draft-ietf-appsawg-rrvs-header-field-08.txt   draft-ietf-appsawg-rrvs-header-field-09.txt 
Network Working Group W. Mills Network Working Group W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track M. Kucherawy Intended status: Standards Track M. Kucherawy
Expires: September 21, 2014 Facebook, Inc. Expires: September 26, 2014 Facebook, Inc.
March 20, 2014 March 25, 2014
The Require-Recipient-Valid-Since Header Field and SMTP Service The Require-Recipient-Valid-Since Header Field and SMTP Service
Extension Extension
draft-ietf-appsawg-rrvs-header-field-08 draft-ietf-appsawg-rrvs-header-field-09
Abstract Abstract
This document defines an extension for the Simple Mail Transfer This document defines an extension for the Simple Mail Transfer
Protocol called RRVS, and a header field called Require-Recipient- Protocol called RRVS, and a header field called Require-Recipient-
Valid-Since, to provide a method for senders to indicate to receivers Valid-Since, to provide a method for senders to indicate to receivers
the point in time when the sender last confirmed the ownership of the a point in time when the the ownership of the target mailbox was
target mailbox. This can be used to detect changes of mailbox known to the sender. This can be used to detect changes of mailbox
ownership, and thus prevent mail from being delivered to the wrong ownership, and thus prevent mail from being delivered to the wrong
party. party.
The intended use of these facilities is on automatically generated The intended use of these facilities is on automatically generated
messages that might contain sensitive information, though it may also messages, such as account statements or password change instructions,
be useful in other applications. that might contain sensitive information, though it may also be
useful in other applications.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 21, 2014. This Internet-Draft will expire on September 26, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Reassignment of Mailboxes . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5
3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 6
3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6
5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7
5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7
5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 8 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 8
5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9
5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 10 5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 10
6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 10
7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 10 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 10
7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 10 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 11
8. Header Field with Multiple Recipients . . . . . . . . . . . . 11 8. Header Field with Multiple Recipients . . . . . . . . . . . . 11
9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 12 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 12
9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 12
9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 12 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 12
9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 13 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 13
9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 13 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 13
9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 13 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 13
10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 14
11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14
12. Authentication-Results Definitions . . . . . . . . . . . . . . 15 12. Authentication-Results Definitions . . . . . . . . . . . . . . 15
13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 15 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 16
13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 16 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 16
13.3. Authentication-Results Example . . . . . . . . . . . . . . 16 13.3. Authentication-Results Example . . . . . . . . . . . . . . 17
14. Security Considerations . . . . . . . . . . . . . . . . . . . 17 14. Security Considerations . . . . . . . . . . . . . . . . . . . 17
14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 17 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 17
14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17
14.3. False Sense of Security . . . . . . . . . . . . . . . . . 17 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 18
15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 18 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 18
15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 18 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 18
15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 18 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 19
15.3. Risks with Use . . . . . . . . . . . . . . . . . . . . . . 19 15.3. Risks with Use . . . . . . . . . . . . . . . . . . . . . . 19
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19
16.2. Header Field Registration . . . . . . . . . . . . . . . . 19 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19
16.3. Enhanced Status Code Registration . . . . . . . . . . . . 19 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 20
16.4. Authentication Results Registration . . . . . . . . . . . 20 16.4. Authentication Results Registration . . . . . . . . . . . 20
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
17.1. Normative References . . . . . . . . . . . . . . . . . . . 21 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21
17.2. Informative References . . . . . . . . . . . . . . . . . . 21 17.2. Informative References . . . . . . . . . . . . . . . . . . 22
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Email addresses sometimes get reassigned to a different person. For Email addresses sometimes get reassigned to a different person. For
example, employment changes at a company can cause an address used example, employment changes at a company can cause an address used
for an ex-employee to be assigned to a new employee, or a mail for an ex-employee to be assigned to a new employee, or a mail
service provider (MSP) might expire an account and then let someone service provider (MSP) might expire an account and then let someone
else register for the local-part that was previously used. Those who else register for the local-part that was previously used. Those who
sent mail to the previous owner of an address might not know that it sent mail to the previous owner of an address might not know that it
has been reassigned. This can lead to the sending of email to the has been reassigned. This can lead to the sending of email to the
correct address, but the wrong recipient. correct address, but the wrong recipient. This situation is of
particular concern with transactional mail related to purchases,
online accounts, and the like.
