idnits 2.17.1 draft-ietf-appsawg-rrvs-header-field-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 21, 2013) is 3839 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Mills 3 Internet-Draft Yahoo! Inc. 4 Intended status: Standards Track M. Kucherawy 5 Expires: April 24, 2014 Facebook, Inc. 6 October 21, 2013 8 The Require-Recipient-Valid-Since Header Field and SMTP Service 9 Extension 10 draft-ietf-appsawg-rrvs-header-field-01 12 Abstract 14 This document defines an extension for the Simple Mail Transfer 15 Protocol called RRVS, and a header field called Require-Recipient- 16 Valid-Since, to provide a method for senders to indicate to receivers 17 the time when the sender last confirmed the ownership of the target 18 mailbox. This can be used to detect changes of mailbox ownership, 19 and thus prevent mail from being delivered to the wrong party. 21 The intended use of these facilities is on automatically generated 22 messages that might contain sensitive information, though it may also 23 be useful in other applications. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on April 24, 2014. 42 Copyright Notice 44 Copyright (c) 2013 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 4 63 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 4 64 4. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 5 65 4.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 5 66 4.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 5 67 5. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 7 68 6. Method Conversion . . . . . . . . . . . . . . . . . . . . . . 7 69 7. Use with Mailing Lists . . . . . . . . . . . . . . . . . . . . 7 70 8. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 8 71 9. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 8 72 10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 73 10.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 9 74 10.2. Header Field Example . . . . . . . . . . . . . . . . . . . 9 75 11. Security Considerations . . . . . . . . . . . . . . . . . . . 10 76 11.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 10 77 11.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 10 78 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 11 79 12.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 11 80 12.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 12 81 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 82 13.1. SMTP Extension Registration . . . . . . . . . . . . . . . 12 83 13.2. Header Field Registration . . . . . . . . . . . . . . . . 12 84 13.3. Enhanced Status Code Registration . . . . . . . . . . . . 12 85 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 86 14.1. Normative References . . . . . . . . . . . . . . . . . . . 13 87 14.2. Informative References . . . . . . . . . . . . . . . . . . 13 88 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 14 90 1. Introduction 92 Email addresses sometimes get reassigned to a different person. For 93 example, employment changes at a company can cause an address used 94 for an ex-employee to be assigned to a new employee, or a mail 95 service provider (MSP) might expire an account and then let someone 96 else register for the local-part that was previously used. Those who 97 sent mail to the previous owner of an address might not know that it 98 has been reassigned. This can lead to the sending of email to the 99 correct address, but the wrong recipient. 101 What is needed is a way to indicate an attribute of the recipient 102 that will distinguish between the previous owner of an address and 103 its current owner, if they are different. Further, this needs to be 104 done in a way that respects privacy. 106 The mechanisms specified here allow the sender of the mail to 107 indicate how "old" the address assignment is expected to be. In 108 effect, the sender is saying, "The person to whom I am sending to had 109 this address assigned to as far back as this date-time." A receiving 110 system can then compare this information against the date and time 111 the address was assigned to its current user. If the assignment was 112 made later than the date-time indicated in the message, there is a 113 good chance the current user of the address is not the correct 114 recipient. The receiving system can then choose to prevent delivery 115 and, possibly, to notify the original sender of the problem. 117 The primary application is automatically generated messages rather 118 than user-authored content, though it may be useful in other 119 contexts. 121 2. Definitions 123 For a description of the email architecture, consult [EMAIL-ARCH]. 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 127 document are to be interpreted as described in [KEYWORDS]. 