idnits 2.17.1 draft-ietf-appsawg-rrvs-header-field-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (March 25, 2014) is 3686 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 7001 (ref. 'AUTHRES') (Obsoleted by RFC 7601) Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Mills 3 Internet-Draft Yahoo! Inc. 4 Intended status: Standards Track M. Kucherawy 5 Expires: September 26, 2014 Facebook, Inc. 6 March 25, 2014 8 The Require-Recipient-Valid-Since Header Field and SMTP Service 9 Extension 10 draft-ietf-appsawg-rrvs-header-field-09 12 Abstract 14 This document defines an extension for the Simple Mail Transfer 15 Protocol called RRVS, and a header field called Require-Recipient- 16 Valid-Since, to provide a method for senders to indicate to receivers 17 a point in time when the the ownership of the target mailbox was 18 known to the sender. This can be used to detect changes of mailbox 19 ownership, and thus prevent mail from being delivered to the wrong 20 party. 22 The intended use of these facilities is on automatically generated 23 messages, such as account statements or password change instructions, 24 that might contain sensitive information, though it may also be 25 useful in other applications. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at http://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on September 26, 2014. 44 Copyright Notice 46 Copyright (c) 2014 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 62 1.1. Reassignment of Mailboxes . . . . . . . . . . . . . . . . 4 63 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 66 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 6 67 3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 6 68 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 69 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7 70 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7 71 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 8 72 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 8 73 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9 74 5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 10 75 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 10 76 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 10 77 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 11 78 8. Header Field with Multiple Recipients . . . . . . . . . . . . 11 79 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 12 80 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 12 81 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 12 82 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 13 83 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 13 84 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 13 85 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 14 86 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14 87 12. Authentication-Results Definitions . . . . . . . . . . . . . . 15 88 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 89 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 16 90 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 16 91 13.3. Authentication-Results Example . . . . . . . . . . . . . . 17 92 14. Security Considerations . . . . . . . . . . . . . . . . . . . 17 93 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 17 94 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17 95 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 18 96 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 18 97 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 18 98 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 19 99 15.3. Risks with Use . . . . . . . . . . . . . . . . . . . . . . 19 100 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 101 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19 102 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19 103 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 20 104 16.4. Authentication Results Registration . . . . . . . . . . . 20 105 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 106 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21 107 17.2. Informative References . . . . . . . . . . . . . . . . . . 22 108 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 110 1. Introduction 112 Email addresses sometimes get reassigned to a different person. For 113 example, employment changes at a company can cause an address used 114 for an ex-employee to be assigned to a new employee, or a mail 115 service provider (MSP) might expire an account and then let someone 116 else register for the local-part that was previously used. Those who 117 sent mail to the previous owner of an address might not know that it 118 has been reassigned. This can lead to the sending of email to the 119 correct address, but the wrong recipient. This situation is of 120 particular concern with transactional mail related to purchases, 121 online accounts, and the like. 123 What is needed is a way to indicate an attribute of the recipient 124 that will distinguish between the previous owner of an address and 125 its current owner, if they are different. Further, this needs to be 126 done in a way that respects privacy. 