Extensions to Automatic Certificate Management Environment for email TLS
Isode Ltd14 Castle MewsHamptonMiddlesexTW12 2NPUKAlexey.Melnikov@isode.comACMEIMAPSMTPPOP3
This document specifies identifiers and challenges required to enable
the Automated Certificate Management Environment (ACME) to issue
certificates for use by TLS email services.
is a mechanism for automating certificate
management on the Internet. It enables administrative entities to
prove effective control over resources like domain names, and
automates the process of generating and issuing certificates.
This document describes extensions to ACME for use by email services.
defines extensions for how email services
(such as SMTP, IMAP and POP3) can get certificates for use with TLS.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in
.SMTP (including SMTP Submission ), IMAP and
POP3 servers
use TLS to provide server identity authentication, data confidentiality and integrity services.
Such TLS protected email services either use STARTTLS command or run on a separate TLS-protected port
.
defines several challenge types that can be extended for use by email services.
This document also defines some new challenge types specific to SMTP, IMAP and POP3.
In order to use these challenges JWS object used by
is extended. The following extra requirements are in addition to requirements on JWS objects sent in ACME
defined in Section 6.2 of :
"service" JWS header parameter MUST be included. See for more details.
"port" JWS header parameter SHOULD be included. See for more details.
If this JWS header parameter is not included, the default assigned IANA port for the corresponding
"service" is assumed.
The "service" field in JSON payload specifies the service for which TLS server certificate should be issued.
Valid values come from "Service Names and Transport Protocol Port Numbers" IANA registry
<https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml>.
ACME servers compliant with this specification MUST support (in particular see Section 4 of that document).
[[This parameter might have applicability beyond email services.]]The "port" field in JSON payload specifies the TCP port number where the corresponding
service is running. ACME server MAY check that the TCP port corresponds to the requested
"service", for example that the port is the assigned default IANA port for the service.
[[This parameter might have applicability beyond email services.]]"dns-email-00" is very similar to "dns-01" defined in Section 8.4 of .The difference between processing of "dns-email-00" and "dns-01" are listed below:
The TXT record used to validate this challenge is _<port>._<service>._acme-challenge.<domain>.
For example, for domain "example.com" and IMAPS service running on port 993, the TXT record name is
_993._imaps._acme-challenge.example.com. For domain "example.net" and IMAP service running on port 143,
the TXT record name is _143._imap._acme-challenge.example.next.
For "capability-smtp-00" challenge, ACME client (== SMTP server)
constructs a key authorization from the "token" value provided in the challenge
and the client's account key. The client then computes the SHA-256
digest of the key authorization. SMTP server than
returns the base64url encoding of this digest as a value of the "ACME" EHLO capability. For example:
The ACME SMTP extension is formerly defined in .Similarly, "capability-imap-00" challenge, ACME client (== IMAP server)
constructs a key authorization from the "token" value provided in the challenge
and the client's account key. The client then computes the SHA-256
digest of the key authorization. IMAP server than
returns the base64url encoding of this digest as a value of the "ACME" capability:
Similarly, "capability-pop-00" challenge, ACME client (== POP3 server)
constructs a key authorization from the "token" value provided in the challenge
and the client's account key. The client then computes the SHA-256
digest of the key authorization. POP3 server than
returns the base64url encoding of this digest as a value of the "ACME" capability
in response to CAPA command :
The ACME SMTP service extension is defined as follows:
The textual name of this extension is "ACME for SMTP".
The EHLO keyword value associated with this extension is "ACME".
The EHLO keyword has a single required parameter which is a base64url encoded SHA-256 hash, which is 44 octets in length.
This extension doesn't define any new SMTP verbs.
This extension doesn't add any new parameters to
MAIL FROM or RCPT TO commands.
The ACME extension is valid for the submission service
(default port number 587) or its version running directly over TLS
("submissions" service, default port number 465)
.
[[This section should be empty before publication]]
Should the same certificate be allowed to be used on both IMAP (143) and IMAPS (993) ports?
(These ports have different service names associated with them.
Is 1 service/port per ACME certificate a restriction imposed by this document?)
Maybe if the ACME server sees a request for port 143 (or 993), it can include SRV-ID for the
other port, if it can verify that both are running? (How can this be done reliably?)
Many email servers don't allow different certificates
to be configured for different ports they are listening on.
The cleanest way is to change "service" to "services", change "port" to "ports" and make both of them arrays.Add support for LMTP (RFC 2033)?
IANA is requested to register the following ACME challenge types that are used with Identifier Type "dns":
"dns-email", "capability-smtp", "capability-imap" and "capability-pop". The reference for all of them is this document.
Security Considerations from relevant to the DNS challenge type are also relevant to "dns-email".
Automatic Certificate Management Environment (ACME)
Certificates in PKI using X.509 (PKIX) are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certificate authorities in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a certification authority (CA) and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.
Secure Hash Standard (SHS)National Institute of Standards and Technology