129 3. Description 131 To address the problem described above, a mail sending client needs 132 to indicate to the server to which it is connecting that there is an 133 expectation that the destination of the message has been under 134 continuous ownership since some date-time, presumably the most recent 135 time the message author had confirmed its understanding of who owned 136 that mailbox. Two mechanisms are defined here: an extension to the 137 Simple Mail Transfer Protocol [SMTP], for use between a client and 138 server that both implement the extension, and a header field that can 139 be used when passing a message to a server that appears not to 140 implement this extension. 142 The SMTP extenion is called "RRVS" (Require Recipient Valid Since), 143 and adds a parameter to the SMTP "RCPT" command that indicates the 144 most recent date and time when the message author believed the 145 destination mailbox to be under the continuous ownership (see 146 Section 9) of a specific party. Similarly, the Require-Recipient- 147 Valid-Since header field includes an intended recipient coupled with 148 a timestamp indicating the same thing. Presumably there has been 149 some confirmation process applied to establish this ownership; 150 however, the method of making such determinations is a local matter 151 and outside the scope of this document. 153 3.1. The 'RRVS' SMTP Extension 155 Extensions to SMTP are described in Section 2.2 of [SMTP]. 157 The name of the extension is "RRVS", an abbreviation of "Require 158 Recipient Valid Since". Servers implementing the SMTP extension 159 advertise an additional EHLO keyword of "RRVS", which has no 160 associated parameters, introduces no new SMTP verbs, and does not 161 alter the MAIL verb. 163 An MTA implementing RRVS can transmit or accept a new parameter to 164 the RCPT command. The new parameter is "RRVS", which takes a value 165 that is an integer timestamp expressed as an "epoch" time, namely the 166 number of seconds since midnight on January 1, 1970. Accordingly, 167 this extension increases the maximum command length for the RCPT verb 168 by 16 characters. 170 The meaning of this extension, when used, is described in 171 Section 4.1. 173 3.2. The 'Require-Recipient-Valid-Since' Header Field 175 The general constraints on syntax and placement of header fields in a 176 message are defined in Internet Message Format [MAIL]. 178 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: 180 rrvs = "Require-Recipient-Valid-Since:" addr-spec; date-time CRLF 182 "CFWS" is defined in Section 3.2.2, "date-time" is defined in Section 183 3.3, and "addr-spec" is defined in Section 3.4.1, of [MAIL]. 185 4. Handling By Receivers 187 If a receiver implements the RRVS SMTP extension, then there are two 188 possible evaluation paths: 190 1. The sending client implements the extension, and so there was an 191 RRVS parameter on a RCPT TO command in the SMTP session; or 193 2. The sending client does not (or elected not to) implement the 194 extension, so the RRVS parameter was not present on the RCPT TO 195 commands in the SMTP session. 197 4.1. SMTP Extension Used 199 A receiving system that implements the SMTP extension declared above 200 and observes an RRVS parameter on a RCPT TO command checks whether 201 the current owner of the destination mailbox has held it 202 continuously, far enough back to inclue the given date-time, and 203 delivers it unless that check returns in the negative. Expressed as 204 a sequence of steps: 206 1. Ignore the parameter if the named mailbox is a role account as 207 listed in Mailbox Names For Common Services, Roles And Functions 208 [ROLES]. (See Section 5.) 210 2. Determine if the named address is serviced for local delivery. 211 If so, and if that address, has not been under continuous 212 ownership since the specified timestamp, return a 550 error to 213 the RCPT command. (See also Section 13.3.) 215 3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields 216 are present and refer to the named address, remove them prior to 217 delivery or relaying. (See Section 4.2 for discussion.) 219 4.2. Header Field Used 221 A receiving system that implements this specification, upon receiving 222 a message bearing a Require-Recipient-Valid-Since header field when 223 no corresponding RRVS SMTP extension was used, checks whether the 224 destination mailbox owner has held it continuously, far enough back 225 to include the given date-time, and delivers it unless that check 226 returns in the negative. Expressed as a sequence of steps: 228 1. Extract the set of Require-Recipient-Valid-Since fields from the 229 message for which no corresponding RRVS SMTP extension was used. 231 2. Discard any such fields that are syntactically invalid. 233 3. Discard any such fields that name a role account as listed in 234 [ROLES] (see Section 5). 236 4. Discard any such fields for which the "addr-spec" portion does 237 not match a current recipient, as listed in the RCPT TO commands 238 in the SMTP session. 240 5. Discard any such fields for which the "addr-spec" portion does 241 not refer to a mailbox handled for local delivery by this MTA. 243 6. For each field remaining, determine if the named address has been 244 under continuous ownership since the corresponding timestamp. If 245 it has not, reject the message. 