idnits 2.17.1 draft-ietf-appsawg-rrvs-header-field-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (January 10, 2014) is 3759 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 7001 (ref. 'AUTHRES') (Obsoleted by RFC 7601) Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Mills 3 Internet-Draft Yahoo! Inc. 4 Intended status: Standards Track M. Kucherawy 5 Expires: July 14, 2014 Facebook, Inc. 6 January 10, 2014 8 The Require-Recipient-Valid-Since Header Field and SMTP Service 9 Extension 10 draft-ietf-appsawg-rrvs-header-field-06 12 Abstract 14 This document defines an extension for the Simple Mail Transfer 15 Protocol called RRVS, and a header field called Require-Recipient- 16 Valid-Since, to provide a method for senders to indicate to receivers 17 the time when the sender last confirmed the ownership of the target 18 mailbox. This can be used to detect changes of mailbox ownership, 19 and thus prevent mail from being delivered to the wrong party. 21 The intended use of these facilities is on automatically generated 22 messages that might contain sensitive information, though it may also 23 be useful in other applications. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on July 14, 2014. 42 Copyright Notice 44 Copyright (c) 2014 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4 62 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 63 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 64 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 65 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6 66 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7 67 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 68 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7 69 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9 70 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 9 71 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 9 72 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 10 73 8. Header Field with Multiple Recipients . . . . . . . . . . . . 10 74 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 11 75 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 11 76 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 11 77 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 12 78 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 12 79 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 12 80 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 81 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14 82 12. Authentication-Results Definitions . . . . . . . . . . . . . . 14 83 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 84 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 15 85 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15 86 13.3. Authentication-Results Example . . . . . . . . . . . . . . 16 87 14. Security Considerations . . . . . . . . . . . . . . . . . . . 16 88 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 16 89 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17 90 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 17 91 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 17 92 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 17 93 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 18 94 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 18 95 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 96 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19 97 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19 98 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 19 99 16.4. Authentication Results Registration . . . . . . . . . . . 20 100 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 101 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21 102 17.2. Informative References . . . . . . . . . . . . . . . . . . 21 103 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 105 1. Introduction 107 Email addresses sometimes get reassigned to a different person. For 108 example, employment changes at a company can cause an address used 109 for an ex-employee to be assigned to a new employee, or a mail 110 service provider (MSP) might expire an account and then let someone 111 else register for the local-part that was previously used. Those who 112 sent mail to the previous owner of an address might not know that it 113 has been reassigned. This can lead to the sending of email to the 114 correct address, but the wrong recipient. 116 What is needed is a way to indicate an attribute of the recipient 117 that will distinguish between the previous owner of an address and 118 its current owner, if they are different. Further, this needs to be 119 done in a way that respects privacy. 121 The mechanisms specified here allow the sender of the mail to 122 indicate how "old" the address assignment is expected to be. In 123 effect, the sender is saying, "The person to whom I am sending to had 124 this address assigned to as far back as this date-time." A receiving 125 system can then compare this information against the date and time 126 the address was assigned to its current user. If the assignment was 127 made later than the date-time indicated in the message, there is a 128 good chance the current user of the address is not the correct 129 recipient. The receiving system can then choose to prevent delivery 130 and, possibly, to notify the original sender of the problem. 