--- 1/draft-ietf-dmarc-arc-protocol-21.txt 2018-12-12 15:13:09.882032266 -0800
+++ 2/draft-ietf-dmarc-arc-protocol-22.txt 2018-12-12 15:13:09.958034117 -0800
@@ -1,23 +1,23 @@
DMARC Working Group K. Andersen
Internet-Draft LinkedIn
Intended status: Experimental B. Long, Ed.
-Expires: May 11, 2019 Google
+Expires: June 15, 2019 Google
S. Blank, Ed.
Valimail
M. Kucherawy, Ed.
TDP
- November 7, 2018
+ December 12, 2018
Authenticated Received Chain (ARC) Protocol
- draft-ietf-dmarc-arc-protocol-21
+ draft-ietf-dmarc-arc-protocol-22
Abstract
The Authenticated Received Chain (ARC) protocol provides an
authenticated "chain of custody" for a message, allowing each entity
that handles the message to see what entities handled it before, and
to see what the message's authentication assessment was at each step
in the handling.
ARC allows Internet Mail Handlers to attach assertions of message
@@ -39,21 +39,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on May 11, 2019.
+ This Internet-Draft will expire on June 15, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -967,21 +967,21 @@
EXAMPLE:
none
fail
fail
local_policy
arc=pass as[2].d=d2.example as[2].s=s2
as[1].d=d1.example as[1].s=s3
- remote-ip[1]=10.10.10.13
+ remote-ip[1]=2001:DB8::1A
In the above example DMARC XML reporting fragment, data relating to
specific validated ARC Sets are enumerated using array syntax (eg,
"as[2]" means AS header field with instance value of 2). d2.example
is the Sealing domain for ARC Set #2 (i=2) and d1.example is the
Sealing domain for ARC Set #1 (i=1).
Depending on the reporting practices of intermediate message
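Review bot: the new remote-ip[1] value uses the RFC 3849 documentation prefix, which is the right replacement for the private 10.10.10.13, but the explanatory paragraph that follows still describes only as[2]/as[1] and says nothing about remote-ip; add a sentence saying which hop's connecting address remote-ip[1] reports (the registry text later in this diff calls it the "IP address of originating SMTP connection"). Consider also writing the example in lowercase (2001:db8::1a), which is the canonical text form recommended by RFC 5952.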
@@ -997,21 +997,24 @@
Such information is also included in existing non-ARC related header
fields such as the "Received" header fields.
9. Security Considerations
The Security Considerations of [RFC6376] and [I-D-7601bis] apply
directly to this specification.
As with other domain authentication technologies (such as SPF, DKIM,
and DMARC), ARC makes no claims about the semantic content of
- messages.
+ messages. A received message with an ARC chain provides evidence (at
+ instance N) that: The sealing domain (ARC-Seal d=) processed a
+ message with this body, determined the reported ARC-Authentication-
+ Results, and the ARC chain 1..N-1.
9.1. Increased Header Field Size
Inclusion of Authenticated Received Chains into messages may cause
issues for older or constrained MTAs due to increased total header
field size. Large header field blocks, in general, may cause
failures to deliver or other outage scenarios for such MTAs. ARC
itself would not cause problems.
9.2. DNS Operations
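Review bot: the sentence added to Section 9 does not parse cleanly: after "provides evidence (at instance N) that:" the capitalised "The" reads as a new sentence, and the third item, "and the ARC chain 1..N-1", has no verb. Suggest: "A validated ARC Set at instance N provides evidence that the sealing domain (ARC-Seal d=) processed a message with this body, determined the reported ARC-Authentication-Results, and observed ARC Sets 1..N-1." Saying "validated" explicitly matters in a Security Considerations section, since an unverified chain is evidence of nothing; and note that it is the AMS (with its bh= body hash), not the ARC-Seal, that binds the body, so "ARC-Seal d=" is a loose reference if body coverage is the point being made.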
@@ -1093,44 +1096,36 @@
Code: "none", "pass", "fail"
Specification: this document 2.2
Status: active
10.2. Email Authentication Methods Registry Update
This draft adds several new items to the Email Authentication Methods
registry, most recently defined in [I-D-7601bis]:
o Method: arc
- Definition: this document
+ Definition: this document section 6
ptype: smtp
Property: remote-ip
- Value: IP address of originating SMTP connection
+ Value: IP address (v4 or v6) of originating SMTP connection
Status: active
Version: 1
o Method: arc
- Definition: this document
+ Definition: this document section 6
ptype: header
Property: oldest-pass
Value: The instance id of the oldest validating AMS, or 0 if they
all pass (see Section 5.2)
Status: active
Version: 1
- o Method: dkim
- Definition: [I-D-7601bis]
- ptype: header
- Property: s
- Value: value of signature "s" tag
- Status: active
- Version: 1
-
10.3. Definitions of the ARC header fields
This specification adds three new header fields to the "Permanent
Message Header Field Registry", as follows:
o Header field name: ARC-Seal
Applicable protocol: mail
Status: Experimental
Author/Change controller: IETF
Specification document(s): this document
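Review bot: "Definition: this document section 6" is styled differently from the entry in 10.1 just above, which reads "Specification: this document 2.2"; use one form (e.g. "this document, Section 6") across all registry entries. The remote-ip Value now says "(v4 or v6)" but gives no expected textual representation; a pointer to dotted-quad for v4 and RFC 5952 for v6 would keep reporters consistent with the 2001:DB8::1A example elsewhere in this diff. Removing the "dkim" method "s" property entry is correct: its Definition was [I-D-7601bis], so the registration belongs to that document, not this one.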
@@ -1704,28 +1700,28 @@
message and others which have not:
Return-Path:
Received: from example.org (example.org [208.69.40.157])
by gmail.example with ESMTP id d200mr22663000ykb.93.1421363207
for ; Thu, 14 Jan 2015 15:02:40 -0800 (PST)
Received: from segv.d1.example (segv.d1.example [72.52.75.15])
by lists.example.org (8.14.5/8.14.5) with ESMTP id t0EKaNU9010123
for ; Thu, 14 Jan 2015 15:01:30 -0800 (PST)
(envelope-from jqd@d1.example)
-Received: from [10.10.10.131] (w-x-y-z.dsl.static.isp.com [w.x.y.z])
+Received: from [2001:DB8::1A] (w-x-y-z.dsl.static.isp.example [w.x.y.z])
(authenticated bits=0)
by segv.d1.example with ESMTP id t0FN4a8O084569;
Thu, 14 Jan 2015 15:00:01 -0800 (PST)
(envelope-from jqd@d1.example)
-Received: from mail-ob0-f188.google.example (mail-ob0-f188.google.example
- [208.69.40.157]) by clochette.example.org with ESMTP id
- d200mr22663000ykb.93.1421363268
+Received: from mail-ob0-f188.google.example
+ (mail-ob0-f188.google.example [208.69.40.157]) by
+ clochette.example.org with ESMTP id d200mr22663000ykb.93.1421363268
for ; Thu, 14 Jan 2015 15:03:15 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=clochette.example.org; s=
clochette; t=12345; b=CU87XzXlNlk5X/yW4l73UvPUcP9ivwYWxyBWcVrRs7
+HPx3K05nJhny2fvymbReAmOA9GTH/y+k9kEc59hAKVg==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=
clochette.example.org; h=message-id:date:from:to:subject; s=
clochette; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZY
LQ=; b=o71vwyLsK+Wm4cOSlirXoRwzEvi0vqIjd/2/GkYFYlSd/GGfKzkAgPqxf
K7ccBMP7Zjb/mpeggswHjEMS8x5NQ==
ARC-Authentication-Results: i=3; clochette.example.org; spf=fail
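Review bot: the refolded Received field for clochette.example.org (the i=3 sealer) sits at the bottom of the trace block, below the gmail.example and lists.example.org hops, yet Received fields are prepended so the most recent hop appears first; if clochette sealed last, its Received field should be above the one "by gmail.example". While changing isp.com to isp.example and 10.10.10.131 to 2001:DB8::1A, the literals 208.69.40.157 and 72.52.75.15 were left untouched; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would keep the example out of real address space, consistent with the move to .example names.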
@@ -1741,34 +1737,34 @@
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t=
12345; b=Zpukh/kJL4Q7Kv391FKwTepgS56dgHIcdhhJZjsalhqkFIQQAJ4T9BE
8jjLXWpRNuh81yqnT1/jHn086RwezGw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=
gmail.example; h=message-id:date:from:to:subject; s=20120806; t=
12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=; b=CVoG44
cVZvoSs2mMig2wwqPaJ4OZS5XGMCegWqQs1wvRZJS894tJM0xO1RJLgCPsBOxdA5
9WSqI9s9DfyKDfWg==
ARC-Authentication-Results: i=2; gmail.example; spf=fail
smtp.from=jqd@d1.example; dkim=fail (512-bit key)
- header.i=@example.org; dmarc=fail; arc=pass (as.1.lists.example.org=pass,
- ams.1.lists.example.org=pass)
+ header.i=@example.org; dmarc=fail; arc=pass
+ (as.1.lists.example.org=pass, ams.1.lists.example.org=pass)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists;
t=12345; b=TlCCKzgk3TrAa+G77gYYO8Fxk4q/Ml0biqduZJeOYh6+0zhwQ8u/
lHxLi21pxu347isLSuNtvIagIvAQna9a5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
lists.example.org; h=message-id:date:from:to:subject; s=
dk-lists; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYL
Q=; b=DsoD3n3hiwlrN1ma8IZQFgZx8EDO7Wah3hUjIEsYKuShRKYB4LwGUiKD5Y
yHgcIwGHhSc/4+ewYqHMWDnuFxiQ==
-ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mfrom=jqd@d1.example;
- dkim=pass (512-bit key) header.i=@d1.example;
- dmarc=pass
+ARC-Authentication-Results: i=1; lists.example.org; spf=pass
+ smtp.mfrom=jqd@d1.example; dkim=pass (512-bit key)
+ header.i=@d1.example; dmarc=pass
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=d1.example; h=
message-id:date:from:to:subject; s=origin2015; bh=bIxxaeIQvmOBdT
AitYfSNFgzPP4=; b=qKjd5fYibKXWWIcMKCgRYuo1vJ2fD+IAQPjX+uamXIGY2Q
0HjQ+Lq3/yHzG3JHJp6780/nKQPOWt2UDJQrJkEA==
Message-ID: <54B84785.1060301@d1.example>
Date: Thu, 14 Jan 2015 15:00:01 -0800
From: John Q Doe
To: arc@dmarc.example
Subject: [List 2] Example 1
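Review bot: the refolded i=1 ARC-Authentication-Results uses "smtp.mfrom" while the i=2 field directly above it uses "smtp.from"; the property registered for the spf method in the Email Authentication Methods registry is "smtp.mailfrom", so both lines should be corrected to that rather than only re-wrapped. Separately, the i=2 field reports "dkim=fail (512-bit key) header.i=@example.org", but the only DKIM-Signature in the example is d=d1.example (which i=1 reports as dkim=pass); if an example.org signature is meant to have been added at the list hop it should appear in the message, otherwise the i=2 result should refer to d1.example.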