[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-wmills-rrvs-header-field) 00 01 02 03 04 05 06 07 08 09 10 11 RFC 7293

Network Working Group                                           W. Mills
Internet-Draft                                               Yahoo! Inc.
Intended status: Standards Track                            M. Kucherawy
Expires: May 10, 2014                                     Facebook, Inc.
                                                        November 6, 2013


      The "Require Recipient Valid Since"  SMTP Service Extension
                draft-ietf-appsawg-rrvs-header-field-02

Abstract

   This document defines an extension for the Simple Mail Transfer
   Protocol, called RRVS (for "Require Recipient Valid Since"), to
   provide a method for senders to indicate to receivers the time when
   the sender last confirmed the ownership of the target mailbox.  This
   can be used to detect changes of mailbox ownership, and thus prevent
   mail from being delivered to the wrong party.

   The intended use of this facility is on automatically generated
   messages that might contain sensitive information, though it may also
   be useful in other applications.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 10, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Mills & Kucherawy         Expires May 10, 2014                  [Page 1]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Description . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     3.1.  The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . . 4
   4.  Handling By Receivers . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  SMTP Extension Offered  . . . . . . . . . . . . . . . . . . 4
     4.2.  SMTP Extension Not Offered  . . . . . . . . . . . . . . . . 5
   5.  Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . . 5
   6.  Use with Mailing Lists  . . . . . . . . . . . . . . . . . . . . 5
   7.  Continuous Ownership  . . . . . . . . . . . . . . . . . . . . . 6
   8.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     8.1.  SMTP Extension Example  . . . . . . . . . . . . . . . . . . 6
   9.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
     9.1.  Abuse Countermeasures . . . . . . . . . . . . . . . . . . . 6
     9.2.  Suggested Use Restrictions  . . . . . . . . . . . . . . . . 7
   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . . . 7
     10.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . . 7
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
     11.1. SMTP Extension Registration . . . . . . . . . . . . . . . . 8
     11.2. Enhanced Status Code Registration . . . . . . . . . . . . . 8
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     12.1. Normative References  . . . . . . . . . . . . . . . . . . . 8
     12.2. Informative References  . . . . . . . . . . . . . . . . . . 9
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . 9


















Mills & Kucherawy         Expires May 10, 2014                  [Page 2]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


1.  Introduction

   Email addresses sometimes get reassigned to a different person.  For
   example, employment changes at a company can cause an address used
   for an ex-employee to be assigned to a new employee, or a mail
   service provider (MSP) might expire an account and then let someone
   else register for the local-part that was previously used.  Those who
   sent mail to the previous owner of an address might not know that it
   has been reassigned.  This can lead to the sending of email to the
   correct address, but the wrong recipient.

   What is needed is a way to indicate an attribute of the recipient
   that will distinguish between the previous owner of an address and
   its current owner, if they are different.  Further, this needs to be
   done in a way that respects privacy.

   The mechanism specified here allows the sender of the mail to
   indicate how "old" the address assignment is expected to be.  In
   effect, the sender is saying, "The person to whom I am sending to had
   this address assigned to as far back as this date-time."  A receiving
   system can then compare this information against the date and time
   the address was assigned to its current user.  If the assignment was
   made later than the date-time indicated in the message, there is a
   good chance the current user of the address is not the intended
   recipient.  The receiving system can then choose to prevent delivery
   and, possibly, to notify the original sender of the problem.

   The primary application is automatically generated messages rather
   than user-authored content, though it may be useful in other
   contexts.

2.  Definitions

   For a description of the email architecture, consult [EMAIL-ARCH].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

3.  Description

   To address the problem described above, a mail sending client needs
   to indicate to the server to which it is connecting that there is an
   expectation that the destination of the message has been under
   continuous ownership since some date-time, presumably the most recent
   time the message author had confirmed its understanding of who owned
   that mailbox.  The mechanism defined here is an extension to the
   Simple Mail Transfer Protocol [SMTP] for use between a client and



Mills & Kucherawy         Expires May 10, 2014                  [Page 3]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


   server that both implement the extension.

   The SMTP extenion is called "RRVS" (Require Recipient Valid Since),
   and adds a parameter to the SMTP "RCPT" command that indicates the
   most recent date and time when the message author believed the
   destination mailbox to be under the continuous ownership (see
   Section 7) of a specific party.  Presumably there has been some
   confirmation process applied to establish this ownership; however,
   the method of making such determinations is a local matter and
   outside the scope of this document.

3.1.  The 'RRVS' SMTP Extension

   Extensions to SMTP are described in Section 2.2 of [SMTP].