132 The primary application is automatically generated messages rather 133 than user-authored content, though it may be useful in other 134 contexts. 136 One important point is that the protocols presented here provide a 137 way for a sending system to make a request to receiving systems with 138 respect to handling of a message. In the end, there is no guarantee 139 that the request will have the desired effect. 141 2. Definitions 143 For a description of the email architecture, consult [EMAIL-ARCH]. 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in [KEYWORDS]. 149 3. Description 151 To address the problem described above, a mail sending client needs 152 to indicate to the server to which it is connecting that there is an 153 expectation that the destination of the message has been under 154 continuous ownership (see Section 10) since some date-time, 155 presumably the most recent time the message author had confirmed its 156 understanding of who owned that mailbox. Two mechanisms are defined 157 here: an extension to the Simple Mail Transfer Protocol [SMTP] and a 158 new message header field. The SMTP extension permits strong 159 assurance of enforcement by confirming support at each handling step 160 for a message. The header field does not provide the strong 161 assurance, but only requires adoption by the receiving Message 162 Delivery Agent (MDA). 164 The SMTP extension is called "RRVS" (Require Recipient Valid Since), 165 and adds a parameter to the SMTP "RCPT" command that indicates the 166 most recent date and time when the message author believed the 167 destination mailbox to be under the continuous ownership of a 168 specific party. Similarly, the Require-Recipient-Valid-Since header 169 field includes an intended recipient coupled with a timestamp 170 indicating the same thing. 172 3.1. The 'RRVS' SMTP Extension 174 Extensions to SMTP are described in Section 2.2 of [SMTP]. 176 The name of the extension is "RRVS", an abbreviation of "Require 177 Recipient Valid Since". Servers implementing the SMTP extension 178 advertise an additional EHLO keyword of "RRVS", which has no 179 associated parameters, introduces no new SMTP verbs, and does not 180 alter the MAIL verb. 182 A Message Transfer Agent (MTA) implementing RRVS can transmit or 183 accept a new parameter to the RCPT command. An MDA can also accept 184 this new parameter. The new parameter is "RRVS", which takes a value 185 that is a timestamp expressed as a "date-time" as defined in 186 [DATETIME], with the added restriction that a "time-secfrac" MUST NOT 187 be used. Accordingly, this extension increases the maximum command 188 length for the RCPT verb by 31 characters. 190 The meaning of this extension, when used, is described in 191 Section 5.1. 193 3.2. The 'Require-Recipient-Valid-Since' Header Field 195 The general constraints on syntax and placement of header fields in a 196 message are defined in Internet Message Format [MAIL]. 198 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: 200 rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time 201 CRLF 203 "date-time" is defined in Section 3.3, and "addr-spec" is defined in 204 Section 3.4.1, of [MAIL]. 206 4. Use By Generators 208 When a message is generated whose content is sufficiently sensitive 209 that an author or author's Administrative Management Domain (ADMD; 210 see [EMAIL-ARCH]) wishes to protect against misdelivery using this 211 protocol, it determines for each recipient mailbox on the message a 212 timestamp at which it last confirmed ownership of that mailbox. It 213 then applies either the SMTP extension or the header field defined 214 above when sending the message to its destination. 216 Use of the SMTP extension provided here is preferable over the header 217 field method because of: 219 1. the positive confirmation of support at each handling node; 221 2. the fact that the protocol is focused on affecting delivery (that 222 is, the transaction) rather than on content; and 224 3. the fact that there is less risk of the timestamp parameter being 225 inadvertently forwarded (see Section 15.3). 227 The header field mechanism is defined only to enable passage of the 228 request between and through systems that do not implement the SMTP 229 extension. 231 5. Handling By Receivers 233 If a receiver implements this specification, then there are two 234 possible evaluation paths: 236 1. The sending client implements the extension, and so there was an 237 RRVS parameter on a RCPT TO command in the SMTP session and the 238 parameters of interest are taken only from there (and the header 239 field, if present, is disregarded); or 241 2. The sending client does not (or elected not to) implement the 242 extension, so the RRVS parameter was not present on the RCPT TO 243 commands in the SMTP session, but the corresponding header field 244 might be present in the message. 