What is needed is a way to indicate an attribute of the recipient What is needed is a way to indicate an attribute of the recipient
that will distinguish between the previous owner of an address and that will distinguish between the previous owner of an address and
its current owner, if they are different. Further, this needs to be its current owner, if they are different. Further, this needs to be
done in a way that respects privacy. done in a way that respects privacy.
The mechanisms specified here allow the sender of the mail to The mechanisms specified here allow the sender of the mail to
indicate how "old" the address assignment is expected to be. In indicate how "old" the address assignment is expected to be. In
effect, the sender is saying, "The last time the intended recipient effect, the sender is saying, "I know that the intended recipient was
was known to be using this address was this point in time." A using this address at this point in time. I don't want this message
receiving system can then compare this information against the point delivered to anyone else" A receiving system can then compare this
in time at which the address was assigned to its current user. If information against the point in time at which the address was
the assignment was made later than the point in time indicated in the assigned to its current user. If the assignment was made later than
message, there is a good chance the current user of the address is the point in time indicated in the message, there is a good chance
not the correct recipient. The receiving system can then choose to the current user of the address is not the correct recipient. The
prevent delivery and, possibly, to notify the original sender of the receiving system can then choose to prevent delivery and, possibly,
problem. to notify the original sender of the problem.
The primary application is automatically generated messages rather The primary application is transactional mail (such as account
than user-authored content, though it may be useful in other information, password change requests, and other automatically
contexts. generated messages) rather than user-authored content. However, it
may be useful in other contexts; for example, a personal address book
could record the time an email address was added to it, and thus use
that time with this extension.
One important point is that the protocols presented here provide a One important point is that the protocols presented here provide a
way for a sending system to make a request to receiving systems with way for a sending system to make a request to receiving systems with
respect to handling of a message. In the end, there is no guarantee respect to handling of a message. In the end, there is no guarantee
that the request will have the desired effect. that the request will have the desired effect.
1.1. Reassignment of Mailboxes
It is expected that email addresses will not have a high rate of
turnover or ownership change. High-precision timestamps are used out
of convenience and convention rather than out of necessity.
It is also good practice to have a substantial period of time between
mailbox owners during which the mailbox accepts no mail.
2. Definitions 2. Definitions
For a description of the email architecture, consult [EMAIL-ARCH]. For a description of the email architecture, consult [EMAIL-ARCH].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
3. Description 3. Description
To address the problem described above, a mail sending client needs To address the problem described in Section 1, a mail sending client
to indicate to the server to which it is connecting that there is an (usually an automated agent) needs to indicate to the server to which
expectation that the destination of the message has been under it is connecting that it expects the destination address of the
continuous ownership (see Section 10) since some point in time, message to have been under continuous ownership (see Section 10)
presumably the most recent time the message author had confirmed its since a specified point time. That specified time would be the time
understanding of who owned that mailbox. Two mechanisms are defined when the intended recipient gave the address to the message author,
here: an extension to the Simple Mail Transfer Protocol [SMTP] and a or perhaps a more recent time when the intended recipient reconfirmed
new message header field. The SMTP extension permits strong ownership of the address with the sender.
assurance of enforcement by confirming support at each handling step
for a message. The header field does not provide the strong Two mechanisms are defined here: an extension to the Simple Mail
assurance, but only requires adoption by the receiving Message Transfer Protocol [SMTP] and a new message header field. The SMTP
Delivery Agent (MDA). extension permits strong assurance of enforcement by confirming
support at each handling step for a message. The header field does
not provide the strong assurance, but only requires adoption by the
receiving Message Delivery Agent (MDA).
