idnits 2.17.1 draft-ietf-appsawg-rrvs-header-field-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 19, 2014) is 3632 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'NTP' -- Obsolete informational reference (is this intentional?): RFC 7001 (ref. 'AUTHRES') (Obsoleted by RFC 7601) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Mills 3 Internet-Draft Yahoo! Inc. 4 Intended status: Standards Track M. Kucherawy 5 Expires: October 21, 2014 Facebook, Inc. 6 April 19, 2014 8 The Require-Recipient-Valid-Since Header Field and SMTP Service 9 Extension 10 draft-ietf-appsawg-rrvs-header-field-11 12 Abstract 14 This document defines an extension for the Simple Mail Transfer 15 Protocol called RRVS, to provide a method for senders to indicate to 16 receivers a point in time when the the ownership of the target 17 mailbox was known to the sender. This can be used to detect changes 18 of mailbox ownership, and thus prevent mail from being delivered to 19 the wrong party. This document also defines a header field called 20 Require-Recipient-Valid-Since that can be used to tunnel the request 21 through servers that do not support the extension. 23 The intended use of these facilities is on automatically generated 24 messages, such as account statements or password change instructions, 25 that might contain sensitive information, though it may also be 26 useful in other applications. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on October 21, 2014. 45 Copyright Notice 47 Copyright (c) 2014 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 64 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 66 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 6 67 3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 6 68 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 69 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7 70 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 8 71 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 9 72 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 9 73 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 10 74 5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 11 75 6. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 11 76 6.1. Header Field Conversion . . . . . . . . . . . . . . . . . 12 77 7. Header Field with Multiple Recipients . . . . . . . . . . . . 13 78 8. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 13 79 8.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 14 80 8.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 14 81 8.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 14 82 8.4. Confidential Forwarding Addresses . . . . . . . . . . . . 15 83 8.5. Suggested Mailing List Enhancements . . . . . . . . . . . 15 84 9. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 15 85 10. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 16 86 11. Authentication-Results Definitions . . . . . . . . . . . . . . 16 87 12. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 88 12.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 17 89 12.2. Header Field Example . . . . . . . . . . . . . . . . . . . 18 90 12.3. Authentication-Results Example . . . . . . . . . . . . . . 18 91 13. Security Considerations . . . . . . . . . . . . . . . . . . . 18 92 13.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 18 93 13.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 19 94 13.3. False Sense of Security . . . . . . . . . . . . . . . . . 19 95 13.4. Reassignment of Mailboxes . . . . . . . . . . . . . . . . 19 96 14. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 20 97 14.1. The Trade-Off . . . . . . . . . . . . . . . . . . . . . . 20 98 14.2. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 20 99 14.3. Envelope Recipients . . . . . . . . . . . . . . . . . . . 20 100 14.4. Risks with Use . . . . . . . . . . . . . . . . . . . . . . 21 101 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 102 15.1. SMTP Extension Registration . . . . . . . . . . . . . . . 21 103 15.2. Header Field Registration . . . . . . . . . . . . . . . . 21 104 15.3. Enhanced Status Code Registration . . . . . . . . . . . . 21 105 15.4. Authentication Results Registration . . . . . . . . . . . 22 106 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 107 16.1. Normative References . . . . . . . . . . . . . . . . . . . 23 108 16.2. Informative References . . . . . . . . . . . . . . . . . . 24 109 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 24 111 1. Introduction 113 Email addresses sometimes get reassigned to a different person. For 114 example, employment changes at a company can cause an address used 115 for an ex-employee to be assigned to a new employee, or a mail 116 service provider (MSP) might expire an account and then let someone 117 else register for the local-part that was previously used. Those who 118 sent mail to the previous owner of an address might not know that it 119 has been reassigned. This can lead to the sending of email to the 120 correct address, but the wrong recipient. This situation is of 121 particular concern with transactional mail related to purchases, 122 online accounts, and the like. 124 What is needed is a way to indicate an attribute of the recipient 125 that will distinguish between the previous owner of an address and 126 its current owner, if they are different. Further, this needs to be 127 done in a way that respects privacy. 129 The mechanisms specified here allow the sender of the mail to 130 indicate how "old" the address assignment is expected to be. In 131 effect, the sender is saying, "I know that the intended recipient was 132 using this address at this point in time. I don't want this message 133 delivered to anyone else" A receiving system can then compare this 134 information against the point in time at which the address was 135 assigned to its current user. If the assignment was made later than 136 the point in time indicated in the message, there is a good chance 137 the current user of the address is not the correct recipient. The 138 receiving system can then prevent delivery and, preferably, notify 139 the original sender of the problem. 