   The name of the extension is "RRVS", an abbreviation of "Require
   Recipient Valid Since".  Servers implementing the SMTP extension
   advertise an additional EHLO keyword of "RRVS", which has no
   associated parameters, introduces no new SMTP verbs, and does not
   alter the MAIL verb.

   An MTA implementing RRVS can transmit or accept a new parameter to
   the RCPT command.  The new parameter is "RRVS", which takes a value
   that is a timestamp expressed as a "date-time" as defiend in
   [DATETIME], with the added restriction that a "time-secfrac" MUST NOT
   be used.  Accordingly, this extension increases the maximum command
   length for the RCPT verb by 31 characters.

   The meaning of this extension, when used, is described in
   Section 4.1.

4.  Handling By Receivers

   If a receiver implements the RRVS SMTP extension, then there are two
   possible evaluation paths:

   1.  The sending client implements the extension, and so there was an
       RRVS parameter on a RCPT TO command in the SMTP session; or

   2.  The sending client does not (or elected not to) implement the
       extension, so the RRVS parameter was not present on the RCPT TO
       commands in the SMTP session.

4.1.  SMTP Extension Offered

   A receiving system that implements the SMTP extension declared above
   and observes an RRVS parameter on a RCPT TO command checks whether
   the current owner of the destination mailbox has held it



Mills & Kucherawy         Expires May 10, 2014                  [Page 4]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


   continuously, far enough back to inclue the given date-time, and
   delivers it unless that check returns in the negative.  Expressed as
   a sequence of steps:

   1.  Ignore the parameter if the named mailbox is a role account as
       listed in Mailbox Names For Common Services, Roles And Functions
       [ROLES].  (See Section 5.)

   2.  Determine if the named address is serviced for local delivery.
       If so, and if that address has not been under continuous
       ownership since the specified timestamp, return a 550 error to
       the RCPT command.  If the server implements Enhanced Mail System
       Status Codes [ESC], it SHOULD use the code defined in
       Section 11.2.

   3.  Otherwise, continue with normal delivery.

   To further obscure account details on the receiving system, the
   receiver SHOULD ignore the SMTP extension if the address specified
   has had one continuous owner since it was created, regardless of the
   purported confirmation date of the address.  This is further
   discussed in Section 9.

4.2.  SMTP Extension Not Offered

   For a message being sent that includes content meant to be protected
   by this extension, the client MUST NOT continue to deliver a message
   to a server where the server does not advertise the RRVS SMTP
   extension.

5.  Role Accounts

   It is necessary not to interfere with delivery of messages to role
   mailboxes (see [ROLES]), but it could be useful to indicate to users
   handling those mailboxes that a change of ownership might have taken
   place where such notification is possible.

6.  Use with Mailing Lists

   Mailing list services can store the timestamp at which a subscriber
   was added to a mailing list.  This specification can be used in
   conjunction with that information in order to restrict traffic to the
   original subscriber, rather than a different person now in possession
   of an address under which the original subscriber registered.  Upon
   receiving a rejection caused by this specification, the list service
   can remove that address from further distribution.





Mills & Kucherawy         Expires May 10, 2014                  [Page 5]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


7.  Continuous Ownership

   Determining continuous ownership of a mailbox is a local matter at
   the receiving site.  In particular, the only possible answers to the
   continuous-ownership-since question are "yes", "no", and "unknown";
   the action to be taken in the "unknown" case is a matter of local
   policy.

   For example, when control of a domain name is transferred, the new
   domain owner might be unable to determine whether the owner of the
   subject address has been under continuous ownership since the stated
   date if the mailbox history is not also transferred (or was not
   previously maintained).

   It will also be "unknown" if whatever database contains mailbox
   ownership data is temporarily unavailable at the time a message
   arrives for delivery.  In this case, typical SMTP temporary failure
   handling is appropriate.

8.  Examples

   In the following examples, "C:" indicates data sent by an SMTP
   client, and "S:" indicates responses by the SMTP server.  Message
   content is CRLF terminated, though these are omitted here for ease of
   reading.

8.1.  SMTP Extension Example


     C: [connection established]
     S: 220 server.example.com ESMTP ready
     C: EHLO client.example.net
     S: 250-server.example.com
     S: 250 RRVS
     C: MAIL FROM:<sender@example.net>
     S: 250 OK
     C: RCPT TO:<receiver@example.com> RRVS=2013-12-31T23:59:59
     S: 550 5.7.15 receiver@example.com is no longer valid
     C: QUIT
     S: 221 So long!