The SMTP extension is called "RRVS" (Require Recipient Valid Since), The SMTP extension is called "RRVS" (Require Recipient Valid Since),
and adds a parameter to the SMTP "RCPT" command that indicates the and adds a parameter to the SMTP "RCPT" command that indicates the
most recent point in time when the message author believed the most recent point in time when the message author believed the
destination mailbox to be under the continuous ownership of a destination mailbox to be under the continuous ownership of a
specific party. Similarly, the Require-Recipient-Valid-Since header specific party. Similarly, the Require-Recipient-Valid-Since header
field includes an intended recipient coupled with a timestamp field includes an intended recipient coupled with a timestamp
indicating the same thing. indicating the same thing.
3.1. The 'RRVS' SMTP Extension 3.1. The 'RRVS' SMTP Extension
skipping to change at page 8, line 39 skipping to change at page 8, line 51
* the "addr-spec" portion does not refer to a mailbox handled * the "addr-spec" portion does not refer to a mailbox handled
for local delivery by this ADMD. for local delivery by this ADMD.
3. For each field remaining, determine if the named address has been 3. For each field remaining, determine if the named address has been
under continuous ownership since the corresponding timestamp. If under continuous ownership since the corresponding timestamp. If
it has not, reject the message. it has not, reject the message.
4. RECOMMENDED: If local delivery is being performed, remove all 4. RECOMMENDED: If local delivery is being performed, remove all
instances of this field prior to delivery to a mailbox; if the instances of this field prior to delivery to a mailbox; if the
message is being forwarded, remove those instances of this header message is being forwarded, remove those instances of this header
field that were not discarded by steps 1-4 above. field that were not discarded by step 2 above.
Handling proceeds normally upon completion of the above steps if Handling proceeds normally upon completion of the above steps if
rejection has not been performed. rejection has not been performed.
The final step is not mandatory as not all mail handling agents are The final step is not mandatory as not all mail handling agents are
capable of stripping away header fields, and there are sometimes capable of stripping away header fields, and there are sometimes
reasons to keep the field intact such as debugging or presence of reasons to keep the field intact such as debugging or presence of
digital signatures that might be invalidated by such a change. See digital signatures that might be invalidated by such a change. See
Section 11 for additional discussion. Section 11 for additional discussion.
skipping to change at page 9, line 45 skipping to change at page 10, line 9
was created by the same party that owned the mailbox there, and was created by the same party that owned the mailbox there, and
thus concludes the continuous ownership test has been satisfied; thus concludes the continuous ownership test has been satisfied;
6. If possible, "A" removes this header field from the message, and 6. If possible, "A" removes this header field from the message, and
in either case, forwards it to "B"; in either case, forwards it to "B";
7. On receipt at "B", either the header field has been removed, or 7. On receipt at "B", either the header field has been removed, or
the header field does not refer to a current envelope recipient, the header field does not refer to a current envelope recipient,
and in either case delivers the message. and in either case delivers the message.
Section 9 discusses some interesting use cases, such as the case
where "B" above results in further forwarding of the message.
SMTP has never required any correspondence between addresses in the SMTP has never required any correspondence between addresses in the
RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a
message, which is why the header field defined here contains the message, which is why the header field defined here contains the
recipient address to which the timestamp applies. recipient address to which the timestamp applies.
5.3. Clock Synchronization 5.3. Clock Synchronization
The timestamp portion of this specification supports a precision at The timestamp portion of this specification supports a precision at
the seconds level. Although uncommon, it is not impossible for a the seconds level. Although uncommon, it is not impossible for a
clock at either a generator or a receiver to be incorrect, leading to clock at either a generator or a receiver to be incorrect, leading to
an incorrect result in the RRVS evaluation. an incorrect result in the RRVS evaluation.
To minimize the risk of such incorrect results, both generators and To minimize the risk of such incorrect results, both generators and
receivers implementing this specification MUST use a standard clock receivers implementing this specification MUST use a standard clock
synchronization protocol such as [NTP]. synchronization protocol such as [NTP] to synchronize to a common
clock.