141 The primary application is transactional mail (such as account 142 information, password change requests, and other automatically 143 generated messages) rather than user-authored content. However, it 144 may be useful in other contexts; for example, a personal address book 145 could record the time an email address was added to it, and thus use 146 that time with this extension. 148 Because the use cases for this extension are strongly tied to privacy 149 issues, attention to the Security Considerations (Section 13) and the 150 Privacy Considerations (Section 14), is particularly important. 151 Note, especially, the limitation described in Section 13.3. 153 2. Definitions 155 For a description of the email architecture, consult [EMAIL-ARCH]. 157 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 158 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 159 document are to be interpreted as described in [KEYWORDS]. 161 3. Description 163 To address the problem described in Section 1, a mail sending client 164 (usually an automated agent) needs to indicate to the server to which 165 it is connecting that it expects the destination address of the 166 message to have been under continuous ownership (see Section 9) since 167 a specified point time. That specified time would be the time when 168 the intended recipient gave the address to the message author, or 169 perhaps a more recent time when the intended recipient reconfirmed 170 ownership of the address with the sender. 172 Two mechanisms are defined here: an extension to the Simple Mail 173 Transfer Protocol [SMTP] and a new message header field. The SMTP 174 extension permits strong assurance of enforcement by confirming 175 support at each handling step for a message, and the option to demand 176 support at all nodes in the handling path of the message (and 177 returning of the message to the originator otherwise). The header 178 field can be used when the Message Delivery Agent (MDA) supports this 179 function, but an intermediary system between the sending system and 180 the MDA does not. However, the header field does not provide the 181 same strong assurance described above, and is more prone to exposure 182 of private information (see Section 14.1). 184 The SMTP extension is called "RRVS" (Require Recipient Valid Since), 185 and adds a parameter to the SMTP "RCPT" command that indicates the 186 most recent point in time when the message author believed the 187 destination mailbox to be under the continuous ownership of a 188 specific party. Similarly, the Require-Recipient-Valid-Since header 189 field includes an intended recipient coupled with a timestamp 190 indicating the same thing. 192 3.1. The 'RRVS' SMTP Extension 194 Extensions to SMTP are described in Section 2.2 of [SMTP]. 196 The name of the extension is "RRVS", an abbreviation of "Require 197 Recipient Valid Since". Servers implementing the SMTP extension 198 advertise an additional EHLO keyword of "RRVS", which has no 199 associated parameters, introduces no new SMTP commands, and does not 200 alter the MAIL command. 202 A Message Transfer Agent (MTA) implementing RRVS can transmit or 203 accept one new parameter to the RCPT command. An MDA can also accept 204 this new parameter. The parameter is "RRVS", and the value is a 205 timestamp expressed as a "date-time" as defined in [DATETIME], with 206 the added restriction that a "time-secfrac" MUST NOT be used. The 207 timestamp MAY optionally be followed by a semi-colon character and a 208 letter (known as the "no-support action") indicating the action to be 209 taken when a downstream MTA is discovered that does not support the 210 extension. Valid actions are "R" (reject; the default) and "C" 211 (continue). 213 Formally, the new parameter and its value are defined as follows: 215 rrvs-param = "RRVS=" date-time [ ";" ( "C" / "R" ) ] 217 Accordingly, this extension increases the maximum command length for 218 the RCPT command by 33 characters. 220 The meaning of this extension, when used, is described in 221 Section 5.1. 223 3.2. The 'Require-Recipient-Valid-Since' Header Field 225 The general constraints on syntax and placement of header fields in a 226 message are defined in Internet Message Format [MAIL]. 228 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: 230 rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time 231 CRLF 233 "date-time" is defined in Section 3.3, and "addr-spec" is defined in 234 Section 3.4.1, of [MAIL]. 236 3.3. Timestamps 238 The header field version of this protocol has a different format for 239 the date and time expression than the SMTP extension does. This is 240 because message header fields use a format to express time and date 241 that is specific to message header fields, and this is consistent 242 with that usage. 244 Use of both date and time is done to be consistent with how current 245 implementations typically store the timestamp, and to make it easy to 246 include the time zone. In practice, granularity beyond the date may 247 or may not be useful. 249 4. Use By Generators 251 When a message is generated whose content is sufficiently sensitive 252 that an author or author's Administrative Management Domain (ADMD; 253 see [EMAIL-ARCH]) wishes to protect against misdelivery using this 254 protocol, it determines for each recipient mailbox on the message a 255 timestamp at which it last confirmed ownership of that mailbox. It 256 then applies the SMTP extension when sending the message to its 257 destination. 