by S/MIME. This document describes an extension to ACME for use by S/MIME.
Section 3 defines extensions for issuing end-user S/MIME [RFC8550] Section 3 defines extensions for issuing end-user S/MIME [RFC8550]
certificates. certificates.
This document aims to support both: This document aims to support both:
1. A Mail User Agent (MUA) which has built in ACME client aware of 1. A Mail User Agent (MUA) that has a built-in ACME client that is
the extension described in this document. (We will call such aware of the extension described in this document. (We will call
ACME clients "ACME-email-aware") Such MUA can present nice User such MUAs "ACME-email-aware".) Such an MUA can present a nice
Interface to the user and automate certificate issuance. user interface to the user and automate certificate issuance.
2. A MUA which is not ACME aware, with a separate ACME client 2. An MUA that is not ACME aware, with a separate ACME client
implemented in a command line tool or as a part of a website. implemented in a command-line tool or as a part of a website.
While S/MIME certificate issuance is not going to be as painless While S/MIME certificate issuance is not going to be as painless
as in the case of the ACME-email-aware MUA, the extra burden on a as in the case of the ACME-email-aware MUA, the extra burden on a
user is going to be minimal. user is going to be minimal.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Use of ACME for issuing end-user S/MIME certificates 3. Use of ACME for Issuing End-User S/MIME Certificates
ACME [RFC8555] defines a "dns" Identifier Type that is used to verify ACME [RFC8555] defines a "dns" identifier type that is used to verify
that a particular entity has control over a domain or specific that a particular entity has control over a domain or specific
service associated with the domain. In order to be able to issue service associated with the domain. In order to be able to issue
end-user S/MIME certificates, ACME needs a new Identifier Type that end-user S/MIME certificates, ACME needs a new identifier type that
proves ownership of an email address. proves ownership of an email address.
This document defines a new Identifier Type "email" which corresponds This document defines a new identifier type, "email", which
to an email address. The address can be all ASCII [RFC5321] or corresponds to an email address. The address can be all ASCII
internationalized [RFC6531]; when an internationalized email address [RFC5321] or internationalized [RFC6531]; when an internationalized
is used, the domain part can contain both U-labels and A-labels email address is used, the domain part can contain both U-labels and
[RFC5890]. This can be used with S/MIME or other similar service A-labels [RFC5890]. This can be used with S/MIME or another similar
that requires possession of a certificate tied to an email address. service that requires possession of a certificate tied to an email
address.
Any identifier of type "email" in a newOrder request MUST NOT have a Any identifier of type "email" in a newOrder request MUST NOT have a
wildcard ("*") character in its value. wildcard ("*") character in its value.
A new challenge type "email-reply-00" is used with "email" Identifier A new challenge type, "email-reply-00", is used with the "email"
Type, which provides proof that an ACME client has control over an identifier type, which provides proof that an ACME client has control
email address. over an email address.
The process of issing an S/MIME certificate works as follows. Note The process of issuing an S/MIME certificate works as follows. Note
that the ACME client can be a standalone application (if the MUA is that the ACME client can be a standalone application (if the MUA is
not ACME-email-aware) or can be a component of the MUA. not ACME-email-aware) or can be a component of the MUA.
1. An end-user initiates issuance of an S/MIME certificate for one 1. An end user initiates issuance of an S/MIME certificate for one
of her email addresses. This might be done using email client of their email addresses. This might be done by using an email
UI, by running a command line tool, by visiting a Certificate client UI, by running a command-line tool, by visiting a
Authority web page, etc. This document doesn't prescribe certificate authority web page, etc. This document doesn't
specific UI used to initiate S/MIME certificate issuance or prescribe a specific UI used to initiate S/MIME certificate
where the ACME client is located. issuance or where the ACME client is located.
2. The ACME-email-aware client component begins the certificate 2. The ACME-email-aware client component begins the certificate
issuance process by sending a POST request to the server's issuance process by sending a POST request to the server's
newOrder resource, including the identifier of type "email". newOrder resource, including the identifier of type "email".
See Section 7.4 of [RFC8555] for more details. See Section 7.4 of [RFC8555] for more details.
3. The ACME server responds to the POST request, including an 3. The ACME server responds to the POST request, including an
"authorizations" URL for the requested email address. The ACME "authorizations" URL for the requested email address. The ACME
client then retrieves information about the corresponding client then retrieves information about the corresponding
"email-reply-00" challenge as specified in Section 7.5 of "email-reply-00" challenge, as specified in Section 7.5 of
[RFC8555]. The "token" field of the corresponding challenge [RFC8555]. The "token" field of the corresponding challenge
object (from the "challenges" array) contains token-part2. object (from the "challenges" array) contains token-part2.
token-part2 should contain at least 128 bits of entropy. The token-part2 should contain at least 128 bits of entropy. The
"type" field of the challenge object is "email-reply-00". The "type" field of the challenge object is "email-reply-00". The
challenge object also contains the "from" field, with the email challenge object also contains the "from" field, with the email
address that would be used in the From header field of the address that would be used in the From header field of the
"challenge" email message (see the next step). "challenge" email message (see the next step).
