draft-ietf-uta-mta-sts-15.txt   draft-ietf-uta-mta-sts-16.txt 
Using TLS in Applications D. Margolis Using TLS in Applications D. Margolis
Internet-Draft M. Risher Internet-Draft M. Risher
Intended status: Standards Track Google, Inc Intended status: Standards Track Google, Inc
Expires: October 6, 2018 B. Ramakrishnan Expires: November 3, 2018 B. Ramakrishnan
Yahoo!, Inc Yahoo!, Inc
A. Brotman A. Brotman
Comcast, Inc Comcast, Inc
J. Jones J. Jones
Microsoft, Inc Microsoft, Inc
April 4, 2018 May 2, 2018
SMTP MTA Strict Transport Security (MTA-STS) SMTP MTA Strict Transport Security (MTA-STS)
draft-ietf-uta-mta-sts-15 draft-ietf-uta-mta-sts-16
Abstract Abstract
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a
mechanism enabling mail service providers to declare their ability to mechanism enabling mail service providers to declare their ability to
receive Transport Layer Security (TLS) secure SMTP connections, and receive Transport Layer Security (TLS) secure SMTP connections, and
to specify whether sending SMTP servers should refuse to deliver to to specify whether sending SMTP servers should refuse to deliver to
MX hosts that do not offer TLS with a trusted server certificate. MX hosts that do not offer TLS with a trusted server certificate.
Status of This Memo Status of This Memo
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 6, 2018. This Internet-Draft will expire on November 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 30 skipping to change at page 3, line 30
o whether MTAs sending mail to this domain can expect PKIX- o whether MTAs sending mail to this domain can expect PKIX-
authenticated TLS support authenticated TLS support
o what a conforming client should do with messages when TLS cannot o what a conforming client should do with messages when TLS cannot
be successfully negotiated be successfully negotiated
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. These "OPTIONAL" in this document are to be interpreted as described in
words may also appear in this document in lowercase, absent their [BCP 14] [RFC2119] [RFC8174] when, and only when, they appear in all
normative meanings. capitals, as shown here.
We also define the following terms for further use in this document: We also define the following terms for further use in this document:
o MTA-STS Policy: A commitment by the Policy Domain to support PKIX o MTA-STS Policy: A commitment by the Policy Domain to support PKIX
[RFC5280] authenticated TLS for the specified MX hosts. [RFC5280] authenticated TLS for the specified MX hosts.
o Policy Domain: The domain for which an MTA-STS Policy is defined. o Policy Domain: The domain for which an MTA-STS Policy is defined.
This is the next-hop domain; when sending mail to This is the next-hop domain; when sending mail to
"alice@example.com" this would ordinarily be "example.com", but "alice@example.com" this would ordinarily be "example.com", but
this may be overridden by explicit routing rules (as described in this may be overridden by explicit routing rules (as described in
skipping to change at page 7, line 36 skipping to change at page 7, line 36
sts-policy-version-field = %s"version" sts-policy-version-field = %s"version"
sts-policy-version-value = %s"STSv1" sts-policy-version-value = %s"STSv1"
sts-policy-mode = sts-policy-mode-field field-delim sts-policy-mode = sts-policy-mode-field field-delim
sts-policy-mode-value sts-policy-mode-value
sts-policy-mode-field = %s"mode" sts-policy-mode-field = %s"mode"
sts-policy-model-value = %s"testing" / %s"enforce" / %s"none" sts-policy-mode-value = %s"testing" / %s"enforce" / %s"none"
sts-policy-mx = sts-policy-mx-field field-delim sts-policy-mx = sts-policy-mx-field field-delim
sts-policy-mx-value sts-policy-mx-value
sts-policy-mx-field = %s"mx" sts-policy-mx-field = %s"mx"
sts-policy-mx-value = 1*(ALPHA / DIGIT / "_" / "-" / ".") sts-policy-mx-value = 1*(ALPHA / DIGIT / "_" / "-" / ".")
sts-policy-max-age = sts-policy-max-age-field field-delim sts-policy-max-age = sts-policy-max-age-field field-delim
sts-policy-max-age-value sts-policy-max-age-value
skipping to change at page 8, line 11 skipping to change at page 8, line 11
sts-policy-max-age-value = 1*10(DIGIT) sts-policy-max-age-value = 1*10(DIGIT)
sts-policy-extension = sts-policy-ext-name ; additional sts-policy-extension = sts-policy-ext-name ; additional
field-delim ; extension field-delim ; extension
sts-policy-ext-value ; fields sts-policy-ext-value ; fields
sts-policy-ext-name = (ALPHA / DIGIT) sts-policy-ext-name = (ALPHA / DIGIT)
*31(ALPHA / DIGIT / "_" / "-" / ".") *31(ALPHA / DIGIT / "_" / "-" / ".")
