Network Working Group                                           W. Mills
Internet-Draft                                               Yahoo! Inc.
Intended status: Standards Track                            M. Kucherawy
Expires: February 19, April 24, 2014                                   Facebook, Inc.
                                                         August 18,
                                                        October 21, 2013

    The Require-Recipient-Valid-Since Header Field
                draft-ietf-appsawg-rrvs-header-field-00 and SMTP Service


   This document defines an email extension for the Simple Mail Transfer
   Protocol called RRVS, and a header field, Require-Recipient-Valid-
   Since, field called Require-Recipient-
   Valid-Since, to provide a method for senders to indicate to receivers
   the time when the sender last confirmed the ownership of the target
   mailbox.  This can be used to detect changes of mailbox ownership,
   and thus prevent mail from being delivered to the wrong party.

   The intended use of this header field these facilities is on automatically generated
   messages that might contain sensitive information. information, though it may also
   be useful in other applications.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 19, April 24, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Description  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Use with Mailing Lists
     3.1.  The 'RRVS' SMTP Extension  . . . . . . . . . . . . . . . .  4
     3.2.  The 'Require-Recipient-Valid-Since' Header Field . . . .  5
   5.  Discussion .  4
   4.  Handling By Receivers  . . . . . . . . . . . . . . . . . . . .  5
     4.1.  SMTP Extension Used  . . . . . .  5
   6.  Continuous Ownership . . . . . . . . . . . . .  5
     4.2.  Header Field Used  . . . . . . . . . . .  6
   7.  Example . . . . . . . . .  5
   5.  Role Accounts  . . . . . . . . . . . . . . . . . . . . . . . .  7
   8.  Security Considerations
   6.  Method Conversion  . . . . . . . . . . . . . . . . . . . . . .  7
     8.1.  Abuse Countermeasures
   7.  Use with Mailing Lists . . . . . . . . . . . . . . . . . . . .  7
     8.2.  Suggested Use Restrictions
   8.  Discussion . . . . . . . . . . . . . . . . . . . . . . . . . .  8
   9.  Privacy Considerations  Continuous Ownership . . . . . . . . . . . . . . . . . . . . .  8
     9.1.  Probing Attacks
   10. Examples . . . . . . . . . . . . . . . . . . . . . . .  8
     9.2.  Envelope Recipients . . . .  9
     10.1. SMTP Extension Example . . . . . . . . . . . . . . . . . .  9
   10. IANA
     10.2. Header Field Example . . . . . . . . . . . . . . . . . . .  9
   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 10
     11.1. Abuse Countermeasures  . .  9
     10.1. Header Field Registration . . . . . . . . . . . . . . . .  9
     10.2. Enhanced Status Code Registration 10
     11.2. Suggested Use Restrictions . . . . . . . . . . . .  9
   11. References . . . . 10
   12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 11
     12.1. Probing Attacks  . . 10
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 10
     11.2. Informative References 11
     12.2. Envelope Recipients  . . . . . . . . . . . . . . . . . . 10
   Appendix A.  Acknowledgments . 12
   13. IANA Considerations  . . . . . . . . . . . . . . . . . . 10

1.  Introduction

   Email addresses sometimes get reassigned to a different person.  For
   example, employment changes at a company can cause an address used
   for an ex-employee to be assigned to a new employee, or a mail
   service provider (MSP) might expire an account and then let someone
   else register for the local-part that was previously used.  Those who
   sent mail to the previous owner of an address might . . . 12
     13.1. SMTP Extension Registration  . . . . . . . . . . . . . . . 12
     13.2. Header Field Registration  . . . . . . . . . . . . . . . . 12
     13.3. Enhanced Status Code Registration  . . . . . . . . . . . . 12
   14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     14.1. Normative References . . . . . . . . . . . . . . . . . . . 13
     14.2. Informative References . . . . . . . . . . . . . . . . . . 13
   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . . 14

1.  Introduction

   Email addresses sometimes get reassigned to a different person.  For
   example, employment changes at a company can cause an address used
   for an ex-employee to be assigned to a new employee, or a mail
   service provider (MSP) might expire an account and then let someone
   else register for the local-part that was previously used.  Those who
   sent mail to the previous owner of an address might not know that it
   has been reassigned.  This can lead to the sending of email to the
   correct address, but the wrong recipient.