246 5.1. SMTP Extension Used 248 For an MTA supporting the SMTP extension, the requirement is to 249 continue enforcement of RRVS during the relaying process to the next 250 MTA or the MDA. 252 A receiving MDA that implements the SMTP extension declared above and 253 observes an RRVS parameter on a RCPT TO command checks whether the 254 current owner of the destination mailbox has held it continuously, 255 far enough back to include the given date-time, and delivers it 256 unless that check returns in the negative. Specifically, an MDA will 257 do the following before continuing with delivery: 259 1. Ignore the parameter if the named mailbox is known to be a role 260 account as listed in Mailbox Names For Common Services, Roles And 261 Functions [ROLES]. (See Section 6.) 263 2. If the address is not known to be a role account, and if that 264 address has not been under continuous ownership since the 265 timestamp specified in the extension, return a 550 error to the 266 RCPT command. (See also Section 16.3.) 268 3. If any Require-Recipient-Valid-Since header fields are present 269 and refer to the named address, they SHOULD be removed prior to 270 delivery or relaying. (See Section 5.2 and Section 7.1 for 271 discussion.) 273 5.1.1. Relays 275 An MTA that does not make mailbox ownership checks, such as an MTA 276 positioned to do SMTP ingress at an organizational boundary, SHOULD 277 relay the RRVS extension parameter to the next MTA or MDA so that it 278 can be processed there. 280 See Section 9.2 for additional discussion. 282 5.2. Header Field Used 284 A receiving system that implements this specification, upon receiving 285 a message bearing a Require-Recipient-Valid-Since header field when 286 no corresponding RRVS SMTP extension was used, checks whether the 287 destination mailbox owner has held it continuously, far enough back 288 to include the given date-time, and delivers it unless that check 289 returns in the negative. Expressed as a sequence of steps: 291 1. Extract the set of Require-Recipient-Valid-Since fields from MDA 292 the message for which no corresponding RRVS SMTP extension was 293 used. 295 2. Discard any such fields that are syntactically invalid. 297 3. Discard any such fields that name a role account as listed in 298 [ROLES] (see Section 6). 300 4. Discard any such fields for which the "addr-spec" portion does 301 not match a current recipient, as listed in the RCPT TO commands 302 in the SMTP session. 304 5. Discard any such fields for which the "addr-spec" portion does 305 not refer to a mailbox handled for local delivery by this ADMD. 307 6. For each field remaining, determine if the named address has been 308 under continuous ownership since the corresponding timestamp. If 309 it has not, reject the message. 311 7. RECOMMENDED: If local delivery is being performed, remove all 312 instances of this field prior to delivery to a mailbox; if the 313 message is being forwarded, remove those instances of this header 314 field that were not discarded by steps 1-4 above. 316 Handling proceeds normally upon completion of the above steps if 317 rejection has not been performed. 319 The final step is not mandatory as not all mail handling agents are 320 capable of stripping away header fields, and there are sometimes 321 reasons to keep the field intact such as debugging or presence of 322 digital signatures that might be invalidated by such a change. See 323 Section 11 for additional discussion. 325 If a message is to be rejected within the SMTP protocol itself 326 (versus generating a rejection message separately), servers 327 implementing this protocol SHOULD also implement the SMTP extension 328 described in Enhanced Mail System Status Codes [ESC] and use the 329 enhanced status codes described in Section 16.3 as appropriate. 331 Implementation by this method is expected to be transparent to non- 332 participants, since they would typically ignore this header field. 334 This header field is not normally added to a message that is 335 addressed to multiple recipients. The intended use of this field 336 involves an author seeking to protect transactional or otherwise 337 sensitive data intended for a single recipient, and thus generating 338 independent messages for each individual recipient is normal 339 practice. See Section 8 for further discussion. 341 5.2.1. Design Choices 343 The presence of the intended address in the field content supports 344 the case where a message bearing this header field is forwarded. The 345 specific use case is as follows: 347 1. A user subscribes to a service "S" on date "D" and confirms an 348 email address at the user's current location, "A"; 350 2. At some later date, the user intends to leave the current 351 location, and thus creates a new mailbox elsewhere, at "B"; 353 3. The user replaces address "A" with forwarding to "B"; 355 4. "S" constructs a message to "A" claiming that address was valid 356 at date "D" and sends it to "A"; 358 5. The receiving MTA at "A" determines that the forwarding in effect 359 was created by the same party that owned the mailbox there, and 360 thus concludes the continuous ownership test has been satisfied; 362 6. If possible, "A" removes this header field from the message, and 363 in either case, forwards it to "B"; 365 7. On receipt at "B", either the header field has been removed, or 366 the header field does not refer to a current envelope recipient, 367 and in either case delivers the message. 