An example Challenge object might look like this: An example challenge object might look like this:
{ {
"type": "email-reply-00", "type": "email-reply-00",
"url": "https://example.com/acme/chall/ABprV_B7yEyA4f", "url": "https://example.com/acme/chall/ABprV_B7yEyA4f",
"from": "acme-challenge+2i211oi1204310@example.com", "from": "acme-challenge+2i211oi1204310@example.com",
"token": "DGyRejmCefe7v4NfDGDKfA" "token": "DGyRejmCefe7v4NfDGDKfA"
} }
4. After responding to the authorization request the ACME server 4. After responding to the authorization request, the ACME server
generates another token and a "challenge" email message with the generates another token and a "challenge" email message with the
subject "ACME: <token-part1>", where <token-part1> is the subject "ACME: <token-part1>", where <token-part1> is the
base64url encoded [RFC4648] form of the token. The ACME server base64url-encoded [RFC4648] form of the token. The ACME server
MUST generate a fresh token for each S/MIME issuance request MUST generate a fresh token for each S/MIME issuance request
(authorization request), and token-part1 MUST contain at least (authorization request), and token-part1 MUST contain at least
128 bits of entropy. The "challenge" email message structure is 128 bits of entropy. The "challenge" email message structure is
described in more details in Section 3.1. described in more details in Section 3.1.
5. The MUA retrieves and parses the "challenge" email message. If 5. The MUA retrieves and parses the "challenge" email message. If
the MUA is ACME-email-aware, it ignores any "challenge" email the MUA is ACME-email-aware, it ignores any "challenge" email
that is not expected, e.g. if there is no ACME certificate that is not expected, e.g., if there is no ACME certificate
issuance pending. The ACME-email-aware MUA also ignores any issuance pending. The ACME-email-aware MUA also ignores any
"challenge" email that has the Subject header field which "challenge" email that has the Subject header field that
indicates that it is an email reply, e.g. a subject starting indicates that it is an email reply, e.g., a subject starting
with the reply prefix "Re:". with the reply prefix "Re:".
6. The ACME client concatenates "token-part1" (received over email) 6. The ACME client concatenates "token-part1" (received over email)
and "token-part2" (received over HTTPS [RFC2818]) to create the and "token-part2" (received over HTTPS [RFC2818]) to create the
ACME "token", calculates keyAuthorization (as per Section 8.1 of ACME "token" and calculates keyAuthorization (as per Section 8.1
[RFC8555]), then returns the base64url encoded SHA-256 digest of [RFC8555]). Then, it returns the base64url-encoded SHA-256
[FIPS180-4] of the key authorization. The MUA returns the digest [RFC6234] of the key authorization. The MUA returns the
base64url encoded SHA-256 digest obtained from the ACME client base64url-encoded SHA-256 digest obtained from the ACME client
in the body of a "response" email message. The "response" email in the body of a "response" email message. The "response" email
message structure is described in more details in Section 3.2. message structure is described in more details in Section 3.2.
If the MUA is ACME-email-aware, it MUST NOT respond to the same If the MUA is ACME-email-aware, it MUST NOT respond to the same
"challenge" email more than once. "challenge" email more than once.
7. Once the MUA sends the "response" email, the ACME client 7. Once the MUA sends the "response" email, the ACME client
notifies the ACME server by POST to the challenge URL ("url" notifies the ACME server by POST to the challenge URL ("url"
field). field).
8. The ACME client can start polling the authorization URL (using 8. The ACME client can start polling the authorization URL (using
POST-as-GET requests) to see if the ACME server received and POST-as-GET requests) to see if the ACME server received and
validated the "response" email message. (See Section 7.5.1 of validated the "response" email message. (See Section 7.5.1 of
[RFC8555] for more details.) If the "status" field of the [RFC8555] for more details.) If the "status" field of the
challenge switches to "valid", then the ACME client can proceed challenge switches to "valid", then the ACME client can proceed
with request finalization. The Certificate Signing Request with request finalization. The Certificate Signing Request
(CSR) MUST indicate the exact same set of requested identifiers (CSR) MUST indicate the exact same set of requested identifiers
as the initial newOrder request. For an identifier of type as the initial newOrder request. For an identifier of type
"email", the PKCS#10 [RFC2986] CSR MUST contain the requested "email", the PKCS#10 [RFC2986] CSR MUST contain the requested
email address in an extensionRequest attribute [RFC2985] email address in an extensionRequest attribute [RFC2985]
requesting a subjectAltName extension. (Such email address MUST requesting a subjectAltName extension. The email address MUST
also match the From header field value of the "response" email also match the From header field value of the "response" email
message.) message.