128 The mechanisms specified here allow the sender of the mail to 129 indicate how "old" the address assignment is expected to be. In 130 effect, the sender is saying, "I know that the intended recipient was 131 using this address at this point in time. I don't want this message 132 delivered to anyone else" A receiving system can then compare this 133 information against the point in time at which the address was 134 assigned to its current user. If the assignment was made later than 135 the point in time indicated in the message, there is a good chance 136 the current user of the address is not the correct recipient. The 137 receiving system can then choose to prevent delivery and, possibly, 138 to notify the original sender of the problem. 140 The primary application is transactional mail (such as account 141 information, password change requests, and other automatically 142 generated messages) rather than user-authored content. However, it 143 may be useful in other contexts; for example, a personal address book 144 could record the time an email address was added to it, and thus use 145 that time with this extension. 147 One important point is that the protocols presented here provide a 148 way for a sending system to make a request to receiving systems with 149 respect to handling of a message. In the end, there is no guarantee 150 that the request will have the desired effect. 152 1.1. Reassignment of Mailboxes 154 It is expected that email addresses will not have a high rate of 155 turnover or ownership change. High-precision timestamps are used out 156 of convenience and convention rather than out of necessity. 158 It is also good practice to have a substantial period of time between 159 mailbox owners during which the mailbox accepts no mail. 161 2. Definitions 163 For a description of the email architecture, consult [EMAIL-ARCH]. 165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 167 document are to be interpreted as described in [KEYWORDS]. 169 3. Description 171 To address the problem described in Section 1, a mail sending client 172 (usually an automated agent) needs to indicate to the server to which 173 it is connecting that it expects the destination address of the 174 message to have been under continuous ownership (see Section 10) 175 since a specified point time. That specified time would be the time 176 when the intended recipient gave the address to the message author, 177 or perhaps a more recent time when the intended recipient reconfirmed 178 ownership of the address with the sender. 180 Two mechanisms are defined here: an extension to the Simple Mail 181 Transfer Protocol [SMTP] and a new message header field. The SMTP 182 extension permits strong assurance of enforcement by confirming 183 support at each handling step for a message. The header field does 184 not provide the strong assurance, but only requires adoption by the 185 receiving Message Delivery Agent (MDA). 187 The SMTP extension is called "RRVS" (Require Recipient Valid Since), 188 and adds a parameter to the SMTP "RCPT" command that indicates the 189 most recent point in time when the message author believed the 190 destination mailbox to be under the continuous ownership of a 191 specific party. Similarly, the Require-Recipient-Valid-Since header 192 field includes an intended recipient coupled with a timestamp 193 indicating the same thing. 195 3.1. The 'RRVS' SMTP Extension 197 Extensions to SMTP are described in Section 2.2 of [SMTP]. 199 The name of the extension is "RRVS", an abbreviation of "Require 200 Recipient Valid Since". Servers implementing the SMTP extension 201 advertise an additional EHLO keyword of "RRVS", which has no 202 associated parameters, introduces no new SMTP commands, and does not 203 alter the MAIL command. 205 A Message Transfer Agent (MTA) implementing RRVS can transmit or 206 accept a new parameter to the RCPT command. An MDA can also accept 207 this new parameter. The new parameter is "RRVS", which takes a value 208 that is a timestamp expressed as a "date-time" as defined in 209 [DATETIME], with the added restriction that a "time-secfrac" MUST NOT 210 be used. Accordingly, this extension increases the maximum command 211 length for the RCPT command by 31 characters. 213 The meaning of this extension, when used, is described in 214 Section 5.1. 216 3.2. The 'Require-Recipient-Valid-Since' Header Field 218 The general constraints on syntax and placement of header fields in a 219 message are defined in Internet Message Format [MAIL]. 221 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: 223 rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time 224 CRLF 226 "date-time" is defined in Section 3.3, and "addr-spec" is defined in 227 Section 3.4.1, of [MAIL]. 229 3.3. Timestamps 231 The header field version of this protocol has a different format for 232 the date and time expression than the SMTP extension does. This is 233 because message header fields use a format to express time and date 234 that is specific to message header fields, and this is consistent 235 with that usage. 237 Use of both date and time is done to be consistent with how current 238 implementations typically store the timestamp, and to make it easy to 239 include the time zone. In practice, granularity beyond the date may 240 or may not be useful. 242 4. Use By Generators 244 When a message is generated whose content is sufficiently sensitive 245 that an author or author's Administrative Management Domain (ADMD; 246 see [EMAIL-ARCH]) wishes to protect against misdelivery using this 247 protocol, it determines for each recipient mailbox on the message a 248 timestamp at which it last confirmed ownership of that mailbox. It 249 then applies either the SMTP extension or the header field defined 250 above when sending the message to its destination. 