Network Working Group                                     W. Chuang, Ed.
Internet-Draft                                              Google, Inc.
Intended status: Standards Track                           T. Loder, Ed.
Expires: November 8, 2018                                          Agari
                                                             May 7, 2018


     Brand Indicator for Message Identification in X.509 certificates
                    draft-chuang-bimi-certificate-00

Abstract

   This document defines an X.509 certificate profile that distinguishes
   certificates carrying logotypes and relying on email domain-based
   authentication from certificates used for other purposes.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 8, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  BIMI
   4.  BIMI Certificate Validation
   5.  BIMI Certificate Extension
   6.  Security Considerations
   7.  IANA Considerations
   8.  Normative References
   Appendix A.  ASN.1 Module
   Appendix B.  Acknowledgements
   Authors' Addresses

1.  Introduction

   [RFC5280] defines the Extended Key Usage extension, which expresses
   the different usages of X.509 certificates.  Such certificates may
   carry a logotype as defined in [RFC3709], whose format is further
   refined in [RFC6170].  This document defines a new usage for these
   logotype-carrying certificates: establishing an identity for
   electronic mail senders as defined in [RFC5321] whose sending domain
   is authenticated by either Sender Policy Framework [RFC7208] or
   DomainKeys Identified Mail signatures [RFC6376].  This new profile
   distinguishes such certificates from other certificate usages with
   electronic mail, such as S/MIME [RFC5751].

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  BIMI

   This section non-normatively describes the Brand Indicator for
   Message Identification (BIMI) electronic mail profile.  It is
   intended that a separate document will specify the BIMI electronic
   mail sending and receiving protocol, describing the BIMI electronic
   mail headers, the sender validation process using domain
   authentication methods, and the fetching of BIMI certificates.

   BIMI follows the current practice of using the domain-based
   validation methods Sender Policy Framework [RFC7208] or DomainKeys
   Identified Mail signatures [RFC6376].  When an electronic mail sender
   has been validated this way, and the BIMI certificate has been
   fetched, the receiver can proceed to validate the BIMI certificate
   against the sender domain as described in this document.  Upon
   successful validation, the receiver may choose to show the associated
   logotype and other identifying information contained in the BIMI
   certificate.  This document does not address other uses of logotypes
   in other email profiles such as S/MIME.

4.  BIMI Certificate Validation

   Before a BIMI certificate can be used to provide identification, the
   certificate path MUST be validated using the algorithm in [RFC5280].
   The BIMI certificate MUST contain an Extended Key Usage extension
   specifying id-kp-BrandIndicatorforMessageIdentification as defined in
   Section 5.  It MUST also contain a dNSName in the X.509 Subject
   Alternative Name extension as specified in [RFC5280] and a subject
   LogoType as specified in [RFC3709].  The BIMI certificate domain name
   and the domain of the email address in the From or Sender header are
   compared.  If they match using the method specified in [RFC5280],
   then the certificate identifies the sender of the electronic mail and
   the certificate subject information may be used to describe the
   sender.

5.  BIMI Certificate Extension

   This document defines a new Extended Key Usage OID for the BIMI use
   case, id-kp-BrandIndicatorforMessageIdentification:

      id-kp-BrandIndicatorforMessageIdentification OBJECT IDENTIFIER ::= {
          id-kp 31 }

6.  Security Considerations

   o  SPF may be spoofed.  See the considerations in [RFC7208].

   o  DKIM may be spoofed.  See the considerations in [RFC6376].

   o  Logotype identities may be spoofed.  See the considerations in
      [RFC3709].

7.  IANA Considerations

   For the extended key usage defined in Section 5 and the ASN.1 module
   identifier defined in Appendix A, IANA is kindly requested to reserve
   the following assignments:

   o  The LAMPS-BIMI-Certificate-2018 ASN.1 module in the "SMI Security
      for PKIX Extended Key Purpose" registry (1.3.6.1.5.5.7.3).

   o  The BIMI certificate extended key usage (1.3.6.1.5.5.7.3.31).

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003.

   [RFC3709]  Santesson, S., Housley, R., and T. Freeman, "Internet
              X.509 Public Key Infrastructure: Logotypes in X.509
              Certificates", RFC 3709, DOI 10.17487/RFC3709, February
              2004.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, DOI 10.17487/RFC5751, January
              2010.

   [RFC6170]  Santesson, S., Housley, R., Bajaj, S., and L. Rosenthol,
              "Internet X.509 Public Key Infrastructure -- Certificate
              Image", RFC 6170, DOI 10.17487/RFC6170, May 2011.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011.

   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
              Authorizing Use of Domains in Email, Version 1", RFC 7208,
              DOI 10.17487/RFC7208, April 2014.

   [RFC7299]  Housley, R., "Object Identifier Registry for the PKIX
              Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014.

Appendix A.  ASN.1 Module

   The following ASN.1 module normatively specifies the BIMI extended
   key usage name.  This specification uses the ASN.1 definitions from
   [RFC7299].

   LAMPS-BIMI-Certificate-2018
     { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-kp(3)
       id-kp-BrandIndicatorforMessageIdentification(TBD) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS
     id-pkix
     FROM PKIX1Explicit-2009
       { iso(1) identified-organization(3)
         dod(6) internet(1) security(5) mechanisms(5) pkix(7) } ;

   -- Extended key purpose identifiers
   id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

   id-kp-BrandIndicatorforMessageIdentification OBJECT IDENTIFIER ::=
     { id-kp TBD }

   END

Appendix B.  Acknowledgements

   Thank you to Kefeng Chen and Kirk Hall for their help with the BIMI
   certificate profile.  Thanks to the other document reviewers.

Authors' Addresses

   Weihaw Chuang (editor)
   Google, Inc.
   1600 Amphitheater Parkway
   Mountain View, CA 94043
   US

   Email: weihaw@google.com


   Thede Loder (editor)
   Agari
   100 S. Ellsworth Ave
   San Mateo, CA 94401
   US

   Email: tloder@agari.com
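As an added example that is not part of the draft, the following Python implements the receiver-side checks of Section 4 on values already extracted from a certificate: the Extended Key Usage must list id-kp 31, a dNSName must be present in the Subject Alternative Name, a logotype must be present, and the From/Sender header domain must match a dNSName case-insensitively per RFC 5280. It assumes path validation per RFC 5280 has already been performed by a PKI library, takes logotype presence as a boolean, and carries its own minimal DER OID decoder so it runs with only the standard library; the id-kp-emailProtection OID used for contrast is the S/MIME key purpose from RFC 5280, not from this draft, and the DER byte strings are constructed samples.

```python
from email.utils import parseaddr

BIMI_EKU_OID = "1.3.6.1.5.5.7.3.31"  # { id-kp 31 }, Sections 5 and 7 of the draft

def decode_oid(body):
    """Dotted form of the value bytes of a DER OBJECT IDENTIFIER."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                 # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(eku_der):
    """OIDs in an ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER); short-form lengths only."""
    if eku_der[0] != 0x30 or eku_der[1] >= 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, i, end = [], 2, 2 + eku_der[1]
    while i < end:
        if eku_der[i] != 0x06:
            raise ValueError("non-OID element in EKU")
        length = eku_der[i + 1]
        oids.append(decode_oid(eku_der[i + 2:i + 2 + length]))
        i += 2 + length
    return oids

def header_domain(header_value):
    """Domain of the address in a From: or Sender: header value, lowercased."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].rstrip(".").lower() if "@" in addr else None

def bimi_check(eku_der, san_dnsnames, has_logotype, header_value):
    """Section 4 checks; run only after RFC 5280 path validation succeeded. Returns (accepted, reason)."""
    if BIMI_EKU_OID not in eku_oids(eku_der):
        return False, "missing BIMI extended key usage"
    if not san_dnsnames:
        return False, "no dNSName in subjectAltName"
    if not has_logotype:
        return False, "no logotype extension (RFC 3709)"
    domain = header_domain(header_value)
    if domain is None:
        return False, "no domain in From/Sender header"
    # RFC 5280 Section 7.2: dNSName comparison is case-insensitive
    if domain not in {d.rstrip(".").lower() for d in san_dnsnames}:
        return False, "header domain does not match certificate dNSName"
    return True, "ok"

# Constructed sample EKU values (not from any real certificate): one holding only the
# BIMI OID, one holding only id-kp-emailProtection (S/MIME, RFC 5280) for contrast
BIMI_EKU_DER = bytes.fromhex("300a06082b0601050507031f")
SMIME_EKU_DER = bytes.fromhex("300a06082b06010505070304")
```

Feeding an S/MIME certificate's EKU through `bimi_check` is rejected at the first step, which is the separation from other email profiles that Section 1 describes.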