9. In order to request generation of signing only or encryption 9. In order to request generation of signing-only or encryption-
only S/MIME certificates (as opposed to requesting generation of only S/MIME certificates (as opposed to requesting generation of
S/MIME certificates suitable for both), the CSR needs to include S/MIME certificates suitable for both), the CSR needs to include
the key usage extension (see Section 4.4.2 of [RFC8550]. This the key usage extension (see Section 4.4.2 of [RFC8550]). This
is described in more details in Section 3.3. is described in more details in Section 3.3.
10. If a request to finalize an order is successful, the ACME server 10. If a request to finalize an order is successful, the ACME server
will return a 200 (OK) with an updated order object. If the will return a 200 (OK) with an updated order object. If the
certificate is issued successfully, i.e. if the order "status" certificate is issued successfully, i.e., if the order "status"
is "valid", then the ACME client can download the issued S/MIME is "valid", then the ACME client can download the issued S/MIME
certificate from the URL specified in the "certificate" field. certificate from the URL specified in the "certificate" field.
3.1. ACME challenge email 3.1. ACME "Challenge" Email
A "challenge" email message MUST have the following structure: A "challenge" email message MUST have the following structure:
1. The message Subject header field has the following syntax: "ACME: 1. The Subject header field has the following syntax: "ACME: <token-
<token-part1>", where the prefix "ACME:" is followed by folding part1>", where the prefix "ACME:" is followed by folding white
white space (FWS, see [RFC5322]) and then by <token-part1>, which space (FWS; see [RFC5322]) and then by <token-part1>, which is
is the base64url encoded first part of the ACME token that MUST the base64url-encoded first part of the ACME token that MUST be
be at least 128 bits long after decoding. Due to the recommended at least 128 bits long after decoding. Due to the recommended
78-octet line length limit in [RFC5322], the subject line can be 78-octet line-length limit in [RFC5322], the subject line can be
folded, so whitespaces (if any) within the <token-part1> MUST be folded, so white spaces (if any) within the <token-part1> MUST be
ignored. [RFC2231] encoding of the message Subject header field ignored. [RFC2231] encoding of the Subject header field MUST be
MUST be supported, and when used, only the "UTF-8" and "US-ASCII" supported, and, when used, only the "UTF-8" and "US-ASCII"
charsets are allowed: other charsets MUST NOT be used. US-ASCII charsets are allowed; other charsets MUST NOT be used. The US-
charset SHOULD be used. ASCII charset SHOULD be used.
2. The From header field MUST be the same email address as specified 2. The From header field MUST be the same email address as specified
in the "from" field of the challange object. in the "from" field of the challenge object.
3. The To header field MUST be the email address of the entity that 3. The To header field MUST be the email address of the entity that
requested the S/MIME certificate to be generated. requested the S/MIME certificate to be generated.
4. The message MAY contain a Reply-To and/or CC header fields. 4. The message MAY contain a Reply-To and/or CC header field.
5. The message MUST include the "Auto-Submitted: auto-generated" 5. The message MUST include the Auto-Submitted header field with the
header field [RFC3834]. To aid in debugging (and in for some value "auto-generated" [RFC3834]. To aid in debugging (and, for
implementations to make automated processing easier) the "Auto- some implementations, to make automated processing easier), the
Submitted" header field SHOULD include the "type=acme" parameter. Auto-Submitted header field SHOULD include the "type=acme"
It MAY include other optional parameters as allowed by the syntax parameter. It MAY include other optional parameters, as allowed
of the Auto-Submitted header field. by the syntax of the Auto-Submitted header field.
6. In order to prove authenticity of a challenge message, it MUST be 6. In order to prove authenticity of a challenge message, it MUST be
signed using either DKIM [RFC6376] or S/MIME [RFC8551]. signed using either DomainKeys Identified Mail (DKIM) [RFC6376]
or S/MIME [RFC8551].
If DKIM signing is used, the resulting DKIM-Signature header
field MUST contain the "h=" tag that includes at least "From",
"Sender", "Reply-To", "To", "CC", "Subject", "Date", "In-
Reply-To", "References", "Message-ID", "Auto-Submitted",
"Content-Type", and "Content-Transfer-Encoding" header fields.
The DKIM-Signature header field's "h=" tag SHOULD also include
"Resent-Date", "Resent-From", "Resent-To", "Resent-Cc", "List-
Id", "List-Help", "List-Unsubscribe", "List-Subscribe", "List-
Post", "List-Owner", "List-Archive" and "List-Unsubscribe-
Post" header fields. The domain from the "d=" tag of DKIM-
Signature header field MUST be the same as the domain from the
From header field of the "challenge" email.