252 Use of the SMTP extension provided here is preferable over the header 253 field method because of: 255 1. the positive confirmation of support at each handling node; 257 2. the fact that the protocol is focused on affecting delivery (that 258 is, the transaction) rather than on content; and 260 3. the fact that there is less risk of the timestamp parameter being 261 inadvertently forwarded (see Section 15.3). 263 The header field mechanism is defined only to enable passage of the 264 request between and through systems that do not implement the SMTP 265 extension. 267 5. Handling By Receivers 269 If a receiver implements this specification, then there are two 270 possible evaluation paths: 272 1. The sending client implements the extension, and so there was an 273 RRVS parameter on a RCPT TO command in the SMTP session and the 274 parameters of interest are taken only from there (and the header 275 field, if present, is disregarded); or 277 2. The sending client does not (or elected not to) implement the 278 extension, so the RRVS parameter was not present on the RCPT TO 279 commands in the SMTP session, but the corresponding header field 280 might be present in the message. 282 5.1. SMTP Extension Used 284 For an MTA supporting the SMTP extension, the requirement is to 285 continue enforcement of RRVS during the relaying process to the next 286 MTA or the MDA. 288 A receiving MTA or MDA that implements the SMTP extension declared 289 above and observes an RRVS parameter on a RCPT TO command checks 290 whether the current owner of the destination mailbox has held it 291 continuously, far enough back to include the given point in time, and 292 delivers it unless that check returns in the negative. Specifically, 293 an MDA will do the following before continuing with delivery: 295 1. Ignore the parameter if the named mailbox is known to be a role 296 account as listed in Mailbox Names For Common Services, Roles And 297 Functions [ROLES]. (See Section 6.) 299 2. If the address is not known to be a role account, and if that 300 address has not been under continuous ownership since the 301 timestamp specified in the extension, return a 550 error to the 302 RCPT command. (See also Section 16.3.) 304 3. If any Require-Recipient-Valid-Since header fields are present 305 and refer to the named address, they SHOULD be removed prior to 306 delivery or relaying. (See Section 5.2 and Section 7.1 for 307 discussion.) 309 5.1.1. Relays 311 An MTA that does not make mailbox ownership checks, such as an MTA 312 positioned to do SMTP ingress at an organizational boundary, SHOULD 313 relay the RRVS extension parameter to the next MTA or MDA so that it 314 can be processed there. 316 See Section 9.2 for additional discussion. 318 5.2. Header Field Used 320 A receiving system that implements this specification, upon receiving 321 a message bearing a Require-Recipient-Valid-Since header field when 322 no corresponding RRVS SMTP extension was used, checks whether the 323 destination mailbox owner has held it continuously, far enough back 324 to include the given date-time, and delivers it unless that check 325 returns in the negative. Expressed as a sequence of steps: 327 1. Extract those Require-Recipient-Valid-Since fields from the 328 message that contain a recipient for which no corresponding RRVS 329 SMTP extension was used. 331 2. Discard any such fields that match any of these criteria: 333 * are syntactically invalid; 335 * name a role account as listed in [ROLES] (see Section 6); 337 * the "addr-spec" portion does not match a current recipient, as 338 listed in the RCPT TO commands in the SMTP session; or 340 * the "addr-spec" portion does not refer to a mailbox handled 341 for local delivery by this ADMD. 343 3. For each field remaining, determine if the named address has been 344 under continuous ownership since the corresponding timestamp. If 345 it has not, reject the message. 347 4. RECOMMENDED: If local delivery is being performed, remove all 348 instances of this field prior to delivery to a mailbox; if the 349 message is being forwarded, remove those instances of this header 350 field that were not discarded by step 2 above. 352 Handling proceeds normally upon completion of the above steps if 353 rejection has not been performed. 355 The final step is not mandatory as not all mail handling agents are 356 capable of stripping away header fields, and there are sometimes 357 reasons to keep the field intact such as debugging or presence of 358 digital signatures that might be invalidated by such a change. See 359 Section 11 for additional discussion. 361 If a message is to be rejected within the SMTP protocol itself 362 (versus generating a rejection message separately), servers 363 implementing this protocol SHOULD also implement the SMTP extension 364 described in Enhanced Mail System Status Codes [ESC] and use the 365 enhanced status codes described in Section 16.3 as appropriate. 367 Implementation by this method is expected to be transparent to non- 368 participants, since they would typically ignore this header field. 