369 SMTP has never required any correspondence between addresses in the 370 RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a 371 message, which is why the header field defined here contains the 372 recipient address to which the timestamp applies. 374 6. Role Accounts 376 It is necessary not to interfere with delivery of messages to role 377 mailboxes (see [ROLES]), but it could be useful to notify users 378 sending to those mailboxes that a change of ownership might have 379 taken place, if such notification is possible. 381 7. Relaying Without RRVS Support 383 When a message is received using the SMTP extension defined here but 384 will not be delivered locally (that is, it needs to be relayed 385 further), the MTA to which the relay will take place might not be 386 compliant with this specification. Where the MTA in possession of 387 the message observes it is going to relay the message to an MTA that 388 does not advertise this extension, it needs to choose one of the 389 following actions: 391 1. Decline to relay the message further, preferably generating a 392 Delivery Status Notification [DSN] to indicate failure 393 (RECOMMENDED); 395 2. Downgrade the data thus provided in the SMTP extension to a 396 header field, as described in Section 7.1 below (RECOMMENDED when 397 the previous option is not available); or 399 3. Silently continue with delivery, dropping the protection offered 400 by this protocol. 402 Using other than the first option needs to be avoided unless there is 403 specific knowledge that further relaying with the degraded 404 protections thus provided does not introduce undue risk. 406 7.1. Header Field Conversion 408 If an SMTP server ("B") that has received mailbox timestamps from a 409 client ("A") using this extension but then needs to relay the 410 corresponding message on to another server ("C") (thereby becoming a 411 client), but "C" does not advertise the SMTP extension and "B" elects 412 not to reject the message, "B" SHOULD add Require-Recipient-Valid- 413 Since header fields matching each mailbox to which relaying is being 414 done, and the corresponding valid-since timestamp for each. 416 Similarly, if "B" receives a message bearing one or more Require- 417 Recipient-Valid-Since header fields from "A" for which it must now 418 relay the message, and "C" advertises support for the SMTP extension, 419 "B" SHOULD delete the header field(s) and instead relay this 420 information by making use of the SMTP extension. Note that such 421 modification of the header might affect later validation of the 422 header upon delivery; for example, a hash of the header would produce 423 a different result. This might be a valid cause for some operators 424 to skip this delete operation. 426 8. Header Field with Multiple Recipients 428 Numerous issues arise when using the header field form of this 429 extension, particularly when multiple recipients are specified for a 430 single message resulting in one multiple fields each with a distinct 431 address and timestamp. 433 Because of the nature of SMTP, a message bearing a multiplicity of 434 Require-Recipient-Valid-Since header fields could result in a single 435 delivery attempt for multiple recipients (in particular, if two of 436 the recipients are handled by the same server), and if any one of 437 them fails the test, the delivery fails to all of them; it then 438 becomes necessary to do one of the following: 440 o reject the message on completion of the DATA phase of the SMTP 441 session, which is a rejection of delivery to all recipients; or 443 o accept the message on completion of DATA, and then generate a 444 Delivery Status Notification [DSN] message for each of the failed 445 recipients 447 Additional complexity arises when a message is sent to two 448 recipients, "A" and "B", presumably with different timestamps, both 449 of which are then redirected to a common address "C". The author is 450 not necessarily aware of the current or past ownership of mailbox 451 "C", or indeed that "A" and/or "B" have been redirected. This might 452 result in either or both of the two deliveries failing at "C", which 453 is likely to confuse the message author, who (as far as the author is 454 aware) never sent a message to "C" in the first place. 456 9. Special Use Addresses 458 In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to 459 request generation of DSNs, and related information to allow such 460 reports to be maximally useful. Section 5.2.7 of that document 461 explored the issue of the use of that extension where the recipient 462 is a mailing list. This extension has similar concerns which are 463 covered here following that document as a model. 