   What is needed is a way to indicate an attribute of the recipient
   that will distinguish between the previous owner of an address and
   its current owner. owner, if they are different.  Further, this needs to be
   done in a way that respects privacy.

   The mechanism mechanisms specified here allows allow the sender of the mail to
   indicate how "old" the address assignment is expected to be.  In
   effect, the sender is saying, "The person to whom I am sending to had
   this address assigned to as far back as this date-time."  A receiving
   system can then compare this information against the date and time
   the address was assigned to its current user.  If the assignment was
   made later than the date-time indicated in the message, there is a
   good chance the current user of the address is not the correct
   recipient.  The receiving system can then choose to prevent delivery
   and, possibly, to notify the original sender of the problem.

   The primary application is automatically generated messages rather
   than user-authored content. content, though it may be useful in other

2.  Definitions

   For a description of the email architecture, consult [EMAIL-ARCH].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [KEYWORDS].

3.  Description

   The Require-Recipient-Valid-Since header field includes an intended
   recipient coupled with a timestamp indicating

   To address the most recent date
   and time when problem described above, a mail sending client needs
   to indicate to the message author believed server to which it is connecting that there is an
   expectation that the destination of the message has been under
   continuous ownership since some date-time, presumably the most recent
   time the message author had confirmed its understanding of who owned
   that mailbox.  Two mechanisms are defined here: an extension to the
   Simple Mail Transfer Protocol [SMTP], for use between a client and
   server that both implement the extension, and a header field that can
   be used when passing a message to a server that appears not to
   implement this extension.

   The SMTP extenion is called "RRVS" (Require Recipient Valid Since),
   and adds a parameter to the SMTP "RCPT" command that indicates the
   most recent date and time when the message author believed the
   destination mailbox to be under the continuous ownership (see
   Section 6) 9) of a specific party.  Similarly, the Require-Recipient-
   Valid-Since header field includes an intended recipient coupled with
   a timestamp indicating the same thing.  Presumably there has been
   some confirmation process applied to establish this ownership;
   however, the method of making such determinations is a local matter
   and outside the scope of this document.

3.1.  The 'RRVS' SMTP Extension

   Extensions to SMTP are described in Section 2.2 of [SMTP].

   The name of the extension is "RRVS", an abbreviation of "Require
   Recipient Valid Since".  Servers implementing the SMTP extension
   advertise an additional EHLO keyword of "RRVS", which has no
   associated parameters, introduces no new SMTP verbs, and does not
   alter the MAIL verb.

   An MTA implementing RRVS can transmit or accept a new parameter to
   the RCPT command.  The new parameter is "RRVS", which takes a value
   that is an integer timestamp expressed as an "epoch" time, namely the
   number of seconds since midnight on January 1, 1970.  Accordingly,
   this extension increases the maximum command length for the RCPT verb
   by 16 characters.

   The meaning of this extension, when used, is described in
   Section 4.1.

3.2.  The 'Require-Recipient-Valid-Since' Header Field

   The general constraints on syntax and placement of header fields in a
   message are defined in Internet Message Format [MAIL].

   Using Augmented Backus-Naur Form [ABNF], the syntax for the field is:

       rrvs = "Require-Recipient-Valid-Since:" addr-spec; date-time CRLF

   "CFWS" is defined in Section 3.2.2, "date-time" is defined in Section
   3.3, and "addr-spec" is defined in Section 3.4.1, of [MAIL].

