idnits 2.17.1 draft-melnikov-mmhs-authorizing-users-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 22, 2014) is 3473 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FWS' is mentioned on line 273, but not defined == Unused Reference: 'RFC5321' is defined on line 378, but no explicit reference was found in the text == Unused Reference: 'RFC5652' is defined on line 390, but no explicit reference was found in the text == Unused Reference: 'I-D.melnikov-smime-msa-to-mda' is defined on line 421, but no explicit reference was found in the text ** Obsolete normative reference: RFC 5750 (Obsoleted by RFC 8550) ** Obsolete normative reference: RFC 5751 (Obsoleted by RFC 8551) Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Melnikov 3 Internet-Draft Isode Ltd 4 Intended status: Informational October 22, 2014 5 Expires: April 25, 2015 7 Draft and Release using Internet Email 8 draft-melnikov-mmhs-authorizing-users-07 10 Abstract 12 This document describes a procedure for when an Military Message 13 Handling System (MMHS) message is composed by one user and is only 14 released to the mail transfer system when one or more authorizing 15 users authorize release of the message by adding the MMHS- 16 Authorizing-Users header field. The resulting message can be 17 optionally signed by the sender and/or reviewer, allowing recipients 18 to verify both the original signature (if any) and review signatures. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on April 25, 2015. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 56 3. Draft and Release procedure . . . . . . . . . . . . . . . . . 3 57 3.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 58 3.2. Handling of Initial Message Submission by MSA . . . . . . 3 59 3.3. Review by Authorizing User(s) . . . . . . . . . . . . . . 4 60 3.3.1. Processing of Encrypted Messages . . . . . . . . . . 5 61 3.3.2. Authorizing S/MIME signatures . . . . . . . . . . . . 5 62 3.4. Role of other Messaging Agents . . . . . . . . . . . . . 5 63 3.4.1. Border MTA at the sender's domain . . . . . . . . . . 5 64 3.4.2. MDA at the sender's domain . . . . . . . . . . . . . 6 65 4. MMHS-Authorizing-Users header field . . . . . . . . . . . . . 6 66 5. Updated MIXER mapping . . . . . . . . . . . . . . . . . . . . 6 67 5.1. Mapping from RFC 5322/MIME to X.400 . . . . . . . . . . . 6 68 5.2. Mapping from X.400 to RFC 5322/MIME . . . . . . . . . . . 7 69 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 70 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 71 7.1. Forged Header Fields . . . . . . . . . . . . . . . . . . 8 72 7.2. Intentionally Malformed Header Fields . . . . . . . . . . 8 73 8. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 8 74 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 75 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 76 9.2. Informative References . . . . . . . . . . . . . . . . . 9 77 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 10 79 1. Introduction 81 In some secure environments email messages can't be released to the 82 MTS (Mail Transfer System) and, thus delivered to recipients, unless 83 they are authorized by one or more authorizing users (e.g. Releasing 84 Officers or Release Authorities). This document describes how this 85 mechanism can be realized by an additional Internet Email [RFC5322] 86 header field and optionally protected using S/MIME [RFC5750] 87 [RFC5751] or DKIM [RFC6376]. 89 This document describes a procedure for how an email message composed 90 by one user can be released to the MTS when one or more authorizing 91 users authorize and optionally countersign the message. The header 92 communicates which users authorized the message. If signed, the 93 resulting message allows recipients to verify both the original (if 94 any) and counter S/MIME signatures. The list of authorizing users is 95 specified in the MMHS-Authorizing-Users header field Section 4. The 96 original S/MIME signature generated by the sender (if any) should be 97 unaffected by additional S/MIME review signatures. 99 2. Conventions Used in This Document 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in [RFC2119]. 105 The formal syntax uses the Augmented Backus-Naur Form (ABNF) 106 [RFC5234] notation including the core rules defined in Appendix B of 107 RFC 5234 [RFC5234]. Terms not defined in this document are taken 108 from [RFC5322]. 110 3. Draft and Release procedure 112 3.1. Terminology 114 Drafter: Any email user that composes a message (Draft Message) 115 needing authorisation before it is released to its intended 116 recipients. 