If S/MIME signing is used, the certificate corresponding to * If DKIM signing is used, the resulting DKIM-Signature header
the signer MUST have rfc822Name subjectAltName extension with field MUST contain the "h=" tag that includes at least the
the value equal to the From header field email address of the From, Sender, Reply-To, To, CC, Subject, Date, In-Reply-To,
References, Message-ID, Auto-Submitted, Content-Type, and
Content-Transfer-Encoding header fields. The DKIM-Signature
header field's "h=" tag SHOULD also include the Resent-Date,
Resent-From, Resent-To, Resent-Cc, List-Id, List-Help, List-
Unsubscribe, List-Subscribe, List-Post, List-Owner, List-
Archive, and List-Unsubscribe-Post header fields. The domain
from the "d=" tag of the DKIM-Signature header field MUST be
the same as the domain from the From header field of the
"challenge" email. "challenge" email.
* If S/MIME signing is used, the certificate corresponding to
the signer MUST have an rfc822Name subjectAltName extension
with the value equal to the From header field email address of
the "challenge" email.
7. The body of the challenge message is not used for automated 7. The body of the challenge message is not used for automated
processing, so it can be any media type. (However there are processing, so it can be any media type. (However, there are
extra requirements on S/MIME signing, if used. See below.) extra requirements on S/MIME signing, if used. See below.)
Typically it is text/plain or text/html containing a human- Typically, it is text/plain or text/html containing a human-
readable explanation of the purpose of the message. If S/MIME readable explanation of the purpose of the message. If S/MIME
signing is used to prove authenticity of the challenge message, signing is used to prove authenticity of the challenge message,
then the multipart/signed or "application/pkcs7-mime; smime- then the multipart/signed or "application/pkcs7-mime; smime-
type=signed-data;" media type should be used. Either way, it type=signed-data;" media type should be used. Either way, it
MUST use S/MIME header protection. MUST use S/MIME header protection.
An email client compliant with this specification that detects that a An email client compliant with this specification that detects that a
particular "challenge" email fails validation described above MUST particular "challenge" email fails the validation described above
ignore the challenge and thus will not generate any "response" email. MUST ignore the challenge and thus will not generate a "response"
To aid in debugging such failed validations SHOULD be logged. email. To aid in debugging, such failed validations SHOULD be
logged.
An example ACME "challenge" email (note that for simplicity DKIM Here is an example of an ACME "challenge" email (note that, for
related header fields are not included). simplicity, DKIM-related header fields are not included).
Auto-Submitted: auto-generated; type=acme Auto-Submitted: auto-generated; type=acme
Date: Sat, 5 Dec 2020 10:08:55 +0100 Date: Sat, 5 Dec 2020 10:08:55 +0100
Message-ID: <A2299BB.FF7788@example.org> Message-ID: <A2299BB.FF7788@example.org>
From: acme-generator@example.org From: acme-generator@example.org
To: alexey@example.com To: alexey@example.com
Subject: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME= Subject: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME=
Content-Type: text/plain Content-Type: text/plain
MIME-Version: 1.0 MIME-Version: 1.0
This is an automatically generated ACME challenge for email address This is an automatically generated ACME challenge for email address
"alexey@example.com". If you haven't requested an S/MIME "alexey@example.com". If you haven't requested an S/MIME
certificate generation for this email address, be very afraid. certificate generation for this email address, be very afraid.
If you did request it, your email client might be able to process If you did request it, your email client might be able to process
this request automatically, or you might have to paste the first this request automatically, or you might have to paste the first
token part into an external program. token part into an external program.
Figure 1 Figure 1
3.2. ACME response email 3.2. ACME "Response" Email
A valid "response" email message MUST have the following structure: A valid "response" email message MUST have the following structure:
1. The message Subject header field is formed as a reply to the ACME 1. The Subject header field is formed as a reply to the ACME
"challenge" email (see Section 3.1). Its syntax is the same as "challenge" email (see Section 3.1). Its syntax is the same as
that of the challenge message except that it may be prefixed by a that of the challenge message except that it may be prefixed by a
US-ASCII reply prefix (typically "Re:") and folding white space US-ASCII reply prefix (typically "Re:") and FWS (see [RFC5322]),
(FWS, see [RFC5322]), as is normal in reply messages. When as is normal in reply messages. When parsing the subject, ACME
parsing the subject, ACME servers MUST decode [RFC2231] encoding servers MUST decode [RFC2231] encoding (if any), and then they
(if any) and then they can ignore any prefix before the "ACME:" can ignore any prefix before the "ACME:" label.
label.
2. The From: header field contains the email address of the user 2. The From header field contains the email address of the user that
that is requesting S/MIME certificate issuance. is requesting S/MIME certificate issuance.
3. The To: header field of the response contains the value from the 3. The To header field of the response contains the value from the
Reply-To: header field from the challenge message (if set) or Reply-To header field from the challenge message (if set).
from the From: header field of the challenge message otherwise. Otherwise, it contains the value from the From header field of
the challenge message.