259 In cases where the outgoing MTA does not support the extension, the 260 header field defined above can be used to pass the request through 261 that system. However, use of the header field is only a "best- 262 effort" approach to solving the stated goals, and it has some 263 shortcomings: 265 1. The positive confirmation of support at each handling node, with 266 the option to return the message to the originator when end-to- 267 end support cannot be confirmed, will be unavailable; 269 2. The protocol is focused on affecting delivery (that is, the 270 transaction) rather than on content, and therefore use of a 271 header field in the content is generally inappropriate; 273 3. The mechanism cannot be used with multiple recipients without 274 unintentionally exposing information about one recipient to the 275 others (see Section 7; and 277 4. There is a risk of the timestamp parameter being inadvertently 278 forwarded, automatically or intentionally by the user (since user 279 agents might not reveal the presence of the header field), and 280 therefore exposed to unintended recipients. (See Section 14.4.) 282 Thus, the header field format MUST NOT be used unless the originator 283 or relay has specific knowledge that the receiving MDA or an 284 intermediary MTA will apply it properly. In any case, it SHOULD NOT 285 be used for the multi-recipient case. 287 Use of the header field mechanism is further restricted by the 288 practices described in Section 7.2 of [SMTP], Section 3.6.3 of 289 [MAIL], and Section 7 of this document. 291 5. Handling By Receivers 293 If a receiver implements this specification, then there are two 294 possible evaluation paths: 296 1. The sending client uses the extension, and so there was an RRVS 297 parameter on a RCPT TO command in the SMTP session and the 298 parameters of interest are taken only from there (and the header 299 field, if present, is disregarded); or 301 2. The sending client does not use the extension, so the RRVS 302 parameter was not present on the RCPT TO commands in the SMTP 303 session, but the corresponding header field might be present in 304 the message. 306 When the continuous ownership test fails for transient reasons (such 307 as an unavailable database or other condition that is likely 308 temporary), normal transient failure handling for the message is 309 applied. 311 If the continuous ownership test cannot be completed because the 312 necessary datum (the mailbox creation or reassignment date/time) was 313 not recorded, the MDA doing the evaluation selects a date and time to 314 use that is the latest possible point in time at which the mailbox 315 could have been created or reassigned. For example, this might be 316 the earliest of all recorded mailbox creation/reassignment 317 timestamps, or the time when the host was first installed. If no 318 reasonable substitute for the timestamp can be selected, the MDA 319 rejects the message using an SMTP reply code, preferably with an 320 enhanced mail system status code (see Section 15.3), that indicates 321 the test cannot be completed. A message originator can then decide 322 whether to reissue the message without RRVS protection, or find 323 another way to reach the mailbox owner. 325 5.1. SMTP Extension Used 327 For an MTA supporting the SMTP extension, the requirement is to 328 continue enforcement of RRVS during the relaying process to the next 329 MTA or the MDA. 331 A receiving MTA or MDA that implements the SMTP extension declared 332 above and observes an RRVS parameter on a RCPT TO command checks 333 whether the current owner of the destination mailbox has held it 334 continuously, far enough back to include the given point in time, and 335 delivers it unless that check returns in the negative. Specifically, 336 an MDA will do the following before continuing with delivery: 338 1. Ignore the parameter if the named mailbox is known to be a role 339 account as listed in Mailbox Names For Common Services, Roles And 340 Functions [ROLES]. 342 2. If the address is not known to be a role account, and if that 343 address has not been under continuous ownership since the 344 timestamp specified in the extension, return a 550 error to the 345 RCPT command. (See also Section 15.3.) 347 5.1.1. Relays 349 An MTA that does not make mailbox ownership checks, such as an MTA 350 positioned to do SMTP ingress at an organizational boundary, SHOULD 351 relay the RRVS extension parameter to the next MTA or MDA so that it 352 can be processed there. 354 For the SMTP extension, the optional RRVS parameter defined in 355 Section 5.1 indicates the action to be taken when relaying a message 356 to another MTA that does not advertise support for this extension. 357 When this is the case and the no-support action was not specified or 358 is "R" (reject), the MTA handling the message MUST reject the message 359 by: 361 1. returning a 550 error to the DATA command, if synchronous service 362 is being provided to the SMTP client that introduced the message; 363 or 365 2. generating a [DSN] to indicate to the originator of the message 366 that the non-delivery occurred, and terminating further relay 367 attempts. 369 An enhanced mail system status code is defined for such rejections in 370 Section 15.3. 372 See Section 8.2 for additional discussion. 374 When relaying, an MTA MUST preserve the no-support action if it was 375 used by the SMTP client. 377 5.2. Header Field Used 379 A receiving system that implements this specification, upon receiving 380 a message bearing a Require-Recipient-Valid-Since header field when 381 no corresponding RRVS SMTP extension was used, checks whether the 382 destination mailbox owner has held it continuously, far enough back 383 to include the given date-time, and delivers it unless that check 384 returns in the negative. Expressed as a sequence of steps: 386 1. Extract those Require-Recipient-Valid-Since fields from the 387 message that contain a recipient for which no corresponding RRVS 388 SMTP extension was used. 390 2. Discard any such fields that match any of these criteria: 392 * are syntactically invalid; 393 * name a role account as listed in [ROLES]; 395 * the "addr-spec" portion does not match a current recipient, as 396 listed in the RCPT TO commands in the SMTP session; or 398 * the "addr-spec" portion does not refer to a mailbox handled 399 for local delivery by this ADMD. 401 3. For each field remaining, determine if the named address has been 402 under continuous ownership since the corresponding timestamp. If 403 it has not, reject the message. 