Diff of draft-ietf-uta-smtp-tlsrpt-22.txt against draft-ietf-uta-smtp-tlsrpt-23.txt
(lines that differ between the two drafts are marked [-22] and [-23])

Using TLS in Applications                                     D. Margolis
Internet-Draft                                                Google, Inc
Intended status: Standards Track                               A. Brotman
[-22] Expires: November 24, 2018                              Comcast, Inc
[-23] Expires: December 16, 2018
                                                          B. Ramakrishnan
                                                              Yahoo!, Inc
                                                                 J. Jones
                                                           Microsoft, Inc
                                                                M. Risher
                                                              Google, Inc
[-22] May 23, 2018
[-23] June 14, 2018

                           SMTP TLS Reporting
           draft-ietf-uta-smtp-tlsrpt-22 / draft-ietf-uta-smtp-tlsrpt-23
Abstract

   A number of protocols exist for establishing encrypted channels
   between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA, and
   MTA-STS.  These protocols can fail due to misconfiguration or active
   attack, leading to undelivered messages or delivery over unencrypted
   or unauthenticated channels.  This document describes a reporting
   mechanism and format by which sending systems can share statistics
   and specific information about potential failures with recipient

   skipping to change at page 1, line 46

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   [-22] This Internet-Draft will expire on November 24, 2018.
   [-23] This Internet-Draft will expire on December 16, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 3, line 5

     5.3.  Email Transport . . . . . . . . . . . . . . . . . . . . .  16
       5.3.1.  Example Report  . . . . . . . . . . . . . . . . . . .  17
     5.4.  HTTPS Transport . . . . . . . . . . . . . . . . . . . . .  18
     5.5.  Delivery Retry  . . . . . . . . . . . . . . . . . . . . .  19
     5.6.  Metadata Variances  . . . . . . . . . . . . . . . . . . .  19
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  19
     6.1.  Message headers . . . . . . . . . . . . . . . . . . . . .  19
     6.2.  Report Type . . . . . . . . . . . . . . . . . . . . . . .  19
     6.3.  +gzip Media Type Suffix . . . . . . . . . . . . . . . . .  20
     6.4.  application/tlsrpt+json Media Type  . . . . . . . . . . .  21
     6.5.  application/tlsrpt+gzip Media Type  . . . . . . . . . . .  22 (-22) / 23 (-23)
     6.6.  STARTTLS Validation Result Types  . . . . . . . . . . . .  24
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  24
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  26
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  26
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  26
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  28
     9.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  29
   Appendix A.  Example Reporting Policy . . . . . . . . . . . . . .  30
     A.1.  Report using MAILTO . . . . . . . . . . . . . . . . . . .  30
     A.2.  Report using HTTPS  . . . . . . . . . . . . . . . . . . .  30
   skipping to change at page 20, line 21

   o  one or more registered media-types that can be used with this
      report-type

   o  the document containing the registration action

   o  an optional comment

   The initial entries are:

   Report-Type: tlsrpt
   Media Type: application/tlsrpt+gzip, application/tlsrpt+json
   [-22] Registered By: [I-D.ietf-uta-smtp-tlsrpt]
   [-23] Registered By: [RFCXXXX]
   [-22] Comment: Media types suitable for use with this report-type are
         defined in Sections 6.4 and 6.5 of [I-D.ietf-uta-smtp-tlsrpt]
   [-23] Comment: Media types suitable for use with this report-type are
         defined in Sections 6.4 and 6.5 of [RFCXXXX]

   Report-Type: disposition-notification
   Media Type: message/disposition-notification
   Registered By: [RFC8098] Section 10

   Report-Type: disposition-notification
   Media Type: message/global-disposition-notification
   Registered By: [RFC6533] Section 6

   Report-Type: delivery-status
   Media Type: message/delivery-status
   Registered By: [RFC3464] Appendix D

   Report-Type: delivery-status
   Media Type: message/global-delivery-status
   Registered By: [RFC6533] Section 6

   (In -23 the fields of each entry are run together into a single
   paragraph; the -22 one-field-per-line layout is kept above.)

6.3.  +gzip Media Type Suffix

   This document registers a new media type suffix "+gzip".  The GZIP
   format is a public domain, cross-platform, interoperable file storage
   and transfer format, specified in [RFC1952]; it supports compression
   and is used as the underlying representation by a variety of file
   formats.  The media type "application/gzip" has been registered for
   such files.  The suffix "+gzip" MAY be used with any media type whose
   representation follows that established for "application/gzip".  The

   skipping to change at page 21, line 28

      For cases defined in +gzip, where the fragment identifier does
      not resolve per the +gzip rules, then process as specified in
      "xxx/yyy+gzip".

      For cases not defined in +gzip, then process as specified in
      "xxx/yyy+gzip".

   Interoperability considerations: n/a
   [-22] Security considerations: GZIP format doesn't provide encryption.
         See also security considerations of [RFC6713].  Each individual
         media type registered with a +gzip suffix can have additional
         security considerations

   [-23] Security considerations: GZIP format doesn't provide
         confidentiality protection.  Integrity protection is provided by
         an Adler-32 checksum, which is not cryptographically strong.  See
         also security considerations of [RFC6713].  Each individual media
         type registered with a +gzip suffix can have additional security
         considerations.  Additionally, GZIP objects can contain multiple
         files and associated paths.  File paths must be validated when
         the files are extracted; a malicious file path could otherwise
         cause the extractor to overwrite application or system files.
   Contact: art@ietf.org

   Author/Change controller: Internet Engineering Task Force
   (mailto:iesg@ietf.org).
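As an added example that is not part of the draft, a Python receiver for application/tlsrpt+gzip bodies that applies the +gzip security considerations of Section 6.3: it inflates under a size cap, lets zlib verify each member's trailer, reduces any embedded FNAME to a basename instead of trusting it as a path, and walks concatenated members. The 5 MiB cap, the function names and the constructed sample report are assumptions.

```python
import json
import os
import struct
import zlib

def gzip_member_name(data):
    """Parse the RFC 1952 header at data[0:] and return its FNAME field, or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member")
    flg, pos = data[3], 10
    if flg & 0x04:  # FEXTRA: 2-byte length, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # FNAME (zero-terminated, entirely sender controlled) is present only if bit 3 is set
    return data[pos:data.index(b"\x00", pos)].decode("latin-1") if flg & 0x08 else None

def safe_filename(name):
    """Reduce an embedded FNAME to a bare basename so it cannot escape a directory."""
    base = os.path.basename(name.replace("\\", "/"))
    return base if base not in ("", ".", "..") else "report.json"

def decode_tlsrpt_gzip(payload, max_bytes=5 * 1024 * 1024):  # assumed 5 MiB cap
    """Inflate all members of an application/tlsrpt+gzip body under a size cap."""
    out, names, rest = bytearray(), [], payload
    while rest:
        names.append(safe_filename(gzip_member_name(rest) or "report.json"))
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        out += d.decompress(rest, max_bytes + 1 - len(out))  # never inflate unbounded
        if len(out) > max_bytes:
            raise ValueError("decompressed size exceeds cap (possible decompression bomb)")
        if not d.eof:  # zlib has also verified the CRC-32/ISIZE trailer by this point
            raise ValueError("truncated gzip member")
        rest = d.unused_data  # any further concatenated members
    return names, bytes(out)

def load_tlsrpt_report(payload):
    """Return (safe member names, parsed JSON report) for a +gzip report body."""
    names, raw = decode_tlsrpt_gzip(payload)
    report = json.loads(raw.decode("utf-8"))
    return names, report

def make_gzip_member(name, body):
    """Constructed sample builder: one gzip member with a caller-chosen FNAME."""
    hdr = b"\x1f\x8b\x08\x08" + b"\x00" * 4 + b"\x00\x03" + name.encode("latin-1") + b"\x00"
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE body
    trailer = struct.pack("<II", zlib.crc32(body) & 0xFFFFFFFF, len(body) & 0xFFFFFFFF)
    return hdr + c.compress(body) + c.flush() + trailer

# Constructed sample: a minimal report whose FNAME attempts directory traversal.
SAMPLE = make_gzip_member("../../etc/passwd", b'{"report-id": "constructed-1"}')
```

A tampered trailer surfaces as zlib.error and an over-cap body as ValueError, so a receiver can log and discard either without ever touching the filesystem with the sender's path.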
6.4.  application/tlsrpt+json Media Type

   This document registers multiple media types, beginning with Table 1
   below.

   skipping to change at page 26, line 25 (-22) / line 27 (-23)
   commonly used in an operating system release that is centered in a
   certain region.  The risk may be minimal, but should be considered.
9.  References

9.1.  Normative References

   [I-D.ietf-uta-mta-sts]
              Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A.,
              and J. Jones, "SMTP MTA Strict Transport Security (MTA-
              STS)", [-22] draft-ietf-uta-mta-sts-17 / [-23] draft-ietf-
              uta-mta-sts-19 (work in progress), May 2018.

   [RFC1952]  Deutsch, P., "GZIP file format specification version 4.3",
              RFC 1952, DOI 10.17487/RFC1952, May 1996,
              <https://www.rfc-editor.org/info/rfc1952>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

End of changes.  12 change blocks.  26 lines changed or deleted, 26 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/