idnits 2.17.1 draft-melnikov-mmhs-authorizing-users-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 16, 2013) is 3839 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FWS' is mentioned on line 227, but not defined == Unused Reference: 'RFC5321' is defined on line 330, but no explicit reference was found in the text ** Obsolete normative reference: RFC 5750 (Obsoleted by RFC 8550) ** Obsolete normative reference: RFC 5751 (Obsoleted by RFC 8551) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Melnikov 3 Internet-Draft Isode Ltd 4 Intended status: Informational October 16, 2013 5 Expires: April 19, 2014 7 Draft and Release using Internet Email 8 draft-melnikov-mmhs-authorizing-users-02 10 Abstract 12 This document describes a procedure for when an Military Message 13 Handling System (MMHS) message is composed by one user and is only 14 released to the mail transfer system when one or more authorizing 15 users authorize release of the message by adding the MMHS- 16 Authorizing-Users header field. The resulting message can be 17 optionally countersigned, allowing recipients to verify both the 18 original signature (if any) and countersignatures. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on April 19, 2014. 37 Copyright Notice 39 Copyright (c) 2013 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 56 3. Draft and Release procedure . . . . . . . . . . . . . . . . . 3 57 3.1. Initial Submission of a Message . . . . . . . . . . . . . 3 58 3.2. Review by Authorizing User(s) . . . . . . . . . . . . . . 3 59 3.2.1. Processing of Encrypted Messages . . . . . . . . . . 4 60 3.2.2. S/MIME countersignatures . . . . . . . . . . . . . . 4 61 3.3. Role of other Messaging Agents . . . . . . . . . . . . . 5 62 3.3.1. Border MTA at the sender&s domain . . . . . . . . . . 5 63 4. MMHS-Authorizing-Users header field . . . . . . . . . . . . . 5 64 5. Updated MIXER mapping . . . . . . . . . . . . . . . . . . . . 5 65 5.1. Mapping from RFC 5322/MIME to X.400 . . . . . . . . . . . 5 66 5.2. Mapping from X.400 to RFC 5322/MIME . . . . . . . . . . . 6 67 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 68 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 69 7.1. Forged Header Fields . . . . . . . . . . . . . . . . . . 7 70 7.2. Intentionally Malformed Header Fields . . . . . . . . . . 7 71 8. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 7 72 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 73 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 74 9.2. Informative References . . . . . . . . . . . . . . . . . 8 75 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 77 1. Introduction 79 In some secure environments email messages can't be released to the 80 MTS (Mail Transfer System) and, thus delivered to recipients, unless 81 they are authorized by one or more authorizing users (e.g. Releasing 82 Officers). This document describes how this mechanism can be 83 realized by an additional Internet Email [RFC5322] header field and 84 optionally using S/MIME [RFC5750] [RFC5751]. 86 This document describes a procedure for how an email message composed 87 by one user can be released to the MTS when one or more authorizing 88 users authorize and optionally countersign the message. The header 89 communicates which users authorized the message. If signed, the 90 resulting message allows recipients to verify both the original (if 91 any) and counter S/MIME signatures. The list of authorizing users is 92 specified in the MMHS-Authorizing-Users header field Section 4. The 93 original S/MIME signature generated by the sender (if any) should be 94 unaffected by additional S/MIME countersignatures [RFC5652]. 96 2. Conventions Used in This Document 98 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 99 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 100 document are to be interpreted as described in [RFC2119]. 102 The formal syntax uses the Augmented Backus-Naur Form (ABNF) 103 [RFC5234] notation including the core rules defined in Appendix B of 104 RFC 5234 [RFC5234]. Terms not defined in this document are taken 105 from [RFC5322]. 107 3. Draft and Release procedure 109 3.1. Initial Submission of a Message 111 The original email message to be sent doesn't include the MMHS- 112 Authorizing-Users header field. It may or may not include sender's S 113 /MIME signature. 115 The message to be sent is first submitted over SMTP [RFC6409]. The 116 specific mechanism for how it arrives to authorizing user(s) is not 117 specified in this document. One possibility is for the Message 118 Submission Agent (MSA) to redirect all email messages not addressed 119 to authorizing users and not submitted by authorizing users to a 120 preconfigured mailbox that can be accessed by authorizing user(s). 121 Another possibility is for the MSA to redirect all email messages 122 without the MMHS-Authorizing-Users header field and/or corresponding 123 S/MIME countersignatures to a preconfigured mailbox that can be 124 accessed by authorizing user(s). 