405 4. RECOMMENDED: If local delivery is being performed, remove all 406 instances of this field prior to delivery to a mailbox; if the 407 message is being forwarded, remove those instances of this header 408 field that were not discarded by step 2 above. 410 Handling proceeds normally upon completion of the above steps if 411 rejection has not been performed. 413 The final step is not mandatory as not all mail handling agents are 414 capable of stripping away header fields, and there are sometimes 415 reasons to keep the field intact such as debugging or presence of 416 digital signatures that might be invalidated by such a change. See 417 Section 10 for additional discussion. 419 If a message is to be rejected within the SMTP protocol itself 420 (versus generating a rejection message separately), servers 421 implementing this protocol SHOULD also implement the SMTP extension 422 described in Enhanced Mail System Status Codes [ESC] and use the 423 enhanced status codes described in Section 15.3 as appropriate. 425 Implementation by this method is expected to be transparent to non- 426 participants, since they would typically ignore this header field. 428 This header field is not normally added to a message that is 429 addressed to multiple recipients. The intended use of this field 430 involves an author seeking to protect transactional or otherwise 431 sensitive data intended for a single recipient, and thus generating 432 independent messages for each individual recipient is normal 433 practice. See Section 7 for further discussion and restrictions. 435 5.2.1. Design Choices 437 The presence of the address in the field content supports the case 438 where a message bearing this header field is forwarded. The specific 439 use case is as follows: 441 1. A user subscribes to a service "S" on date "D" and confirms an 442 email address at the user's current location, "A"; 444 2. At some later date, the user intends to leave the current 445 location, and thus creates a new mailbox elsewhere, at "B"; 447 3. The user configures address "A" to forward to "B"; 449 4. "S" constructs a message to "A" claiming that address was valid 450 at date "D" and sends it to "A"; 452 5. The receiving MTA for "A" determines that the forwarding in 453 effect was created by the same party that owned the mailbox 454 there, and thus concludes the continuous ownership test has been 455 satisfied; 457 6. If possible, the MTA for "A" removes this header field from the 458 message, and in either case, forwards it to "B"; 460 7. On receipt at "B", either the header field has been removed, or 461 the header field does not refer to a current envelope recipient, 462 and in either case delivers the message. 464 Section 8 discusses some interesting use cases, such as the case 465 where "B" above results in further forwarding of the message. 467 SMTP has never required any correspondence between addresses in the 468 RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a 469 message, which is why the header field defined here contains the 470 recipient address to which the timestamp applies. 472 5.3. Clock Synchronization 474 The timestamp portion of this specification supports a precision at 475 the seconds level. Although uncommon, it is not impossible for a 476 clock at either a generator or a receiver to be incorrect, leading to 477 an incorrect result in the RRVS evaluation. 479 To minimize the risk of such incorrect results, both generators and 480 receivers implementing this specification MUST use a standard clock 481 synchronization protocol such as [NTP] to synchronize to a common 482 clock. 484 6. Relaying Without RRVS Support 486 When a message is received using the SMTP extension defined here but 487 will not be delivered locally (that is, it needs to be relayed 488 further), the MTA to which the relay will take place might not be 489 compliant with this specification. Where the MTA in possession of 490 the message observes it is going to relay the message to an MTA that 491 does not advertise this extension, it needs to choose one of the 492 following actions: 494 1. Decline to relay the message further, preferably generating a 495 Delivery Status Notification [DSN] to indicate failure 496 (RECOMMENDED); 498 2. Downgrade the data thus provided in the SMTP extension to a 499 header field, as described in Section 6.1 below (SHOULD NOT 500 unless the conditions in that section are satisfied, and only 501 when the previous option is not available); or 503 3. Silently continue with delivery, dropping the protection offered 504 by this protocol. 506 Using other than the first option needs to be avoided unless there is 507 specific knowledge that further relaying with the degraded 508 protections thus provided does not introduce undue risk. 510 6.1. Header Field Conversion 512 If an SMTP server ("B") receives a message bearing one or more 513 Require-Recipient-Valid-Since from a client ("A"), presumably because 514 "A" does not support the SMTP extension, and needs to relay the 515 corresponding message on to another server ("C") (thereby becoming a 516 client), and "C" advertises support for the SMTP extension, "B" 517 SHOULD delete the header field(s) and instead relay this information 518 by making use of the SMTP extension. Note that such modification of 519 the header might affect later validation of the header upon delivery; 520 for example, a hash of the modified header would produce a different 521 result. This might be a valid cause for some operators to skip this 522 delete operation. 