465 9.1. Mailing Lists 467 Delivery to a mailing list service is considered a final delivery. 468 Where this protocol is in use, it is evaluated as per any normal 469 delivery: If the same mailing list has been operating in place of the 470 specified recipient mailbox since at least the timestamp given as the 471 RRVS parameter, the message is delivered to the list service 472 normally, and is otherwise not delivered. 474 It is important, however, that the participating MDA passing the 475 message to the list service needs to omit the RRVS parameter in 476 either form (SMTP extension or header field) when doing so. The 477 emission of a message from the list service to its subscribers 478 constitutes a new message not covered by the previous transaction. 480 9.2. Single-Recipient Aliases 482 Upon delivery of an RRVS-protected message to an alias (acting in 483 place of a mailbox) that results in relaying of the message to a 484 single other destination, the usual RRVS check is performed. The 485 continuous ownership test here might succeed if a conventional user 486 inbox was replaced with an alias on behalf of that same user, and 487 this information is recorded someplace. If the message is thus 488 accepted, the relaying MTA can choose to do one of the following: 490 1. Do not include an RRVS parameter or header field when relaying to 491 the new address. (RECOMMENDED) 493 2. If the relaying system records the time when the alias was 494 established, independent of confirming the validity of the new 495 destination address, it MAY add an RRVS parameter for the new 496 target address that includes that time. 498 3. If an explicit confirmation of the new destination was done, it 499 MAY add an RRVS parameter for the new target address that 500 includes that time. 502 There is risk and additional administrative burden associated with 503 all but the first option in that list which are believed to make them 504 not worth pursuing. 506 9.3. Multiple-Recipient Aliases 508 Upon delivery of an RRVS-protected message to an alias (acting in 509 place of a mailbox) that results in relaying of the message to 510 multiple other destinations, the usual RRVS check is performed as in 511 Section 9.2. The MTA expanding such an alias then decides which of 512 the options enumerated in that section is to be applied for each new 513 recipient. 515 9.4. Confidential Forwarding Addresses 517 In the above cases, the original author could receive message 518 rejections, such as DSNs, from the ultimate destination, where the 519 RRVS check (or indeed, any other) fails and rejection is warranted. 520 This can reveal the existence of a forwarding relationship between 521 the original intended recipient and the actual final recipient. 523 Where this is a concern, the initial delivery attempt is to be 524 treated like a mailing list delivery, with RRVS evaluation done and 525 then all RRVS information removed from the message prior to relaying 526 it to its true destination. 528 9.5. Suggested Mailing List Enhancements 530 Mailing list services could store the timestamp at which a subscriber 531 was added to a mailing list. This specification could then be used 532 in conjunction with that information in order to restrict list 533 traffic to the original subscriber, rather than a different person 534 now in possession of an address under which the original subscriber 535 was added to the list. Upon receiving a rejection caused by this 536 specification, the list service can remove that address from further 537 distribution. 539 A mailing list service that receives a message containing the header 540 field defined here needs to remove it from the message prior to 541 redistributing it, limiting exposure of information regarding the 542 relationship between the message's author and the mailing list. 544 10. Continuous Ownership 546 For the purposes of this specification, an address is defined as 547 having been under continuous ownership since a given date-time if a 548 message sent to the address at any point since the given date would 549 not go to anyone except the owner at that given date-time. That is, 550 while an address may have been suspended or otherwise disabled for 551 some period, any mail actually delivered would have been delivered 552 exclusively to the same owner. It is is presumed that some sort of 553 relationship exists between the message sender and the intended 554 recipient. Presumably there has been some confirmation process 555 applied to establish this ownership of the receiver's mailbox; 556 however, the method of making such determinations is a local matter 557 and outside the scope of this document. 559 Evaluating the notion of continuous ownership is accomplished by 560 doing any query that establishes whether the above condition holds 561 for a given mailbox. 