4. The Cc: header field is ignored if present in the "response" 4. The Cc header field is ignored if present in the "response" email
email message. message.
5. The In-Reply-To: header field SHOULD be set to the Message-ID 5. The In-Reply-To header field SHOULD be set to the Message-ID
header field of the challenge message according to rules in header field of the challenge message according to rules in
Section 3.6.4 of [RFC5322]. Section 3.6.4 of [RFC5322].
6. List-* header fields [RFC4021][RFC8058] MUST be absent (i.e., the 6. List-* header fields [RFC4021][RFC8058] MUST be absent (i.e., the
reply can't come from a mailing list) reply can't come from a mailing list).
7. The media type of the "response" email message is either text/ 7. The media type of the "response" email message is either text/
plain or multipart/alternative [RFC2046] containing text/plain as plain or multipart/alternative [RFC2046], containing text/plain
one of the alternatives. (Note that the requirement to support as one of the alternatives. (Note that the requirement to
multipart/alternative is to allow use of ACME-unaware MUAs which support multipart/alternative is to allow use of ACME-unaware
can't always generate pure text/plain, e.g. if they reply to a MUAs, which can't always generate pure text/plain, e.g., if they
text/html). The text/plain body part (whether or not it is reply to a text/html). The text/plain body part (whether or not
inside multipart/alternative) MUST contain a block of lines it is inside multipart/alternative) MUST contain a block of lines
starting with the line "-----BEGIN ACME RESPONSE-----", followed starting with the line "-----BEGIN ACME RESPONSE-----", followed
by one or more line containing the base64url-encoded SHA-256 by one or more lines containing the base64url-encoded SHA-256
digest [FIPS180-4] of the key authorization, calculated from digest [RFC6234] of the key authorization, calculated from
concatenated token-part1 (received over email) and token-part2 concatenated token-part1 (received over email) and token-part2
(received over HTTPS), as outlined in the 5th bullet in (received over HTTPS), as outlined in the 5th bullet in
Section 3. (Note that each line of text/plain is terminated by Section 3. (Note that each line of text/plain is terminated by
CRLF. Bare LFs or bare CRs are not allowed.) Due to historical CRLF. Bare LFs or bare CRs are not allowed.) Due to historical
line length limitations in email, line endings (CRLFs) can be line-length limitations in email, line endings (CRLFs) can be
freely inserted in the middle of the encoded digest, so they MUST freely inserted in the middle of the encoded digest, so they MUST
be ignored when processing it.) The final line of the encoded be ignored when processing it. The final line of the encoded
digest is followed by a line containing "-----END ACME digest is followed by a line containing:
RESPONSE-----". Any text before and after this block is ignored.
For example such text might explain what to do with it for ACME- -----END ACME RESPONSE-----
unaware clients.
Any text before and after this block is ignored. For example,
such text might explain what to do with it for ACME-unaware
clients.
8. There is no need to use any Content-Transfer-Encoding other than 8. There is no need to use any Content-Transfer-Encoding other than
7bit for the text/plain body part. Use of Quoted-Printable or 7bit for the text/plain body part. Use of quoted-printable or
base64 in a "response" email message is not necessary and should base64 in a "response" email message is not necessary and should
be avoided, though it is permitted. be avoided, though it is permitted.
9. In order to prove authenticity of a response message, it MUST be 9. In order to prove authenticity of a response message, it MUST be
DKIM [RFC6376] signed. The resulting DKIM-Signature header field DKIM [RFC6376] signed. The resulting DKIM-Signature header field
MUST contain the "h=" tag that includes at least "From", MUST contain the "h=" tag that includes at least the From,
"Sender", "Reply-To", "To", "CC", "Subject", "Date", "In-Reply- Sender, Reply-To, To, CC, Subject, Date, In-Reply-To, References,
To", "References", "Message-ID", "Content-Type" and "Content- Message-ID, Content-Type, and Content-Transfer-Encoding header
Transfer-Encoding" header fields. The DKIM-Signature header fields. The DKIM-Signature header field's "h=" tag SHOULD also
field's "h=" tag SHOULD also include "Resent-Date", "Resent- include the Resent-Date, Resent-From, Resent-To, Resent-Cc, List-
From", "Resent-To", "Resent-Cc", "List-Id", "List-Help", "List- Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-
Unsubscribe", "List-Subscribe", "List-Post", "List-Owner", "List- Owner, List-Archive, and List-Unsubscribe-Post header fields.
Archive" and "List-Unsubscribe-Post" header fields. The domain The domain from the "d=" tag of DKIM-Signature header field MUST
from the "d=" tag of DKIM-Signature header field MUST be the same be the same as the domain from the From header field of the
as the domain from the From header field of the "response" email. "response" email.