524 Conversely, if "B" has received a mailbox timestamp from "A" using 525 the SMTP extension for which it must now relay the message on to "C", 526 but "C" does not advertise the SMTP extension, and "B" does not 527 reject the message because rejection was specifically declined by the 528 client (see Section 5.1.1), "B" SHOULD add a Require-Recipient-Valid- 529 Since header field matching the mailbox to which relaying is being 530 done, and the corresponding valid-since timestamp for it, if it has 531 prior information that the eventual MDA or another intermediate MTA 532 supports this mechanism and will be able to process the header field 533 as described in this specification. 535 The admonitions about very cautious use of the header field described 536 in Section 4 apply to this relaying mechanism as well. If multiple 537 mailbox timestamps are received from "A", the admonitions in 538 Section 7 also apply. 540 7. Header Field with Multiple Recipients 542 Numerous issues arise when using the header field form of this 543 extension, particularly when multiple recipients are specified for a 544 single message resulting in multiple fields each with a distinct 545 address and timestamp. 547 Because of the nature of SMTP, a message bearing a multiplicity of 548 Require-Recipient-Valid-Since header fields could result in a single 549 delivery attempt for multiple recipients (in particular, if two of 550 the recipients are handled by the same server), and if any one of 551 them fails the test, the delivery fails to all of them; it then 552 becomes necessary to do one of the following: 554 o reject the message on completion of the DATA phase of the SMTP 555 session, which is a rejection of delivery to all recipients; or 557 o accept the message on completion of DATA, and then generate a 558 Delivery Status Notification [DSN] message for each of the failed 559 recipients. 561 Additional complexity arises when a message is sent to two 562 recipients, "A" and "B", presumably with different timestamps, both 563 of which are then redirected to a common address "C". The author is 564 not necessarily aware of the current or past ownership of mailbox 565 "C", or indeed that "A" and/or "B" have been redirected. This might 566 result in either or both of the two deliveries failing at "C", which 567 is likely to confuse the message author, who (as far as the author is 568 aware) never sent a message to "C" in the first place. 570 Finally, there is an obvious concern with the fan-out of a message 571 bearing the timestamps of multiple users; tight control over the 572 handling of the timestamp information is very difficult to assure as 573 the number of handling agents increases. 575 8. Special Use Addresses 577 In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to 578 request generation of DSNs, and related information to allow such 579 reports to be maximally useful. Section 5.2.7 of that document 580 explored the issue of the use of that extension where the recipient 581 is a mailing list. This extension has similar concerns which are 582 covered here following that document as a model. 584 For all cases described below, a receiving MTA SHOULD NOT introduce 585 RRVS in either form (SMTP extension or header field) if the message 586 did not arrive with RRVS in use. This would amount to second- 587 guessing of the message originator's intention and might lead to an 588 undesirable outcome. 590 8.1. Mailing Lists 592 Delivery to a mailing list service is considered a final delivery. 593 Where this protocol is in use, it is evaluated as per any normal 594 delivery: If the same mailing list has been operating in place of the 595 specified recipient mailbox since at least the timestamp given as the 596 RRVS parameter, the message is delivered to the list service 597 normally, and is otherwise not delivered. 599 It is important, however, that the participating MDA passing the 600 message to the list service needs to omit the RRVS parameter in 601 either form (SMTP extension or header field) when doing so. The 602 emission of a message from the list service to its subscribers 603 constitutes a new message not covered by the previous transaction. 605 8.2. Single-Recipient Aliases 607 Upon delivery of an RRVS-protected message to an alias (acting in 608 place of a mailbox) that results in relaying of the message to a 609 single other destination, the usual RRVS check is performed. The 610 continuous ownership test here might succeed if, for example, a 611 conventional user inbox was replaced with an alias on behalf of that 612 same user, and the time when this was done is recorded in a way that 613 can be queried by the relaying MTA. 615 If the relaying system also performs some kind of step where 616 ownership of the new destination address is confirmed, it SHOULD 617 apply RRVS using the later of that timestamp and the one that was 618 used inbound. This also allows for changes to the alias without 619 disrupting the protection offered by RRVS. 621 If the relaying system has no such time records related to the new 622 destination address, the RRVS SMTP extension is not used on the 623 relaying SMTP session, and the header field relative to the local 624 alias is removed, in accordance with Section 5. 626 8.3. Multiple-Recipient Aliases 628 Upon delivery of an RRVS-protected message to an alias (acting in 629 place of a mailbox) that results in relaying of the message to 630 multiple other destinations, the usual RRVS check is performed as in 631 Section 8.2. The MTA expanding such an alias then decides which of 632 the options enumerated in that section is to be applied for each new 633 recipient. 635 8.4. Confidential Forwarding Addresses 637 In the above cases, the original author could receive message 638 rejections, such as DSNs, from the ultimate destination, where the 639 RRVS check (or indeed, any other) fails and rejection is warranted. 640 This can reveal the existence of a forwarding relationship between 641 the original intended recipient and the actual final recipient. 643 Where this is a concern, the initial delivery attempt is to be 644 treated like a mailing list delivery, with RRVS evaluation done and 645 then all RRVS information removed from the message prior to relaying 646 it to its true destination. 