<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.9 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC5598 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5598.xml">
<!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC7489 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7489.xml">
<!ENTITY RFC7960 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7960.xml">
<!ENTITY SELF "[I-D.ARC-MULTI]">
]>

<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>

<rfc ipr="trust200902" docName="draft-ietf-dmarc-arc-multi-03" category="exp">

  <front>
    <title abbrev="ARC-Multi">Using Multiple Signing Algorithms with the ARC (Authenticated Received Chain) Protocol</title>

    <author initials="K." surname="Andersen" fullname="Kurt Andersen">
      <organization>LinkedIn</organization>
      <address>
        <postal>
          <street>1000 West Maude Ave</street>
          <city>Sunnyvale</city>
          <region>California</region>
          <code>94085</code>
          <country>US</country>
        </postal>
        <email>kurta@linkedin.com</email>
      </address>
    </author>
    <author initials="S." surname="Blank" fullname="Seth Blank" role="editor">
      <organization>ValiMail</organization>
      <address>
        <postal>
          <street>Montgomery</street>
          <city>San Francisco</city>
          <region>California</region>
          <country>US</country>
        </postal>
        <email>seth@valimail.com</email>
      </address>
    </author>
    <author initials="J." surname="Levine" fullname="John Levine" role="editor">
      <organization>Taughannock Networks</organization>
      <address>
        <postal>
          <street>PO Box 727</street>
          <city>Trumansburg</city>
          <region>New York</region>
          <country>US</country>
        </postal>
        <email>standards@taugh.com</email>
      </address>
    </author>

    <date year="2019" month="March"/>

    <area>art</area>
    <workgroup>DMARC Working Group</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<t>The Authenticated Received Chain (ARC) protocol creates a mechanism whereby a
series of handlers of an email message can conduct authentication of the email
message as it passes among them on the way to its destination.</t>

<t>Initial development of ARC has been done with a single allowed signing
algorithm, but parallel work in the DCRUP working group
(https://datatracker.ietf.org/wg/dcrup/about/) is expanding the supported
algorithms. This specification defines how to extend ARC for multiple signing
algorithms.</t>



    </abstract>


  </front>

  <middle>


<section anchor="intro" title="Introduction">

<t>The Authenticated Received Chain (ARC) protocol adds a traceable chain of 
signatures that cover the handling of an email message through a chain of
intermediary handlers.</t>

<t>Initial development of ARC has been done with a single allowed signing
algorithm, but parallel work in the DCRUP working group
(https://datatracker.ietf.org/wg/dcrup/about/) is expanding the supported
algorithms. This specification defines how to extend ARC for multiple signing
algorithms.</t>

</section>
<section anchor="overview" title="Overview">

<t>In order to phase in new signing algorithms, this specification identifies how
signers and validators process ARC sets found in email messages.</t>

</section>
<section anchor="definitions-and-terminology" title="Definitions and Terminology">

<t>This section defines terms used in the rest of the document.</t>

<t>The capitalized key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
“SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be
interpreted as described in <xref target="RFC2119"/>.</t>

<t>Because many of the core concepts and definitions are found in <xref target="RFC5598"/>,
readers should be familiar with the contents of <xref target="RFC5598"/>, and in
particular, the potential roles of intermediaries in the delivery of email and
the problems <xref target="RFC7960"/> created by the initial DMARC <xref target="RFC7489"/>.</t>

</section>
<section anchor="alt-sign" title="Supporting Alternate Signing Algorithms">

<t>During a period where multiple algorithms are allowed, all of the statements in
the ARC spec which refer to “exactly one set of ARC headers per instance” need
to be understood as “at least one set per instance and no more than one set per
instance per algorithm”.</t>

</section>
<section anchor="general-approach" title="General Approach">

<section anchor="signers" title="Signers">

<t>There is a separate independent signing chain for each signing algorithm.
Hence, when creating an ARC signature, a signer MUST include only other
signatures that use the same algorithm as the signature being created.</t>

<t>When signing a message with no previous ARC signatures, signers MUST sign using
all supported algorithms.</t>

<t>A signer MUST continue the longest ARC chain(s) in a message with all
algorithms that it supports.  That is, if at least one of the longest chains
uses an algorithm that a signer supports, the signer continues the chain(s).
If none of the longest chains in a message use an algorithm supported by a
signer, the signer MUST NOT extend any chains, even if a shorter chain does use
a supported algorithm.</t>

</section>
<section anchor="validators" title="Validators">

<t>A validator MUST use the longest ARC chain(s) on the message.
If a validator cannot interpret the signing algorithm on any of the longest chains,
validation fails, even if a shorter chain does use a supported algorithm.</t>

<t>If there is more than one longest chain, the overall result reported can be that of any of
the validations.  The result used when extending an ARC chain MUST be the result
from validating that chain.</t>
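
<t>The chain selection rules for signers and validators above, as an added Python example that is not part of this specification or of any ARC implementation. It assumes each ARC set is reduced to an (instance, algorithm) pair, that a chain is the contiguous run of instances starting at 1, and that "cannot interpret ... any of the longest chains" means none of them is interpretable; the algorithm names, the verify_chain callback and the pass-if-any reporting choice are illustrative assumptions.</t>

<figure><artwork><![CDATA[
```python
from collections import defaultdict

def chain_lengths(arc_sets):
    """Map each algorithm to the length of its chain (contiguous instances from 1)."""
    seen = defaultdict(set)
    for instance, alg in arc_sets:
        if instance in seen[alg]:
            # "no more than one set per instance per algorithm"
            raise ValueError(f"duplicate ARC set i={instance} a={alg}")
        seen[alg].add(instance)
    lengths = {}
    for alg, instances in seen.items():
        n = 0
        while n + 1 in instances:
            n += 1
        lengths[alg] = n
    return lengths

def longest_chains(arc_sets):
    """Return (length, algorithms) for the longest chain(s) on the message."""
    lengths = chain_lengths(arc_sets)
    top = max(lengths.values(), default=0)
    return top, {alg for alg, n in lengths.items() if n == top and top > 0}

def signer_algorithms(arc_sets, supported):
    """Algorithms a signer uses for the ARC set(s) it adds; empty means add none."""
    if not arc_sets:
        return set(supported)      # no previous ARC signatures: all supported algorithms
    _, algs = longest_chains(arc_sets)
    return algs & set(supported)   # longest chains only; never fall back to a shorter one

def validate(arc_sets, supported, verify_chain):
    """Return (overall, per-chain results) for the longest chain(s)."""
    if not arc_sets:
        return "none", {}
    top, algs = longest_chains(arc_sets)
    usable = algs & set(supported)
    if not usable:
        return "fail", {}          # a shorter chain in a supported algorithm does not help
    # verify_chain is a hypothetical callback doing the cryptographic check of one chain.
    results = {alg: verify_chain(alg, top) for alg in sorted(usable)}
    # Any one result may be reported; "pass" if any chain passes is a local choice here.
    return ("pass" if "pass" in results.values() else "fail"), results

# Constructed sample: three hops signed rsa-sha256, only the first two also ed25519-sha256.
SAMPLE = [(1, "rsa-sha256"), (1, "ed25519-sha256"),
          (2, "rsa-sha256"), (2, "ed25519-sha256"), (3, "rsa-sha256")]

if __name__ == "__main__":
    print(signer_algorithms(SAMPLE, {"ed25519-sha256"}))
    print(validate(SAMPLE, {"ed25519-sha256"}, lambda alg, n: "pass"))
```
]]></artwork></figure>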

</section>
</section>
<section anchor="phases-of-algorithm-evolution" title="Phases of Algorithm Evolution">

<section anchor="introductory-period" title="Introductory Period">

<t>Intermediaries MUST be able to validate ARC chains built with either algorithm
but MAY create ARC sets with either (or both) algorithm.</t>

<t>The introductory period should be at least six (6) months.</t>

</section>
<section anchor="co-existence-period" title="Co-Existence Period">

<t>Intermediaries MUST be able to validate ARC chains built with either algorithm
and MUST create ARC sets with both algorithms.  Chains ending with either
algorithm may be used for the result.</t>

</section>
<section anchor="deprecation-period" title="Deprecation Period">

<t>ARC sets built with algorithms that are being deprecated MAY be considered
valid within an ARC chain, however, intermediaries MUST NOT create additional
sets with the deprecated algorithm.</t>

<t>The deprecation period should be at least two (2) years.</t>

</section>
<section anchor="obsolescence-period" title="Obsolescence Period">

<t>ARC sets built with algorithms that are obsolete MUST NOT be considered
valid within an ARC chain. Intermediaries MUST NOT create any
sets with any obsoleted algorithm.</t>

</section>
</section>
<section anchor="privacy-considerations" title="Privacy Considerations">

<t>No unique privacy considerations are introduced by this specification beyond those
of the base <xref target="ARC-DRAFT-23"/> protocol.</t>

</section>
<section anchor="iana-considerations" title="IANA Considerations">

<t>No new IANA considerations are introduced by this specification.</t>

</section>
<section anchor="sec-con" title="Security Considerations">

<t>No new security considerations are introduced by this specification beyond those
of the base <xref target="ARC-DRAFT-23"/> protocol.</t>

</section>


  </middle>

  <back>

    <references title='Normative References'>

&RFC5598;
&RFC2119;


    </references>

    <references title='Informative References'>

&RFC7489;
&RFC7960;
<reference anchor="ARC-DRAFT-23" target="https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-23">
  <front>
    <title>Authenticated Received Chain (ARC) Protocol (I-D-23)</title>
    <author initials="K." surname="Andersen" fullname="Kurt Andersen">
      <organization></organization>
    </author>
    <author initials="B." surname="Long" fullname="Brandon Long">
      <organization></organization>
    </author>
    <author initials="S." surname="Jones" fullname="Steven Jones">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>


<section anchor="acknowledgements" title="Acknowledgements">

<t>This draft is the work of the DMARC Working Group.</t>

<t>Grateful appreciation is extended to the people who provided feedback through the discuss
mailing list.</t>

</section>
<section anchor="comments-and-feedback" title="Comments and Feedback">

<t>Please address all comments, discussions, and questions to <eref target="mailto:dmarc@ietf.org">dmarc@ietf.org</eref>.</t>

</section>


  </back>


</rfc>