4.  Handling By Receivers

   If a receiver implements the RRVS SMTP extension, then there are two
   possible evaluation paths:

   1.  The sending client implements the extension, and so there was an
       RRVS parameter on a RCPT TO command in the SMTP session; or

   2.  The sending client does not (or elected not to) implement the
       extension, so the RRVS parameter was not present on the RCPT TO
       commands in the SMTP session.

4.1.  SMTP Extension Used

   A receiving system that implements this specification the SMTP extension declared above
   and observes an RRVS parameter on a RCPT TO command checks whether
   the current owner of the destination mailbox has held it
   continuously, far enough back to inclue the given date-time, and
   delivers it unless that check returns in the negative.  Expressed as
   a sequence of steps:

   1.  Ignore the parameter if the named mailbox is a role account as
       listed in Mailbox Names For Common Services, Roles And Functions
       [ROLES].  (See Section 5.)

   2.  Determine if the named address is serviced for local delivery.
       If so, and if that address, has not been under continuous
       ownership since the specified timestamp, return a 550 error to
       the RCPT command.  (See also Section 13.3.)

   3.  RECOMMENDED: If any Require-Recipient-Valid-Since header fields
       are present and refer to the named address, remove them prior to
       delivery or relaying.  (See Section 4.2 for discussion.)

4.2.  Header Field Used

   A receiving system that implements this specification, upon receiving
   a message bearing a Require-Recipient-Valid-Since header field when
   no corresponding RRVS SMTP extension was used, checks whether the
   destination mailbox owner has held it continuously, far enough back
   to include the given date-time, and delivers it unless that check
   returns in the negative.  Expressed as a sequence of steps:

   1.  Extract the set of Require-Recipient-Valid-Since fields from the
       message for which no corresponding RRVS SMTP extension was used.

   2.  Discard any such fields that are syntactically invalid.

   3.  Discard any such fields that name a role account as listed in
       Mailbox Names For Common Services, Roles And Functions [ROLES].
       [ROLES] (see Section 5).

   4.  Discard any such fields for which the "addr-spec" portion does
       not match a current recipient, as listed in the RCPT TO commands
       in the corresponding Simple Mail Transfer Protocol [SMTP] SMTP session.

   5.  Discard any such fields for which the "addr-spec" portion does
       not refer to a mailbox handled for local delivery by this MTA.

   6.  For each field remaining, determine if the named address has been
       under continuous ownership since the corresponding timestamp.  If
       it has not, reject the message.


   7.  RECOMMENDED: If local delivery is being performed, remove all
       instances of this field prior to delivery to a mailbox; if the
       message is being forwarded, remove those instances of this header
       field that were not discarded by steps 1-4 above.

   Handling proceeds normally upon completion of the above steps if
   rejection has not been performed.

   The final step is not mandatory as not all mail handling agents are
   capable of stripping away header fields. fields, and there are sometimes
   reasons to keep the field intact such as debugging or presence of
   digital signatures that might be invalidated by such a change.

   If a message is to be rejected within the SMTP protocol itself
   (versus generating a rejection message separately), servers
   implementing this protocol and the SMTP extensions described in
   Enhanced Mail System Status Codes [ESC] SHOULD use the enhanced
   status code described in Section 10.2. 13.3.

   Implementation by this method is expected to be transparent to non non-
   participants, since they would typically ignore this header field.

   This header field is not typically normally added to a message that is
   addressed to multiple recipients.  The intended use of this field
   involves an author seeking to protect transactional or otherwise
   sensitive data intended for a single recipient, and thus generating
   independent messages for each individual recipient is normal
   practice.  Because of the nature of SMTP, a message bearing this
   header field for multiple addressees could result in a single
   delivery attempt for multiple recipients (in particular, if two of
   the recipients are handled by the same server), and if any one of
   them fails the test, the delivery fails to all of them; it then
   becomes necessary to generate a Delivery Status Notification [DSN]
   message for each of the failed recipients indicating the specific
   failure cause for each.