sts-policy-ext-value = 1*(%x21-3A / %x3C / %x3E-7E) sts-policy-ext-value = 1*(%x21-3A / %x3C / %x3E-7E)
; chars, excluding "=", ";", SP, and ; chars, excluding control chars
; control chars
Parsers MUST accept TXT records and policy files which are Parsers MUST accept TXT records and policy files which are
syntactically valid (i.e. valid key/value pairs separated by semi- syntactically valid (i.e. valid key/value pairs separated by semi-
colons for TXT records) and but containing additional key/value pairs colons for TXT records) and but containing additional key/value pairs
not specified in this document, in which case unknown fields SHALL be not specified in this document, in which case unknown fields SHALL be
ignored. If any non-repeated field--i.e. all fields excepting "mx"-- ignored. If any non-repeated field--i.e. all fields excepting "mx"--
is duplicated, all entries except for the first SHALL be ignored. If is duplicated, all entries except for the first SHALL be ignored. If
any field is not specified, the policy SHALL be treated as invalid. any field is not specified, the policy SHALL be treated as invalid.
3.3. HTTPS Policy Fetching 3.3. HTTPS Policy Fetching
skipping to change at page 19, line 7 skipping to change at page 19, line 7
One approach commonly employed by Web browsers to help mitigate One approach commonly employed by Web browsers to help mitigate
against some of these attacks is to allow for revocation of against some of these attacks is to allow for revocation of
compromised or fraudulent certificates via OCSP [RFC6960] or CRLs compromised or fraudulent certificates via OCSP [RFC6960] or CRLs
[RFC6818]. Such mechanisms themselves represent tradeoffs and are [RFC6818]. Such mechanisms themselves represent tradeoffs and are
not universally implemented; we nonetheless recommend implementors of not universally implemented; we nonetheless recommend implementors of
MTA-STS to implement revocation mechanisms which are most applicable MTA-STS to implement revocation mechanisms which are most applicable
to their implementations. to their implementations.
11. Contributors 11. Contributors
Nicolas Lidzborski Google, Inc nlidz (at) google (dot com)
Wei Chuang Google, Inc weihaw (at) google (dot com) Wei Chuang Google, Inc weihaw (at) google (dot com)
Viktor Dukhovni ietf-dane (at) dukhovni (dot org)
Markus Laber 1&1 Mail & Media Development & Technology GmbH
markus.laber (at) 1und1 (dot de)
Nicolas Lidzborski Google, Inc nlidz (at) google (dot com)
Brandon Long Google, Inc blong (at) google (dot com) Brandon Long Google, Inc blong (at) google (dot com)
Franck Martin LinkedIn, Inc fmartin (at) linkedin (dot com) Franck Martin LinkedIn, Inc fmartin (at) linkedin (dot com)
Klaus Umbach 1&1 Mail & Media Development & Technology GmbH Klaus Umbach 1&1 Mail & Media Development & Technology GmbH
klaus.umbach (at) 1und1 (dot de) klaus.umbach (at) 1und1 (dot de)
Markus Laber 1&1 Mail & Media Development & Technology GmbH
markus.laber (at) 1und1 (dot de)
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-uta-smtp-tlsrpt] [I-D.ietf-uta-smtp-tlsrpt]
Margolis, D., Brotman, A., Ramakrishnan, B., Jones, J., Margolis, D., Brotman, A., Ramakrishnan, B., Jones, J.,
and M. Risher, "SMTP TLS Reporting", draft-ietf-uta-smtp- and M. Risher, "SMTP TLS Reporting", draft-ietf-uta-smtp-
tlsrpt-17 (work in progress), March 2018. tlsrpt-18 (work in progress), April 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, DOI 10.17487/RFC3207, Transport Layer Security", RFC 3207, DOI 10.17487/RFC3207,
February 2002, <https://www.rfc-editor.org/info/rfc3207>. February 2002, <https://www.rfc-editor.org/info/rfc3207>.
[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in Applications for Internationalized Domain Names in Applications
(IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003, (IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003,
<https://www.rfc-editor.org/info/rfc3492>. <https://www.rfc-editor.org/info/rfc3492>.
skipping to change at page 20, line 32 skipping to change at page 20, line 42
[RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF",
RFC 7405, DOI 10.17487/RFC7405, December 2014, RFC 7405, DOI 10.17487/RFC7405, December 2014,
<https://www.rfc-editor.org/info/rfc7405>. <https://www.rfc-editor.org/info/rfc7405>.
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
2015, <https://www.rfc-editor.org/info/rfc7525>. 2015, <https://www.rfc-editor.org/info/rfc7525>.
12.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 12.2. Informative References
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005, RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>. <https://www.rfc-editor.org/info/rfc4033>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008, <https://www.rfc- DOI 10.17487/RFC5322, October 2008, <https://www.rfc-
editor.org/info/rfc5322>. editor.org/info/rfc5322>.
 End of changes. 13 change blocks. 
22 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/