draft-ietf-dmarc-arc-multi-00.txt   draft-ietf-dmarc-arc-multi-01.txt 
DMARC Working Group K. Andersen DMARC Working Group K. Andersen
Internet-Draft LinkedIn Internet-Draft LinkedIn
Intended status: Experimental S. Blank, Ed. Intended status: Experimental S. Blank, Ed.
Expires: July 26, 2018 ValiMail Expires: September 20, 2018 ValiMail
J. Levine, Ed. J. Levine, Ed.
Taughannock Networks Taughannock Networks
January 22, 2018 March 19, 2018
Using Multiple Signing Algorithms with the ARC (Authenticated Received Using Multiple Signing Algorithms with the ARC (Authenticated Received
Chain) Protocol Chain) Protocol
draft-ietf-dmarc-arc-multi-00 draft-ietf-dmarc-arc-multi-01
Abstract Abstract
The Authenticated Received Chain (ARC) protocol creates a mechanism The Authenticated Received Chain (ARC) protocol creates a mechanism
whereby a series of handlers of an email message can conduct whereby a series of handlers of an email message can conduct
authentication of the email message as it passes among them on the authentication of the email message as it passes among them on the
way to its destination. way to its destination.
Initial development of ARC has been done with a single allowed Initial development of ARC has been done with a single allowed
signing algorithm, but parallel work in the DCRUP working group signing algorithm, but parallel work in the DCRUP working group
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 26, 2018. This Internet-Draft will expire on September 20, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Definitions and Terminology . . . . . . . . . . . . . . . . . 3 3. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
4. Supporting Alternate Signing Algorithms . . . . . . . . . . . 3 4. Supporting Alternate Signing Algorithms . . . . . . . . . . . 3
5. General Approach . . . . . . . . . . . . . . . . . . . . . . 3 5. General Approach . . . . . . . . . . . . . . . . . . . . . . 3
5.1. Signers . . . . . . . . . . . . . . . . . . . . . . . . . 3 5.1. Signers . . . . . . . . . . . . . . . . . . . . . . . . . 3
5.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 3 5.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 4
6. Phases of Algorithm Evolution . . . . . . . . . . . . . . . . 3 6. Phases of Algorithm Evolution . . . . . . . . . . . . . . . . 4
6.1. Introductory Period . . . . . . . . . . . . . . . . . . . 3 6.1. Introductory Period . . . . . . . . . . . . . . . . . . . 4
6.2. Co-Existence Period . . . . . . . . . . . . . . . . . . . 4 6.2. Co-Existence Period . . . . . . . . . . . . . . . . . . . 4
6.3. Deprecation Period . . . . . . . . . . . . . . . . . . . 4 6.3. Deprecation Period . . . . . . . . . . . . . . . . . . . 4
6.4. Obsolescence Period . . . . . . . . . . . . . . . . . . . 4 6.4. Obsolescence Period . . . . . . . . . . . . . . . . . . . 4
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
9. Security Considerations . . . . . . . . . . . . . . . . . . . 4 9. Security Considerations . . . . . . . . . . . . . . . . . . . 5
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
10.1. Normative References . . . . . . . . . . . . . . . . . . 4 10.1. Normative References . . . . . . . . . . . . . . . . . . 5
10.2. Informative References . . . . . . . . . . . . . . . . . 6 10.2. Informative References . . . . . . . . . . . . . . . . . 5
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 7 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6
Appendix B. Comments and Feedback . . . . . . . . . . . . . . . 7 Appendix B. Comments and Feedback . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
The Authenticated Received Chain (ARC) protocol adds a traceable The Authenticated Received Chain (ARC) protocol adds a traceable
chain of signatures that cover the handling of an email message chain of signatures that cover the handling of an email message
through a chain of intermediary handlers. through a chain of intermediary handlers.
Initial development of ARC has been done with a single allowed Initial development of ARC has been done with a single allowed
signing algorithm, but parallel work in the DCRUP working group signing algorithm, but parallel work in the DCRUP working group
(https://datatracker.ietf.org/wg/dcrup/about/) is expanding the (https://datatracker.ietf.org/wg/dcrup/about/) is expanding the
supported algorithms. This specification defines how to extend ARC supported algorithms. This specification defines how to extend ARC
for multiple signing algorithms. for multiple signing algorithms.