648 8.5. Suggested Mailing List Enhancements 650 Mailing list services could store the timestamp at which a subscriber 651 was added to a mailing list. This specification could then be used 652 in conjunction with that information in order to restrict list 653 traffic to the original subscriber, rather than a different person 654 now in possession of an address under which the original subscriber 655 was added to the list. Upon receiving a rejection caused by this 656 specification, the list service can remove that address from further 657 distribution. 659 A mailing list service that receives a message containing the header 660 field defined here needs to remove it from the message prior to 661 redistributing it, limiting exposure of information regarding the 662 relationship between the message's author and the mailing list. 664 9. Continuous Ownership 666 For the purposes of this specification, an address is defined as 667 having been under continuous ownership since a given date-time if a 668 message sent to the address at any point since the given date would 669 not go to anyone except the owner at that given date-time. That is, 670 while an address may have been suspended or otherwise disabled for 671 some period, any mail actually delivered would have been delivered 672 exclusively to the same owner. It is presumed that some sort of 673 relationship exists between the message sender and the intended 674 recipient. Presumably there has been some confirmation process 675 applied to establish this ownership of the receiver's mailbox; 676 however, the method of making such determinations is a local matter 677 and outside the scope of this document. 679 Evaluating the notion of continuous ownership is accomplished by 680 doing any query that establishes whether the above condition holds 681 for a given mailbox. 683 Determining continuous ownership of a mailbox is a local matter at 684 the receiving site. The only possible answers to the continuous- 685 ownership-since question are "yes", "no", and "unknown"; the action 686 to be taken in the "unknown" case is a matter of local policy. 688 For example, when control of a domain name is transferred, the new 689 domain owner might be unable to determine whether the owner of the 690 subject address has been under continuous ownership since the stated 691 date if the mailbox history is not also transferred (or was not 692 previously maintained). It will also be "unknown" if whatever 693 database contains mailbox ownership data is temporarily unavailable 694 at the time a message arrives for delivery. In this latter case, 695 typical SMTP temporary failure handling is appropriate. 697 To avoid exposing account details unnecessarily, if the address 698 specified has had one continuous owner since it was created, any 699 confirmation date SHOULD be considered to pass the test, even if that 700 date is earlier than the account creation date. This is further 701 discussed in Section 13. 703 10. Digital Signatures 705 This protocol mandates removal of the header field (when used) upon 706 delivery in all but exceptional circumstances. If a message with the 707 header field were digitally signed in a way that included the header 708 field, altering a message in this way would invalidate the signature. 709 However, the header field is strictly for tunneling purposes and 710 should be regarded by the rest of the transport system as purely 711 trace information. 713 Accordingly, the header field MUST NOT be included in the content 714 covered by digital signatures. 716 11. Authentication-Results Definitions 718 [AUTHRES] defines a mechanism for indicating, via a header field, the 719 results of message authentication checks. Section 15 registers RRVS 720 as a new method that can be reported in this way, and corresponding 721 result names. The possible result names and their meanings are as 722 follows: 724 none: The message had no recipient mailbox timestamp associated with 725 it, either via the SMTP extension or header field method; this 726 protocol was not in use. 728 unknown: At least one form of this protocol was in use, but 729 continuous ownership of the recipient mailbox could not be 730 determined. 732 temperror: At least one form of this protocol was in use, but some 733 kind of error occurred during evaluation that was transient in 734 nature; a later retry will likely produce a final result. 736 permerror: At least one form of this protocol was in use, but some 737 kind of error occurred during evaluation that was not recoverable; 738 a later retry will not likely produce a final result. 740 pass: At least one form of this protocol was in use, and the 741 destination mailbox was confirmed to have been under continuous 742 ownership since the timestamp thus provided. 744 fail: At least one form of this protocol was in use, and the 745 destination mailbox was confirmed not to have been under 746 continuous ownership since the timestamp thus provided. 748 Where multiple recipients are present on a message, multiple results 749 can be reported using the mechanism described in [AUTHRES]. 751 12. Examples 753 In the following examples, "C:" indicates data sent by an SMTP 754 client, and "S:" indicates responses by the SMTP server. Message 755 content is CRLF terminated, though these are omitted here for ease of 756 reading. 758 12.1. SMTP Extension Example 760 C: [connection established] 761 S: 220 server.example.com ESMTP ready 762 C: EHLO client.example.net 763 S: 250-server.example.com 764 S: 250 RRVS 765 C: MAIL FROM: 766 S: 250 OK 767 C: RCPT TO: RRVS=2014-04-03T23:01:00Z 768 S: 550 5.7.17 receiver@example.com is no longer valid 769 C: QUIT 770 S: 221 So long! 772 12.2. Header Field Example 774 C: [connection established] 775 S: 220 server.example.com ESMTP ready 776 C: HELO client.example.net 777 S: 250 server.example.com 778 C: MAIL FROM: 779 S: 250 OK 780 C: RCPT TO: 781 S: 250 OK 782 C: DATA 783 S: 354 Ready for message content 784 C: From: Mister Sender 785 To: Miss Receiver 786 Subject: Are you still there? 