[Docs] [txt|pdf|xml] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03

DMARC Working Group                                          K. Andersen
Internet-Draft                                                  LinkedIn
Intended status: Experimental                              S. Blank, Ed.
Expires: July 26, 2018                                          ValiMail
                                                          J. Levine, Ed.
                                                    Taughannock Networks
                                                        January 22, 2018


 Using Multiple Signing Algorithms with the ARC (Authenticated Received
                            Chain) Protocol
                     draft-ietf-dmarc-arc-multi-00

Abstract

   The Authenticated Received Chain (ARC) protocol creates a mechanism
   whereby a series of handlers of an email message can conduct
   authentication of the email message as it passes among them on the
   way to its destination.

   Initial development of ARC has been done with a single allowed
   signing algorithm, but parallel work in the DCRUP working group
   (https://datatracker.ietf.org/wg/dcrup/about/) is expanding the
   supported algorithms.  This specification defines how to extend ARC
   for multiple signing algorithms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 26, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Andersen, et al.          Expires July 26, 2018                 [Page 1]


Internet-Draft                  ARC-Multi                   January 2018


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Definitions and Terminology . . . . . . . . . . . . . . . . .   3
   4.  Supporting Alternate Signing Algorithms . . . . . . . . . . .   3
   5.  General Approach  . . . . . . . . . . . . . . . . . . . . . .   3
     5.1.  Signers . . . . . . . . . . . . . . . . . . . . . . . . .   3
     5.2.  Validators  . . . . . . . . . . . . . . . . . . . . . . .   3
   6.  Phases of Algorithm Evolution . . . . . . . . . . . . . . . .   3
     6.1.  Introductory Period . . . . . . . . . . . . . . . . . . .   3
     6.2.  Co-Existence Period . . . . . . . . . . . . . . . . . . .   4
     6.3.  Deprecation Period  . . . . . . . . . . . . . . . . . . .   4
     6.4.  Obsolescence Period . . . . . . . . . . . . . . . . . . .   4
   7.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   4
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   4
     10.2.  Informative References . . . . . . . . . . . . . . . . .   6
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   7
   Appendix B.  Comments and Feedback  . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   The Authenticated Received Chain (ARC) protocol adds a traceable
   chain of signatures that cover the handling of an email message
   through a chain of intermediary handlers.

   Initial development of ARC has been done with a single allowed
   signing algorithm, but parallel work in the DCRUP working group
   (https://datatracker.ietf.org/wg/dcrup/about/) is expanding the
   supported algorithms.  This specification defines how to extend ARC
   for multiple signing algorithms.






Andersen, et al.          Expires July 26, 2018                 [Page 2]


Internet-Draft                  ARC-Multi                   January 2018


2.  Overview

   In order to phase in new signing algorithms, this specification
   identifies how signers and validators MUST process ARC sets found in
   email messages.

3.  Definitions and Terminology

   This section defines terms used in the rest of the document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Because many of the core concepts and definitions are found in
   [RFC5598], readers SHOULD to be familiar with the contents of
   [RFC5598], and in particular, the potential roles of intermediaries
   in the delivery of email.

4.  Supporting Alternate Signing Algorithms

   During a period where multiple algorithms are allowed, all of the
   statements in the ARC spec which refer to "exactly one set of ARC
   headers per instance" need to be understood as "at least one set per
   instance and no more than one set per instance per algorithm".

5.  General Approach

5.1.  Signers

   Signers MUST initiate ARC signing of messages with all supported
   algorithms that they are capable of using.

   Signers MUST continue ARC chains with all supported algorithms that
   they are capable of using.

5.2.  Validators

   Validators MUST use the longest ARC chain on the message for which
   they can interpret the signing algorithm.

6.  Phases of Algorithm Evolution

6.1.  Introductory Period

   Intermediaries MUST be able to validate ARC chains built with either
   algorithm but MAY create ARC sets with either (or both) algorithm.




Andersen, et al.          Expires July 26, 2018                 [Page 3]


Internet-Draft                  ARC-Multi                   January 2018


   The introductory period should be at least six (6) months.

6.2.  Co-Existence Period

   Intermediaries MUST be able to validate ARC chains build with either
   algorithm and MUST create ARC sets with both algorithms.  Chains
   ending with either algorithm may be used for the result.

6.3.  Deprecation Period

   ARC sets built with algorithms that are being deprecated MAY be
   considered valid within an ARC chain, however, intermediaries MUST
   NOT create additional sets with the deprecated algorithm.

   The deprecation period should be at least two (2) years.

6.4.  Obsolescence Period

   ARC sets built with algorithms that are obsolete MUST NOT be
   considered valid within an ARC chain.  Intermediaries MUST NOT create
   any sets with any obsoleted algorithm.

7.  Privacy Considerations

   No unique privacy considerations are introduced by this specification
   beyond those of the base [ARC-DRAFT-11] protocol.

8.  IANA Considerations

   No new IANA considerations are introduced by this specification.

9.  Security Considerations

   No new security considerations are introduced by this specification
   beyond those of the base [ARC-DRAFT-11] protocol.

10.  References

10.1.  Normative References

   [RFC1345]  Simonsen, K., "Character Mnemonics and Character Sets",
              RFC 1345, DOI 10.17487/RFC1345, June 1992,
              <https://www.rfc-editor.org/info/rfc1345>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.