370 This header field is not normally added to a message that is 371 addressed to multiple recipients. The intended use of this field 372 involves an author seeking to protect transactional or otherwise 373 sensitive data intended for a single recipient, and thus generating 374 independent messages for each individual recipient is normal 375 practice. See Section 8 for further discussion. 377 5.2.1. Design Choices 379 The presence of the intended address in the field content supports 380 the case where a message bearing this header field is forwarded. The 381 specific use case is as follows: 383 1. A user subscribes to a service "S" on date "D" and confirms an 384 email address at the user's current location, "A"; 386 2. At some later date, the user intends to leave the current 387 location, and thus creates a new mailbox elsewhere, at "B"; 389 3. The user replaces address "A" with forwarding to "B"; 391 4. "S" constructs a message to "A" claiming that address was valid 392 at date "D" and sends it to "A"; 394 5. The receiving MTA at "A" determines that the forwarding in effect 395 was created by the same party that owned the mailbox there, and 396 thus concludes the continuous ownership test has been satisfied; 398 6. If possible, "A" removes this header field from the message, and 399 in either case, forwards it to "B"; 401 7. On receipt at "B", either the header field has been removed, or 402 the header field does not refer to a current envelope recipient, 403 and in either case delivers the message. 405 Section 9 discusses some interesting use cases, such as the case 406 where "B" above results in further forwarding of the message. 408 SMTP has never required any correspondence between addresses in the 409 RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a 410 message, which is why the header field defined here contains the 411 recipient address to which the timestamp applies. 413 5.3. Clock Synchronization 415 The timestamp portion of this specification supports a precision at 416 the seconds level. Although uncommon, it is not impossible for a 417 clock at either a generator or a receiver to be incorrect, leading to 418 an incorrect result in the RRVS evaluation. 420 To minimize the risk of such incorrect results, both generators and 421 receivers implementing this specification MUST use a standard clock 422 synchronization protocol such as [NTP] to synchronize to a common 423 clock. 425 6. Role Accounts 427 It is necessary not to interfere with delivery of messages to role 428 mailboxes (see [ROLES]), but it could be useful to notify users 429 sending to those mailboxes that a change of ownership might have 430 taken place, if such notification is possible. 432 7. Relaying Without RRVS Support 434 When a message is received using the SMTP extension defined here but 435 will not be delivered locally (that is, it needs to be relayed 436 further), the MTA to which the relay will take place might not be 437 compliant with this specification. Where the MTA in possession of 438 the message observes it is going to relay the message to an MTA that 439 does not advertise this extension, it needs to choose one of the 440 following actions: 442 1. Decline to relay the message further, preferably generating a 443 Delivery Status Notification [DSN] to indicate failure 444 (RECOMMENDED); 446 2. Downgrade the data thus provided in the SMTP extension to a 447 header field, as described in Section 7.1 below (RECOMMENDED when 448 the previous option is not available); or 450 3. Silently continue with delivery, dropping the protection offered 451 by this protocol. 453 Using other than the first option needs to be avoided unless there is 454 specific knowledge that further relaying with the degraded 455 protections thus provided does not introduce undue risk. 457 7.1. Header Field Conversion 459 If an SMTP server ("B") that has received mailbox timestamps from a 460 client ("A") using this extension but then needs to relay the 461 corresponding message on to another server ("C") (thereby becoming a 462 client), but "C" does not advertise the SMTP extension and "B" elects 463 not to reject the message, "B" SHOULD add Require-Recipient-Valid- 464 Since header fields matching each mailbox to which relaying is being 465 done, and the corresponding valid-since timestamp for each. 467 Similarly, if "B" receives a message bearing one or more Require- 468 Recipient-Valid-Since header fields from "A" for which it must now 469 relay the message, and "C" advertises support for the SMTP extension, 470 "B" SHOULD delete the header field(s) and instead relay this 471 information by making use of the SMTP extension. Note that such 472 modification of the header might affect later validation of the 473 header upon delivery; for example, a hash of the header would produce 474 a different result. This might be a valid cause for some operators 475 to skip this delete operation. 477 8. Header Field with Multiple Recipients 479 Numerous issues arise when using the header field form of this 480 extension, particularly when multiple recipients are specified for a 481 single message resulting in multiple fields each with a distinct 482 address and timestamp. 