2. Overview 2. Overview
In order to phase in new signing algorithms, this specification In order to phase in new signing algorithms, this specification
identifies how signers and validators MUST process ARC sets found in identifies how signers and validators process ARC sets found in email
email messages. messages.
3. Definitions and Terminology 3. Definitions and Terminology
This section defines terms used in the rest of the document. This section defines terms used in the rest of the document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
Because many of the core concepts and definitions are found in Because many of the core concepts and definitions are found in
[RFC5598], readers SHOULD to be familiar with the contents of [RFC5598], readers should to be familiar with the contents of
[RFC5598], and in particular, the potential roles of intermediaries [RFC5598], and in particular, the potential roles of intermediaries
in the delivery of email. in the delivery of email and the problems [RFC7960] created by the
initial DMARC [RFC7489] .
4. Supporting Alternate Signing Algorithms 4. Supporting Alternate Signing Algorithms
During a period where multiple algorithms are allowed, all of the During a period where multiple algorithms are allowed, all of the
statements in the ARC spec which refer to "exactly one set of ARC statements in the ARC spec which refer to "exactly one set of ARC
headers per instance" need to be understood as "at least one set per headers per instance" need to be understood as "at least one set per
instance and no more than one set per instance per algorithm". instance and no more than one set per instance per algorithm".
5. General Approach 5. General Approach
5.1. Signers 5.1. Signers
Signers MUST initiate ARC signing of messages with all supported There is a separate independent signing chain for each signing
algorithms that they are capable of using. algorithm. Hence, when creating an ARC signature, a signer MUST
include only other signatures that use the same algorithm as the
signature being created.
Signers MUST continue ARC chains with all supported algorithms that Wnen signing a message with no previous ARC signatures, signers MUST
they are capable of using. sign using all supported algorithms.
A signer MUST continue the longest ARC chain(s) in a message with all
algorithms that it supports. That is, if at least one of the longest
chains uses an algorithm that a signer supports, the signer continues
the chain(s). If none of the longest chains in a message use an
algorithm supported by a signer, the signer MUST NOT extend any
chains, even if a shorter chain does use a supported algorithm.
5.2. Validators 5.2. Validators
Validators MUST use the longest ARC chain on the message for which A validator MUST use the longest ARC chain(s) on the message. If a
they can interpret the signing algorithm. validator cannot interpret the signing algorithm on any of the
longest chains, validation fails, evven if a shorter chain does use a
supported algorithm.
If there is more than one longest chain, the overall result reported
can be that of of any of the validations. The result used when
extending an ARC chain MUST be the result from validating that chain.
6. Phases of Algorithm Evolution 6. Phases of Algorithm Evolution
6.1. Introductory Period 6.1. Introductory Period
Intermediaries MUST be able to validate ARC chains built with either Intermediaries MUST be able to validate ARC chains built with either
algorithm but MAY create ARC sets with either (or both) algorithm. algorithm but MAY create ARC sets with either (or both) algorithm.
The introductory period should be at least six (6) months. The introductory period should be at least six (6) months.
skipping to change at page 4, line 45 skipping to change at page 5, line 18
9. Security Considerations 9. Security Considerations
No new security considerations are introduced by this specification No new security considerations are introduced by this specification
beyond those of the base [ARC-DRAFT-11] protocol. beyond those of the base [ARC-DRAFT-11] protocol.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC1345] Simonsen, K., "Character Mnemonics and Character Sets",
RFC 1345, DOI 10.17487/RFC1345, June 1992,
<https://www.rfc-editor.org/info/rfc1345>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and
Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997,
<https://www.rfc-editor.org/info/rfc2142>.
[RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
Names", BCP 32, RFC 2606, DOI 10.17487/RFC2606, June 1999,
<https://www.rfc-editor.org/info/rfc2606>.
[RFC3463] Vaudreuil, G., "Enhanced Mail System Status Codes",
RFC 3463, DOI 10.17487/RFC3463, January 2003,
<https://www.rfc-editor.org/info/rfc3463>.
[RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys
Identified Mail (DKIM)", RFC 4686, DOI 10.17487/RFC4686,
September 2006, <https://www.rfc-editor.org/info/rfc4686>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<https://www.rfc-editor.org/info/rfc5226>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008,
<https://www.rfc-editor.org/info/rfc5322>.