787 Date: Fri, 28 Jun 2013 18:01:01 +0200 788 Require-Recipient-Valid-Since: receiver@example.com; 789 Sat, 1 Jun 2013 09:23:01 -0700 791 Are you still there? 792 . 793 S: 550 5.7.17 receiver@example.com is no longer valid 794 C: QUIT 795 S: 221 So long! 797 12.3. Authentication-Results Example 799 An example use of the Authentication-Results header field used to 800 yield the results of an RRVS evaluation: 802 Authentication-Results: mx.example.com; rrvs=pass 803 smtp.rcptto=user@example.com 805 This indicates that the message arrived addressed to the mailbox 806 user@example.com, the continuous ownership test was applied with the 807 provided timestamp, and the check revealed that test was satisfied. 808 The timestamp is not revealed. 810 13. Security Considerations 812 13.1. Abuse Countermeasures 814 The response of a server implementing this protocol can disclose 815 information about the age of an existing email mailbox. 816 Implementation of countermeasures against probing attacks is 817 RECOMMENDED. For example, an operator could track appearance of this 818 field with respect to a particular mailbox and observe the timestamps 819 being submitted for testing; if it appears a variety of timestamps is 820 being tried against a single mailbox in short order, the field could 821 be ignored and the message silently discarded. This concern is 822 discussed further in Section 14. 824 13.2. Suggested Use Restrictions 826 If the mailbox named in the field is known to have had only a single 827 continuous owner since creation, or not to have existed at all (under 828 any owner) prior to the date specified in the field, then the field 829 SHOULD be silently ignored and normal message handling applied so 830 that this information is not disclosed. Such fields are likely the 831 product of either gross error or an attack. 833 A message author using this specification might restrict inclusion of 834 the header field such that it is only done for recipients known also 835 to implement this specification, in order to reduce the possibility 836 of revealing information about the relationship between the author 837 and the mailbox. 839 If ownership of an entire domain is transferred, the new owner may 840 not know what addresses were assigned in the past by the prior owner. 841 Hence, no address can be known not to have had a single owner, or to 842 have existed (or not) at all. In this case, the "unknown" result is 843 likely appropriate. 845 13.3. False Sense of Security 847 Senders implementing this protocol likely believe their content is 848 being protected by doing so. It has to be considered, however, that 849 receiving systems might not implement this protocol correctly, or at 850 all. Furthermore, use of RRVS by a sending system constitutes 851 nothing more than a request to the receiving system; that system 852 could choose not to prevent delivery for some local policy, legal or 853 operational reason, which compromises the security the sending system 854 believed was a benefit to using RRVS. This could mean the timestamp 855 information involved in the protocol becomes inadvertently revealed. 857 This concern lends further support to the notion that senders would 858 do well to avoid using this protocol other than when sending to 859 known, trusted receivers. 861 13.4. Reassignment of Mailboxes 863 This specification is a direct response to the risks involved with 864 reassignment or recycling of email addresses, an inherently dangerous 865 practice. It is typically expected that email addresses will not 866 have a high rate of turnover or ownership change. 868 It is RECOMMENDED to have a substantial period of time between 869 mailbox owners during which the mailbox accepts no mail, giving 870 message generators an opportunity to detect that the previous owner 871 is no longer at that address. 873 14. Privacy Considerations 875 14.1. The Trade-Off 877 That some MSPs allow for expiration of account names when they have 878 been unused for a protracted period forces a choice between two 879 potential types of privacy vulnerabilities, one of which presents 880 significantly greater threats to users than the other. Automatically 881 generated mail is often used to convey authentication credentials 882 that can potentially provide access to extremely sensitive 883 information. Supplying such credentials to the wrong party after a 884 mailbox ownership change could allow the previous owner's data to be 885 exposed without his or her authorization or knowledge. In contrast, 886 the information that may be exposed to a third party via the proposal 887 in this document is limited to information about the mailbox history. 888 Given that MSPs have chosen to allow transfers of mailbox ownership 889 without the prior owner's involvement, the information leakage from 890 the extensions specified here creates far lower overall risk than the 891 potential for delivering mail to the wrong party. 893 14.2. Probing Attacks 895 As described above, use of this extension or header field in probing 896 attacks can disclose information about the history of the mailbox. 897 The harm that can be done by leaking any kind of private information 898 is difficult to predict, so it is prudent to be sensitive to this 899 sort of disclosure, either inadvertently or in response to probing by 900 an attacker. It bears restating, then, that implementing 901 countermeasures to abuse of this capability needs strong 902 consideration. 904 14.3. Envelope Recipients 906 The email To and Cc header fields are not required to be populated 907 with addresses that match the envelope recipient set, and Cc may even 908 be absent. However, the algorithm in Section 3 requires that this 909 header field contain a match for an envelope recipient in order to be 910 actionable. As such, use of this specification can reveal some or 911 all of the original intended recipient set to any party that can see 912 the message in transit or upon delivery. 