118 Authorizing User (also Releaser or Authorizer): The mailbox of a user 119 or a group of users that must inspect and authorise the release of 120 Draft Message before it can be sent. An organization may require 121 more than one Authorizing User to authorize release of a Draft 122 Message. 124 3.2. Handling of Initial Message Submission by MSA 126 The original email message to be sent doesn't include the MMHS- 127 Authorizing-Users header field. It may or may not include sender's 128 S/MIME signature. 130 The message to be sent is first submitted over SMTP [RFC6409]. The 131 specific mechanism for how it arrives to authorizing user(s) is not 132 specified in this document. One possibility is for the Message 133 Submission Agent (MSA) to redirect all email messages not addressed 134 to authorizing users and not submitted by authorizing users to a 135 preconfigured mailbox that can be accessed by authorizing user(s). 136 Another possibility is for the MSA to redirect all email messages 137 without the MMHS-Authorizing-Users header field and/or corresponding 138 S/MIME review signatures to a preconfigured mailbox that can be 139 accessed by authorizing user(s). 141 In order to prevent a malicious sender from bypassing or altering 142 Draft and Release procedure, MSA MUST check that MMHS-Authorizing- 143 Users header field (if present) is syntactically valid, contains 144 email addresses of entities authorized to act as authorizing users 145 and, when review signatures are used, that every entity listed has 146 one or more matching review signature (or signature) which is valid. 148 3.3. Review by Authorizing User(s) 150 Each user agent that is used by an authorized user MUST perform the 151 following steps (if there are multiple authorizing users, these steps 152 are repeated for each): 154 1. Verify the origination of the message. The exact mechanism to do 155 that is out of scope for this document, but one example is by 156 verifying the S/MIME signature and making sure that it matches 157 the sender of the message, as described in [RFC5750] [RFC5751]. 158 Another example is by verifying a DKIM signature [RFC6376] that 159 covers From/Sender header fields. 161 2. Check if the message already contains the MMHS-Authorizing-Users 162 header field with the email address of the authorizing user. 163 (This can happen if email system is misconfigured and thus 164 contains a loop, or if a malicious sender or attacker is trying 165 to affect authorization procedure.) If the message doesn't 166 contain the email address of the authorizing user in the MMHS- 167 Authorizing-Users header field, then go to the next step. If 168 MMHS-Authorizing-Users header field contains the email address of 169 the authorizing user, verify validity of the header field (for 170 example by checking for S/MIME signature/review signature or for 171 DKIM signature). If the validity of the MMHS-Authorizing-Users 172 header field can be verified, go to step 5 below. Otherwise 173 strip the MMHS-Authorizing-Users header field or return the 174 message to sender (bounce). 176 3. Allow the authorizing user to review content of the message. 177 Some of the checks can be automated (for example search for 178 keywords). (See Section 3.3.1 for additional considerations.) 179 If based on the check the authorizing user is happy to release 180 the message to MTS (or to the next authorizing user, if multiple 181 authorizations are required), the UA SHOULD enable the 182 authorizing user to protect additions to the MMHS-Authorizing- 183 Users header field, for example by allowing to add S/MIME review 184 signature (if S/MIME is used for protecting MMHS-Authorizing- 185 Users header field. See Section 3.3.2 for more details). If the 186 authorizing user wants to block the message, it can be discarded 187 or returned to sender. The authorizing user can also choose to 188 forward the message to another authorizing user for approval. 190 4. If there is an existing MMHS-Authorizing-Users header field 191 containing the email address of the authorizing user, skip this 192 step. Otherwise, insert a new MMHS-Authorizing-Users header 193 field (if absent) containing the email address of the authorizing 194 user or append the email address of the authorizing user to the 195 end of the existing MMHS-Authorizing-Users header field. 