idnits 2.17.1

draft-ser-authentication-results-openpgp-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 11, 2019) is 1863 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 5751 (Obsoleted by RFC 8551)

  ** Obsolete normative reference: RFC 7601 (Obsoleted by RFC 8601)

     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


Independent Submission                                            S. Ser
Internet-Draft                                            March 11, 2019
Intended status: Informational
Expires: September 12, 2019


   Authentication-Results Registration for OpenPGP Signature Verification
                draft-ser-authentication-results-openpgp-00

Abstract

   RFC 7601 specifies the Authentication-Results header field for
   conveying results of message authentication checks.  This document
   defines a new authentication method to be used in the
   Authentication-Results header field for PGP-related signature checks.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  "pgp" Authentication Method
     2.1.  OpenPGP Results
     2.2.  Email Authentication Parameters for OpenPGP
       2.2.1.  body.pgp-fingerprint
       2.2.2.  body.pgp-user-id
     2.3.  Examples
   3.  IANA Considerations
   4.  Security Considerations
   5.  Normative References
   Author's Address

1.  Introduction

   [RFC7601] specifies the Authentication-Results header field for
   conveying results of message authentication checks.  OpenPGP
   signature verification is sometimes implemented in border message
   transfer agents (for instance, some MTAs have their own OpenPGP PKI),
   so there is a need to convey the signature verification status to
   Mail User Agents (MUAs) and downstream filters.  This document
   defines a new authentication method to be used in the
   Authentication-Results header field for OpenPGP-related signature
   checks.

2.  "pgp" Authentication Method

   OpenPGP signature verification is represented by the "pgp" method;
   OpenPGP itself is defined in [RFC4880].

2.1.  OpenPGP Results

   The result values used by OpenPGP [RFC4880] are as follows:

   +-----------+-------------------------------------------------------+
   | Result    | Meaning                                               |
   | Code      |                                                       |
   +-----------+-------------------------------------------------------+
   | none      | The message was not signed.                           |
   | pass      | The message was signed, the signature or signatures   |
   |           | were acceptable to the verifier, and the signature(s) |
   |           | passed verification tests.                            |
   | fail      | The message was signed and the signature or           |
   |           | signatures were acceptable to the verifier, but they  |
   |           | failed the verification test(s).                      |
   | policy    | The message was signed and signature(s) passed        |
   |           | verification tests, but the signature or signatures   |
   |           | were not acceptable to the verifier.                  |
   | neutral   | The message was signed but the signature or           |
   |           | signatures contained syntax errors or were not        |
   |           | otherwise able to be processed.  This result is also  |
   |           | used for other failures not covered elsewhere in this |
   |           | list.                                                 |
   | temperror | The message could not be verified due to some error   |
   |           | that is likely transient in nature, such as a         |
   |           | temporary inability to retrieve a key.  A later       |
   |           | attempt may produce a final result.                   |
   | permerror | The message could not be verified due to some error   |
   |           | that is unrecoverable, such as a required header      |
   |           | field being absent or the signer's key not being      |
   |           | available.  A later attempt is unlikely to produce a  |
   |           | final result.                                         |
   +-----------+-------------------------------------------------------+

                              OpenPGP Results

   A signature is "acceptable to the verifier" if it passes local policy
   checks (or there are no specific local policy checks).  For example,
   a verifier might require that the domain in the user ID in the
   signing OpenPGP key matches the domain in the address of the author
   of the message (the value of the From header field), thus making
   third-party signatures unacceptable.  [RFC5751] advises that if a
   message fails verification, it should be treated as an unsigned
   message.  A report of "fail" here permits the receiver of the report
   to decide how to handle the failure.  A report of "neutral" or "none"
   preempts that choice, ensuring that the message will be treated as if
   it had not been signed.

2.2.  Email Authentication Parameters for OpenPGP

   This document defines several new authentication parameters for
   conveying OpenPGP-related information, such as the identity
   associated with the entity that signed the message or one of its body
   parts.

2.2.1.  body.pgp-fingerprint

   body.pgp-fingerprint contains the fingerprint [RFC4880] of the key
   used to generate the OpenPGP signature referenced in the
   corresponding body.pgp-part.

2.2.2.  body.pgp-user-id

   body.pgp-user-id contains the signer's user ID [RFC4880] associated
   with the OpenPGP signature referenced in the corresponding
   body.pgp-part.
2.3.  Examples

   Return-Path:
   Authentication-Results: example.net;
         pgp=pass (1024-bit key)
         body.pgp-fingerprint=89A8DCE5EAE72D530905C65241BA574B8FBB172B
         body.pgp-user-id="Michael Elkins "
   Received: from ietfa.example.com (localhost [IPv6:::1])
         by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0;
         Fri, 06 Sep 2002 00:35:14 -0700 (PDT)
   From: Michael Elkins
   To: Michael Elkins
   Mime-Version: 1.0
   Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;
         protocol="application/pgp-signature"

   --bar
   Content-Type: text/plain; charset=iso-8859-1
   Content-Transfer-Encoding: quoted-printable

   =A1Hola!

   Did you know that talking to yourself is a sign of senility?

   It's generally a good idea to encode lines that begin with
   From=20because some mail transport agents will insert a greater-
   than (>) sign, thus invalidating the signature.

   Also, in some cases it might be desirable to encode any =20
   trailing whitespace that occurs on lines in order to ensure =20
   that the message signature is not invalidated when passing =20
   a gateway that modifies such whitespace (like BITNET). =20

   me

   --bar

   Content-Type: application/pgp-signature

   -----BEGIN PGP MESSAGE-----
   Version: 2.6.2

   iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
   jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
   uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
   HOxEa44b+EI=
   =ndaj
   -----END PGP MESSAGE-----

   --bar--

3.  IANA Considerations

   IANA has added the following entries to the "Email Authentication
   Methods" sub-registry of the "Email Authentication Parameters"
   registry:

   TBD

   IANA has added the following entries to the "Email Authentication
   Result Names" sub-registry of the "Email Authentication Parameters"
   registry:

   TBD

4.  Security Considerations

   TODO
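   The following is an added example, not part of this draft, showing
   how a downstream filter would consume the "pgp" method from the
   Section 2.3 header field and apply the result semantics of
   Section 2.1.  It assumes the local policy given as an example in
   Section 2.1 (the signer's user-ID domain must match the From domain)
   and only believes a header field whose authserv-id is the local one,
   since [RFC7601] Section 7.1 requires fields with any other
   authserv-id to be distrusted.  The function names and the mailbox
   inside the sample user ID are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample: the Authentication-Results value follows the draft's
# Section 2.3 example; the mailbox inside the user ID is an assumed value.
SAMPLE_AR = ('example.net;\n pgp=pass (1024-bit key)\n'
             ' body.pgp-fingerprint=89A8DCE5EAE72D530905C65241BA574B8FBB172B\n'
             ' body.pgp-user-id="Michael Elkins <elkins@example.net>"')
SAMPLE_FROM = 'Michael Elkins <elkins@example.net>'

PAIR_RE = re.compile(r'([\w./-]+)=("(?:[^"\\]|\\.)*"|[^\s;()]+)')
COMMENT_RE = re.compile(r'\([^()]*\)')
FPR_RE = re.compile(r'[0-9A-Fa-f]{40}')  # v4 key fingerprint: 160 bits (RFC 4880)
RESULTS = {'none', 'pass', 'fail', 'policy', 'neutral', 'temperror', 'permerror'}

def parse_pgp(ar_value, trusted_authserv_id):
    """Return {'result', 'props'} for the "pgp" method, or None.  Only a field
    stamped with our own authserv-id is believed; one carrying another
    authserv-id may have been added upstream (RFC 7601, Section 7.1)."""
    authserv_id, _, rest = ar_value.partition(';')
    if authserv_id.split()[:1] != [trusted_authserv_id]:
        return None
    for stanza in COMMENT_RE.sub(' ', rest).split(';'):
        pairs = PAIR_RE.findall(stanza)        # first pair is method=result
        if pairs and pairs[0][0].split('/')[0] == 'pgp':  # tolerate "pgp/1="
            return {'result': pairs[0][1].lower(),
                    'props': {k: v.strip('"') for k, v in pairs[1:]}}
    return None

def domain_of(mailbox):
    return parseaddr(mailbox)[1].rpartition('@')[2].lower()

def disposition(pgp, from_header):
    """Section 2.1 semantics: none/neutral (or nothing usable) -> unsigned;
    fail and the error codes pass through for the receiver to decide; pass is
    re-checked against the draft's example local policy (signer's user-ID
    domain must equal the From domain), so a third-party signature -> policy."""
    if pgp is None or pgp['result'] not in RESULTS - {'none', 'neutral'}:
        return 'unsigned'                   # treat as if it had not been signed
    if pgp['result'] != 'pass':
        return pgp['result']
    props = pgp['props']
    if not FPR_RE.fullmatch(props.get('body.pgp-fingerprint', '')):
        return 'unsigned'   # key cannot be identified: this filter treats as neutral
    if domain_of(props.get('body.pgp-user-id', '')) != domain_of(from_header):
        return 'policy'
    return 'signed'
```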
5.  Normative References

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, DOI 10.17487/RFC5751, January
              2010.

   [RFC7601]  Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", RFC 7601,
              DOI 10.17487/RFC7601, August 2015.

Author's Address

   Simon Ser
   14, rue Girardot
   Villebon-sur-Yvette 91140
   France

   Email: contact@emersion.fr