563 Determining continuous ownership of a mailbox is a local matter at 564 the receiving site. The only possible answers to the continuous- 565 ownership-since question are "yes", "no", and "unknown"; the action 566 to be taken in the "unknown" case is a matter of local policy. 568 For example, when control of a domain name is transferred, the new 569 domain owner might be unable to determine whether the owner of the 570 subject address has been under continuous ownership since the stated 571 date if the mailbox history is not also transferred (or was not 572 previously maintained). It will also be "unknown" if whatever 573 database contains mailbox ownership data is temporarily unavailable 574 at the time a message arrives for delivery. In this latter case, 575 typical SMTP temporary failure handling is appropriate. 577 To further obscure account details on the receiving system, the 578 receiver SHOULD ignore the SMTP extension or the header field if the 579 address specified has had one continuous owner since it was created, 580 regardless of the purported confirmation date of the address. This 581 is further discussed in Section 14. 583 11. Digital Signatures 585 This protocol mandates removal of the header field (when used) upon 586 delivery in all but iexceptional circumstances. Altering a message 587 in this way will invalidate a digital signature intended to guard 588 against message modification in transit, which can interfere with 589 delivery. 591 Section 5.4.1 of DomainKeys Identified Mail [DKIM] proposes a 592 strategy for selecting header fields to sign. Specifically, it 593 advises including in the signed portion of the message only those 594 header fields that comprise part of the core content of the message. 595 As the header field version of this protocol is ephemeral, it cannot 596 be considered core content. 598 Accordingly, applying digital signatures that attempt to protect the 599 content of this header field is NOT RECOMMENDED. 601 12. Authentication-Results Definitions 603 [AUTHRES] defines a mechanism for indicating, via a header field, the 604 results of message authentication checks. Section 16 registers RRVS 605 as a new method that can be reported in this way, and corresponding 606 result names. The possible result names and their meanings are as 607 follows: 609 none: The message had no recipient mailbox timestamp associated with 610 it, either via the SMTP extension or header field method; this 611 protocol was not in use. 613 unknown: At least one form of this protocol was in use, but 614 continuous ownership of the recipient mailbox could not be 615 determined. 617 temperror: At least one form of this protocol was in use, but some 618 kind of error occurred during evaluation that was transient in 619 nature; a later retry will likely produce a final result. 621 permerror: At least one form of this protocol was in use, but some 622 kind of error occurred during evaluation that was not recoverable; 623 a later retry will not likely produce a final result. 625 pass: At least one form of this protocol was in use, and the 626 destination mailbox was confirmed to have been under constant 627 ownership since the timestamp thus provided. 629 fail: At least one form of this protocol was in use, and the 630 destination mailbox was confirmed not to have been under constant 631 ownership since the timestamp thus provided. 633 Where multiple recipients are present on a message, multiple results 634 can be reported using the mechanism described in [AUTHRES]. 636 13. Examples 638 In the following examples, "C:" indicates data sent by an SMTP 639 client, and "S:" indicates responses by the SMTP server. Message 640 content is CRLF terminated, though these are omitted here for ease of 641 reading. 643 13.1. SMTP Extension Example 645 C: [connection established] 646 S: 220 server.example.com ESMTP ready 647 C: EHLO client.example.net 648 S: 250-server.example.com 649 S: 250 RRVS 650 C: MAIL FROM: 651 S: 250 OK 652 C: RCPT TO: RRVS=1381993177 653 S: 550 5.7.17 receiver@example.com is no longer valid 654 C: QUIT 655 S: 221 So long! 657 13.2. Header Field Example 658 C: [connection established] 659 S: 220 server.example.com ESMTP ready 660 C: HELO client.example.net 661 S: 250 server.example.com 662 C: MAIL FROM: 663 S: 250 OK 664 C: RCPT TO: 665 S: 250 OK 666 C: DATA 667 S: 354 Ready for message content 668 C: From: Mister Sender 669 To: Miss Receiver 670 Subject: Are you still there? 671 Date: Fri, 28 Jun 2013 18:01:01 +0200 672 Require-Recipient-Valid-Since: receiver@example.com; 673 Sat, 1 Jun 2013 09:23:01 -0700 675 Are you still there? 676 . 677 S: 550 5.7.17 receiver@example.com is no longer valid 678 C: QUIT 679 S: 221 So long! 681 13.3. Authentication-Results Example 683 An example use of the Authentication-Results header field used to 684 yield the results of an RRVS evaluation: 686 Authentication-Results: mx.example.com; rrvs=pass 687 smtp.rcptto=user@example.com 689 This indicates that the message arrived addressed to the mailbox 690 user@example.com, the continuous ownership test was applied with the 691 provided timestamp, and the check revealed that test was satisfied. 