197 5. The (possibly) updated email message is either released to the 198 MTS, or to the next authorizing user, as per email system 199 configuration. Note that if the authorizing user updates the 200 message in a manner that invalidates existing S/MIME/DKIM 201 signature(s), the authorizing user becomes the Drafter, and need 202 to reapply any protections. 204 3.3.1. Processing of Encrypted Messages 206 Any encrypted message sent in an environment where Draft and Release 207 procedure is in force needs to be also encrypted to all authorizing 208 users, so that they can perform review of the message. A message 209 that can't be decrypted by an authorizing user MUST be returned to 210 sender. 212 3.3.2. Authorizing S/MIME signatures 214 If S/MIME were not used, the Authorizing User can become the original 215 signer of the message. 217 If a message is signed multiple times (for example using different 218 cryptographic algorithms), all of the signatures that can be verified 219 by an authorizing user SHOULD be signed with a review signature 220 (authorizing signatures). A recipient of the message must consider 221 any chain of review signatures that matches MMHS-Authorizing-Users 222 header field values as valid, only if all signatures in the chain 223 verify. 225 When triple wrapping [RFC2634] is used, authorizing signatures are 226 applied to the outer level, so that it can be verified by MTAs 227 without the need to decrypt content. 229 3.4. Role of other Messaging Agents 231 3.4.1. Border MTA at the sender's domain 233 Sender's domain border MTAs are responsible for ensuring that all 234 messages that leave sender's domain were properly authorized by 235 authorizing user(s), as determined by the sender's domain email 236 system configuration. They verify presence and validity of MMHS- 237 Authorizing-Users header field in outgoing messages, as well as 238 validity of associated signatures on the message. 240 3.4.2. MDA at the sender's domain 242 If a message being sent is to be delivered within the sender's 243 domain, Message Delivery Agents (MDAs) are responsible for ensuring 244 that the message was properly authorized by authorizing user(s), as 245 determined by the sender's domain email system configuration. They 246 verify presence and validity of MMHS-Authorizing-Users header field 247 in the message, as well as validity of associated signatures on the 248 message. 250 4. MMHS-Authorizing-Users header field 252 The MMHS-Authorizing-Users header field specifies the list of 253 authorizing users (or entities(*)) that countersigned this email 254 message (for example using S/MIME) before it was authorized for 255 release to MTS. Each user/entity is described by her/his/its email 256 address. 258 (*) Note that in some environments identities of authorizing users 259 are required to be hidden from recipients of email messages, so upon 260 receipt MMHS-Authorizing-Users might contain an email address 261 associated with a group of possible users. 263 The MMHS-Authorizing-Users header field specified in this document 264 MUST NOT appear more than once in message headers. (An email message 265 that contains multiple MMHS-Authorizing-Users is malformed. An agent 266 processing such malformed message SHOULD either return it to sender 267 (if possible) or fix the message so that it only contains one copy of 268 the header field.) [[An alternative is to allow for multiple copies 269 of the header field and treat them as additive. This might work 270 better with DKIM!]] 272 MMHS-Authorizing-Users = "MMHS-Authorizing-Users:" 273 [FWS] mailbox-list [FWS] CRLF 275 mailbox-list = 277 5. Updated MIXER mapping 279 This section updates MIXER mapping specified in [RFC2156]. 281 5.1. Mapping from RFC 5322/MIME to X.400 283 In the absence of the MMHS-Authorizing-Users header field, From and 284 Sender header fields are mapped to their X.400 equivalents as 285 specified in [RFC2156]. 287 If MMHS-Authorizing-Users header field is present: 289 1. The first From header field address is mapped to 290 IPMS.Heading.originator if there is no Sender header field and 291 the remaining From header field addresses + the MMHS-Authorizing- 292 Users header field address(es) are mapped to 293 IPMS.Heading.authorizing-users. If a Sender header field is 294 present, the From header field address(es) and the MMHS- 295 Authorizing-Users header field address(es) are mapped to 296 IPMS.Heading.authorizing-users. 298 2. The Sender header field (if present) is mapped to 299 IPMS.Heading.originator. 