Example ACME "response" email (note that for simplicity DKIM related Here is an example of an ACME "response" email (note that, for
header fields are not included). simplicity, DKIM-related header fields are not included).
Date: Sat, 5 Dec 2020 12:01:45 +0100 Date: Sat, 5 Dec 2020 12:01:45 +0100
Message-ID: <111-22222-3333333@example.com> Message-ID: <111-22222-3333333@example.com>
In-Reply-To: <A2299BB.FF7788@example.org> In-Reply-To: <A2299BB.FF7788@example.org>
From: alexey@example.com From: alexey@example.com
To: acme-generator@example.org To: acme-generator@example.org
Subject: Re: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME= Subject: Re: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME=
Content-Type: text/plain Content-Type: text/plain
MIME-Version: 1.0 MIME-Version: 1.0
-----BEGIN ACME RESPONSE----- -----BEGIN ACME RESPONSE-----
LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowy LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowy
jxAjEuX0= jxAjEuX0=
-----END ACME RESPONSE----- -----END ACME RESPONSE-----
Figure 2 Figure 2
3.3. Generating encryption only or signing only S/MIME certificates 3.3. Generating Encryption-Only or Signing-Only S/MIME Certificates
ACME extensions specified in this document can be used to request ACME extensions specified in this document can be used to request
signing only or encryption only S/MIME certificates. signing-only or encryption-only S/MIME certificates.
In order to request signing only S/MIME certificate, the CSR MUST In order to request signing-only S/MIME certificates, the CSR MUST
include the key usage extension with digitalSignature and/or include the key usage extension with digitalSignature and/or
nonRepudiation bits set. nonRepudiation bits set and no other bits set.
In order to request encryption only S/MIME certificate, the CSR MUST In order to request encryption-only S/MIME certificates, the CSR MUST
include the key usage extension with keyEncipherment and/or include the key usage extension with keyEncipherment or keyAgreement
keyAgreement bits set. bits set and no other bits set.
Presence of both of the above sets of key usage bits, as well as Presence of both of the above sets of key usage bits in the CSR, as
absence of key usage extension in the CSR, signals to ACME server to well as absence of the key usage extension in the CSR, signals to the
issue an S/MIME certificate suitable for both signing and encryption. ACME server to issue an S/MIME certificate suitable for both signing
and encryption.
4. Internationalization Considerations 4. Internationalization Considerations
[RFC8616] updated/clarified use of DKIM with Internationalized Email [RFC8616] updated/clarified use of DKIM with internationalized email
addresses [RFC6531]. Please consult RFC 8616 in regards to any addresses [RFC6531]. Please consult [RFC8616] in regards to any
changes that need to be implemented. changes that need to be implemented.
Use of non ASCII characters in left hand sides of Internationalized Use of non-ASCII characters in left-hand sides of internationalized
Email addresses requires putting Internationalized Email Addresses in email addresses requires putting internationalized email addresses in
X.509 Certificates [RFC8398]. X.509 certificates [RFC8398].
5. IANA Considerations 5. IANA Considerations
5.1. ACME Identifier Type 5.1. ACME Identifier Type
IANA is requested to register a new Identifier type in the "ACME IANA has registered a new identifier type in the "ACME Identifier
Identifier Types" registry defined in Section 9.7.7 of [RFC8555] with Types" registry defined in Section 9.7.7 of [RFC8555] with Label
Label "email" and a Reference to [RFCXXXX], [RFC5321] and [RFC6531]. "email" and a Reference to this document, [RFC5321], and [RFC6531].
The new Identifier Type corresponds to an (all ASCII) email address The new identifier type corresponds to an (all ASCII) email address
[RFC5321] or Internationalized Email addresses [RFC6531]. [RFC5321] or internationalized email addresses [RFC6531].
5.2. ACME Challenge Type 5.2. ACME Challenge Type
IANA is also requested to register a new entry in the "ACME IANA has registered a new entry in the "ACME Validation Methods"
Validation Methods" registry defined in Section 9.7.8 of [RFC8555]. registry defined in Section 9.7.8 of [RFC8555]. This entry is as
This entry is as follows: follows:
+----------------+-----------------+------+-----------+ +================+=================+======+===========+
| Label | Identifier Type | ACME | Reference | | Label | Identifier Type | ACME | Reference |
+================+=================+======+===========+
| email-reply-00 | email | Y | RFC 8823 |
+----------------+-----------------+------+-----------+ +----------------+-----------------+------+-----------+
| email-reply-00 | email | Y | [RFCXXXX] |
+----------------+-----------------+------+-----------+ Table 1
6. Security Considerations 6. Security Considerations
Please see Security Considerations of [RFC8555] for general security Please see the Security Considerations section of [RFC8555] for
considerations related to use of ACME. This challenge/response general security considerations related to the use of ACME. This
protocol demonstrates that an entity that controls the private key challenge/response protocol demonstrates that an entity that controls
(corresponding to the public key in the certificate) also controls the private key (corresponding to the public key in the certificate)
the named email account. The ACME server is confirming that the also controls the named email account. The ACME server is confirming
requested email address belongs to the entity that requested the that the requested email address belongs to the entity that requested
certificate, but this makes no claim to correctness or fitness-for- the certificate, but this makes no claim to address correctness or
purpose of the address. It such claims are needed they must be fitness for purpose. If such claims are needed, they must be
obtained by some other mechanism. obtained by some other mechanism.
