--- 1/draft-ietf-appsawg-rrvs-header-field-08.txt 2014-03-25 13:14:40.088956119 -0700 +++ 2/draft-ietf-appsawg-rrvs-header-field-09.txt 2014-03-25 13:14:40.136957278 -0700 @@ -1,176 +1,195 @@ Network Working Group W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track M. Kucherawy -Expires: September 21, 2014 Facebook, Inc. - March 20, 2014 +Expires: September 26, 2014 Facebook, Inc. + March 25, 2014 The Require-Recipient-Valid-Since Header Field and SMTP Service Extension - draft-ietf-appsawg-rrvs-header-field-08 + draft-ietf-appsawg-rrvs-header-field-09 Abstract This document defines an extension for the Simple Mail Transfer Protocol called RRVS, and a header field called Require-Recipient- Valid-Since, to provide a method for senders to indicate to receivers - the point in time when the sender last confirmed the ownership of the - target mailbox. This can be used to detect changes of mailbox + a point in time when the the ownership of the target mailbox was + known to the sender. This can be used to detect changes of mailbox ownership, and thus prevent mail from being delivered to the wrong party. The intended use of these facilities is on automatically generated - messages that might contain sensitive information, though it may also - be useful in other applications. + messages, such as account statements or password change instructions, + that might contain sensitive information, though it may also be + useful in other applications. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 21, 2014. + This Internet-Draft will expire on September 26, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1. Reassignment of Mailboxes . . . . . . . . . . . . . . . . 4 + 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 - 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 + 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 6 3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7 - 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 + 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 8 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 8 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9 5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 10 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 10 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 10 - 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 10 + 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 11 8. Header Field with Multiple Recipients . . . . . . . . . . . . 11 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 12 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 12 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 12 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 13 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 13 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 13 - 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 + 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 14 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14 12. Authentication-Results Definitions . . . . . . . . . . . . . . 15 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 - 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 15 + 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 16 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 16 - 13.3. Authentication-Results Example . . . . . . . . . . . . . . 16 + 13.3. Authentication-Results Example . . . . . . . . . . . . . . 17 14. Security Considerations . . . . . . . . . . . . . . . . . . . 17 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 17 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17 - 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 17 + 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 18 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 18 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 18 - 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 18 + 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 19 15.3. Risks with Use . . . . . . . . . . . . . . . . . . . . . . 19 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19 - 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 19 + 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 20 16.4. Authentication Results Registration . . . . . . . . . . . 20 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21 - 17.2. Informative References . . . . . . . . . . . . . . . . . . 21 + 17.2. Informative References . . . . . . . . . . . . . . . . . . 22 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 1. Introduction Email addresses sometimes get reassigned to a different person. For example, employment changes at a company can cause an address used for an ex-employee to be assigned to a new employee, or a mail service provider (MSP) might expire an account and then let someone else register for the local-part that was previously used. Those who sent mail to the previous owner of an address might not know that it has been reassigned. This can lead to the sending of email to the - correct address, but the wrong recipient. + correct address, but the wrong recipient. This situation is of + particular concern with transactional mail related to purchases, + online accounts, and the like. What is needed is a way to indicate an attribute of the recipient that will distinguish between the previous owner of an address and its current owner, if they are different. Further, this needs to be done in a way that respects privacy. The mechanisms specified here allow the sender of the mail to indicate how "old" the address assignment is expected to be. In - effect, the sender is saying, "The last time the intended recipient - was known to be using this address was this point in time." A - receiving system can then compare this information against the point - in time at which the address was assigned to its current user. If - the assignment was made later than the point in time indicated in the - message, there is a good chance the current user of the address is - not the correct recipient. The receiving system can then choose to - prevent delivery and, possibly, to notify the original sender of the - problem. + effect, the sender is saying, "I know that the intended recipient was + using this address at this point in time. I don't want this message + delivered