[RFC5585] Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
Identified Mail (DKIM) Service Overview", RFC 5585,
DOI 10.17487/RFC5585, July 2009,
<https://www.rfc-editor.org/info/rfc5585>.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598,
DOI 10.17487/RFC5598, July 2009, DOI 10.17487/RFC5598, July 2009,
<https://www.rfc-editor.org/info/rfc5598>. <https://www.rfc-editor.org/info/rfc5598>.
[RFC5863] Hansen, T., Siegel, E., Hallam-Baker, P., and D. Crocker,
"DomainKeys Identified Mail (DKIM) Development,
Deployment, and Operations", RFC 5863,
DOI 10.17487/RFC5863, May 2010,
<https://www.rfc-editor.org/info/rfc5863>.
[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76,
RFC 6376, DOI 10.17487/RFC6376, September 2011,
<https://www.rfc-editor.org/info/rfc6376>.
[RFC6377] Kucherawy, M., "DomainKeys Identified Mail (DKIM) and
Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377,
September 2011, <https://www.rfc-editor.org/info/rfc6377>.
[RFC6651] Kucherawy, M., "Extensions to DomainKeys Identified Mail
(DKIM) for Failure Reporting", RFC 6651,
DOI 10.17487/RFC6651, June 2012,
<https://www.rfc-editor.org/info/rfc6651>.
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for
Authorizing Use of Domains in Email, Version 1", RFC 7208,
DOI 10.17487/RFC7208, April 2014,
<https://www.rfc-editor.org/info/rfc7208>.
[RFC7601] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", RFC 7601,
DOI 10.17487/RFC7601, August 2015,
<https://www.rfc-editor.org/info/rfc7601>.
10.2. Informative References 10.2. Informative References
[ARC-DRAFT-11] [ARC-DRAFT-11]
Andersen, K., Long, B., and S. Jones, "Authenticated Andersen, K., Long, B., and S. Jones, "Authenticated
Received Chain (ARC) Protocol (I-D-11)", n.d., Received Chain (ARC) Protocol (I-D-11)", n.d.,
<https://tools.ietf.org/html/ <https://tools.ietf.org/html/
draft-ietf-dmarc-arc-protocol-11>. draft-ietf-dmarc-arc-protocol-11>.
[ENHANCED-STATUS]
"IANA SMTP Enhanced Status Codes", n.d.,
<http://www.iana.org/assignments/smtp-enhanced-status-
codes/smtp-enhanced-status-codes.xhtml>.
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982,
DOI 10.17487/RFC6982, July 2013,
<https://www.rfc-editor.org/info/rfc6982>.
[RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based [RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
Message Authentication, Reporting, and Conformance Message Authentication, Reporting, and Conformance
(DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015, (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
<https://www.rfc-editor.org/info/rfc7489>. <https://www.rfc-editor.org/info/rfc7489>.
[RFC7960] Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky, [RFC7960] Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky,
E., Ed., and K. Andersen, Ed., "Interoperability Issues E., Ed., and K. Andersen, Ed., "Interoperability Issues
between Domain-based Message Authentication, Reporting, between Domain-based Message Authentication, Reporting,
and Conformance (DMARC) and Indirect Email Flows", and Conformance (DMARC) and Indirect Email Flows",
RFC 7960, DOI 10.17487/RFC7960, September 2016, RFC 7960, DOI 10.17487/RFC7960, September 2016,
skipping to change at page 7, line 41 skipping to change at page 6, line 30
LinkedIn LinkedIn
1000 West Maude Ave 1000 West Maude Ave
Sunnyvale, California 94085 Sunnyvale, California 94085
US US
Email: kurta@linkedin.com Email: kurta@linkedin.com
Seth Blank (editor) Seth Blank (editor)
ValiMail ValiMail
Montgomery Montgomery
San Francisco San Francisco, California
US US
Email: seth@valimail.com Email: seth@valimail.com
John Levine (editor) John Levine (editor)
Taughannock Networks Taughannock Networks
PO Box 727 PO Box 727
Trumansburg Trumansburg, New York
US US
Email: standards@taugh.com Email: standards@taugh.com
 End of changes. 20 change blocks. 
113 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/