6. Role Accounts 6. Role Accounts
It is necessary not to interfere with delivery of messages to role It is necessary not to interfere with delivery of messages to role
mailboxes (see [ROLES]), but it could be useful to notify users mailboxes (see [ROLES]), but it could be useful to notify users
sending to those mailboxes that a change of ownership might have sending to those mailboxes that a change of ownership might have
taken place, if such notification is possible. taken place, if such notification is possible.
7. Relaying Without RRVS Support 7. Relaying Without RRVS Support
skipping to change at page 11, line 23 skipping to change at page 11, line 36
information by making use of the SMTP extension. Note that such information by making use of the SMTP extension. Note that such
modification of the header might affect later validation of the modification of the header might affect later validation of the
header upon delivery; for example, a hash of the header would produce header upon delivery; for example, a hash of the header would produce
a different result. This might be a valid cause for some operators a different result. This might be a valid cause for some operators
to skip this delete operation. to skip this delete operation.
8. Header Field with Multiple Recipients 8. Header Field with Multiple Recipients
Numerous issues arise when using the header field form of this Numerous issues arise when using the header field form of this
extension, particularly when multiple recipients are specified for a extension, particularly when multiple recipients are specified for a
single message resulting in one multiple fields each with a distinct single message resulting in multiple fields each with a distinct
address and timestamp. address and timestamp.
Because of the nature of SMTP, a message bearing a multiplicity of Because of the nature of SMTP, a message bearing a multiplicity of
Require-Recipient-Valid-Since header fields could result in a single Require-Recipient-Valid-Since header fields could result in a single
delivery attempt for multiple recipients (in particular, if two of delivery attempt for multiple recipients (in particular, if two of
the recipients are handled by the same server), and if any one of the recipients are handled by the same server), and if any one of
them fails the test, the delivery fails to all of them; it then them fails the test, the delivery fails to all of them; it then
becomes necessary to do one of the following: becomes necessary to do one of the following:
o reject the message on completion of the DATA phase of the SMTP o reject the message on completion of the DATA phase of the SMTP
skipping to change at page 12, line 14 skipping to change at page 12, line 23
9. Special Use Addresses 9. Special Use Addresses
In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to
request generation of DSNs, and related information to allow such request generation of DSNs, and related information to allow such
reports to be maximally useful. Section 5.2.7 of that document reports to be maximally useful. Section 5.2.7 of that document
explored the issue of the use of that extension where the recipient explored the issue of the use of that extension where the recipient
is a mailing list. This extension has similar concerns which are is a mailing list. This extension has similar concerns which are
covered here following that document as a model. covered here following that document as a model.
For all cases described below, a receiving MTA SHOULD NOT introduce
RRVS in either form (SMTP extension or header field) if the message
did not arrive with RRVS in use. This would amount to second-
guessing of the message originator's intention and might lead to an
undesirable outcome.
9.1. Mailing Lists 9.1. Mailing Lists
Delivery to a mailing list service is considered a final delivery. Delivery to a mailing list service is considered a final delivery.
Where this protocol is in use, it is evaluated as per any normal Where this protocol is in use, it is evaluated as per any normal
delivery: If the same mailing list has been operating in place of the delivery: If the same mailing list has been operating in place of the
specified recipient mailbox since at least the timestamp given as the specified recipient mailbox since at least the timestamp given as the
RRVS parameter, the message is delivered to the list service RRVS parameter, the message is delivered to the list service
normally, and is otherwise not delivered. normally, and is otherwise not delivered.
It is important, however, that the participating MDA passing the It is important, however, that the participating MDA passing the
message to the list service needs to omit the RRVS parameter in message to the list service needs to omit the RRVS parameter in
either form (SMTP extension or header field) when doing so. The either form (SMTP extension or header field) when doing so. The
emission of a message from the list service to its subscribers emission of a message from the list service to its subscribers
constitutes a new message not covered by the previous transaction. constitutes a new message not covered by the previous transaction.