247 7. RECOMMENDED: If local delivery is being performed, remove all 248 instances of this field prior to delivery to a mailbox; if the 249 message is being forwarded, remove those instances of this header 250 field that were not discarded by steps 1-4 above. 252 Handling proceeds normally upon completion of the above steps if 253 rejection has not been performed. 255 The final step is not mandatory as not all mail handling agents are 256 capable of stripping away header fields, and there are sometimes 257 reasons to keep the field intact such as debugging or presence of 258 digital signatures that might be invalidated by such a change. 260 If a message is to be rejected within the SMTP protocol itself 261 (versus generating a rejection message separately), servers 262 implementing this protocol and the SMTP extensions described in 263 Enhanced Mail System Status Codes [ESC] SHOULD use the enhanced 264 status code described in Section 13.3. 266 Implementation by this method is expected to be transparent to non- 267 participants, since they would typically ignore this header field. 269 This header field is not normally added to a message that is 270 addressed to multiple recipients. The intended use of this field 271 involves an author seeking to protect transactional or otherwise 272 sensitive data intended for a single recipient, and thus generating 273 independent messages for each individual recipient is normal 274 practice. Because of the nature of SMTP, a message bearing this 275 header field for multiple addressees could result in a single 276 delivery attempt for multiple recipients (in particular, if two of 277 the recipients are handled by the same server), and if any one of 278 them fails the test, the delivery fails to all of them; it then 279 becomes necessary to generate a Delivery Status Notification [DSN] 280 message for each of the failed recipients indicating the specific 281 failure cause for each. 283 5. Role Accounts 285 It is necessary not to interfere with delivery of messages to role 286 mailboxes (see [ROLES]), but it could be useful to indicate to users 287 handling those mailboxes that a change of ownership might have taken 288 place where doing so is possible. 290 6. Method Conversion 292 Use of the SMTP extension provided here is preferable over the header 293 field method, since the additional detail about the relationship 294 between the message author and its intended recipient is at best a 295 property of the message transaction and not part of the message 296 itself. The header field mechanism is defined only to enable passage 297 of the request between and through systems that that do not implement 298 the SMTP extension. 300 If an SMTP server receives a message from a client and both of them 301 use the SMTP extension described here, the server thus has "valid- 302 since" timestamps associated with one or more of the destination 303 mailboxes. If that server needs to relay the message on to another 304 server (thereby becoming a client), but this new server does not 305 advertise the SMTP extension, the client SHOULD add Require- 306 Recipient-Valid-Since header fields matching each mailbox to which 307 relaying is being done, and the corresponding valid-since timestamp 308 for each. 310 Similarly, if an SMTP server receives a message bearing one or more 311 Require-Recipient-Valid-Since header fields for which it must now 312 relay the message (thereby becoming a client) and the new server 313 advertises support for the SMTP extension, the client SHOULD delete 314 the header field(s) and instead relay this information by making use 315 of the SMTP extension. 317 7. Use with Mailing Lists 319 Mailing list services can store the timestamp at which a subscriber 320 was added to a mailing list. This specification can be used in 321 conjunction with that information in order to restrict traffic to the 322 original subscriber, rather than a different person now in possession 323 of an address under which the original subscriber registered. Upon 324 receiving a rejection caused by this specification, the list service 325 can remove that address from further distribution. 327 A mailing list service that receives a message containing this field 328 removes it from the message prior to redistributing it, limiting 329 exposure of information regarding the relationship between the 330 message's author and mailing list. 332 8. Discussion 334 To further obscure account details on the receiving system, the 335 receiver SHOULD ignore the SMTP extension or the header field if the 336 address specified has had one continuous owner since it was created, 337 regardless of the purported confirmation date of the address. This 338 is further discussed in Section 11. 