idnits 2.17.1 draft-ietf-dmarc-arc-multi-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 22, 2018) is 2276 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 309 == Unused Reference: 'RFC1345' is defined on line 183, but no explicit reference was found in the text == Unused Reference: 'RFC2142' is defined on line 192, but no explicit reference was found in the text == Unused Reference: 'RFC2606' is defined on line 196, but no explicit reference was found in the text == Unused Reference: 'RFC3463' is defined on line 200, but no explicit reference was found in the text == Unused Reference: 'RFC4686' is defined on line 204, but no explicit reference was found in the text == Unused Reference: 'RFC5226' is defined on line 208, but no explicit reference was found in the text == Unused Reference: 'RFC5234' is defined on line 213, but no explicit reference was found in the text == Unused Reference: 'RFC5321' is defined on line 218, but no explicit reference was found in the text == Unused Reference: 'RFC5322' is defined on line 222, but no explicit reference was found in the text == Unused Reference: 'RFC5585' is defined on line 226, but no explicit reference was found in the text == Unused Reference: 'RFC5863' is defined on line 235, but no explicit reference was found in the text == Unused Reference: 'RFC6376' is defined on line 241, but no explicit reference was found in the text == Unused Reference: 'RFC6377' is defined on line 246, but no explicit reference was found in the text == Unused Reference: 'RFC6651' is defined on line 250, but no explicit reference was found in the text == Unused Reference: 'RFC7208' is defined on line 255, but no explicit reference was found in the text == Unused Reference: 'RFC7601' is defined on line 260, but no explicit reference was found in the text == Unused Reference: 'ENHANCED-STATUS' is defined on line 273, but no explicit reference was found in the text == Unused Reference: 'RFC6982' is defined on line 278, but no explicit reference was found in the text == Unused Reference: 'RFC7489' is defined on line 283, but no explicit reference was found in the text == Unused Reference: 'RFC7960' is defined on line 288, but no explicit reference was found in the text ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 7601 (Obsoleted by RFC 8601) == Outdated reference: A later version (-23) exists of draft-ietf-dmarc-arc-protocol-11 -- Obsolete informational reference (is this intentional?): RFC 6982 (Obsoleted by RFC 7942) Summary: 2 errors (**), 0 flaws (~~), 22 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DMARC Working Group K. Andersen 3 Internet-Draft LinkedIn 4 Intended status: Experimental S. Blank, Ed. 5 Expires: July 26, 2018 ValiMail 6 J. Levine, Ed. 7 Taughannock Networks 8 January 22, 2018 10 Using Multiple Signing Algorithms with the ARC (Authenticated Received 11 Chain) Protocol 12 draft-ietf-dmarc-arc-multi-00 14 Abstract 16 The Authenticated Received Chain (ARC) protocol creates a mechanism 17 whereby a series of handlers of an email message can conduct 18 authentication of the email message as it passes among them on the 19 way to its destination. 21 Initial development of ARC has been done with a single allowed 22 signing algorithm, but parallel work in the DCRUP working group 23 (https://datatracker.ietf.org/wg/dcrup/about/) is expanding the 24 supported algorithms. This specification defines how to extend ARC 25 for multiple signing algorithms. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on July 26, 2018. 44 Copyright Notice 46 Copyright (c) 2018 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (https://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 62 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 3. Definitions and Terminology . . . . . . . . . . . . . . . . . 3 64 4. Supporting Alternate Signing Algorithms . . . . . . . . . . . 3 65 5. General Approach . . . . . . . . . . . . . . . . . . . . . . 3 66 5.1. Signers . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 5.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 3 68 6. Phases of Algorithm Evolution . . . . . . . . . . . . . . . . 