9.  Security Considerations

9.1.  Abuse Countermeasures

   The response of a server implementing this protocol can disclose
   information about the age of existing email mailbox.  Implementation
   of countermeasures against probing attacks is advised.  For example,



Mills & Kucherawy         Expires May 10, 2014                  [Page 6]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


   an operator could track appearance of this extension with respect to
   a particular mailbox and observe the timestamps being submitted for
   testing; if it appears a variety of timestamps is being tried against
   a single mailbox in short order, the extension could be ignored and
   the message silently discarded.  This concern is discussed further in
   Section 10.

9.2.  Suggested Use Restrictions

   If the mailbox named in the RCPT TO command is known to have had only
   a single continuous owner since creation, or not to have existed at
   all (under any owner) prior to the time specified in the parameter,
   then the field can be silently ignored and normal message handling
   applied so that this information is not disclosed.  Such parameters
   are likely the product of either gross error or an attack.

   A message author using this specification might restrict use of the
   extension such that it is only done for recipients known also to
   implement this specification, in order to reduce the possibility of
   revealing information about the relationship between the author and
   the mailbox.

   If ownership of an entire domain is transferred, the new owner may
   not know what addresses were assigned in the past by the prior owner.
   Hence, no address can be known not to have had a single owner, or to
   have existed (or not) at all.

10.  Privacy Considerations

10.1.  Probing Attacks

   As described above, use of this extension in probing attacks can
   disclose information about the history of the mailbox.  The harm that
   can be done by leaking any kind of private information is difficult
   to predict, so it is prudent to be sensitive to this sort of
   disclosure, be it inadvertently or in response to probing by an
   attacker.  It bears restating, then, that implementing
   countermeasures to abuse of this capability needs strong
   consideration.

   That some MSPs allow for expiration of account names when they have
   been unused for a protracted period forces a choice between two
   potential types of privacy vulnerabilities, one of which presents
   significantly greater threats to users than the other.  Automatically
   generated mail is often used to convey authentication credentials
   that can potentially provide access to extremely sensitive
   information.  Supplying such credentials to the wrong party after a
   mailbox ownership change could allow the previous owner's data to be



Mills & Kucherawy         Expires May 10, 2014                  [Page 7]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


   exposed without his or her authorization or knowledge.  In contrast,
   the information that may be exposed to a third party via the proposal
   in this document is limited to information about the mailbox history.
   Given that MSPs have chosen to allow transfers of mailbox ownership
   without the prior owner's involvement, the information leakage from
   the header field specified here creates far fewer risks than the
   potential for delivering mail to the wrong party.

11.  IANA Considerations

11.1.  SMTP Extension Registration

   IANA is requested to register the SMTP extension described in
   Section 3.1.

11.2.  Enhanced Status Code Registration

   IANA is requested to register the following in the SMTP Enhanced
   Status Codes registry:

      Code:               X.7.15
      Sample Text:        Mailbox owner has changed
      Associated basic status code:  5
      Description:        This status code is returned when a message is
                          received with a Require-Recipient-Valid-Since
                          field and the receiving system is able to
                          determine that the intended recipient mailbox
                          has not been under continuous ownership since
                          the specified date.
      Reference:          [this document]
      Submitter:          M. Kucherawy
      Change controller:  IESG

12.  References

12.1.  Normative References

   [DATETIME]    Klyne, G. and C. Newman, "Date and Time on the
                 Internet: Timestamps", RFC 3339, July 2002.

   [KEYWORDS]    Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ROLES]       Crocker, D., "Mailbox Names For Common Services, Roles
                 And Functions", RFC 2142, May 1997.

   [SMTP]        Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
                 October 2008.



Mills & Kucherawy         Expires May 10, 2014                  [Page 8]


Internet-Draft        Require-Recipient-Valid-Since        November 2013


12.2.  Informative References

   [EMAIL-ARCH]  Crocker, D., "Internet Mail Architecture", RFC 5598,
                 July 2009.

   [ESC]         Vaudreuil, G., "Enhanced Mail System Status Codes",
                 RFC 3463, January 2003.

Appendix A.  Acknowledgments

   Erling Ellingsen proposed the idea.

   Reviews and comments were provided by Michael Adkins, Kurt Andersen,
   Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine,
   Hector Santos, Gregg Stefancik, Ed Zayas, (others)

Authors' Addresses

   William J. Mills
   Yahoo! Inc.

   EMail: wmills_92105@yahoo.com


   Murray S. Kucherawy
   Facebook, Inc.
   1 Hacker Way
   Menlo Park, CA  94025
   USA

   EMail: msk@fb.com




















Mills & Kucherawy         Expires May 10, 2014                  [Page 9]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/