   To further obscure account details on

5.  Role Accounts

   It is necessary not to interfere with delivery of messages to role
   mailboxes (see [ROLES]), but it could be useful to indicate to users
   handling those mailboxes that a change of ownership might have taken
   place where doing so is possible.

6.  Method Conversion

   Use of the receiving system, SMTP extension provided here is preferable over the
   receiver SHOULD ignore header
   field method, since the additional detail about the relationship
   between the message author and its intended recipient is at best a
   property of the message transaction and not part of the message
   itself.  The header field if mechanism is defined only to enable passage
   of the address within it request between and through systems that that do not implement
   the SMTP extension.

   If an SMTP server receives a message from a client and both of them
   use the SMTP extension described here, the server thus has
   had "valid-
   since" timestamps associated with one continuous owner since it was created, regardless or more of the
   purported confirmation date destination
   mailboxes.  If that server needs to relay the message on to another
   server (thereby becoming a client), but this new server does not
   advertise the SMTP extension, the client SHOULD add Require-
   Recipient-Valid-Since header fields matching each mailbox to which
   relaying is being done, and the corresponding valid-since timestamp
   for each.

   Similarly, if an SMTP server receives a message bearing one or more
   Require-Recipient-Valid-Since header fields for which it must now
   relay the message (thereby becoming a client) and the new server
   advertises support for the SMTP extension, the client SHOULD delete
   the header field(s) and instead relay this information by making use
   of the address.  This is further
   discussed in Section 8.

4. SMTP extension.

7.  Use with Mailing Lists

   Mailing list services can store the timestamp at which a subscriber
   was added to a mailing list.  This specification can be used in
   conjunction with that information in order to restrict traffic to the
   original subscriber, rather than a different person now in possession
   of an address under which the original subscriber registered.  Upon
   receiving a rejection caused by this specification, the list service
   can remove that address from further distribution.

   A mailing list service that receives a message containing this field
   removes it from the message prior to redistributing it, limiting
   exposure of information regarding the relationship between the
   message's author and mailing list.


8.  Discussion

   It can be argued that placing this information in a message header
   field is not the ideal architectural choice and that it would have
   been better to introduce this capability as an extension to SMTP.
   The exchange of meta data about the target address is not part of the
   actual message content, nor is it meta data about the content.
   However, if

   To further obscure account details on the author and receiving system, the target address are separated by an
   SMTP server that does not implement
   receiver SHOULD ignore the SMTP extension, the check
   will not be able to propagate to extension or the intended receiving system.
   Implementing this service as a header field allows if the check to occur
   even across non-participating systems, effectively tunneling
   address specified has had one continuous owner since it was created,
   regardless of the purported confirmation date of the
   request. address.  This
   is further discussed in Section 11.

   The presence of the intended address in the field content supports
   the case where a message bearing this header field is forwarded.  The
   specific use case is as follows:

   1.  A user subscribes to a service "S" on date "D" and confirms an
       email address at the user's current location, "A";

   2.  At some later date, the user intends to leave the current
       location, and thus creates a new mailbox elsewhere, at "B";

   3.  The user replaces address "A" with forwarding to "B";

   4.  "S" constructs a message to "A" claiming that address was valid
       at date "D" and sends it to "A";

   5.  The receiving MTA at "A" determines that the forwarding in effect
       was created by the same party that owned the mailbox there, and
       thus concludes the continuous ownership test has been satisfied;

   6.  If possible, "A" removes this header field from the message, and
       in either case, forwards it to "B";

   7.  On receipt at "B", either the header field has been removed, or
       the header field does not refer to a current envelope recipient,
       and in either case delivers the message.

   Some services generate messages with an RFC5322.To field that does
   not contain a valid address, in order to obscure the intended
   recipient.  For this reason, the original intended recipient is
   included in this header field.