3 69 6.1. Introductory Period . . . . . . . . . . . . . . . . . . . 3 70 6.2. Co-Existence Period . . . . . . . . . . . . . . . . . . . 4 71 6.3. Deprecation Period . . . . . . . . . . . . . . . . . . . 4 72 6.4. Obsolescence Period . . . . . . . . . . . . . . . . . . . 4 73 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4 74 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 75 9. Security Considerations . . . . . . . . . . . . . . . . . . . 4 76 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 77 10.1. Normative References . . . . . . . . . . . . . . . . . . 4 78 10.2. Informative References . . . . . . . . . . . . . . . . . 6 79 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 7 80 Appendix B. Comments and Feedback . . . . . . . . . . . . . . . 7 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 83 1. Introduction 85 The Authenticated Received Chain (ARC) protocol adds a traceable 86 chain of signatures that cover the handling of an email message 87 through a chain of intermediary handlers. 89 Initial development of ARC has been done with a single allowed 90 signing algorithm, but parallel work in the DCRUP working group 91 (https://datatracker.ietf.org/wg/dcrup/about/) is expanding the 92 supported algorithms. This specification defines how to extend ARC 93 for multiple signing algorithms. 95 2. Overview 97 In order to phase in new signing algorithms, this specification 98 identifies how signers and validators MUST process ARC sets found in 99 email messages. 101 3. Definitions and Terminology 103 This section defines terms used in the rest of the document. 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 107 document are to be interpreted as described in [RFC2119]. 109 Because many of the core concepts and definitions are found in 110 [RFC5598], readers SHOULD to be familiar with the contents of 111 [RFC5598], and in particular, the potential roles of intermediaries 112 in the delivery of email. 114 4. Supporting Alternate Signing Algorithms 116 During a period where multiple algorithms are allowed, all of the 117 statements in the ARC spec which refer to "exactly one set of ARC 118 headers per instance" need to be understood as "at least one set per 119 instance and no more than one set per instance per algorithm". 121 5. General Approach 123 5.1. Signers 125 Signers MUST initiate ARC signing of messages with all supported 126 algorithms that they are capable of using. 128 Signers MUST continue ARC chains with all supported algorithms that 129 they are capable of using. 131 5.2. Validators 133 Validators MUST use the longest ARC chain on the message for which 134 they can interpret the signing algorithm. 136 6. Phases of Algorithm Evolution 138 6.1. Introductory Period 140 Intermediaries MUST be able to validate ARC chains built with either 141 algorithm but MAY create ARC sets with either (or both) algorithm. 143 The introductory period should be at least six (6) months. 145 6.2. Co-Existence Period 147 Intermediaries MUST be able to validate ARC chains build with either 148 algorithm and MUST create ARC sets with both algorithms. Chains 149 ending with either algorithm may be used for the result. 151 6.3. Deprecation Period 153 ARC sets built with algorithms that are being deprecated MAY be 154 considered valid within an ARC chain, however, intermediaries MUST 155 NOT create additional sets with the deprecated algorithm. 157 The deprecation period should be at least two (2) years. 159 6.4. Obsolescence Period 161 ARC sets built with algorithms that are obsolete MUST NOT be 162 considered valid within an ARC chain. Intermediaries MUST NOT create 163 any sets with any obsoleted algorithm. 165 7. Privacy Considerations 167 No unique privacy considerations are introduced by this specification 168 beyond those of the base [ARC-DRAFT-11] protocol. 170 8. IANA Considerations 172 No new IANA considerations are introduced by this specification. 174 9. Security Considerations 176 No new security considerations are introduced by this specification 177 beyond those of the base [ARC-DRAFT-11] protocol. 179 10. References 181 10.1. Normative References 183 [RFC1345] Simonsen, K., "Character Mnemonics and Character Sets", 184 RFC 1345, DOI 10.17487/RFC1345, June 1992, 185 . 