484 Because of the nature of SMTP, a message bearing a multiplicity of 485 Require-Recipient-Valid-Since header fields could result in a single 486 delivery attempt for multiple recipients (in particular, if two of 487 the recipients are handled by the same server), and if any one of 488 them fails the test, the delivery fails to all of them; it then 489 becomes necessary to do one of the following: 491 o reject the message on completion of the DATA phase of the SMTP 492 session, which is a rejection of delivery to all recipients; or 494 o accept the message on completion of DATA, and then generate a 495 Delivery Status Notification [DSN] message for each of the failed 496 recipients 498 Additional complexity arises when a message is sent to two 499 recipients, "A" and "B", presumably with different timestamps, both 500 of which are then redirected to a common address "C". The author is 501 not necessarily aware of the current or past ownership of mailbox 502 "C", or indeed that "A" and/or "B" have been redirected. This might 503 result in either or both of the two deliveries failing at "C", which 504 is likely to confuse the message author, who (as far as the author is 505 aware) never sent a message to "C" in the first place. 507 9. Special Use Addresses 509 In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to 510 request generation of DSNs, and related information to allow such 511 reports to be maximally useful. Section 5.2.7 of that document 512 explored the issue of the use of that extension where the recipient 513 is a mailing list. This extension has similar concerns which are 514 covered here following that document as a model. 516 For all cases described below, a receiving MTA SHOULD NOT introduce 517 RRVS in either form (SMTP extension or header field) if the message 518 did not arrive with RRVS in use. This would amount to second- 519 guessing of the message originator's intention and might lead to an 520 undesirable outcome. 522 9.1. Mailing Lists 524 Delivery to a mailing list service is considered a final delivery. 525 Where this protocol is in use, it is evaluated as per any normal 526 delivery: If the same mailing list has been operating in place of the 527 specified recipient mailbox since at least the timestamp given as the 528 RRVS parameter, the message is delivered to the list service 529 normally, and is otherwise not delivered. 531 It is important, however, that the participating MDA passing the 532 message to the list service needs to omit the RRVS parameter in 533 either form (SMTP extension or header field) when doing so. The 534 emission of a message from the list service to its subscribers 535 constitutes a new message not covered by the previous transaction. 537 9.2. Single-Recipient Aliases 539 Upon delivery of an RRVS-protected message to an alias (acting in 540 place of a mailbox) that results in relaying of the message to a 541 single other destination, the usual RRVS check is performed. The 542 continuous ownership test here might succeed if, for example, a 543 conventional user inbox was replaced with an alias on behalf of that 544 same user, and the time when this was done is recorded in a way that 545 can be queried by the relaying MTA. 547 If the relaying system also performs some kind of step where 548 ownership of the new destination address is confirmed, it SHOULD 549 apply RRVS using the later of that timestamp and the one that was 550 used inbound. This also allows for changes to the alias without 551 disrupting the protection offered by RRVS. 553 If the relaying system has no such time records related to the new 554 destination address, the RRVS SMTP extension is not used on the 555 relaying SMTP session, and the header field relative to the local 556 alias is removed, in accordance with Section 5. 558 9.3. Multiple-Recipient Aliases 560 Upon delivery of an RRVS-protected message to an alias (acting in 561 place of a mailbox) that results in relaying of the message to 562 multiple other destinations, the usual RRVS check is performed as in 563 Section 9.2. The MTA expanding such an alias then decides which of 564 the options enumerated in that section is to be applied for each new 565 recipient. 567 9.4. Confidential Forwarding Addresses 569 In the above cases, the original author could receive message 570 rejections, such as DSNs, from the ultimate destination, where the 571 RRVS check (or indeed, any other) fails and rejection is warranted. 572 This can reveal the existence of a forwarding relationship between 573 the original intended recipient and the actual final recipient. 575 Where this is a concern, the initial delivery attempt is to be 576 treated like a mailing list delivery, with RRVS evaluation done and 577 then all RRVS information removed from the message prior to relaying 578 it to its true destination. 580 9.5. Suggested Mailing List Enhancements 582 Mailing list services could store the timestamp at which a subscriber 583 was added to a mailing list. This specification could then be used 584 in conjunction with that information in order to restrict list 585 traffic to the original subscriber, rather than a different person 586 now in possession of an address under which the original subscriber 587 was added to the list. Upon receiving a rejection caused by this 588 specification, the list service can remove that address from further 589 distribution. 