9.  Continuous Ownership

   Determining continuous ownership of a mailbox is a local matter at
   the receiving site.  In particular, the only possible answers to the
   continuous-ownership-since question are "yes", "no", and "unknown";
   the action to be taken in the "unknown" case is a matter of local

   For example, when control of a domain name is transferred, the new
   domain owner might be unable to determine whether the owner of the
   subject address has been under continuous ownership since the stated
   date if the mailbox history is not also transferred (or was not
   previously maintained).

   It will also be "unknown" if whatever database contains mailbox
   ownership data is temporarily unavailable at the time a message
   arrives for delivery.  In this case, typical SMTP temporary failure
   handling is appropriate.

7.  Example

10.  Examples

   In the following example, examples, "C:" indicates data sent by an SMTP
   client, and "S:" indicates responses by the SMTP server.  Message
   content is CRLF terminated, though these are omitted here for ease of

10.1.  SMTP Extension Example

     C: [connection established]
     S: 220 ESMTP ready
     C: EHLO
     S: 250 RRVS
     C: MAIL FROM:<>
     S: 250 OK
     C: RCPT TO:<> RRVS=1381993177
     S: 550 5.7.15 is no longer valid
     C: QUIT
     S: 221 So long!

10.2.  Header Field Example
     C: [connection established]
     S: 220 ESMTP ready
     C: HELO
     S: 250
     C: MAIL FROM:<>
     S: 250 OK
     C: RCPT TO:<>
     S: 250 OK
     C: DATA
     S: 354 Ready for message content
     C: From: Mister Sender <>
        To: Miss Receiver <>
        Subject: Are you still there?
        Date: Fri, 28 Jun 2013 18:01:01 +0200
          Sat, 1 Jun 2013 09:23:01 -0700

        Are you still there?
     S: 550 5.7.15 is no longer valid
     C: QUIT
     S: 221 So long!

   If an authentication scheme is applied to claim the added header
   field is valid, but the scheme fails, a receiver might reject the
   message with an SMTP reply such as:

     S: 550-5.7.7 Use of Require-Recipient-Valid-Since header
     S: 550 field requires a valid signature


11.  Security Considerations


11.1.  Abuse Countermeasures

   The response of a server implementing this protocol can disclose
   information about the age of existing email mailbox.  Implementation
   of countermeasures against probing attacks is advised.  For example,
   an operator could track appearance of this field with respect to a
   particular mailbox and observe the timestamps being submitted for
   testing; if it appears a variety of timestamps is being tried against
   a single mailbox in short order, the field could be ignored and the
   message silently discarded.  This concern is discussed further in
   Section 9.

8.2. 12.

11.2.  Suggested Use Restrictions

   If the mailbox named in the field is known to have had only a single
   continuous owner since creation, or not to have existed at all (under
   any owner) prior to the date specified in the field, then the field
   can be silently ignored and normal message handling applied so that
   this information is not disclosed.  Such fields are likely the
   product of either gross error or an attack.

   A message author using this specification might restrict inclusion of
   the header field such that it is only done for recipients known also
   to implement this specification, in order to reduce the possibility
   of revealing information about the relationship between the author
   and the mailbox.


   If ownership of an entire domain is transferred, the new owner may
   not know what addresses were assigned in the past by the prior owner.
   Hence, no address can be known not to have had a single owner, or to
   have existed (or not) at all.

12.  Privacy Considerations


12.1.  Probing Attacks

   As described above, use of this header field in probing attacks can
   disclose information about the history of the mailbox.  The harm that
   can be done by leaking any kind of private information is difficult
   to predict, so it is prudent to be sensitive to this sort of
   disclosure, either inadvertently or in response to probing by an
   attacker.  It bears restating, then, that implementing
   countermeasures to abuse of this capability needs strong

   That some MSPs allow for expiration of account names when they have
   been unused for a protracted period forces a choice between two
   potential types of privacy vulnerabilities, one of which presents
   significantly greater threats to users than the other.  Automatically
   generated mail is often used to convey authentication credentials
   that can potentially provide access to extremely sensitive
   information.  Supplying such credentials to the wrong party after a
   mailbox ownership change could allow the previous owner's data to be
   exposed without his or her authorization or knowledge.  In contrast,
   the information that may be exposed to a third party via the proposal
   in this document is limited to information about the mailbox history.
   Given that MSPs have chosen to allow transfers of mailbox ownership
   without the prior owner's involvement, the information leakage from
   the header field specified here creates far fewer risks than the
   potential for delivering mail to the wrong party.