340 The presence of the intended address in the field content supports 341 the case where a message bearing this header field is forwarded. The 342 specific use case is as follows: 344 1. A user subscribes to a service "S" on date "D" and confirms an 345 email address at the user's current location, "A"; 347 2. At some later date, the user intends to leave the current 348 location, and thus creates a new mailbox elsewhere, at "B"; 350 3. The user replaces address "A" with forwarding to "B"; 352 4. "S" constructs a message to "A" claiming that address was valid 353 at date "D" and sends it to "A"; 355 5. The receiving MTA at "A" determines that the forwarding in effect 356 was created by the same party that owned the mailbox there, and 357 thus concludes the continuous ownership test has been satisfied; 359 6. If possible, "A" removes this header field from the message, and 360 in either case, forwards it to "B"; 362 7. On receipt at "B", either the header field has been removed, or 363 the header field does not refer to a current envelope recipient, 364 and in either case delivers the message. 366 Some services generate messages with an RFC5322.To field that does 367 not contain a valid address, in order to obscure the intended 368 recipient. For this reason, the original intended recipient is 369 included in this header field. 371 9. Continuous Ownership 373 Determining continuous ownership of a mailbox is a local matter at 374 the receiving site. In particular, the only possible answers to the 375 continuous-ownership-since question are "yes", "no", and "unknown"; 376 the action to be taken in the "unknown" case is a matter of local 377 policy. 379 For example, when control of a domain name is transferred, the new 380 domain owner might be unable to determine whether the owner of the 381 subject address has been under continuous ownership since the stated 382 date if the mailbox history is not also transferred (or was not 383 previously maintained). 385 It will also be "unknown" if whatever database contains mailbox 386 ownership data is temporarily unavailable at the time a message 387 arrives for delivery. In this case, typical SMTP temporary failure 388 handling is appropriate. 390 10. Examples 392 In the following examples, "C:" indicates data sent by an SMTP 393 client, and "S:" indicates responses by the SMTP server. Message 394 content is CRLF terminated, though these are omitted here for ease of 395 reading. 397 10.1. SMTP Extension Example 399 C: [connection established] 400 S: 220 server.example.com ESMTP ready 401 C: EHLO client.example.net 402 S: 250-server.example.com 403 S: 250 RRVS 404 C: MAIL FROM: 405 S: 250 OK 406 C: RCPT TO: RRVS=1381993177 407 S: 550 5.7.15 receiver@example.com is no longer valid 408 C: QUIT 409 S: 221 So long! 411 10.2. Header Field Example 412 C: [connection established] 413 S: 220 server.example.com ESMTP ready 414 C: HELO client.example.net 415 S: 250 server.example.com 416 C: MAIL FROM: 417 S: 250 OK 418 C: RCPT TO: 419 S: 250 OK 420 C: DATA 421 S: 354 Ready for message content 422 C: From: Mister Sender 423 To: Miss Receiver 424 Subject: Are you still there? 425 Date: Fri, 28 Jun 2013 18:01:01 +0200 426 Require-Recipient-Valid-Since: receiver@example.com; 427 Sat, 1 Jun 2013 09:23:01 -0700 429 Are you still there? 430 . 431 S: 550 5.7.15 receiver@example.com is no longer valid 432 C: QUIT 433 S: 221 So long! 435 If an authentication scheme is applied to claim the added header 436 field is valid, but the scheme fails, a receiver might reject the 437 message with an SMTP reply such as: 439 S: 550-5.7.7 Use of Require-Recipient-Valid-Since header 440 S: 550 field requires a valid signature 442 11. Security Considerations 444 11.1. Abuse Countermeasures 446 The response of a server implementing this protocol can disclose 447 information about the age of existing email mailbox. Implementation 448 of countermeasures against probing attacks is advised. For example, 449 an operator could track appearance of this field with respect to a 450 particular mailbox and observe the timestamps being submitted for 451 testing; if it appears a variety of timestamps is being tried against 452 a single mailbox in short order, the field could be ignored and the 453 message silently discarded. This concern is discussed further in 454 Section 12. 456 11.2. Suggested Use Restrictions 458 If the mailbox named in the field is known to have had only a single 459 continuous owner since creation, or not to have existed at all (under 460 any owner) prior to the date specified in the field, then the field 461 can be silently ignored and normal message handling applied so that 462 this information is not disclosed. Such fields are likely the 463 product of either gross error or an attack. 465 A message author using this specification might restrict inclusion of 466 the header field such that it is only done for recipients known also 467 to implement this specification, in order to reduce the possibility 468 of revealing information about the relationship between the author 469 and the mailbox. 471 If ownership of an entire domain is transferred, the new owner may 472 not know what addresses were assigned in the past by the prior owner. 