idnits 2.17.1

draft-ietf-eai-framework-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 863.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 874.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 881.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 887.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 12, 2006) is 6403 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 1652 (Obsoleted by RFC 6152)

  ** Obsolete normative reference: RFC 2821 (Obsoleted by RFC 5321)

  ** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-eai-dsn-00

  == Outdated reference: A later version (-13) exists of
     draft-ietf-eai-smtpext-01

  == Outdated reference: A later version (-12) exists of
     draft-ietf-eai-utf8headers-01

  == Outdated reference: A later version (-12) exists of
     draft-ietf-eai-downgrade-02

  == Outdated reference: A later version (-09) exists of
     draft-ietf-eai-imap-utf8-00

  == Outdated reference: A later version (-03) exists of
     draft-ietf-eai-scenarios-01

  -- Obsolete informational reference (is this intentional?): RFC 2368
     (Obsoleted by RFC 6068)

  -- Obsolete informational reference (is this intentional?): RFC 2822
     (Obsoleted by RFC 5322)

  -- Obsolete informational reference (is this intentional?): RFC 4409
     (Obsoleted by RFC 6409)

  Summary: 6 errors (**), 0 flaws (~~), 8 warnings (==), 10 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

2  Email Address Internationalization                          J. Klensin
3  (EAI)
4  Internet-Draft                                                   Y. Ko
5  Intended status: Informational                                     ICU
6  Expires: April 15, 2007                               October 12, 2006

8  Overview and Framework for Internationalized Email
9  draft-ietf-eai-framework-02.txt

11  Status of this Memo

13  By submitting this Internet-Draft, each author represents that any
14  applicable patent or other IPR claims of which he or she is aware
15  have been or will be disclosed, and any of which he or she becomes
16  aware will be disclosed, in accordance with Section 6 of BCP 79.

18  Internet-Drafts are working documents of the Internet Engineering
19  Task Force (IETF), its areas, and its working groups. Note that
20  other groups may also distribute working documents as Internet-
21  Drafts.

23  Internet-Drafts are draft documents valid for a maximum of six months
24  and may be updated, replaced, or obsoleted by other documents at any
25  time. It is inappropriate to use Internet-Drafts as reference
26  material or to cite them other than as "work in progress."

28  The list of current Internet-Drafts can be accessed at
29  http://www.ietf.org/ietf/1id-abstracts.txt.

31  The list of Internet-Draft Shadow Directories can be accessed at
32  http://www.ietf.org/shadow.html.

34  This Internet-Draft will expire on April 15, 2007.

36  Copyright Notice

38  Copyright (C) The Internet Society (2006).

40  Abstract

42  Full use of electronic mail throughout the world requires that people
43  be able to use their own names, written correctly in their own
44  languages and scripts, as mailbox names in email addresses. This
45  document introduces a series of specifications that define mechanisms
46  and protocol extensions needed to fully support internationalized
47  email addresses. These changes include an SMTP extension and
48  extension of email header syntax to accommodate UTF-8 data. The
49  document set also includes discussion of key assumptions and issues
50  in deploying fully internationalized email.

52  Table of Contents

54  1. Introduction
55    1.1. Role of This Specification
56    1.2. Problem statement
57    1.3. Terminology
58  2. Overview of the Approach
59  3. Document Plan
60  4. Overview of Protocol Extensions and Changes
61    4.1. SMTP Extension for Internationalized eMail Address
62    4.2. Transmission of Email Header in UTF-8 Encoding
63    4.3. Downgrading Mechanism for Backward Compatibility
64  5. Downgrading Before and After SMTP Transactions
65    5.1. Downgrading Before or During Message Submission
66    5.2. Downgrading or Other Processing After Final SMTP
67         Delivery
68  6. Internationalization Considerations
69  7. Additional Issues
70    7.1. Impact on IRIs
71    7.2. Interaction with delivery notifications
72    7.3. Use of email addresses as identifiers
73    7.4. Encoded-words, signed messages and downgrading
74  8. Experimental Targets
75  9. IANA Considerations
76  10. Security Considerations
77  11. Acknowledgements
78  12. Change History
79    12.1. draft-klensin-ima-framework: Version 00
80    12.2. draft-klensin-ima-framework: Version 01
81    12.3. draft-ietf-eai-framework: Version 00
82    12.4. draft-ietf-eai-framework: Version 01
83    12.5. draft-ietf-eai-framework: Version 02
84  13. References
85    13.1. Normative References
86    13.2. Informative References
87  Authors' Addresses
88  Intellectual Property and Copyright Statements

90  1. Introduction

92  In order to use internationalized email addresses, we need to
93  internationalize both the domain part and the local part of email
94  addresses. The domain part of email addresses is already
95  internationalized [RFC3490], while the local part is not. Without
96  these extensions, the mailbox name is restricted to a subset of 7-bit
97  ASCII [RFC2821]. Though MIME enables the transport of non-ASCII
98  data, it does not provide a mechanism for internationalized email
99  addresses. RFC 2047 [RFC2047] defines an encoding mechanism for some
100  specific message header fields to accommodate non-ASCII data.
101  However, it does not address the issue of email addresses that
102  include non-ASCII characters. Without the extensions defined here,
103  or some equivalent set, the only way to incorporate non-ASCII
104  characters in email addresses is to use RFC2047 coding to embed them
105  in what RFC 2822 [RFC2822] calls the "display name" (known as a "name
106  phrase" or by other terms elsewhere) of the relevant headers.
107  Information coded into the display name is invisible in the message
108  envelope and would not be considered by many to be part of the
109  address at all.

111  1.1. Role of This Specification

113  This document presents the overview and framework for an approach to
114  the next stage of email internationalization. This new stage
115  requires not only internationalization of addresses and headers, but
116  also associated transport and delivery models.

118  This document describes how the various elements of email
119  internationalization fit together and describes the relationships
120  among the various documents involved.

122  1.2. Problem statement

124  Though domain names are already internationalized, the
125  internationalized forms are far from general adoption by ordinary
126  users. One of the reasons for this is that we do not yet have fully
127  internationalized naming schemes. Domain names are just one of the
128  various names and identifiers that are required to be
129  internationalized.

131  Email addresses are particularly important examples in which
132  internationalization of domain names alone is not sufficient. Unless
133  email addresses are presented to the user in familiar characters and
134  formats, the user's perception will not be of internationalization
135  and behavior that is culturally friendly. One thing most of us have
136  almost certainly learned from the experience with email usage is that
137  users strongly prefer email addresses that closely resemble names or
138  initials to those involving meaningless strings of letters or
139  numbers. If the names or initials of the names in the email address
140  can be expressed in the native languages and writing systems of the
141  users, the Internet will be perceived as more natural, especially by
142  those whose native language is not written in a subset of a Roman-
143  derived script.

145  Internationalization of email addresses is not merely a matter of
146  changing the SMTP envelope; or of modifying the From, To, and Cc
147  headers; or of permitting upgraded mail user agents (MUAs) to decode
148  a special coding and respond by displaying local characters. To be
149  perceived as usable by end users, the addresses must be
150  internationalized and handled consistently in all of the contexts in
151  which they occur. That requirement has far-reaching implications:
152  collections of patches and workarounds are not adequate. Even if
153  they were adequate, a workaround-based approach may result in an
154  assortment of implementations with different sets of patches and
155  workarounds having been applied with consequent user confusion about
156  what is actually usable and supported. Instead, we need to build a
157  fully internationalized email environment, focusing on permitting
158  efficient communication among those who share a language or other
159  community. That, in turn, implies changes to the mail header
160  environment to permit the full range of Unicode characters where that
161  makes sense, an SMTP extension to permit UTF-8 [RFC3629] mail
162  addressing and delivery of those extended headers, and (finally) a
163  requirement for support of the 8BITMIME SMTP Extension [RFC1652] so
164  that all of this can be transported through the mail system without
165  having to overcome the limitation that headers do not have content-
166  transfer-encodings.

168  1.3. Terminology

170  This document assumes a reasonable understanding of the protocols and
171  terminology of the core email standards as documented in [RFC2821]
172  and [RFC2822].

174  Much of the description in this document depends on the abstractions
175  of "Mail Transfer Agent" ("MTA") and "Mail User Agent" ("MUA").
176  However, it is important to understand that those terms and the
177  underlying concepts postdate the design of the Internet's email
178  architecture and the application of the "protocols on the wire"
179  principle to it. That email architecture, as it has evolved, and the
180  "wire" principle have prevented any strong and standardized
181  distinctions about how MTAs and MUAs interact on a given origin or
182  destination host (or even whether they are separate).

184  In this document, an address is "all-ASCII", or just an "ASCII
185  address", if every character in the address is in the ASCII character
186  repertoire [ASCII]; an address is "non-ASCII", or "an i18mail
187  address", if any character is not in the ASCII character repertoire.
188  Such addresses may be restricted in other ways, but those
189  restrictions are not relevant here. The term "all-ASCII" is also
190  applied to other protocol elements when the distinction is important,
191  with "non-ASCII" or "internationalized" as its opposite.

193  The umbrella term to describe the email address internationalization
194  specified by this document and its companion documents is "UTF8SMTP".
195  For example, an address permitted by this specification is referred
196  to as a "UTF8SMTP (compliant) address".

198  Please note that according to definitions given here the set of all
199  "all-ASCII" addresses and the set of all "non-ASCII" addresses are
200  mutually exclusive. The set of all UTF8SMTP addresses is the union
201  of these two sets.

203  An "ASCII user" (i) exclusively uses email addresses that contain
204  ASCII characters only, and (ii) cannot generate recipient addresses
205  that contain non-ASCII characters.

207  An "i18mail user" has one or more non-ASCII email addresses. Such a
208  user may have ASCII addresses too; if the user has more than one
209  email address, he or she has some method to choose which address to
210  use on outgoing email. Note that under this definition, it is not
211  possible to tell from the address that an email sender or recipient
212  is an i18mail user.

214  A "message" is sent from one user (sender) using a particular email
215  address to one or more other recipient email addresses (often
216  referred to just as "users" or "recipient users").

218  A "mailing list" is a mechanism whereby a message may be distributed
219  to multiple recipients by sending to one recipient address. An agent
220  (typically not a human being) at that single address then causes the
221  message to be redistributed to the target recipients and sets the
222  envelope return address of the redistributed message to a different
223  error handling address from the original single recipient message.

225  The pronouns "he" and "she" are used interchangeably to indicate a
226  human of indeterminate gender.

228  The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
229  and "MAY" in this document are to be interpreted as described in RFC
230  2119 [RFC2119].

232  2. Overview of the Approach

234  This set of specifications changes both SMTP and the format of email
235  headers to permit non-ASCII characters to be represented directly.
236  Each important component of the work is described in a separate
237  document. The document set, whose members are described in the next
238  section, also contains informational documents whose purpose is to
239  provide implementation suggestions and guidance for the protocols.

241  3. Document Plan

243  In addition to this document, the following documents make up this
244  specification and provide advice and context for it.

246  o SMTP extensions. This document [I18Nemail-SMTPext] provides an
247    SMTP extension for internationalized addresses, as provided for in
248    RFC 2821.

250  o Email headers in UTF-8. This document [I18Nemail-UTF8]
251    essentially updates RFC 2822 to permit some information in email
252    headers to be expressed directly by Unicode characters encoded in
253    UTF-8 when the SMTP extension described above is used.

255  o In-transit downgrading from internationalized addressing with the
256    SMTP extension and UTF-8 headers to traditional email formats and
257    characters [I18Nemail-downgrade]. Downgrading either at the point
258    of message origination or after the mail has successfully been
259    received by a final delivery SMTP server (sometimes called an
260    "MDA") involves different constraints and possibilities; see
261    Section 4.3 and Section 5, below.

263  o Extensions to the IMAP protocol to support internationalized
264    headers [I18Nemail-imap].

266  o Parallel extensions to the POP protocol [I18Nemail-pop].

268  o Description of internationalization changes for delivery
269    notifications (DSNs) [I18Nemail-DSN].

271  o Scenarios for the use of these protocols [I18Nemail-scenarios].

273  4. Overview of Protocol Extensions and Changes
274  4.1. SMTP Extension for Internationalized eMail Address

276  An SMTP extension, "UTF8SMTP", is specified that

278  o Permits the use of UTF-8 strings in email addresses, both local
279    parts and domain names.

281  o Permits the selective use of UTF-8 strings in email headers (see
282    the next subsection).

284  o Requires that the server advertise the 8BITMIME extension
285    [RFC1652] and that the client support 8-bit transmission so that
286    header information can be transmitted without using a special
287    content-transfer-encoding.

289  o Provides information to support downgrading mechanisms.

291  Some general principles apply to this work.

293  1. Whatever encoding is used should apply to the whole address and
294     be directly compatible with software used at the user interface.

296  2. An SMTP relay must

298     * Either recognize the format explicitly, agreeing to do so via
299       an ESMTP option,

301     * Select and use an ASCII-only address, downgrading other
302       information as needed (see Section 4.3), or

304     * Bounce the message so that the sender can make another plan.

306     If the message cannot be forwarded because the next-hop system
307     cannot accept the extension and insufficient information is
308     available to reliably downgrade it, it MUST be bounced.

310  3. In the interest of interoperability, charsets other than UTF-8
311     are prohibited. There is no practical way to identify them
312     properly with an extension similar to this without introducing
313     great complexity.

315  Conformance to the group of standards specified here for email
316  transport and delivery requires implementation of the SMTP Extension
317  specification, including recognition of the keywords associated with
318  alternate addresses, and the UTF-8 Header specification. Support for
319  downgrading is not required, but, if implemented, MUST be implemented
320  as specified. Similarly, _if_ the system implements IMAP it conforms
321  to i18n IMAP spec, ditto for POP.???

323  4.2. Transmission of Email Header in UTF-8 Encoding

325  There are many places in MUAs or in user presentation in which email
326  addresses or domain names appear. Examples include the conventional
327  From, To, or Cc header fields; Message-IDs; In-Reply-To fields that
328  may contain addresses or domain names; and in message bodies. We
329  must examine all of them from an internationalization perspective.
330  The user will expect to see mailbox and domain names in local
331  characters, and to see them consistently. If non-obvious encodings,
332  such as protocol-specific ASCII-Compatible Encoding (ACE) variants,
333  are used, the user will inevitably, if only occasionally, see them
334  rather than "native" characters and will find that discomfiting or
335  astonishing. Similarly, if different codings are used for mail
336  transport and message bodies, the user is particularly likely to be
337  surprised, if only as a consequence of the long-established "things
338  leak" principle. The only practical way to avoid these sources of
339  discomfort, in both the medium and the longer term, is to have the
340  encodings used in transport be as nearly as possible the same as the
341  encodings used in message headers and message bodies.

343  It seems clear that the point at which email local parts are
344  internationalized is the point that email headers should simply be
345  shifted to a full internationalized form, presumably using UTF-8
346  rather than ASCII as the base character set for other than protocol
347  elements such as the header field names themselves. The transition
348  to that model includes support for address, and address-related,
349  fields within the headers of legacy systems. This is done by
350  extending the encoding models of [RFC2045] and [RFC2231]. However,
351  our target should be fully internationalized headers, as discussed in
352  [I18Nemail-UTF8].

354  4.3. Downgrading Mechanism for Backward Compatibility

356  As with any use of the SMTP extension mechanism, there is always the
357  possibility of a client that requires the feature encountering a
358  server that does not support the required feature. In the case of
359  email address and header internationalization, the risk should be
360  minimized by the fact that the selection of submission servers is
361  presumably under the control of the sender's client and the selection
362  of potential intermediate relays is under the control of the
363  administration of the final delivery server.

365  For those situations, there are basically two possibilities:

367  o Reject or bounce the message, requiring the sender to resubmit it
368    with traditional-format addresses and headers.

370  o Figure out a way to downgrade the envelope or message body in
371    transit. Especially when internationalized addresses are
372    involved, downgrading will require that all-ASCII addresses be
373    obtained from some source. An optional extension parameter is
374    provided as a way of transmitting an alternate address. Downgrade
375    issues and a specification are discussed in [I18Nemail-downgrade].

377  The first of these two options, that of rejecting or returning the
378  message to the sender MAY always be chosen.
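
The relay choices in Section 4.1 (item 2) and the cases in this section, including the all-ASCII case described in the next paragraph, can be written as one decision function. This is an added illustration, not code from the draft or from any EAI implementation; the Message fields, the alt_ascii mapping standing in for the alternate-address parameter, the action names and all sample data are assumptions, and downgrade sufficiency is judged on envelope addresses only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


def parse_ehlo_keywords(reply: str) -> Set[str]:
    """Extract extension keywords from a (multi-line) 250 reply to EHLO."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords: Set[str] = set()
    for index, ln in enumerate(lines):
        if ln[:3] != "250" or ln[3:4] not in ("-", " ", ""):
            raise ValueError(f"not a 250 reply line: {ln!r}")
        words = ln[4:].split()
        if index > 0 and words:  # line 0 is the greeting, not a keyword
            keywords.add(words[0].upper())
    return keywords


@dataclass
class Message:
    """Hypothetical message model used only by this example."""
    sender: str
    recipients: List[str]
    headers: Dict[str, str]
    # Assumption: sender-supplied all-ASCII alternates, keyed by the
    # non-ASCII envelope address they may replace.
    alt_ascii: Dict[str, str] = field(default_factory=dict)

    def envelope(self) -> List[str]:
        return [self.sender, *self.recipients]


def requires_extension(msg: Message) -> bool:
    """True if any envelope address or header text is non-ASCII."""
    header_text = list(msg.headers) + list(msg.headers.values())
    return not all(s.isascii() for s in msg.envelope() + header_text)


def can_downgrade(msg: Message) -> bool:
    """Every non-ASCII envelope address needs a non-empty ASCII alternate.

    Assumption: non-address header text can always be re-encoded, so only
    a missing alternate address blocks a downgrade.
    """
    for addr in msg.envelope():
        if addr.isascii():
            continue
        alt = msg.alt_ascii.get(addr, "")
        if not alt or not alt.isascii():
            return False
    return True


def next_hop_action(msg: Message, ehlo_reply: str,
                    allow_downgrade: bool = True) -> str:
    """Choose what a UTF8SMTP-capable client or relay does at the next hop."""
    keywords = parse_ehlo_keywords(ehlo_reply)
    if not requires_extension(msg):
        # All-ASCII envelope and headers: send regardless of what is announced.
        return "SEND_AS_ASCII"
    if {"UTF8SMTP", "8BITMIME"} <= keywords:
        # The extension requires 8BITMIME to be advertised as well.
        return "SEND_UTF8SMTP"
    if allow_downgrade and can_downgrade(msg):
        return "DOWNGRADE"
    # Bouncing is always permitted, and mandatory when the information
    # needed for a reliable downgrade is missing.
    return "BOUNCE"


# Constructed sample data (not taken from the draft).
LEGACY_EHLO = "250-mx.legacy.example\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"
UTF8_EHLO = ("250-mx.new.example\r\n250-8BITMIME\r\n"
             "250-UTF8SMTP\r\n250 PIPELINING\r\n")
ASCII_MSG = Message("alice@example.com", ["bob@example.org"],
                    {"Subject": "=?UTF-8?Q?caf=C3=A9?="})
I18N_WITH_ALT = Message(
    "пользователь@example.com", ["bob@example.org"], {"Subject": "hello"},
    alt_ascii={"пользователь@example.com": "polzovatel@example.com"})
I18N_NO_ALT = Message("alice@example.com", ["用户@example.org"],
                      {"Subject": "hello"})

if __name__ == "__main__":
    for name, msg in [("ascii", ASCII_MSG), ("with-alt", I18N_WITH_ALT),
                      ("no-alt", I18N_NO_ALT)]:
        for label, ehlo in [("legacy", LEGACY_EHLO), ("utf8", UTF8_EHLO)]:
            print(f"{name:9} -> {label:6}: {next_hop_action(msg, ehlo)}")
```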

380  There is also a third case, one in which the client is I18Nemail-
381  capable, the server is not, but the message does not require the
382  extended capabilities. In other words, both the addresses in the
383  envelope and the entire set of headers of the message are entirely in
384  ASCII (perhaps including encoded-words in the headers). In that
385  case, the client SHOULD send the message whether or not the server
386  announces the capability specified here.

388  5. Downgrading Before and After SMTP Transactions

390  In addition to the in-transit downgrades discussed above, downgrading
391  may also occur before or during initial message submission or after
392  delivery to the final delivery MTA. Because these cases have a
393  different set of available information from in-transit cases, the
394  constraints and opportunities may be somewhat different too. These
395  two cases are discussed in the subsections below.

397  5.1. Downgrading Before or During Message Submission

399  Perhaps obviously, the most convenient time to find an ASCII address
400  corresponding to an internationalized address, or to convert a
401  message from the internationalized form into conventional ASCII form,
402  is at the originating MUA, either before the message is sent or after
403  the internationalized form of the message is rejected or bounced by
404  some MTA in the path to the presumed destination. At that point, the
405  user has a full range of choices available, including contacting the
406  intended recipient out of band for an alternate address, consulting
407  appropriate directories, arranging for translation of both addresses
408  and message content into a different language, and so on. While it
409  is natural to think of message downgrading as optimally being a
410  fully-automated process, we should not underestimate the capabilities
411  of a user of at least moderate intelligence who wishes to communicate
412  with another such user.

414  In this context, one can easily imagine modifications to message
415  submission servers (as described in [RFC4409]) so that they would
416  perform downgrading, or perhaps even upgrading, operations, receiving
417  messages with one or more of the internationalization extensions
418  discussed here and adapting the outgoing message, as needed, to
419  respond to the delivery or next-hop environment it encounters.

421  5.2. Downgrading or Other Processing After Final SMTP Delivery

423  When an email message is received by a final delivery SMTP server, it
424  is usually stored in some form. Then it is retrieved either by
425  software that reads the stored form directly or by client software
426  via some email retrieval mechanisms such as POP or IMAP.

428  The SMTP extension described in Section 4.1 provides protection only
429  in transport. It does not prevent MUAs and email retrieval
430  mechanisms that have not been upgraded to understand
431  internationalized addresses and UTF-8 headers from accessing stored
432  internationalized emails.

434  Since the final delivery SMTP server (or, to be more specific, its
435  corresponding mail storage agent) cannot safely assume that agents
436  accessing email storage will always be capable of handling the
437  extensions proposed here, it MAY either downgrade internationalized
438  emails or specially identify messages that utilize these extensions,
439  or both. If this is done, the final delivery SMTP server SHOULD include
440  a mechanism to preserve or recover the original internationalized
441  forms without information loss to support access by I18Nemail-aware
442  agents.

444  6. Internationalization Considerations

446  This entire specification addresses issues in internationalization
447  and especially the boundaries between internationalization and
448  localization and between network protocols and client/user interface
449  actions.

451  7. Additional Issues

453  This section identifies issues that are not covered as part of this
454  set of specifications, but that will need to be considered as part of
455  deployment of email address and header internationalization.

457  7.1. Impact on IRIs

459  The mailto: scheme defined in [RFC2368] and discussed in IRI
460  [RFC3987] may need to be modified when this work is completed and
461  standardized.

463  7.2. Interaction with delivery notifications

465  The advent of UTF8SMTP will make necessary consideration of the
466  interaction with delivery notification mechanisms, including the SMTP
467  extension for requesting delivery notifications [RFC3461], and the
468  format of delivery notifications [RFC3464]. These issues are
469  discussed in a forthcoming document that will update those RFCs as
470  needed [I18Nemail-DSN].

472  7.3. Use of email addresses as identifiers

474  There are a number of places in contemporary Internet usage in which
475  email addresses are used as identifiers for individuals, including as
476  identifiers to web servers supporting some electronic commerce sites.
477  These documents do not address those uses, but it is reasonable to
478  expect that some difficulties will be encountered when
479  internationalized addresses are first used in those contexts, many of
480  which cannot handle the full range of addresses permitted today.

482  7.4. Encoded-words, signed messages and downgrading

484  One particular characteristic of the email format is its persistency:
485  MUAs are expected to handle messages that were originally sent decades
486  ago and not just those delivered seconds ago. As such, MUAs and mail
487  filtering software will need to continue to accept and decode header
488  fields that use the "encoded word" mechanism [RFC2047] to accommodate
489  non-ASCII characters in some header fields. While extensions to both
490  POP3 and IMAP have been proposed to enable automatic EAI-upgrade---
491  including RFC 2047 decoding---of messages by the POP3 or IMAP server,
492  there are message structures and MIME content-types for which that
493  cannot be done or where the change would have unacceptable side-
494  effects.

496  For example, message parts that are cryptographically signed using,
497  e.g., S/MIME [RFC2663] or PGP [RFC3156], cannot be upgraded from RFC
498  2047 form to normal UTF-8 characters without breaking the signature.
499  Similarly, message parts that are encrypted may contain,
500  when decrypted, header fields that use the RFC 2047 encoding; such
501  messages cannot be 'fully' upgraded without access to cryptographic
502  keys.

504  Similar issues may arise if signed messages are downgraded in transit
505  [I18Nemail-downgrade] and then an attempt is made to upgrade them to
506  the original form and then verify the signatures. Even the very
507  subtle changes that may result from algorithms to downgrade and then
508  upgrade again may be sufficient to invalidate the signatures if they
509  impact either the primary or MIME bodypart headers. When signatures
510  are present, downgrading must be performed with extreme care if at
511  all.

513  8. Experimental Targets

515  In addition to the simple question of whether the model outlined here
516  can be made to work in a satisfactory way for upgraded systems and
517  provide adequate protection for un-upgraded ones, we expect that
518  actually working with the systems will provide answers to two
519  additional questions: what restrictions such as character lists or
520  normalization should be placed, if any, on the characters that are
521  permitted to be used in address local-parts and how useful, in
522  practice, will downgrading turn out to be given whatever restrictions
523  and constraints that must be placed upon it.

525  9. IANA Considerations

527  This overview description and framework document does not contemplate
528  any IANA registrations or other actions. Some of the documents in
529  the group have their own IANA considerations sections and
530  requirements.

532  10. Security Considerations

534  Any expansion of permitted characters and encoding forms in email
535  addresses raises some risks. There have been discussions on so-called
536  "IDN-spoofing" or "IDN homograph attacks". These attacks
537  allow an attacker (or "phisher") to spoof the domain or URLs of
538  businesses. The same kind of attack is also possible on the local
539  part of internationalized email addresses. It should be noted that
540  one of the proposed fixes for, e.g., domain names in URLs, does not
541  work for email local parts since they are case-sensitive. That fix
542  involves forcing all elements that are displayed to be in lower-case
543  and normalized.

545  Since email addresses are often transcribed from business cards and
546  notes on paper, they are subject to problems arising from confusable
547  characters. These problems are somewhat reduced if the domain
548  associated with the mailbox is unambiguous and supports a relatively
549  small number of mailboxes whose names follow local system
550  conventions; they are increased with very large mail systems in which
551  users can freely select their own addresses.

553  The internationalization of email addresses and headers must not
554  leave the Internet less secure than it is without the required
555  extensions. The requirements and mechanisms documented in this set
556  of specifications do not, in general, raise any new security issues.
557  They do require a review of issues associated with confusable
558  characters -- a topic that is being explored thoroughly elsewhere
559  [RFC4690] -- and, potentially, some issues with UTF-8
560  canonicalization, discussed in [RFC3629]. The latter is also part of
561  the subject of ongoing work discussed in [Net-Unicode]. Specific
562  issues are discussed in more detail in the other documents in this
563  set. However, in particular, caution should be taken that any
564  "downgrading" mechanism, or use of downgraded addresses, does not
565  inappropriately assume authenticated bindings between the
566  internationalized and ASCII addresses.

568  The new UTF-8 header and message formats might also raise, or
569  aggravate, another known issue. If the model creates new forms of
570  'invalid' or 'malformed' message, then a new email attack is created:
571  in an effort to be robust, some or most agents will accept such
572  messages and interpret them as if they were well-formed. If a filter
573  interprets such a message differently than the final MUA, then it
574  may be possible to create a message which appears acceptable under
575  the filter's interpretation but which should be rejected under the
576  interpretation given it by the final MUA. Such attacks already exist
577  for existing messages and encoding layers, e.g., invalid MIME syntax,
578  invalid HTML markup, and invalid coding of particular image types.

580  In addition, email addresses are used in many contexts other than
581  sending mail, such as for identifiers under various circumstances
582  (see Section 7.3). Each of those contexts will need to be evaluated,
583  in turn, to determine whether the use of non-ASCII forms is
584  appropriate and what particular issues they raise.

586  This work will clearly impact any systems or mechanisms that are
587  dependent on digital signatures or similar integrity protection for
588  mail headers (see also the discussion in Section 7.4). Many
589  conventional uses of PGP and S/MIME are not affected since they are
590  used to sign body parts but not headers. On the other hand, the
591  developing work on domain keys identified mail (DKIM [DKIM-Charter])
592  will eventually need to consider this work and vice versa: while this
593  experiment does not propose to address or solve the issues raised by
594  DKIM and other signed header mechanisms, the issues will have to be
595  coordinated and resolved eventually.

597  11. Acknowledgements

599  This document, and the related ones, were originally derived from
600  drafts by John Klensin and the JET group [Klensin-emailaddr],
601  [JET-IMA]. The work drew inspiration from discussions on the "IMAA"
602  mailing list, sponsored by the Internet Mail Consortium and
603  especially from an early draft by Paul Hoffman and Adam Costello
604  [Hoffman-IMAA] that attempted to define an MUA-only solution to the
605  address internationalization problem.

607  More recent drafts have benefited from considerable discussion within
608  the IETF EAI Working Group and especially from suggestions and text
609  provided by Frank Ellermann, Philip Guenther, and Kari Hurtta, and
610  from extended discussions among the editors and authors of the core
611  documents cited in Section 3: Harald Alvestrand, Kazunori Fujiwara,
612  Chris Newman, Pete Resnick, Jiankang Yao, Jeff Yeh, and Yoshiro
613  Yoneya.

615  12. Change History

617  This document has evolved through several titles as well as the usual
618  version numbers. The list below tries to trace that thread as well
619  as changes within the substance of the document. The first document
620  of the series was posted as draft-klensin-emailaddr-i18n-00.txt in
621  October 2003.

623  12.1. draft-klensin-ima-framework: Version 00

625  This version supersedes draft-lee-jet-ima-00 and
626  draft-klensin-emailaddr-i18n-03. It represents a major rewrite and
627  change of architecture from the former and incorporates many ideas
628  and some text from the latter.

630  12.2.
draft-klensin-ima-framework: Version 01 632 o Some clarifications of terminology (more to follow) and general 633 editorial improvements. 635 o Upgrades to reflect discussions during IETF 64. 637 o Improved treatment of downgrading before and after message 638 transport. 640 12.3. draft-ietf-eai-framework: Version 00 642 This version supercedes draft-klensin-ima-framework-01; its file name 643 should represent the form to be used until the IETF email address and 644 header internationalization ("EAI") work concludes. 646 o Changed "display name" terminology to be consistent with RFC 2822. 647 Also clarified some other terminology issues. 649 o Added a comment about the possible role of MessageSubmission 650 servers in downgrading. 652 o Removed the "IMA" terminology, converting it to either "EAI" or 653 prose. 655 o Per meeting and mailing list discussion, added conformance 656 statements about bouncing if neither forwarding nor downgrading 657 were possible and about implementation requirements. 659 o Updated several references. Some documents are still tentative. 661 o Fixed many typographical errors. 663 12.4. draft-ietf-eai-framework: Version 01 665 o Added comments about PGP, S/MIME, and DKIM to Security 666 Considerations 668 o Rationalized terminology and included terminology from scenarios 669 document. 671 12.5. draft-ietf-eai-framework: Version 02 673 o Clarified comment about IRIs and MAILTO. 675 o Identified issue with S/MIME and PGP for encapsulated content. 677 o Added note about the definitive "UTF8SMTP" terminology. 679 o Removed mail exploder related discussions and reference. 681 o Adjusted some requirement levels. 683 o Removed computed ASCII address (aka ATOMIC) related discussion. 685 o Added a section about delivery notifications and created a pointer 686 to a new document about them. 688 o Added a new section noting the use of email addresses as 689 identifiers. 
691 o Added a new section discussing implications of downgrading to 692 digital signatures on messages. 694 o Many editorial revisions, corrections to references, etc., 695 including moving the references to the other documents in the 696 series to "informative" -- this document does not depend on them 697 for a specification and is, itself, intended to be Informational. 699 13. References 701 13.1. Normative References 703 [ASCII] American National Standards Institute (formerly United 704 States of America Standards Institute), "USA Code for 705 Information Interchange", ANSI X3.4-1968, 1968. 707 ANSI X3.4-1968 has been replaced by newer versions with 708 slight modifications, but the 1968 version remains 709 definitive for the Internet. 711 [RFC1652] Klensin, J., Freed, N., Rose, M., Stefferud, E., and D. 712 Crocker, "SMTP Service Extension for 8bit-MIMEtransport", 713 RFC 1652, July 1994. 715 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 716 Requirement Levels'", RFC 2119, March 1997. 718 [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, 719 April 2001. 721 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, 722 "Internationalizing Domain Names in Applications (IDNA)", 723 RFC 3490, March 2003. 725 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 726 10646", STD 63, RFC 3629, November 2003. 728 13.2. Informative References 730 [DKIM-Charter] 731 IETF, "Domain Keys Identified Mail (dkim)", October 2006, 732 . 734 [Hoffman-IMAA] 735 Hoffman, P. and A. Costello, "Internationalizing Mail 736 Addresses in Applications (IMAA)", draft-hoffman-imaa-03 737 (work in progress), October 2003. 739 [I18Nemail-DSN] 740 Newman, C., "UTF-8 Delivery and Disposition Notification", 741 draft-ietf-eai-dsn-00 (work in progress), January 2007. 743 This document is under development by the WG. The date 744 given is an estimate for a version ready for posting. 746 [I18Nemail-SMTPext] 747 Yao, J., Ed. and W. 
Mao, Ed., "SMTP extension for 748 internationalized email address", 749 draft-ietf-eai-smtpext-01 (work in progress), July 2006. 751 [I18Nemail-UTF8] 752 Yeh, J., "Internationalized Email Headers", 753 draft-ietf-eai-utf8headers-01.txt (work in progress), 754 August 2006. 756 [I18Nemail-downgrade] 757 YONEYA, Y., Ed. and K. Fujiwara, Ed., "Downgrading 758 mechanism for Internationalized eMail Address (IMA)", 759 draft-ietf-eai-downgrade-02 (work in progress), 760 August 2005. 762 [I18Nemail-imap] 763 Resnick, P. and C. Newman, "IMAP Support for UTF-8", 764 draft-ietf-eai-imap-utf8-00 (work in progress), May 2006. 766 [I18Nemail-pop] 767 Newman, C., "POP3 Support for UTF-8", June 2006, . 770 [I18Nemail-scenarios] 771 Alvestrand, H., "UTF-8 Mail: Scenarios", 772 draft-ietf-eai-scenarios-01 (work in progress), June 2006. 774 [JET-IMA] Yao, J. and J. Yeh, "Internationalized eMail Address 775 (IMA)", draft-lee-jet-ima-00 (work in progress), 776 June 2005. 778 [Klensin-emailaddr] 779 Klensin, J., "Internationalization of Email Addresses", 780 draft-klensin-emailaddr-i18n-03 (work in progress), 781 July 2005. 783 [Net-Unicode] 784 Klensin, J. and M. Padlipsky, "Unicode Format for Network 785 Interchange", April 2006, . 788 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 789 Extensions (MIME) Part One: Format of Internet Message 790 Bodies", RFC 2045, November 1996. 792 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 793 Part Three: Message Header Extensions for Non-ASCII Text", 794 RFC 2047, November 1996. 796 [RFC2231] Freed, N. and K. Moore, "MIME Parameter Value and Encoded 797 Word Extensions: Character Sets, Languages, and 798 Continuations", RFC 2231, November 1997. 800 [RFC2368] Hoffman, P., Masinter, L., and J. Zawinski, "The mailto 801 URL scheme", RFC 2368, July 1998. 803 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 804 Translator (NAT) Terminology and Considerations", 805 RFC 2663, August 1999. 
807 [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, 808 April 2001. 810 [RFC3156] Elkins, M., Del Torto, D., Levien, R., and T. Roessler, 811 "MIME Security with OpenPGP", RFC 3156, August 2001. 813 [RFC3461] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service 814 Extension for Delivery Status Notifications (DSNs)", 815 RFC 3461, January 2003. 817 [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format 818 for Delivery Status Notifications", RFC 3464, 819 January 2003. 821 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource 822 Identifiers (IRIs)", RFC 3987, January 2005. 824 [RFC4409] Gellens, R. and J. Klensin, "Message Submission for Mail", 825 RFC 4409, April 2006. 827 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and 828 Recommendations for Internationalized Domain Names 829 (IDNs)", RFC 4690, September 2006. 831 Authors' Addresses 833 John C Klensin 834 1770 Massachusetts Ave, #322 835 Cambridge, MA 02140 836 USA 838 Phone: +1 617 491 5735 839 Email: john-ietf@jck.com 841 YangWoo Ko 842 ICU 843 119 Munjiro 844 Yuseong-gu, Daejeon 305-732 845 Republic of Korea 847 Email: yw@mrko.pe.kr 849 Full Copyright Statement 851 Copyright (C) The Internet Society (2006). 853 This document is subject to the rights, licenses and restrictions 854 contained in BCP 78, and except as set forth therein, the authors 855 retain all their rights. 857 This document and the information contained herein are provided on an 858 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 859 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 860 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 861 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 862 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 863 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
865 Intellectual Property 867 The IETF takes no position regarding the validity or scope of any 868 Intellectual Property Rights or other rights that might be claimed to 869 pertain to the implementation or use of the technology described in 870 this document or the extent to which any license under such rights 871 might or might not be available; nor does it represent that it has 872 made any independent effort to identify any such rights. Information 873 on the procedures with respect to rights in RFC documents can be 874 found in BCP 78 and BCP 79. 876 Copies of IPR disclosures made to the IETF Secretariat and any 877 assurances of licenses to be made available, or the result of an 878 attempt made to obtain a general license or permission for the use of 879 such proprietary rights by implementers or users of this 880 specification can be obtained from the IETF on-line IPR repository at 881 http://www.ietf.org/ipr. 883 The IETF invites any interested party to bring to its attention any 884 copyrights, patents or patent applications, or other proprietary 885 rights that may cover technology that may be required to implement 886 this standard. Please address the information to the IETF at 887 ietf-ipr@ietf.org. 889 Acknowledgment 891 Funding for the RFC Editor function is provided by the IETF 892 Administrative Support Activity (IASA).
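Added example (not part of the draft or of any EAI implementation), illustrating the passage before Section 8 on signed message parts and the last paragraph of Section 10: upgrading an RFC 2047 encoded-word inside a signed MIME part changes the covered octets, and downgrading again does not restore them. The sample message, the SHA-256 digest standing in for a signature, and all function names are constructed assumptions.

```python
import hashlib
from email import message_from_bytes, policy
from email.header import Header, decode_header, make_header

# Constructed sample: the first part of a multipart/signed message. Its header
# block carries an RFC 2047 encoded-word and is covered by the signature.
SIGNED_PART = (b"Content-Type: text/plain; charset=us-ascii\r\n"
               b"Content-Description: =?ISO-8859-1?Q?R=E9sum=E9?=\r\n"
               b"\r\n"
               b"See attached.\r\n")
MESSAGE = (b"From: sender@example.com\r\n"
           b"MIME-Version: 1.0\r\n"
           b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
           b' protocol="application/pgp-signature"; boundary="b1"\r\n'
           b"\r\n"
           b"--b1\r\n" + SIGNED_PART + b"\r\n--b1\r\n"
           b"Content-Type: application/pgp-signature\r\n"
           b"\r\n"
           b"(constructed placeholder, not a real signature)\r\n"
           b"--b1--\r\n")

def rewrite_headers(part: bytes, convert) -> bytes:
    """Apply convert() to each header value (the sample has no folded lines)."""
    head, sep, body = part.partition(b"\r\n\r\n")
    out = []
    for line in head.decode("utf-8").split("\r\n"):
        name, _, value = line.partition(":")
        out.append(f"{name}: {convert(value.strip())}")
    return "\r\n".join(out).encode("utf-8") + sep + body

def upgrade(part: bytes) -> bytes:
    """RFC 2047 encoded-words -> raw UTF-8, as an upgrading server might do."""
    return rewrite_headers(part, lambda v: str(make_header(decode_header(v))))

def downgrade(part: bytes) -> bytes:
    """Raw UTF-8 -> RFC 2047; the encoder, not the sender, picks the form."""
    return rewrite_headers(
        part, lambda v: v if v.isascii() else Header(v, "utf-8").encode())

def digest(part: bytes) -> str:
    """Stand-in for the octets a signature covers: SHA-256 of the whole part."""
    return hashlib.sha256(part).hexdigest()

def protected_types(raw: bytes) -> list:
    """Content types whose subtree must be stored and served byte-for-byte."""
    skip = {"multipart/signed", "multipart/encrypted", "application/pkcs7-mime"}
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk() if p.get_content_type() in skip]
```

A server that rewrites headers can call protected_types() first and leave any listed subtree untouched; the round trip fails here because the sender used ISO-8859-1 with Q encoding while the re-encoder emits UTF-8.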
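Added example (not part of the draft), illustrating the first paragraphs of Section 10: because local parts are case-sensitive, a comparison key may fold case only on the domain, so confusable local parts have to be caught by other checks. The script heuristic (first word of the Unicode character name), the finding labels and the sample addresses are constructed assumptions; real domain handling would also go through IDNA.

```python
import unicodedata

def scripts(text: str) -> set:
    """Heuristic script set: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def comparison_key(address: str) -> tuple:
    """Key for equality checks: NFC on both sides, case folded on the domain only."""
    local, _, domain = address.rpartition("@")
    # Lower-casing the local part could merge two distinct mailboxes.
    return (unicodedata.normalize("NFC", local),
            unicodedata.normalize("NFC", domain).lower())

def review(address: str) -> list:
    """Findings to surface before a displayed or transcribed address is trusted."""
    local = address.rpartition("@")[0]
    findings = []
    found = scripts(local)
    if len(found) > 1:
        findings.append("mixed-script:" + "+".join(sorted(found)))
    if local != unicodedata.normalize("NFC", local):
        findings.append("not-nfc")
    return findings

# Constructed sample addresses (example.com is a reserved documentation domain).
SAMPLES = [
    "admin@example.com",              # plain ASCII
    "\u0430dmin@example.com",         # first letter is CYRILLIC SMALL LETTER A
    "Admin@EXAMPLE.com",              # differs from the first only by case
    "re\u0301sume\u0301@example.com", # decomposed accents (not NFC)
]

def report() -> dict:
    """Map each sample address to its findings."""
    return {address: review(address) for address in SAMPLES}

if __name__ == "__main__":
    for address, findings in report().items():
        print(ascii(address), comparison_key(address), findings)
```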