The security of the "email-reply-00" challenge type depends on the The security of the "email-reply-00" challenge type depends on the
security of the email system. A third party that can read and reply security of the email system. A third party that can read and reply
to user's email messages (by possessing a user's password or a secret to user's email messages (by possessing a user's password or a secret
derived from it that can give read and reply access, such as derived from it that can give read and reply access, such as
"password equivalent" information; or by being given permissions to "password equivalent" information, or by being given permissions to
act on a user's behalf using email delegation feature common in some act on a user's behalf using email delegation features common in some
email systems) can request S/MIME certificates using the protocol email systems) can request S/MIME certificates using the protocol
specified in this document and is indistinguishable from the email specified in this document and is indistinguishable from the email
account owner. This has several possible implications: account owner. This has several possible implications:
1. an entity that compromised an email account would be able to 1. An entity that compromised an email account would be able to
request S/MIME certificates using the protocol specified in this request S/MIME certificates using the protocol specified in this
document and such entity couldn't be distinguished from the document, and such entity couldn't be distinguished from the
legitimate email account owner (unless some external sources of legitimate email account owner (unless some external sources of
information are consulted); information are consulted).
2. for email addresses with legitimate shared access/control by 2. For email addresses with legitimate shared access/control by
multiple users, any such user would be able to request S/MIME multiple users, any such user would be able to request S/MIME
certificates using the protocol specified in this document and certificates using the protocol specified in this document; such
such requests can't be attributed to a specific user without requests can't be attributed to a specific user without
consulting external systems (such as IMAP/SMTP access logs); consulting external systems (such as IMAP/SMTP access logs).
3. the protocol specified in this document is not suitable for use 3. The protocol specified in this document is not suitable for use
with email addresses associated with mailing lists [RFC5321]. with email addresses associated with mailing lists [RFC5321].
While it is not always possible to guarantee that a particular While it is not always possible to guarantee that a particular S/
S/MIME certificate request is not from a mailing list address, MIME certificate request is not from a mailing list address,
prohibition on inclusion of List-* header fields helps prohibition on inclusion of List-* header fields helps
Certificate Issuers to handle most common cases. certificate issuers to handle most common cases.
An email system in its turn depends on DNS. A third party that can An email system in its turn depends on DNS. A third party that can
manipulate DNS MX records for a domain might be able to redirect manipulate DNS MX records for a domain might be able to redirect an
email and can get (at least temporary) read and reply access to it. email and can get (at least temporary) read and reply access to it.
Similar considerations apply to DKIM TXT records in DNS. Use of Similar considerations apply to DKIM TXT records in DNS. Use of
DNSSEC by email system administrators is recommended to avoid making DNSSEC by email system administrators is recommended to avoid making
it easy to spoof DNS records affecting email system. However use of it easy to spoof DNS records affecting an email system. However, use
DNSSEC is not ubiquitous at the time of publishing of this document, of DNSSEC is not ubiquitous at the time of publishing of this
so it is not required here. Also, many existing systems that rely on document, so it is not required here. Also, many existing systems
verification of ownership of an email address, for example 2 factor that rely on verification of ownership of an email address -- for
authentication systems used by banks or traditional certificate example, 2-factor authentication systems used by banks or traditional
issuance systems send email messages to email addresses, expecting certificate issuance systems -- send email messages to email
the owner to click on the link supplied in them (or to reply to a addresses, expecting the owner to click on the link supplied in them
message), without requiring use of DNSSEC. So the risk of not (or to reply to a message), without requiring use of DNSSEC. So the
requiring DNSSEC is presumed acceptable in this document. risk of not requiring DNSSEC is presumed acceptable in this document.
An ACME email challenge message can be forged by an attacker. As per An ACME email challenge message can be forged by an attacker. As per
requirements on an ACME-email-aware MUA specified in Section 3, the requirements on an ACME-email-aware MUA specified in Section 3, the
MUA will not respond to requests it is not expecting. Even if the MUA will not respond to requests it is not expecting. Even if the
attacker causes the erroneous "response" email to go to an attacker- attacker causes the erroneous "response" email to go to an attacker-
controlled email address, very little information is leaked -- the controlled email address, very little information is leaked -- the
SHA-256 hash of the key authorization, not the key authorization SHA-256 hash of the key authorization would be leaked, not the key
itself, so no parts of the token or the the account key thumbprint authorization itself, so no parts of the token or the account key
are leaked. thumbprint are leaked.