591 A mailing list service that receives a message containing the header 592 field defined here needs to remove it from the message prior to 593 redistributing it, limiting exposure of information regarding the 594 relationship between the message's author and the mailing list. 596 10. Continuous Ownership 598 For the purposes of this specification, an address is defined as 599 having been under continuous ownership since a given date-time if a 600 message sent to the address at any point since the given date would 601 not go to anyone except the owner at that given date-time. That is, 602 while an address may have been suspended or otherwise disabled for 603 some period, any mail actually delivered would have been delivered 604 exclusively to the same owner. It is presumed that some sort of 605 relationship exists between the message sender and the intended 606 recipient. Presumably there has been some confirmation process 607 applied to establish this ownership of the receiver's mailbox; 608 however, the method of making such determinations is a local matter 609 and outside the scope of this document. 611 Evaluating the notion of continuous ownership is accomplished by 612 doing any query that establishes whether the above condition holds 613 for a given mailbox. 615 Determining continuous ownership of a mailbox is a local matter at 616 the receiving site. The only possible answers to the continuous- 617 ownership-since question are "yes", "no", and "unknown"; the action 618 to be taken in the "unknown" case is a matter of local policy. 620 For example, when control of a domain name is transferred, the new 621 domain owner might be unable to determine whether the owner of the 622 subject address has been under continuous ownership since the stated 623 date if the mailbox history is not also transferred (or was not 624 previously maintained). It will also be "unknown" if whatever 625 database contains mailbox ownership data is temporarily unavailable 626 at the time a message arrives for delivery. In this latter case, 627 typical SMTP temporary failure handling is appropriate. 629 To avoid exposing account details unnecessarily, if the address 630 specified has had one continuous owner since it was created, any 631 confirmation date SHOULD be considered to pass the test, even if that 632 date is earlier than the account creation date. This is further 633 discussed in Section 14. 635 11. Digital Signatures 637 This protocol mandates removal of the header field (when used) upon 638 delivery in all but exceptional circumstances. Altering a message in 639 this way will invalidate a digital signature intended to guard 640 against message modification in transit, which can interfere with 641 delivery. 643 Section 5.4.1 of DomainKeys Identified Mail [DKIM] proposes a 644 strategy for selecting header fields to sign. Specifically, it 645 advises including in the signed portion of the message only those 646 header fields that comprise part of the core content of the message. 647 As the header field version of this protocol is ephemeral, it cannot 648 be considered core content. 650 Accordingly, applying digital signatures that attempt to protect the 651 content of this header field is NOT RECOMMENDED. 653 12. Authentication-Results Definitions 655 [AUTHRES] defines a mechanism for indicating, via a header field, the 656 results of message authentication checks. Section 16 registers RRVS 657 as a new method that can be reported in this way, and corresponding 658 result names. The possible result names and their meanings are as 659 follows: 661 none: The message had no recipient mailbox timestamp associated with 662 it, either via the SMTP extension or header field method; this 663 protocol was not in use. 665 unknown: At least one form of this protocol was in use, but 666 continuous ownership of the recipient mailbox could not be 667 determined. 669 temperror: At least one form of this protocol was in use, but some 670 kind of error occurred during evaluation that was transient in 671 nature; a later retry will likely produce a final result. 673 permerror: At least one form of this protocol was in use, but some 674 kind of error occurred during evaluation that was not recoverable; 675 a later retry will not likely produce a final result. 677 pass: At least one form of this protocol was in use, and the 678 destination mailbox was confirmed to have been under continuous 679 ownership since the timestamp thus provided. 681 fail: At least one form of this protocol was in use, and the 682 destination mailbox was confirmed not to have been under 683 continuous ownership since the timestamp thus provided. 685 Where multiple recipients are present on a message, multiple results 686 can be reported using the mechanism described in [AUTHRES]. 688 13. Examples 690 In the following examples, "C:" indicates data sent by an SMTP 691 client, and "S:" indicates responses by the SMTP server. Message 692 content is CRLF terminated, though these are omitted here for ease of 693 reading. 695 13.1. SMTP Extension Example 697 C: [connection established] 698 S: 220 server.example.com ESMTP ready 699 C: EHLO client.example.net 700 S: 250-server.example.com 701 S: 250 RRVS 702 C: MAIL FROM: 703 S: 250 OK 704 C: RCPT TO: RRVS=2014-04-03T23:01:00Z 705 S: 550 5.7.17 receiver@example.com is no longer valid 706 C: QUIT 707 S: 221 So long! 709 13.2. Header Field Example 711 C: [connection established] 712 S: 220 server.example.com ESMTP ready 713 C: HELO client.example.net 714 S: 250 server.example.com 715 C: MAIL FROM: 716 S: 250 OK 717 C: RCPT TO: 718 S: 250 OK 719 C: DATA 720 S: 354 Ready for message content 721 C: From: Mister Sender 722 To: Miss Receiver 723 Subject: Are you still there? 724 Date: Fri, 28 Jun 2013 18:01:01 +0200 725 Require-Recipient-Valid-Since: receiver@example.com; 726 Sat, 1 Jun 2013 09:23:01 -0700 728 Are you still there? 