126 3.2. Review by Authorizing User(s) 128 Each user agent that is used by an authorized user has to perform the 129 following steps (if there are multiple authorizing users, these steps 130 are repeated for each): 132 1. Verify the origination of the message. The exact mechanism to do 133 that is out of scope for this document, but one example is by 134 verifying the S/MIME signature and making sure that it matches 135 the sender of the message, as described in [RFC5750] [RFC5751]. 136 Another example is by verifying DKIM signature [RFC6376] that 137 covers From/Sender header fields. 139 2. Check if the message already contains the MMHS-Authorizing-Users 140 header field with the email address of the authorizing user. 141 (This can happen if email system is misconfigured and thus 142 contains a loop, or if a malicious sender or attacker is trying 143 to affect authorization procedure.) If yes, verify validity of 144 the header field (for example by checking for S/MIME 145 countersignature or for DKIM signature). If the validity of the 146 MMHS-Authorizing-Users header field containing the email address 147 of the authorizing user can be verified, go to step 5 below. 148 Otherwise strip the MMHS-Authorizing-Users header field or return 149 the message to sender (bounce). 151 3. Allow the authorizing user to review content of the message. 152 Some of the checks can be automated (for example search for 153 keywords). (See Section 3.2.1 for additional considerations.) 154 If based on the check the authorizing user is happy to release 155 the message to MTS (or to the next authorizing user, if multiple 156 authorizations are required), the UA should enable the 157 authorizing user to protect additions to the MMHS-Authorizing- 158 Users header field, for example by allowing to add S/MIME 159 countersignature (if S/MIME is used for protecting MMHS- 160 Authorizing-Users header field. See Section 3.2.2 for more 161 details). If the authorizing user wants to block the message, it 162 can be discarded or returned to sender, and no further steps from 163 this list should take place. The authorizing user can also 164 choose to forward the message to another authorizing user for 165 approval. 167 4. If there is an existing MMHS-Authorizing-Users header field 168 containing the email address of the authorizing user, skip this 169 step. Othrwise insert a new MMHS-Authorizing-Users header field 170 (if absent) containing the email address of the authorizing user 171 or append the email address of the authorizing user to the end of 172 the existing MMHS-Authorizing-Users header field. 174 5. The (possibly) updated email message is either released to the 175 MTS, or to the next authorizing user, as per email system 176 configuration. 178 3.2.1. Processing of Encrypted Messages 180 Any encrypted message sent in an environment where Draft and Release 181 procedure is in force needs to be also encrypted to all authorizing 182 users, so that they can perform review of the message. A message 183 that can't be decrypted by an authorizing user MUST be returned to 184 sender. 186 3.2.2. S/MIME countersignatures 188 If a message is signed multiple times (for example using different 189 cryptographic algorithms), all of the signatures that can be verified 190 by an authorizing user SHOULD be countersigned. A recipient of the 191 message should consider any chain of countersignatures that matches 192 MMHS-Authorizing-Users header field values as valid, if all 193 signatures in the chain verify. 195 When both encryption and signing is used, countersignature SHOULD be 196 applied to the outer level, so that it can be verified by MTAs 197 without the need to decrypt content. 199 3.3. Role of other Messaging Agents 201 3.3.1. Border MTA at the sender&s domain 203 Sender's domain border MTAs are responsible for ensuring that all 204 messages that leave sender's domain were properly authorized by 205 authorizing user(s), as determined by the sender's domain email 206 system configuration. They verify presence and validity of MMHS- 207 Authorizing-Users header field in outgoing messages, as well as 208 validity of associated signatures on the message. 210 4. MMHS-Authorizing-Users header field 212 The MMHS-Authorizing-Users header field specifies the list of 213 authorizing users that countersigned this email message (for example 214 using S/MIME) before it was authorized for release to MTS. Each user 215 is described by her/his email address. 217 The MMHS-Authorizing-Users header field specified in this document 218 MUST NOT appear more than once in message headers. (An email message 219 that contains multiple MMHS-Authorizing-Users is malformed. An agent 220 processing such malformed message SHOULD either return it to sender 221 (if possible) or fix the message so that it only contains one copy of 222 the header field.) [[An alternative is to allow for multiple copies 223 of the header field and treat them as additive. This might work 224 better with DKIM!]] 226 MMHS-Authorizing-Users = "MMHS-Authorizing-Users:" 227 [FWS] mailbox-list [FWS] CRLF 229 mailbox-list = 231 5. Updated MIXER mapping 233 This section updates MIXER mapping specified in [RFC2156]. 