An attacker that can read the "response" email has only one chance to An attacker that can read the "response" email has only one chance to
guess the token-part2. Even if the attacker can guess it right, it guess the token-part2. Even if the attacker can guess it right, it
still needs to know the ACME account key to be able to make use of still needs to know the ACME account key to be able to make use of
the intercepted SHA-256 hash of the key authorization. the intercepted SHA-256 hash of the key authorization.
Also see Security Considerations section of [RFC6376] for details on Also see the Security Considerations section of [RFC6376] for details
how DKIM depends on the DNS and the respective vulnerabilities this on how DKIM depends on the DNS and the respective vulnerabilities
dependence has. this dependence has.
7. References 7. References
7.1. Normative References 7.1. Normative References
[FIPS180-4]
National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-4, August 2015,
<https://csrc.nist.gov/publications/detail/fips/180/4/
final>.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
DOI 10.17487/RFC2046, November 1996, DOI 10.17487/RFC2046, November 1996,
<https://www.rfc-editor.org/info/rfc2046>. <https://www.rfc-editor.org/info/rfc2046>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 13, line 18 skipping to change at line 579
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008, DOI 10.17487/RFC5322, October 2008,
<https://www.rfc-editor.org/info/rfc5322>. <https://www.rfc-editor.org/info/rfc5322>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>. <https://www.rfc-editor.org/info/rfc5890>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76, "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
RFC 6376, DOI 10.17487/RFC6376, September 2011, RFC 6376, DOI 10.17487/RFC6376, September 2011,
<https://www.rfc-editor.org/info/rfc6376>. <https://www.rfc-editor.org/info/rfc6376>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<https://www.rfc-editor.org/info/rfc6531>. <https://www.rfc-editor.org/info/rfc6531>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8398] Melnikov, A., Ed. and W. Chuang, Ed., "Internationalized [RFC8398] Melnikov, A., Ed. and W. Chuang, Ed., "Internationalized
Email Addresses in X.509 Certificates", RFC 8398, Email Addresses in X.509 Certificates", RFC 8398,
DOI 10.17487/RFC8398, May 2018, DOI 10.17487/RFC8398, May 2018,
<https://www.rfc-editor.org/info/rfc8398>. <https://www.rfc-editor.org/info/rfc8398>.
[RFC8550] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ [RFC8550] Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
Certificate Handling", RFC 8550, DOI 10.17487/RFC8550, Certificate Handling", RFC 8550, DOI 10.17487/RFC8550,
April 2019, <https://www.rfc-editor.org/info/rfc8550>. April 2019, <https://www.rfc-editor.org/info/rfc8550>.
skipping to change at page 15, line 5 skipping to change at line 632
[RFC4021] Klyne, G. and J. Palme, "Registration of Mail and MIME [RFC4021] Klyne, G. and J. Palme, "Registration of Mail and MIME
Header Fields", RFC 4021, DOI 10.17487/RFC4021, March Header Fields", RFC 4021, DOI 10.17487/RFC4021, March
2005, <https://www.rfc-editor.org/info/rfc4021>. 2005, <https://www.rfc-editor.org/info/rfc4021>.
[RFC8058] Levine, J. and T. Herkula, "Signaling One-Click [RFC8058] Levine, J. and T. Herkula, "Signaling One-Click
Functionality for List Email Headers", RFC 8058, Functionality for List Email Headers", RFC 8058,
DOI 10.17487/RFC8058, January 2017, DOI 10.17487/RFC8058, January 2017,
<https://www.rfc-editor.org/info/rfc8058>. <https://www.rfc-editor.org/info/rfc8058>.
Appendix A. Acknowledgements Acknowledgements
Thank you to Andreas Schulze, Gerd v. Egidy, James A. Baker, Ben Thank you to Andreas Schulze, Gerd v. Egidy, James A. Baker, Ben
Schwartz, Peter Yee, Hilarie Orman, Michael Jenkins, Barry Leiba, Schwartz, Peter Yee, Hilarie Orman, Michael Jenkins, Barry Leiba,
Fraser Tweedale, Daniel Kahn Gillmor and Benjamin Kaduk for Fraser Tweedale, Daniel Kahn Gillmor, and Benjamin Kaduk for their
suggestions, comments, and corrections on this document. suggestions, comments, and corrections of this document.
Author's Address Author's Address
Alexey Melnikov Alexey Melnikov
Isode Ltd Isode Ltd
14 Castle Mews 14 Castle Mews
Hampton, Middlesex TW12 2NP Hampton, Middlesex
UK TW12 2NP
United Kingdom
EMail: alexey.melnikov@isode.com Email: alexey.melnikov@isode.com
 End of changes. 95 change blocks. 
253 lines changed or deleted 265 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/