473 Hence, no address can be known not to have had a single owner, or to 474 have existed (or not) at all. 476 12. Privacy Considerations 478 12.1. Probing Attacks 480 As described above, use of this header field in probing attacks can 481 disclose information about the history of the mailbox. The harm that 482 can be done by leaking any kind of private information is difficult 483 to predict, so it is prudent to be sensitive to this sort of 484 disclosure, either inadvertently or in response to probing by an 485 attacker. It bears restating, then, that implementing 486 countermeasures to abuse of this capability needs strong 487 consideration. 489 That some MSPs allow for expiration of account names when they have 490 been unused for a protracted period forces a choice between two 491 potential types of privacy vulnerabilities, one of which presents 492 significantly greater threats to users than the other. Automatically 493 generated mail is often used to convey authentication credentials 494 that can potentially provide access to extremely sensitive 495 information. Supplying such credentials to the wrong party after a 496 mailbox ownership change could allow the previous owner's data to be 497 exposed without his or her authorization or knowledge. In contrast, 498 the information that may be exposed to a third party via the proposal 499 in this document is limited to information about the mailbox history. 500 Given that MSPs have chosen to allow transfers of mailbox ownership 501 without the prior owner's involvement, the information leakage from 502 the header field specified here creates far fewer risks than the 503 potential for delivering mail to the wrong party. 505 12.2. Envelope Recipients 507 The email To and Cc header fields are not required to be populated 508 with addresses that match the envelope recipient set, and Cc may even 509 be absent. However, the algorithm in Section 3 requires that this 510 header field contain a match for an envelope recipient in order to be 511 actionable. As such, use of this specification can reveal some or 512 all of the original intended recipient set to any party that can see 513 the message in transit or upon delivery. 515 For a message destined to a single recipient, this is unlikely to be 516 a concern, which is one of the reasons use of this specification on 517 multi-recipient messages is discouraged. 519 13. IANA Considerations 521 13.1. SMTP Extension Registration 523 IANA is requested to register the SMTP extension described in 524 Section 3.1. 526 13.2. Header Field Registration 528 IANA is requested to add the following entry to the Permanent Message 529 Header Field registry, as per the procedure found in [IANA-HEADERS]: 531 Header field name: Require-Recipient-Valid-Since 532 Applicable protocol: mail ([MAIL]) 533 Status: Standard 534 Author/Change controller: IETF 535 Specification document(s): [this document] 536 Related information: 537 Requesting review of any proposed changes and additions to 538 this field is recommended. 540 13.3. Enhanced Status Code Registration 542 IANA is requested to register the following in the SMTP Enhanced 543 Status Codes registry: 545 Code: X.7.15 546 Sample Text: Mailbox owner has changed 547 Associated basic status code: 5 548 Description: This status code is returned when a message is 549 received with a Require-Recipient-Valid-Since 550 field and the receiving system is able to 551 determine that the intended recipient mailbox 552 has not been under continuous ownership since 553 the specified date. 554 Reference: [this document] 555 Submitter: M. Kucherawy 556 Change controller: IESG 558 14. References 560 14.1. Normative References 562 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for 563 Syntax Specifications: ABNF", RFC 5234, January 2008. 565 [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, 566 "Registration Procedures for Message Header Fields", 567 BCP 90, RFC 3864, September 2004. 569 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 570 Requirement Levels", BCP 14, RFC 2119, March 1997. 572 [MAIL] Resnick, P., "Internet Message Format", RFC 5322, 573 October 2008. 575 [ROLES] Crocker, D., "Mailbox Names For Common Services, 576 Roles And Functions", RFC 2142, May 1997. 578 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", 579 RFC 5321, October 2008. 581 14.2. Informative References 583 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message 584 Format for Delivery Status Notifications", RFC 3464, 585 January 2003. 587 [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, 588 July 2009. 590 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", 591 RFC 3463, January 2003. 593 Appendix A. Acknowledgments 595 Erling Ellingsen proposed the idea. 597 Reviews and comments were provided by Michael Adkins, Kurt Andersen, 598 Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, 599 Hector Santos, Gregg Stefancik, Ed Zayas, (others) 601 Authors' Addresses 603 William J. Mills 604 Yahoo! Inc. 606 EMail: wmills_92105@yahoo.com 608 Murray S. Kucherawy 609 Facebook, Inc. 610 1 Hacker Way 611 Menlo Park, CA 94025 612 USA 614 EMail: msk@fb.com