301 5.2. Mapping from X.400 to RFC 5322/MIME 303 Mapping from X.400 to Internet is controlled by whether or not a 304 particular message is considered to be a military message. A message 305 is considered to be a military message (as defined by ACP 123 306 [ACP123] and also specified in STANAG 4406 [STANAG-4406]) if there 307 are any MMHS heading extensions present. Alternatively, this MAY be 308 done by configuration (i.e. all messages can be considered to be 309 military messages). 311 For non military messages, mapping from X.400 as specified in 312 [RFC2156] is used. 314 For military messages, the following mapping is used: 316 1. IPMS.Heading.originator is mapped to From header field. 318 2. The IPMS.Heading.authorizing-users is mapped to MMHS-Authorizing- 319 Users header field. 321 6. IANA Considerations 323 IANA is requested to add the MMHS-Authorizing-Users header field 324 specified in Section 4 to the "Permanent Message Header Field Names", 325 defined by Registration Procedures for Message Header Fields 326 [RFC3864]. The registration template is as follows: 328 Header field name: MMHS-Authorizing-Users 330 Applicable protocol: mail ([RFC5322]) 332 Status: Standard 334 Author/Change controller: IETF 335 Specification document(s): [[RFC XXXX]] 337 Related information: 339 7. Security Considerations 341 7.1. Forged Header Fields 343 A malicious sender may add/change an MMHS-Authorizing-Users header 344 field to bypass or alter the message authorization procedure invoked 345 for messages with no MMHS-Authorizing-Users header field. For that 346 reason it is important for agents and clients that rely on the 347 validity of the MMHS-Authorizing-Users header field to also verify 348 the review signature (or a similar protection mechanism), that 349 confirms that a particular person or entity authorized release of a 350 message. 352 7.2. Intentionally Malformed Header Fields 354 It is possible for an attacker to add an MMHS-Authorizing-Users 355 header field that is extraordinarily large or otherwise malformed in 356 an attempt to discover or exploit weaknesses in header field parsing 357 code. Implementations MUST thoroughly verify all such header fields 358 received from MTAs and be robust against intentionally as well as 359 unintentionally malformed header fields. 361 8. Open Issues 363 Netnews Approved header field has the same syntax and semantics as 364 the one described here. Should it be used (and be formally 365 registered for email) instead? 367 9. References 369 9.1. Normative References 371 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 372 Requirement Levels", BCP 14, RFC 2119, March 1997. 374 [RFC2156] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay): 375 Mapping between X.400 and RFC 822/MIME", RFC 2156, January 376 1998. 378 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 379 October 2008. 381 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 382 October 2008. 384 [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", 385 STD 72, RFC 6409, November 2011. 387 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 388 Specifications: ABNF", STD 68, RFC 5234, January 2008. 390 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 391 RFC 5652, September 2009. 393 [RFC2634] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 394 2634, June 1999. 396 [RFC5750] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 397 Mail Extensions (S/MIME) Version 3.2 Certificate 398 Handling", RFC 5750, January 2010. 400 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 401 Mail Extensions (S/MIME) Version 3.2 Message 402 Specification", RFC 5751, January 2010. 404 [RFC6376] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys 405 Identified Mail (DKIM) Signatures", STD 76, RFC 6376, 406 September 2011. 408 [ACP123] "Common Messaging strategy and procedures", ACP 123(B), 409 May 2009. 411 9.2. Informative References 413 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 414 Procedures for Message Header Fields", BCP 90, RFC 3864, 415 September 2004. 417 [STANAG-4406] 418 "STANAG 4406 Edition 2: Military Message Handling System", 419 STANAG 4406 Ed. 2, March 2005. 421 [I-D.melnikov-smime-msa-to-mda] 422 Ottaway, W. and A. Melnikov, "Domain-based signing and 423 encryption using S/MIME", draft-melnikov-smime-msa-to- 424 mda-04 (work in progress), March 2014. 426 Appendix A. Acknowledgements 428 Many thanks for reviews and text provided by Steve Kille, Jim Schaad, 429 Russ Housley, David Wilson and Chris Bonatti. 431 Some text in this document was copied from RFC 7001. 433 Author's Address 435 Alexey Melnikov 436 Isode Ltd 437 14 Castle Mews 438 Hampton, Middlesex TW12 2NP 439 UK 441 EMail: Alexey.Melnikov@isode.com