235 5.1. Mapping from RFC 5322/MIME to X.400 236 In the absence of the MMHS-Authorizing-Users header field, From and 237 Sender header fields are mapped to their X.400 equivalents as 238 specified in [RFC2156]. 240 If MMHS-Authorizing-Users header field is present: 242 1. The first From header field address is mapped to 243 IPMS.Heading.originator if there is no Sender header field and 244 the remaining From header field addresses + the MMHS-Authorizing- 245 Users header field address(es) are mapped to IPMS.Heading 246 .authorizing-users. If a Sender header field is present, the 247 From header field address(es) and the MMHS-Authorizing-Users 248 header field address(es) are mapped to IPMS.Heading.authorizing- 249 users. 251 2. The Sender header field (if present) is mapped to 252 IPMS.Heading.originator. 254 5.2. Mapping from X.400 to RFC 5322/MIME 256 Mapping from X.400 to Internet is controlled by whether or not a 257 particular message is considered to be a military message. A message 258 is considered to be a military message (as defined by ACP 123 259 [ACP123] and also specified in STANAG 4406 [STANAG-4406]) if there 260 are any MMHS heading extensions present. Alternatively, this MAY be 261 done by configuration (i.e. all messages can be considered to be 262 military messages). 264 For non military messages, mapping from X.400 as specified in 265 [RFC2156] is used. 267 For military messages, the following mapping is used: 269 1. IPMS.Heading.originator is mapped to From header field. 271 2. The IPMS.Heading.authorizing-users is mapped to MMHS-Authorizing- 272 Users header field. 274 6. IANA Considerations 276 IANA is requested to add the MMHS-Authorizing-Users header field 277 specified in Section 4 to the "Permanent Message Header Field Names", 278 defined by Registration Procedures for Message Header Fields 279 [RFC3864]. The registration template is as follows: 281 Header field name: MMHS-Authorizing-Users 283 Applicable protocol: mail ([RFC5322]) 284 Status: Standard 286 Author/Change controller: IETF 288 Specification document(s): [[RFC XXXX]] 290 Related information: 292 7. Security Considerations 294 7.1. Forged Header Fields 296 A malicious sender may add/change an MMHS-Authorizing-Users header 297 field to bypass or alter message authorization procedure invoked for 298 messages with no MMHS-Authorizing-Users header field. For that 299 reason it is important for agents and clients that rely on validity 300 of MMHS-Authorizing-Users header field to also verify 301 countersignature (or a similar protection mechanism), that confirms 302 that a particular person or entity authorized release of a message. 304 7.2. Intentionally Malformed Header Fields 306 It is possible for an attacker to add an MMHS-Authorizing-Users 307 header field that is extraordinarily large or otherwise malformed in 308 an attempt to discover or exploit weaknesses in header field parsing 309 code. Implementers must thoroughly verify all such header fields 310 received from MTAs and be robust against intentionally as well as 311 unintentionally malformed header fields. 313 8. Open Issues 315 Netnews Approved header field has the same syntax and semantics as 316 the one described here. Should it be used (and be formally 317 registered for email) instead? 319 9. References 321 9.1. Normative References 323 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 324 Requirement Levels", BCP 14, RFC 2119, March 1997. 326 [RFC2156] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay): 327 Mapping between X.400 and RFC 822/MIME", RFC 2156, January 328 1998. 330 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 331 October 2008. 333 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 334 October 2008. 336 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", 337 STD 72, RFC 6409, November 2011. 339 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 340 Specifications: ABNF", STD 68, RFC 5234, January 2008. 342 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 343 RFC 5652, September 2009. 345 [RFC5750] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 346 Mail Extensions (S/MIME) Version 3.2 Certificate 347 Handling", RFC 5750, January 2010. 349 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 350 Mail Extensions (S/MIME) Version 3.2 Message 351 Specification", RFC 5751, January 2010. 353 [RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys 354 Identified Mail (DKIM) Signatures", STD 76, RFC 6376, 355 September 2011. 357 [ACP123] CCEB, ., "Common Messaging strategy and procedures", ACP 358 123, May 2009. 360 9.2. Informative References 362 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 363 Procedures for Message Header Fields", BCP 90, RFC 3864, 364 September 2004. 366 [STANAG-4406] 367 NATO, ., "STANAG 4406 Edition 2: Military Message Handling 368 System", STANAG 4406, March 2005. 370 Appendix A. Acknowledgements 372 Many thanks for reviews and text provided by Steve Kille, Jim Schaad 373 and David Wilson. 375 Some text in this document was copied from RFC 7001. 377 Author's Address 378 Alexey Melnikov 379 Isode Ltd 380 5 Castle Business Village 381 36 Station Road 382 Hampton, Middlesex TW12 2BX 383 UK 385 EMail: Alexey.Melnikov@isode.com