914 For a message destined to a single recipient, this is unlikely to be 915 a concern, which is one of the reasons use of this specification on 916 multi-recipient messages is discouraged. 918 14.4. Risks with Use 920 MDAs might not implement the recommendation to remove the header 921 field defined here when messages are delivered, either out of 922 ignorance or due to error. Since user agents often do not render all 923 of the header fields present, the message could be forwarded to 924 another party that would then inadvertently have the content of this 925 header field. 927 A bad actor may detect use of either form of the RRVS protocol and 928 interpret it as an indication of high value content. 930 15. IANA Considerations 932 15.1. SMTP Extension Registration 934 Section 2.2.2 of [MAIL] sets out the procedure for registering a new 935 SMTP extension. IANA is requested to register the SMTP extension 936 using the details provided in Section 3.1 of this document. 938 15.2. Header Field Registration 940 IANA is requested to add the following entry to the Permanent Message 941 Header Field Names registry, as per the procedure found in 942 [IANA-HEADERS]: 944 Header field name: Require-Recipient-Valid-Since 945 Applicable protocol: mail ([MAIL]) 946 Status: Standard 947 Author/Change controller: IETF 948 Specification document(s): [this document] 949 Related information: 950 Requesting review of any proposed changes and additions to 951 this field is recommended. 953 15.3. Enhanced Status Code Registration 955 IANA is requested to register the following in the Enumerated Status 956 Codes table of the Simple Mail Transfer Protocol (SMTP) Enhanced 957 Status Codes Registry: 959 Code: X.7.17 960 Sample Text: Mailbox owner has changed 961 Associated basic status code: 5XX 962 Description: This status code is returned when a message is 963 received with a Require-Recipient-Valid-Since 964 field or RRVS extension and the receiving 965 system is able to determine that the intended 966 recipient mailbox has not been under 967 continuous ownership since the specified date. 968 Reference: [this document] 969 Submitter: M. Kucherawy 970 Change controller: IESG 972 Code: X.7.18 973 Sample Text: Domain owner has changed 974 Associated basic status code: 5XX 975 Description: This status code is returned when a message is 976 received with a Require-Recipient-Valid-Since 977 field or RRVS extension and the receiving 978 system wishes to disclose that the owner of 979 the domain name of the recipient has changed 980 since the specified date. 981 Reference: [this document] 982 Submitter: M. Kucherawy 983 Change controller: IESG 985 Code: X.7.19 986 Sample Text: RRVS test cannot be completed 987 Associated basic status code: 5XX 988 Description: This status code is returned when a message is 989 received with a Require-Recipient-Valid-Since 990 field or RRVS extension and the receiving 991 system cannot complete the requested 992 evaluation because the required timestamp was 993 not recorded. The message originator needs to 994 decide whether to reissue the message without 995 RRVS protection. 996 Reference: [this document] 997 Submitter: M. Kucherawy 998 Change controller: IESG 1000 15.4. Authentication Results Registration 1002 IANA is requested to register the following in the "Email 1003 Authentication Methods" Registry: 1005 Method: rrvs 1007 Specifying Document: [this document] 1009 ptype: smtp 1011 Property: rcptto 1013 Value: envelope recipient 1015 Status: active 1017 Version: 1 1019 IANA is also requested to register the following in the "Email 1020 Authentication Result Names" Registry: 1022 Codes: none, unknown, temperror, permerror, pass, fail 1024 Defined: [this document] 1026 Auth Method(s): rrvs 1028 Meaning: Section 11 of [this document] 1030 Status: active 1032 16. References 1034 16.1. Normative References 1036 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for 1037 Syntax Specifications: ABNF", RFC 5234, January 2008. 1039 [DATETIME] Klyne, G. and C. Newman, "Date and Time on the 1040 Internet: Timestamps", RFC 3339, July 2002. 1042 [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, 1043 "Registration Procedures for Message Header Fields", 1044 BCP 90, RFC 3864, September 2004. 1046 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 1047 Requirement Levels", BCP 14, RFC 2119, March 1997. 1049 [MAIL] Resnick, P., "Internet Message Format", RFC 5322, 1050 October 2008. 1052 [NTP] Mills, D., Martin, J., Ed., Burbank, J., and W. 1054 Kasch, "Network Time Protocol Version 4: Protocol and 1055 Algorithms Specification", RFC 5905, June 2010. 1057 [ROLES] Crocker, D., "Mailbox Names For Common Services, 1058 Roles And Functions", RFC 2142, May 1997. 1060 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", 1061 RFC 5321, October 2008. 1063 16.2. Informative References 1065 [AUTHRES] Kucherawy, M., "Message Header Field for Indicating 1066 Message Authentication Status", RFC 7001, 1067 September 2013. 1069 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message 1070 Format for Delivery Status Notifications", RFC 3464, 1071 January 2003. 1073 [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) 1074 Service Extension for Delivery Status Notifications 1075 (DSNs)", RFC 3461, January 2003. 1077 [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, 1078 July 2009. 1080 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", 1081 RFC 3463, January 2003. 1083 Appendix A. Acknowledgments 1085 Erling Ellingsen proposed the idea. 1087 Reviews and comments were provided by Michael Adkins, Kurt Andersen, 1088 Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, 1089 John Levine, Alexey Melnikov, Jay Nancarrow, Hector Santos, Gregg 1090 Stefancik, Ed Zayas, (others) 1092 Authors' Addresses 1094 William J. Mills 1095 Yahoo! Inc. 1097 EMail: wmills_92105@yahoo.com 1098 Murray S. Kucherawy 1099 Facebook, Inc. 1100 1 Hacker Way 1101 Menlo Park, CA 94025 1102 USA 1104 EMail: msk@fb.com