729 . 730 S: 550 5.7.17 receiver@example.com is no longer valid 731 C: QUIT 732 S: 221 So long! 734 13.3. Authentication-Results Example 736 An example use of the Authentication-Results header field used to 737 yield the results of an RRVS evaluation: 739 Authentication-Results: mx.example.com; rrvs=pass 740 smtp.rcptto=user@example.com 742 This indicates that the message arrived addressed to the mailbox 743 user@example.com, the continuous ownership test was applied with the 744 provided timestamp, and the check revealed that test was satisfied. 745 The timestamp is not revealed. 747 14. Security Considerations 749 14.1. Abuse Countermeasures 751 The response of a server implementing this protocol can disclose 752 information about the age of an existing email mailbox. 753 Implementation of countermeasures against probing attacks is 754 RECOMMENDED. For example, an operator could track appearance of this 755 field with respect to a particular mailbox and observe the timestamps 756 being submitted for testing; if it appears a variety of timestamps is 757 being tried against a single mailbox in short order, the field could 758 be ignored and the message silently discarded. This concern is 759 discussed further in Section 15. 761 14.2. Suggested Use Restrictions 763 If the mailbox named in the field is known to have had only a single 764 continuous owner since creation, or not to have existed at all (under 765 any owner) prior to the date specified in the field, then the field 766 SHOULD be silently ignored and normal message handling applied so 767 that this information is not disclosed. Such fields are likely the 768 product of either gross error or an attack. 770 A message author using this specification might restrict inclusion of 771 the header field such that it is only done for recipients known also 772 to implement this specification, in order to reduce the possibility 773 of revealing information about the relationship between the author 774 and the mailbox. 776 If ownership of an entire domain is transferred, the new owner may 777 not know what addresses were assigned in the past by the prior owner. 778 Hence, no address can be known not to have had a single owner, or to 779 have existed (or not) at all. In this case, the "unknown" result is 780 likely appropriate. 782 14.3. False Sense of Security 784 Senders implementing this protocol likely believe their content is 785 being protected by doing so. It has to be considered, however, that 786 receiving systems might not implement this protocol correctly, or at 787 all. Furthermore, use of RRVS by a sending system constitutes 788 nothing more than a request to the receiving system; that system 789 could choose not to prevent delivery for some local policy, legal or 790 operational reason, which compromises the security the sending system 791 believed was a benefit to using RRVS. This could mean the timestamp 792 information involved in the protocol becomes inadvertently revealed. 794 This concern lends further support to the notion that senders would 795 do well to avoid using this protocol other than when sending to 796 known, trusted receivers. 798 15. Privacy Considerations 800 15.1. Probing Attacks 802 As described above, use of this extension or header field in probing 803 attacks can disclose information about the history of the mailbox. 804 The harm that can be done by leaking any kind of private information 805 is difficult to predict, so it is prudent to be sensitive to this 806 sort of disclosure, either inadvertently or in response to probing by 807 an attacker. It bears restating, then, that implementing 808 countermeasures to abuse of this capability needs strong 809 consideration. 811 That some MSPs allow for expiration of account names when they have 812 been unused for a protracted period forces a choice between two 813 potential types of privacy vulnerabilities, one of which presents 814 significantly greater threats to users than the other. Automatically 815 generated mail is often used to convey authentication credentials 816 that can potentially provide access to extremely sensitive 817 information. Supplying such credentials to the wrong party after a 818 mailbox ownership change could allow the previous owner's data to be 819 exposed without his or her authorization or knowledge. In contrast, 820 the information that may be exposed to a third party via the proposal 821 in this document is limited to information about the mailbox history. 822 Given that MSPs have chosen to allow transfers of mailbox ownership 823 without the prior owner's involvement, the information leakage from 824 the extensions specified here creates far lower overall risk than the 825 potential for delivering mail to the wrong party. 827 15.2. Envelope Recipients 829 The email To and Cc header fields are not required to be populated 830 with addresses that match the envelope recipient set, and Cc may even 831 be absent. However, the algorithm in Section 3 requires that this 832 header field contain a match for an envelope recipient in order to be 833 actionable. As such, use of this specification can reveal some or 834 all of the original intended recipient set to any party that can see 835 the message in transit or upon delivery. 