draft-ietf-uta-mta-sts-16.txt   draft-ietf-uta-mta-sts-17.txt 
Using TLS in Applications D. Margolis Using TLS in Applications D. Margolis
Internet-Draft M. Risher Internet-Draft M. Risher
Intended status: Standards Track Google, Inc Intended status: Standards Track Google, Inc
Expires: November 3, 2018 B. Ramakrishnan Expires: November 4, 2018 B. Ramakrishnan
Yahoo!, Inc Yahoo!, Inc
A. Brotman A. Brotman
Comcast, Inc Comcast, Inc
J. Jones J. Jones
Microsoft, Inc Microsoft, Inc
May 2, 2018 May 3, 2018
SMTP MTA Strict Transport Security (MTA-STS) SMTP MTA Strict Transport Security (MTA-STS)
draft-ietf-uta-mta-sts-16 draft-ietf-uta-mta-sts-17
Abstract Abstract
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a
mechanism enabling mail service providers to declare their ability to mechanism enabling mail service providers to declare their ability to
receive Transport Layer Security (TLS) secure SMTP connections, and receive Transport Layer Security (TLS) secure SMTP connections, and
to specify whether sending SMTP servers should refuse to deliver to to specify whether sending SMTP servers should refuse to deliver to
MX hosts that do not offer TLS with a trusted server certificate. MX hosts that do not offer TLS with a trusted server certificate.
Status of This Memo Status of This Memo
skipping to change at page 2, line 21 skipping to change at page 2, line 21
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Related Technologies . . . . . . . . . . . . . . . . . . . . 3 2. Related Technologies . . . . . . . . . . . . . . . . . . . . 3
3. Policy Discovery . . . . . . . . . . . . . . . . . . . . . . 4 3. Policy Discovery . . . . . . . . . . . . . . . . . . . . . . 4
3.1. MTA-STS TXT Records . . . . . . . . . . . . . . . . . . . 4 3.1. MTA-STS TXT Records . . . . . . . . . . . . . . . . . . . 4
3.2. MTA-STS Policies . . . . . . . . . . . . . . . . . . . . 5 3.2. MTA-STS Policies . . . . . . . . . . . . . . . . . . . . 5
3.3. HTTPS Policy Fetching . . . . . . . . . . . . . . . . . . 8 3.3. HTTPS Policy Fetching . . . . . . . . . . . . . . . . . . 8
3.4. Policy Selection for Smart Hosts and Subdomains . . . . . 9 3.4. Policy Selection for Smart Hosts and Subdomains . . . . . 9
4. Policy Validation . . . . . . . . . . . . . . . . . . . . . . 9 4. Policy Validation . . . . . . . . . . . . . . . . . . . . . . 10
4.1. MX Certificate Validation . . . . . . . . . . . . . . . . 10 4.1. MX Certificate Validation . . . . . . . . . . . . . . . . 10
5. Policy Application . . . . . . . . . . . . . . . . . . . . . 11 5. Policy Application . . . . . . . . . . . . . . . . . . . . . 11
5.1. Policy Application Control Flow . . . . . . . . . . . . . 11 5.1. Policy Application Control Flow . . . . . . . . . . . . . 11
6. Reporting Failures . . . . . . . . . . . . . . . . . . . . . 12 6. Reporting Failures . . . . . . . . . . . . . . . . . . . . . 12
7. Interoperability Considerations . . . . . . . . . . . . . . . 12 7. Interoperability Considerations . . . . . . . . . . . . . . . 12
7.1. SNI Support . . . . . . . . . . . . . . . . . . . . . . . 12 7.1. SNI Support . . . . . . . . . . . . . . . . . . . . . . . 12
7.2. Minimum TLS Version Support . . . . . . . . . . . . . . . 13 7.2. Minimum TLS Version Support . . . . . . . . . . . . . . . 13
8. Operational Considerations . . . . . . . . . . . . . . . . . 13 8. Operational Considerations . . . . . . . . . . . . . . . . . 13
8.1. Policy Updates . . . . . . . . . . . . . . . . . . . . . 13 8.1. Policy Updates . . . . . . . . . . . . . . . . . . . . . 13
8.2. Policy Delegation . . . . . . . . . . . . . . . . . . . . 13 8.2. Policy Delegation . . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 7, line 9 skipping to change at page 7, line 9
mode: enforce mode: enforce
mx: mail.example.com mx: mail.example.com
mx: .example.net mx: .example.net
mx: backupmx.example.com mx: backupmx.example.com
max_age: 123456 max_age: 123456
The formal definition of the policy resource, defined using The formal definition of the policy resource, defined using
[RFC7405], is as follows: [RFC7405], is as follows:
sts-policy-record = sts-policy-field *WSP sts-policy-record = sts-policy-field *WSP
*(CRLF sts-policy-field *WSP) *(sts-policy-term sts-policy-field *WSP)
[CRLF] [sts-policy-term]
sts-policy-field = sts-policy-version / ; required once sts-policy-field = sts-policy-version / ; required once
sts-policy-mode / ; required once sts-policy-mode / ; required once
sts-policy-max-age / ; required once sts-policy-max-age / ; required once
0*(sts-policy-mx *WSP CRLF) / sts-policy-mx /
; required at least once, except when ; required at least once, except when
; mode is "none" ; mode is "none"
sts-policy-extension ; other fields sts-policy-extension ; other fields
field-delim = ":" *WSP field-delim = ":" *WSP
sts-policy-version = sts-policy-version-field field-delim sts-policy-version = sts-policy-version-field field-delim
sts-policy-version-value sts-policy-version-value
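Review bot: the `sts-policy-field` alternation (`sts-policy-version / sts-policy-mode / sts-policy-max-age / sts-policy-mx / sts-policy-extension`) together with the `*(sts-policy-term sts-policy-field *WSP)` repetition in `sts-policy-record` cannot express the cardinalities its comments state ("required once", "required at least once, except when mode is "none""), so the grammar on its own accepts a file with no `version` line, two `mode` lines, or `mode: enforce` with no `mx`; the -16 form `0*(sts-policy-mx *WSP CRLF)` had the same gap. That is acceptable as long as the prose after the grammar stays normative for it (later duplicates of non-repeated fields ignored, missing fields make the policy invalid, the mode-dependent `mx` requirement), but one sentence beside the ABNF saying the grammar is deliberately permissive and that cardinality is checked as the text describes would stop implementers from treating the comments as the only rule. A consequence of moving the line terminator out of the `mx` rule: `sts-policy-record` now permits at most one trailing `sts-policy-term` and no empty line between fields, so a policy file that ends with a blank line (two terminators) is syntactically invalid; if that is intended, say so, because it is a likely interop surprise.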
skipping to change at page 8, line 10 skipping to change at page 8, line 10
sts-policy-max-age-value = 1*10(DIGIT) sts-policy-max-age-value = 1*10(DIGIT)
sts-policy-extension = sts-policy-ext-name ; additional sts-policy-extension = sts-policy-ext-name ; additional
field-delim ; extension field-delim ; extension
sts-policy-ext-value ; fields sts-policy-ext-value ; fields
sts-policy-ext-name = (ALPHA / DIGIT) sts-policy-ext-name = (ALPHA / DIGIT)
*31(ALPHA / DIGIT / "_" / "-" / ".") *31(ALPHA / DIGIT / "_" / "-" / ".")
sts-policy-ext-value = 1*(%x21-3A / %x3C / %x3E-7E) sts-policy-term = CRLF / LF
; chars, excluding control chars
sts-policy-ext-value = sts-policy-vchar
[*(%x20 / sts-policy-vchar)
sts-policy-vchar]
; chars, including UTF-8 [RFC3629],
; excluding CTLs and no
; leading/trailing spaces
sts-policy-vchar = %x21-7E / UTF8-2 / UTF8-3 / UTF8-4
Parsers MUST accept TXT records and policy files which are Parsers MUST accept TXT records and policy files which are
syntactically valid (i.e. valid key/value pairs separated by semi- syntactically valid (i.e. valid key/value pairs separated by semi-
colons for TXT records) and but containing additional key/value pairs colons for TXT records) and but containing additional key/value pairs
not specified in this document, in which case unknown fields SHALL be not specified in this document, in which case unknown fields SHALL be
ignored. If any non-repeated field--i.e. all fields excepting "mx"-- ignored. If any non-repeated field--i.e. all fields excepting "mx"--
is duplicated, all entries except for the first SHALL be ignored. If is duplicated, all entries except for the first SHALL be ignored. If
any field is not specified, the policy SHALL be treated as invalid. any field is not specified, the policy SHALL be treated as invalid.
3.3. HTTPS Policy Fetching 3.3. HTTPS Policy Fetching
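Review bot: `sts-policy-vchar` now references `UTF8-2`, `UTF8-3` and `UTF8-4`, but those rule names are only alluded to in a comment ("including UTF-8 [RFC3629]"); the grammar needs an explicit statement that they are imported from [RFC3629], otherwise it contains undefined rules. The value range also widened: -16's `%x21-3A / %x3C / %x3E-7E` excluded `;` (%x3B) and `=` (%x3D), while -17's `%x21-7E` admits both. That is harmless in the newline-delimited policy file, but the paragraph that follows says TXT-record key/value pairs are semicolon-separated, so please confirm that the TXT-record grammar (not in this diff) does not reuse this value rule. Two smaller points: `sts-policy-term = CRLF / LF` accepts a bare LF but not a bare CR (which `sts-policy-vchar = %x21-7E` also rejects), which looks intended and could be stated in one sentence; and the context paragraph reads "and but containing additional key/value pairs", where "and" should be dropped.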
skipping to change at page 25, line 12 skipping to change at page 25, line 12
Email: risher (at) google (dot com) Email: risher (at) google (dot com)
Binu Ramakrishnan Binu Ramakrishnan
Yahoo!, Inc Yahoo!, Inc
Email: rbinu (at) yahoo-inc (dot com) Email: rbinu (at) yahoo-inc (dot com)
Alexander Brotman Alexander Brotman
Comcast, Inc Comcast, Inc
Email: alex_brotman (at) comcast (dot com) Email: alex_brotman@comcast.com
Janet Jones Janet Jones
Microsoft, Inc Microsoft, Inc
Email: janet.jones (at) microsoft (dot com) Email: janet.jones (at) microsoft (dot com)
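Review bot: the contact block is now inconsistent: Alexander Brotman's address changed from the `alex_brotman (at) comcast (dot com)` form to a plain `alex_brotman@comcast.com`, while the other three authors keep the `(at) ... (dot com)` obfuscation. Use one style for all four addresses; mixing them reads as an accidental edit.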
 End of changes. 8 change blocks. 
10 lines changed or deleted 18 lines changed or added