692 The timestamp is not revealed. 694 14. Security Considerations 696 14.1. Abuse Countermeasures 698 The response of a server implementing this protocol can disclose 699 information about the age of existing email mailbox. Implementation 700 of countermeasures against probing attacks is advised. For example, 701 an operator could track appearance of this field with respect to a 702 particular mailbox and observe the timestamps being submitted for 703 testing; if it appears a variety of timestamps is being tried against 704 a single mailbox in short order, the field could be ignored and the 705 message silently discarded. This concern is discussed further in 706 Section 15. 708 14.2. Suggested Use Restrictions 710 If the mailbox named in the field is known to have had only a single 711 continuous owner since creation, or not to have existed at all (under 712 any owner) prior to the date specified in the field, then the field 713 can be silently ignored and normal message handling applied so that 714 this information is not disclosed. Such fields are likely the 715 product of either gross error or an attack. 717 A message author using this specification might restrict inclusion of 718 the header field such that it is only done for recipients known also 719 to implement this specification, in order to reduce the possibility 720 of revealing information about the relationship between the author 721 and the mailbox. 723 If ownership of an entire domain is transferred, the new owner may 724 not know what addresses were assigned in the past by the prior owner. 725 Hence, no address can be known not to have had a single owner, or to 726 have existed (or not) at all. In this case, the "unknown" result is 727 likely appropriate. 729 14.3. False Sense of Security 731 Senders implementing this protocol likely believe their content is 732 being protected by doing so. It has to be considered, however, that 733 receiving systems might not implement this protocol correctly, or at 734 all. Furthermore, use of RRVS by a sending system constitutes 735 nothing more than a request to the receiving system; that system 736 could choose not to prevent delivery for some local policy or 737 operational reason, which compromises the security the sending system 738 believed was a benefit to using RRVS. This could mean the timestamp 739 information involved in the protocol becomes inadvertently revealed. 741 This concern lends further support to the notion that senders would 742 do well to avoid using this protocol other than when sending to 743 known, trusted receivers. 745 15. Privacy Considerations 747 15.1. Probing Attacks 749 As described above, use of this extension or header field in probing 750 attacks can disclose information about the history of the mailbox. 751 The harm that can be done by leaking any kind of private information 752 is difficult to predict, so it is prudent to be sensitive to this 753 sort of disclosure, either inadvertently or in response to probing by 754 an attacker. It bears restating, then, that implementing 755 countermeasures to abuse of this capability needs strong 756 consideration. 758 That some MSPs allow for expiration of account names when they have 759 been unused for a protracted period forces a choice between two 760 potential types of privacy vulnerabilities, one of which presents 761 significantly greater threats to users than the other. Automatically 762 generated mail is often used to convey authentication credentials 763 that can potentially provide access to extremely sensitive 764 information. Supplying such credentials to the wrong party after a 765 mailbox ownership change could allow the previous owner's data to be 766 exposed without his or her authorization or knowledge. In contrast, 767 the information that may be exposed to a third party via the proposal 768 in this document is limited to information about the mailbox history. 769 Given that MSPs have chosen to allow transfers of mailbox ownership 770 without the prior owner's involvement, the information leakage from 771 the extensions specified here creates far fewer risks than the 772 potential for delivering mail to the wrong party. 774 15.2. Envelope Recipients 776 The email To and Cc header fields are not required to be populated 777 with addresses that match the envelope recipient set, and Cc may even 778 be absent. However, the algorithm in Section 3 requires that this 779 header field contain a match for an envelope recipient in order to be 780 actionable. As such, use of this specification can reveal some or 781 all of the original intended recipient set to any party that can see 782 the message in transit or upon delivery. 784 For a message destined to a single recipient, this is unlikely to be 785 a concern, which is one of the reasons use of this specification on 786 multi-recipient messages is discouraged. 