187 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 188 Requirement Levels", BCP 14, RFC 2119, 189 DOI 10.17487/RFC2119, March 1997, 190 . 192 [RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and 193 Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997, 194 . 196 [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS 197 Names", BCP 32, RFC 2606, DOI 10.17487/RFC2606, June 1999, 198 . 200 [RFC3463] Vaudreuil, G., "Enhanced Mail System Status Codes", 201 RFC 3463, DOI 10.17487/RFC3463, January 2003, 202 . 204 [RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys 205 Identified Mail (DKIM)", RFC 4686, DOI 10.17487/RFC4686, 206 September 2006, . 208 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 209 IANA Considerations Section in RFCs", RFC 5226, 210 DOI 10.17487/RFC5226, May 2008, 211 . 213 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 214 Specifications: ABNF", STD 68, RFC 5234, 215 DOI 10.17487/RFC5234, January 2008, 216 . 218 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 219 DOI 10.17487/RFC5321, October 2008, 220 . 222 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 223 DOI 10.17487/RFC5322, October 2008, 224 . 226 [RFC5585] Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys 227 Identified Mail (DKIM) Service Overview", RFC 5585, 228 DOI 10.17487/RFC5585, July 2009, 229 . 231 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, 232 DOI 10.17487/RFC5598, July 2009, 233 . 235 [RFC5863] Hansen, T., Siegel, E., Hallam-Baker, P., and D. Crocker, 236 "DomainKeys Identified Mail (DKIM) Development, 237 Deployment, and Operations", RFC 5863, 238 DOI 10.17487/RFC5863, May 2010, 239 . 241 [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., 242 "DomainKeys Identified Mail (DKIM) Signatures", STD 76, 243 RFC 6376, DOI 10.17487/RFC6376, September 2011, 244 . 246 [RFC6377] Kucherawy, M., "DomainKeys Identified Mail (DKIM) and 247 Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377, 248 September 2011, . 250 [RFC6651] Kucherawy, M., "Extensions to DomainKeys Identified Mail 251 (DKIM) for Failure Reporting", RFC 6651, 252 DOI 10.17487/RFC6651, June 2012, 253 . 255 [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for 256 Authorizing Use of Domains in Email, Version 1", RFC 7208, 257 DOI 10.17487/RFC7208, April 2014, 258 . 260 [RFC7601] Kucherawy, M., "Message Header Field for Indicating 261 Message Authentication Status", RFC 7601, 262 DOI 10.17487/RFC7601, August 2015, 263 . 265 10.2. Informative References 267 [ARC-DRAFT-11] 268 Andersen, K., Long, B., and S. Jones, "Authenticated 269 Received Chain (ARC) Protocol (I-D-11)", n.d., 270 . 273 [ENHANCED-STATUS] 274 "IANA SMTP Enhanced Status Codes", n.d., 275 . 278 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 279 Code: The Implementation Status Section", RFC 6982, 280 DOI 10.17487/RFC6982, July 2013, 281 . 283 [RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based 284 Message Authentication, Reporting, and Conformance 285 (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015, 286 . 288 [RFC7960] Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky, 289 E., Ed., and K. Andersen, Ed., "Interoperability Issues 290 between Domain-based Message Authentication, Reporting, 291 and Conformance (DMARC) and Indirect Email Flows", 292 RFC 7960, DOI 10.17487/RFC7960, September 2016, 293 . 295 10.3. URIs 297 [1] mailto:dmarc@ietf.org 299 Appendix A. Acknowledgements 301 This draft is the work of DMARC Working Group. 303 Grateful appreciation is extended to the people who provided feedback 304 through the discuss mailing list. 306 Appendix B. Comments and Feedback 308 Please address all comments, discussions, and questions to 309 dmarc@ietf.org [1]. 311 Authors' Addresses 313 Kurt Andersen 314 LinkedIn 315 1000 West Maude Ave 316 Sunnyvale, California 94085 317 US 319 Email: kurta@linkedin.com 321 Seth Blank (editor) 322 ValiMail 323 Montgomery 324 San Francisco 325 US 327 Email: seth@valimail.com 328 John Levine (editor) 329 Taughannock Networks 330 PO Box 727 331 Trumansburg 332 US 334 Email: standards@taugh.com