Andersen, et al.          Expires July 26, 2018                 [Page 4]


Internet-Draft                  ARC-Multi                   January 2018


   [RFC2142]  Crocker, D., "Mailbox Names for Common Services, Roles and
              Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997,
              <https://www.rfc-editor.org/info/rfc2142>.

   [RFC2606]  Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
              Names", BCP 32, RFC 2606, DOI 10.17487/RFC2606, June 1999,
              <https://www.rfc-editor.org/info/rfc2606>.

   [RFC3463]  Vaudreuil, G., "Enhanced Mail System Status Codes",
              RFC 3463, DOI 10.17487/RFC3463, January 2003,
              <https://www.rfc-editor.org/info/rfc3463>.

   [RFC4686]  Fenton, J., "Analysis of Threats Motivating DomainKeys
              Identified Mail (DKIM)", RFC 4686, DOI 10.17487/RFC4686,
              September 2006, <https://www.rfc-editor.org/info/rfc4686>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <https://www.rfc-editor.org/info/rfc5226>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008,
              <https://www.rfc-editor.org/info/rfc5321>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.

   [RFC5585]  Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
              Identified Mail (DKIM) Service Overview", RFC 5585,
              DOI 10.17487/RFC5585, July 2009,
              <https://www.rfc-editor.org/info/rfc5585>.

   [RFC5598]  Crocker, D., "Internet Mail Architecture", RFC 5598,
              DOI 10.17487/RFC5598, July 2009,
              <https://www.rfc-editor.org/info/rfc5598>.

   [RFC5863]  Hansen, T., Siegel, E., Hallam-Baker, P., and D. Crocker,
              "DomainKeys Identified Mail (DKIM) Development,
              Deployment, and Operations", RFC 5863,
              DOI 10.17487/RFC5863, May 2010,
              <https://www.rfc-editor.org/info/rfc5863>.



Andersen, et al.          Expires July 26, 2018                 [Page 5]


Internet-Draft                  ARC-Multi                   January 2018


   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <https://www.rfc-editor.org/info/rfc6376>.

   [RFC6377]  Kucherawy, M., "DomainKeys Identified Mail (DKIM) and
              Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377,
              September 2011, <https://www.rfc-editor.org/info/rfc6377>.

   [RFC6651]  Kucherawy, M., "Extensions to DomainKeys Identified Mail
              (DKIM) for Failure Reporting", RFC 6651,
              DOI 10.17487/RFC6651, June 2012,
              <https://www.rfc-editor.org/info/rfc6651>.

   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
              Authorizing Use of Domains in Email, Version 1", RFC 7208,
              DOI 10.17487/RFC7208, April 2014,
              <https://www.rfc-editor.org/info/rfc7208>.

   [RFC7601]  Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", RFC 7601,
              DOI 10.17487/RFC7601, August 2015,
              <https://www.rfc-editor.org/info/rfc7601>.

10.2.  Informative References

   [ARC-DRAFT-11]
              Andersen, K., Long, B., and S. Jones, "Authenticated
              Received Chain (ARC) Protocol (I-D-11)", n.d.,
              <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-protocol-11>.

   [ENHANCED-STATUS]
              "IANA SMTP Enhanced Status Codes", n.d.,
              <http://www.iana.org/assignments/smtp-enhanced-status-
              codes/smtp-enhanced-status-codes.xhtml>.

   [RFC6982]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", RFC 6982,
              DOI 10.17487/RFC6982, July 2013,
              <https://www.rfc-editor.org/info/rfc6982>.

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
              Message Authentication, Reporting, and Conformance
              (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
              <https://www.rfc-editor.org/info/rfc7489>.





Andersen, et al.          Expires July 26, 2018                 [Page 6]


Internet-Draft                  ARC-Multi                   January 2018


   [RFC7960]  Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky,
              E., Ed., and K. Andersen, Ed., "Interoperability Issues
              between Domain-based Message Authentication, Reporting,
              and Conformance (DMARC) and Indirect Email Flows",
              RFC 7960, DOI 10.17487/RFC7960, September 2016,
              <https://www.rfc-editor.org/info/rfc7960>.

10.3.  URIs

   [1] mailto:dmarc@ietf.org

Appendix A.  Acknowledgements

   This draft is the work of DMARC Working Group.

   Grateful appreciation is extended to the people who provided feedback
   through the discuss mailing list.

Appendix B.  Comments and Feedback

   Please address all comments, discussions, and questions to
   dmarc@ietf.org [1].

Authors' Addresses

   Kurt Andersen
   LinkedIn
   1000 West Maude Ave
   Sunnyvale, California  94085
   US

   Email: kurta@linkedin.com


   Seth Blank (editor)
   ValiMail
   Montgomery
   San Francisco
   US

   Email: seth@valimail.com










Andersen, et al.          Expires July 26, 2018                 [Page 7]


Internet-Draft                  ARC-Multi                   January 2018


   John Levine (editor)
   Taughannock Networks
   PO Box 727
   Trumansburg
   US

   Email: standards@taugh.com












































Andersen, et al.          Expires July 26, 2018                 [Page 8]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/