788 15.3. Risks with Use of Header Field 790 MDAs might not implement the recommendation to remove the header 791 field defined here when messages are delivered, either out of 792 ignorance or due to error. Since user agents often do not render all 793 of the header fields present, the message could be forwarded to 794 another party that would then inadvertently have the content of this 795 header field. 797 A bad actor may detect use of either form of the RRVS protocol and 798 interpret it as an indication of high value content. 800 16. IANA Considerations 802 16.1. SMTP Extension Registration 804 Section 2.2.2 of [MAIL] sets out the procedure for registering a new 805 SMTP extension. IANA is requested to register the SMTP extension 806 using the details provided in Section 3.1 of this document. 808 16.2. Header Field Registration 810 IANA is requested to add the following entry to the Permanent Message 811 Header Field Names registry, as per the procedure found in 812 [IANA-HEADERS]: 814 Header field name: Require-Recipient-Valid-Since 815 Applicable protocol: mail ([MAIL]) 816 Status: Standard 817 Author/Change controller: IETF 818 Specification document(s): [this document] 819 Related information: 820 Requesting review of any proposed changes and additions to 821 this field is recommended. 823 16.3. Enhanced Status Code Registration 825 IANA is requested to register the following in the Enumerated Status 826 Codes table of the Simple Mail Transfer Protocol (SMTP) Enhanced 827 Status Codes Registry: 829 Code: X.7.17 830 Sample Text: Mailbox owner has changed 831 Associated basic status code: 5 832 Description: This status code is returned when a message is 833 received with a Require-Recipient-Valid-Since 834 field or RRVS extension and the receiving 835 system is able to determine that the intended 836 recipient mailbox has not been under 837 continuous ownership since the specified date. 838 Reference: [this document] 839 Submitter: M. Kucherawy 840 Change controller: IESG 841 Code: X.7.18 842 Sample Text: Domain owner has changed 843 Associated basic status code: 5 844 Description: This status code is returned when a message is 845 received with a Require-Recipient-Valid-Since 846 field or RRVS extension and the receiving 847 system wishes to disclose that the owner of 848 the domain name of the recipient has changed 849 since the specified date. 850 Reference: [this document] 851 Submitter: M. Kucherawy 852 Change controller: IESG 854 16.4. Authentication Results Registration 856 IANA is requested to register the following in the "Email 857 Authentication Methods" Registry: 859 Method: rrvs 861 Specifying Document: [this document] 863 ptype: smtp 865 Property: rcptto 867 Value: envelope recipient 869 Status: active 871 Version: 1 873 IANA is also requested to register the following in the "Email 874 Authentication Result Names" Registry: 876 Codes: none, unknown, temperror, permerror, pass, fail 878 Defined: [this document] 880 Auth Method(s): rrvs 882 Meaning: Section 12 of [this document] 884 Status: active 886 17. References 887 17.1. Normative References 889 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for 890 Syntax Specifications: ABNF", RFC 5234, January 2008. 892 [DATETIME] Klyne, G. and C. Newman, "Date and Time on the 893 Internet: Timestamps", RFC 3339, July 2002. 895 [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, 896 "Registration Procedures for Message Header Fields", 897 BCP 90, RFC 3864, September 2004. 899 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 900 Requirement Levels", BCP 14, RFC 2119, March 1997. 902 [MAIL] Resnick, P., "Internet Message Format", RFC 5322, 903 October 2008. 905 [ROLES] Crocker, D., "Mailbox Names For Common Services, 906 Roles And Functions", RFC 2142, May 1997. 908 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", 909 RFC 5321, October 2008. 911 17.2. Informative References 913 [AUTHRES] Kucherawy, M., "Message Header Field for Indicating 914 Message Authentication Status", RFC 7001, 915 September 2013. 917 [DKIM] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, 918 Ed., "DomainKeys Identified Mail (DKIM) Signatures", 919 RFC 6376, September 2011. 921 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message 922 Format for Delivery Status Notifications", RFC 3464, 923 January 2003. 925 [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) 926 Service Extension for Delivery Status Notifications 927 (DSNs)", RFC 3461, January 2003. 929 [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, 930 July 2009. 932 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", 933 RFC 3463, January 2003. 935 Appendix A. Acknowledgments 937 Erling Ellingsen proposed the idea. 939 Reviews and comments were provided by Michael Adkins, Kurt Andersen, 940 Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, 941 John Levine, Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed 942 Zayas, (others) 944 Authors' Addresses 946 William J. Mills 947 Yahoo! Inc. 949 EMail: wmills_92105@yahoo.com 951 Murray S. Kucherawy 952 Facebook, Inc. 953 1 Hacker Way 954 Menlo Park, CA 94025 955 USA 957 EMail: msk@fb.com