12.2.  Envelope Recipients

   The email To and Cc header fields are not required to be populated
   with addresses that match the envelope recipient set, and Cc may even
   be absent.  However, the algorithm in Section 3 requires that this
   header field contain a match for an envelope recipient in order to be
   actionable.  As such, use of this specification can reveal some or
   all of the original intended recipient set to any party that can see
   the message in transit or upon delivery.

   For a message destined to a single recipient, this is unlikely to be
   a concern, which is one of the reasons use of this specification on
   multi-recipient messages is discouraged.


13.  IANA Considerations


13.1.  SMTP Extension Registration

   IANA is requested to register the SMTP extension described in
   Section 3.1.

13.2.  Header Field Registration

   IANA is requested to add the following entry to the Permanent Message
   Header Field registry, as per the procedure found in [IANA-HEADERS]:

     Header field name: Require-Recipient-Valid-Since
     Applicable protocol: mail ([MAIL])
     Status: Standard
     Author/Change controller: IETF
     Specification document(s): [this document]
     Related information:
       Requesting review of any proposed changes and additions to
       this field is recommended.


13.3.  Enhanced Status Code Registration

   IANA is requested to register the following in the SMTP Enhanced
   Status Codes registry:

      Code:               X.7.15
      Sample Text:        Mailbox owner has changed
      Associated basic status code:  5
      Description:        This status code is returned when a message is
                          received with a Require-Recipient-Valid-Since
                          field and the receiving system is able to
                          determine that the intended recipient mailbox
                          has not been under continuous ownership since
                          the specified date.
      Reference:          [this document]
      Submitter:          M. Kucherawy
      Change controller:  IESG


14.  References


14.1.  Normative References

   [ABNF]          Crocker, D., Ed. and P. Overell, "Augmented BNF for
                   Syntax Specifications: ABNF", RFC 5234, January 2008.

   [IANA-HEADERS]  Klyne, G., Nottingham, M., and J. Mogul,
                   "Registration Procedures for Message Header Fields",
                   BCP 90, RFC 3864, September 2004.

   [KEYWORDS]      Bradner, S., "Key words for use in RFCs to Indicate
                   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [MAIL]          Resnick, P., "Internet Message Format", RFC 5322,
                   October 2008.

   [ROLES]         Crocker, D., "Mailbox Names For Common Services,
                   Roles And Functions", RFC 2142, May 1997.

   [SMTP]          Klensin, J., "Simple Mail Transfer Protocol",
                   RFC 5321, October 2008.


14.2.  Informative References

   [DSN]           Moore, K. and G. Vaudreuil, "An Extensible Message
                   Format for Delivery Status Notifications", RFC 3464,
                   January 2003.

   [EMAIL-ARCH]    Crocker, D., "Internet Mail Architecture", RFC 5598,
                   July 2009.

   [ESC]           Vaudreuil, G., "Enhanced Mail System Status Codes",
                   RFC 3463, January 2003.

Appendix A.  Acknowledgments

   Erling Ellingsen proposed the idea.

   Reviews and comments were provided by Michael Adkins, Kurt Andersen,
   Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine,
   Hector Santos, Gregg Stefancik, Ed Zayas, (others)

Authors' Addresses

   William J. Mills
   Yahoo! Inc.


   Murray S. Kucherawy
   Facebook, Inc.
   1 Hacker Way
   Menlo Park, CA  94025