837 For a message destined to a single recipient, this is unlikely to be 838 a concern, which is one of the reasons use of this specification on 839 multi-recipient messages is discouraged. 841 15.3. Risks with Use 843 MDAs might not implement the recommendation to remove the header 844 field defined here when messages are delivered, either out of 845 ignorance or due to error. Since user agents often do not render all 846 of the header fields present, the message could be forwarded to 847 another party that would then inadvertently have the content of this 848 header field. 850 A bad actor may detect use of either form of the RRVS protocol and 851 interpret it as an indication of high value content. 853 16. IANA Considerations 855 16.1. SMTP Extension Registration 857 Section 2.2.2 of [MAIL] sets out the procedure for registering a new 858 SMTP extension. IANA is requested to register the SMTP extension 859 using the details provided in Section 3.1 of this document. 861 16.2. Header Field Registration 863 IANA is requested to add the following entry to the Permanent Message 864 Header Field Names registry, as per the procedure found in 865 [IANA-HEADERS]: 867 Header field name: Require-Recipient-Valid-Since 868 Applicable protocol: mail ([MAIL]) 869 Status: Standard 870 Author/Change controller: IETF 871 Specification document(s): [this document] 872 Related information: 873 Requesting review of any proposed changes and additions to 874 this field is recommended. 876 16.3. Enhanced Status Code Registration 878 IANA is requested to register the following in the Enumerated Status 879 Codes table of the Simple Mail Transfer Protocol (SMTP) Enhanced 880 Status Codes Registry: 882 Code: X.7.17 883 Sample Text: Mailbox owner has changed 884 Associated basic status code: 5 885 Description: This status code is returned when a message is 886 received with a Require-Recipient-Valid-Since 887 field or RRVS extension and the receiving 888 system is able to determine that the intended 889 recipient mailbox has not been under 890 continuous ownership since the specified date. 891 Reference: [this document] 892 Submitter: M. Kucherawy 893 Change controller: IESG 895 Code: X.7.18 896 Sample Text: Domain owner has changed 897 Associated basic status code: 5 898 Description: This status code is returned when a message is 899 received with a Require-Recipient-Valid-Since 900 field or RRVS extension and the receiving 901 system wishes to disclose that the owner of 902 the domain name of the recipient has changed 903 since the specified date. 904 Reference: [this document] 905 Submitter: M. Kucherawy 906 Change controller: IESG 908 16.4. Authentication Results Registration 910 IANA is requested to register the following in the "Email 911 Authentication Methods" Registry: 913 Method: rrvs 915 Specifying Document: [this document] 917 ptype: smtp 919 Property: rcptto 920 Value: envelope recipient 922 Status: active 924 Version: 1 926 IANA is also requested to register the following in the "Email 927 Authentication Result Names" Registry: 929 Codes: none, unknown, temperror, permerror, pass, fail 931 Defined: [this document] 933 Auth Method(s): rrvs 935 Meaning: Section 12 of [this document] 937 Status: active 939 17. References 941 17.1. Normative References 943 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for 944 Syntax Specifications: ABNF", RFC 5234, January 2008. 946 [DATETIME] Klyne, G. and C. Newman, "Date and Time on the 947 Internet: Timestamps", RFC 3339, July 2002. 949 [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, 950 "Registration Procedures for Message Header Fields", 951 BCP 90, RFC 3864, September 2004. 953 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 954 Requirement Levels", BCP 14, RFC 2119, March 1997. 956 [MAIL] Resnick, P., "Internet Message Format", RFC 5322, 957 October 2008. 959 [NTP] Mills, D., Martin, J., Ed., Burbank, J., and W. 960 Kasch, "Network Time Protocol Version 4: Protocol and 961 Algorithms Specification", RFC 5905, June 2010. 963 [ROLES] Crocker, D., "Mailbox Names For Common Services, 964 Roles And Functions", RFC 2142, May 1997. 966 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", 967 RFC 5321, October 2008. 969 17.2. Informative References 971 [AUTHRES] Kucherawy, M., "Message Header Field for Indicating 972 Message Authentication Status", RFC 7001, 973 September 2013. 975 [DKIM] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, 976 Ed., "DomainKeys Identified Mail (DKIM) Signatures", 977 RFC 6376, September 2011. 979 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message 980 Format for Delivery Status Notifications", RFC 3464, 981 January 2003. 983 [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) 984 Service Extension for Delivery Status Notifications 985 (DSNs)", RFC 3461, January 2003. 987 [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, 988 July 2009. 990 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", 991 RFC 3463, January 2003. 993 Appendix A. Acknowledgments 995 Erling Ellingsen proposed the idea. 997 Reviews and comments were provided by Michael Adkins, Kurt Andersen, 998 Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, 999 John Levine, Alexey Melnikov, Jay Nancarrow, Hector Santos, Gregg 1000 Stefancik, Ed Zayas, (others) 1002 Authors' Addresses 1004 William J. Mills 1005 Yahoo! Inc. 1007 EMail: wmills_92105@yahoo.com 1008 Murray S. Kucherawy 1009 Facebook, Inc. 1010 1 Hacker Way 1011 Menlo Park, CA 94025 1012 USA 1014 EMail: msk@fb.com