to anyone else" A receiving system can then compare this + information against the point in time at which the address was + assigned to its current user. If the assignment was made later than + the point in time indicated in the message, there is a good chance + the current user of the address is not the correct recipient. The + receiving system can then choose to prevent delivery and, possibly, + to notify the original sender of the problem. - The primary application is automatically generated messages rather - than user-authored content, though it may be useful in other - contexts. + The primary application is transactional mail (such as account + information, password change requests, and other automatically + generated messages) rather than user-authored content. However, it + may be useful in other contexts; for example, a personal address book + could record the time an email address was added to it, and thus use + that time with this extension. One important point is that the protocols presented here provide a way for a sending system to make a request to receiving systems with respect to handling of a message. In the end, there is no guarantee that the request will have the desired effect. +1.1. Reassignment of Mailboxes + + It is expected that email addresses will not have a high rate of + turnover or ownership change. High-precision timestamps are used out + of convenience and convention rather than out of necessity. + + It is also good practice to have a substantial period of time between + mailbox owners during which the mailbox accepts no mail. + 2. Definitions For a description of the email architecture, consult [EMAIL-ARCH]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. 3. Description - To address the problem described above, a mail sending client needs - to indicate to the server to which it is connecting that there is an - expectation that the destination of the message has been under - continuous ownership (see Section 10) since some point in time, - presumably the most recent time the message author had confirmed its - understanding of who owned that mailbox. Two mechanisms are defined - here: an extension to the Simple Mail Transfer Protocol [SMTP] and a - new message header field. The SMTP extension permits strong - assurance of enforcement by confirming support at each handling step - for a message. The header field does not provide the strong - assurance, but only requires adoption by the receiving Message - Delivery Agent (MDA). + To address the problem described in Section 1, a mail sending client + (usually an automated agent) needs to indicate to the server to which + it is connecting that it expects the destination address of the + message to have been under continuous ownership (see Section 10) + since a specified point time. That specified time would be the time + when the intended recipient gave the address to the message author, + or perhaps a more recent time when the intended recipient reconfirmed + ownership of the address with the sender. + + Two mechanisms are defined here: an extension to the Simple Mail + Transfer Protocol [SMTP] and a new message header field. The SMTP + extension permits strong assurance of enforcement by confirming + support at each handling step for a message. The header field does + not provide the strong assurance, but only requires adoption by the + receiving Message Delivery Agent (MDA). The SMTP extension is called "RRVS" (Require Recipient Valid Since), and adds a parameter to the SMTP "RCPT" command that indicates the most recent point in time when the message author believed the destination mailbox to be under the continuous ownership of a specific party. Similarly, the Require-Recipient-Valid-Since header field includes an intended recipient coupled with a timestamp indicating the same thing. 3.1. The 'RRVS' SMTP Extension @@ -321,21 +340,21 @@ * the "addr-spec" portion does not refer to a mailbox handled for local delivery by this ADMD. 3. For each field remaining, determine if the named address has been under continuous ownership since the corresponding timestamp. If it has not, reject the message. 4. RECOMMENDED: If local delivery is being performed, remove all instances of this field prior to delivery to a mailbox; if the message is being forwarded, remove those instances of this header - field that were not discarded by steps 1-4 above. + field that were not discarded by step 2 above. Handling proceeds normally upon completion of the above steps if rejection has not been performed. The final step is not mandatory as not all mail handling agents are capable of stripping away header fields, and there are sometimes reasons to keep the field intact such as debugging or presence of digital signatures that might be invalidated by such a change. See Section 11 for additional discussion. @@ -376,35 +395,39 @@ was created by the same party that owned the mailbox there, and thus concludes the continuous ownership test has been satisfied; 6. If possible, "A" removes this header field from the message, and in either case, forwards it to "B"; 7. On receipt at "B", either the header field has been removed, or the header field does not refer to a current envelope recipient, and in either case delivers the message. + Section 9 discusses some interesting use cases, such as the case + where "B" above results in further forwarding of the message. + SMTP has never required any correspondence between addresses in the RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a message, which is why the header field defined here contains the recipient address to which the timestamp applies. 5.3. Clock Synchronization The timestamp portion of this specification supports a precision at the seconds level. Although uncommon, it is not impossible for a clock at either a generator or a receiver to be incorrect, leading to an incorrect result in the RRVS evaluation. To minimize the risk of such incorrect results, both generators and receivers implementing this specification MUST use a standard clock - synchronization protocol such as [NTP]. + synchronization protocol such as [NTP] to synchronize to a common + clock. 6. Role Accounts It is necessary not to interfere with delivery of messages to role mailboxes (see [ROLES]), but it could be useful to notify users sending to those mailboxes that a change of ownership might have taken place, if such notification is possible. 