9.2. Single-Recipient Aliases 9.2. Single-Recipient Aliases
Upon delivery of an RRVS-protected message to an alias (acting in Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to a place of a mailbox) that results in relaying of the message to a
single other destination, the usual RRVS check is performed. The single other destination, the usual RRVS check is performed. The
continuous ownership test here might succeed if a conventional user continuous ownership test here might succeed if, for example, a
inbox was replaced with an alias on behalf of that same user, and conventional user inbox was replaced with an alias on behalf of that
this information is recorded someplace. If the message is thus same user, and the time when this was done is recorded in a way that
accepted, the relaying MTA can choose to do one of the following: can be queried by the relaying MTA.
1. Do not include an RRVS parameter or header field when relaying to
the new address. (RECOMMENDED)
2. If the relaying system records the time when the alias was
established, independent of confirming the validity of the new
destination address, it MAY add an RRVS parameter for the new
target address that includes that time.
3. If an explicit confirmation of the new destination was done, it If the relaying system also performs some kind of step where
MAY add an RRVS parameter for the new target address that ownership of the new destination address is confirmed, it SHOULD
includes that time. apply RRVS using the later of that timestamp and the one that was
used inbound. This also allows for changes to the alias without
disrupting the protection offered by RRVS.
There is risk and additional administrative burden associated with If the relaying system has no such time records related to the new
all but the first option in that list which are believed to make them destination address, the RRVS SMTP extension is not used on the
not worth pursuing. relaying SMTP session, and the header field relative to the local
alias is removed, in accordance with Section 5.
9.3. Multiple-Recipient Aliases 9.3. Multiple-Recipient Aliases
Upon delivery of an RRVS-protected message to an alias (acting in Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to place of a mailbox) that results in relaying of the message to
multiple other destinations, the usual RRVS check is performed as in multiple other destinations, the usual RRVS check is performed as in
Section 9.2. The MTA expanding such an alias then decides which of Section 9.2. The MTA expanding such an alias then decides which of
the options enumerated in that section is to be applied for each new the options enumerated in that section is to be applied for each new
recipient. recipient.
skipping to change at page 18, line 36 skipping to change at page 18, line 47
significantly greater threats to users than the other. Automatically significantly greater threats to users than the other. Automatically
generated mail is often used to convey authentication credentials generated mail is often used to convey authentication credentials
that can potentially provide access to extremely sensitive that can potentially provide access to extremely sensitive
information. Supplying such credentials to the wrong party after a information. Supplying such credentials to the wrong party after a
mailbox ownership change could allow the previous owner's data to be mailbox ownership change could allow the previous owner's data to be
exposed without his or her authorization or knowledge. In contrast, exposed without his or her authorization or knowledge. In contrast,
the information that may be exposed to a third party via the proposal the information that may be exposed to a third party via the proposal
in this document is limited to information about the mailbox history. in this document is limited to information about the mailbox history.
Given that MSPs have chosen to allow transfers of mailbox ownership Given that MSPs have chosen to allow transfers of mailbox ownership
without the prior owner's involvement, the information leakage from without the prior owner's involvement, the information leakage from
the extensions specified here creates far fewer risks than the the extensions specified here creates far lower overall risk than the
potential for delivering mail to the wrong party. potential for delivering mail to the wrong party.
15.2. Envelope Recipients 15.2. Envelope Recipients
The email To and Cc header fields are not required to be populated The email To and Cc header fields are not required to be populated
with addresses that match the envelope recipient set, and Cc may even with addresses that match the envelope recipient set, and Cc may even
be absent. However, the algorithm in Section 3 requires that this be absent. However, the algorithm in Section 3 requires that this
header field contain a match for an envelope recipient in order to be header field contain a match for an envelope recipient in order to be
actionable. As such, use of this specification can reveal some or actionable. As such, use of this specification can reveal some or
all of the original intended recipient set to any party that can see all of the original intended recipient set to any party that can see
 End of changes. 30 change blocks. 
66 lines changed or deleted 90 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/