7. Relaying Without RRVS Support @@ -448,21 +471,21 @@ information by making use of the SMTP extension. Note that such modification of the header might affect later validation of the header upon delivery; for example, a hash of the header would produce a different result. This might be a valid cause for some operators to skip this delete operation. 8. Header Field with Multiple Recipients Numerous issues arise when using the header field form of this extension, particularly when multiple recipients are specified for a - single message resulting in one multiple fields each with a distinct + single message resulting in multiple fields each with a distinct address and timestamp. Because of the nature of SMTP, a message bearing a multiplicity of Require-Recipient-Valid-Since header fields could result in a single delivery attempt for multiple recipients (in particular, if two of the recipients are handled by the same server), and if any one of them fails the test, the delivery fails to all of them; it then becomes necessary to do one of the following: o reject the message on completion of the DATA phase of the SMTP @@ -483,60 +506,61 @@ 9. Special Use Addresses In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to request generation of DSNs, and related information to allow such reports to be maximally useful. Section 5.2.7 of that document explored the issue of the use of that extension where the recipient is a mailing list. This extension has similar concerns which are covered here following that document as a model. + For all cases described below, a receiving MTA SHOULD NOT introduce + RRVS in either form (SMTP extension or header field) if the message + did not arrive with RRVS in use. This would amount to second- + guessing of the message originator's intention and might lead to an + undesirable outcome. + 9.1. Mailing Lists Delivery to a mailing list service is considered a final delivery. Where this protocol is in use, it is evaluated as per any normal delivery: If the same mailing list has been operating in place of the specified recipient mailbox since at least the timestamp given as the RRVS parameter, the message is delivered to the list service normally, and is otherwise not delivered. It is important, however, that the participating MDA passing the message to the list service needs to omit the RRVS parameter in either form (SMTP extension or header field) when doing so. The emission of a message from the list service to its subscribers constitutes a new message not covered by the previous transaction. 9.2. Single-Recipient Aliases Upon delivery of an RRVS-protected message to an alias (acting in place of a mailbox) that results in relaying of the message to a single other destination, the usual RRVS check is performed. The - continuous ownership test here might succeed if a conventional user - inbox was replaced with an alias on behalf of that same user, and - this information is recorded someplace. If the message is thus - accepted, the relaying MTA can choose to do one of the following: - - 1. Do not include an RRVS parameter or header field when relaying to - the new address. (RECOMMENDED) - - 2. If the relaying system records the time when the alias was - established, independent of confirming the validity of the new - destination address, it MAY add an RRVS parameter for the new - target address that includes that time. + continuous ownership test here might succeed if, for example, a + conventional user inbox was replaced with an alias on behalf of that + same user, and the time when this was done is recorded in a way that + can be queried by the relaying MTA. - 3. If an explicit confirmation of the new destination was done, it - MAY add an RRVS parameter for the new target address that - includes that time. + If the relaying system also performs some kind of step where + ownership of the new destination address is confirmed, it SHOULD + apply RRVS using the later of that timestamp and the one that was + used inbound. This also allows for changes to the alias without + disrupting the protection offered by RRVS. - There is risk and additional administrative burden associated with - all but the first option in that list which are believed to make them - not worth pursuing. + If the relaying system has no such time records related to the new + destination address, the RRVS SMTP extension is not used on the + relaying SMTP session, and the header field relative to the local + alias is removed, in accordance with Section 5. 9.3. Multiple-Recipient Aliases Upon delivery of an RRVS-protected message to an alias (acting in place of a mailbox) that results in relaying of the message to multiple other destinations, the usual RRVS check is performed as in Section 9.2. The MTA expanding such an alias then decides which of the options enumerated in that section is to be applied for each new recipient. @@ -789,21 +814,21 @@ significantly greater threats to users than the other. Automatically generated mail is often used to convey authentication credentials that can potentially provide access to extremely sensitive information. Supplying such credentials to the wrong party after a mailbox ownership change could allow the previous owner's data to be exposed without his or her authorization or knowledge. In contrast, the information that may be exposed to a third party via the proposal in this document is limited to information about the mailbox history. Given that MSPs have chosen to allow transfers of mailbox ownership without the prior owner's involvement, the information leakage from - the extensions specified here creates far fewer risks than the + the extensions specified here creates far lower overall risk than the potential for delivering mail to the wrong party. 15.2. Envelope Recipients The email To and Cc header fields are not required to be populated with addresses that match the envelope recipient set, and Cc may even be absent. However, the algorithm in Section 3 requires that this header field contain a match for an envelope recipient in order to be actionable. As such, use of this specification can reveal some or all of the original intended recipient set to any party that can see