idnits 2.17.00 (12 Aug 2021) /tmp/idnits54909/draft-ietf-dmarc-arc-multi-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (September 10, 2018) is 1349 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 241 == Outdated reference: draft-ietf-dmarc-arc-protocol has been published as RFC 8617 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DMARC Working Group K. Andersen 3 Internet-Draft LinkedIn 4 Intended status: Experimental S. Blank, Ed. 5 Expires: March 14, 2019 ValiMail 6 J. Levine, Ed. 7 Taughannock Networks 8 September 10, 2018 10 Using Multiple Signing Algorithms with the ARC (Authenticated Received 11 Chain) Protocol 12 draft-ietf-dmarc-arc-multi-02 14 Abstract 16 The Authenticated Received Chain (ARC) protocol creates a mechanism 17 whereby a series of handlers of an email message can conduct 18 authentication of the email message as it passes among them on the 19 way to its destination. 21 Initial development of ARC has been done with a single allowed 22 signing algorithm, but RFC 8463 has expanded the supported 23 algorithms. This specification defines how to extend ARC for 24 multiple signing algorithms. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on March 14, 2019. 43 Copyright Notice 45 Copyright (c) 2018 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 3. Definitions and Terminology . . . . . . . . . . . . . . . . . 3 63 4. Supporting Alternate Signing Algorithms . . . . . . . . . . . 3 64 5. General Approach . . . . . . . . . . . . . . . . . . . . . . 3 65 5.1. Signers . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 5.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 4 67 6. Phases of Algorithm Evolution . . . . . . . . . . . . . . . . 4 68 6.1. Introductory Period . . . . . . . . . . . . . . . . . . . 4 69 6.2. Co-Existence Period . . . . . . . . . . . . . . . . . . . 4 70 6.3. Deprecation Period . . . . . . . . . . . . . . . . . . . 4 71 6.4. Obsolescence Period . . . . . . . . . . . . . . . . . . . 4 72 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4 73 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 74 9. Security Considerations . . . . . . . . . . . . . . . . . . . 5 75 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 76 10.1. Normative References . . . . . . . . . . . . . . . . . . 5 77 10.2. Informative References . . . . . . . . . . . . . . . . . 5 78 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6 79 Appendix B. Comments and Feedback . . . . . . . . . . . . . . . 6 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 82 1. Introduction 84 The Authenticated Received Chain (ARC) protocol adds a traceable 85 chain of signatures that cover the handling of an email message 86 through a chain of intermediary handlers. 88 Initial development of ARC has been done with a single allowed 89 signing algorithm, but RFC 8463 expanded the supported algorithms. 90 This specification defines how to extend ARC for multiple signing 91 algorithms. 93 2. Overview 95 In order to phase in new signing algorithms, this specification 96 identifies how signers and validators process ARC sets found in email 97 messages. 99 3. Definitions and Terminology 101 This section defines terms used in the rest of the document. 103 The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL", 104 "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and 105 "OPTIONAL" in this document are to be interpreted as described in 106 [RFC2119]. 108 Because many of the core concepts and definitions are found in 109 [RFC5598], readers should to be familiar with the contents of 110 [RFC5598], and in particular, the potential roles of intermediaries 111 in the delivery of email and the problems [RFC7960] created by the 112 initial DMARC [RFC7489] . 114 4. Supporting Alternate Signing Algorithms 116 To enable multiple algorithms, all of the statements in the ARC spec 117 which refer to "exactly one set of ARC headers per instance" need to 118 be understood as "at least one set per instance and no more than one 119 set per instance per algorithm". 121 5. General Approach 123 5.1. Signers 125 There is a separate independent signing chain for each signing 126 algorithm. Hence, when creating an ARC signature, a signer MUST 127 include only other signatures that use the same algorithm as the 128 signature being created. 130 Wnen signing a message with no previous ARC signatures, signers MUST 131 sign using all supported algorithms. 133 A signer MUST continue the longest ARC chain(s) in a message with all 134 algorithms that it supports. That is, if at least one of the longest 135 chains uses an algorithm that a signer supports, the signer continues 136 the chain(s). If none of the longest chains in a message use an 137 algorithm supported by a signer, the signer MUST NOT extend any 138 chains, even if a shorter chain does use a supported algorithm. 140 5.2. Validators 142 A validator MUST use the longest ARC chain(s) on the message. If a 143 validator cannot interpret the signing algorithm on any of the 144 longest chains, validation fails, evven if a shorter chain does use a 145 supported algorithm. 147 If there is more than one longest chain, the overall result reported 148 can be that of of any of the validations. The result used when 149 extending an ARC chain MUST be the result from validating that chain. 151 6. Phases of Algorithm Evolution 153 6.1. Introductory Period 155 Intermediaries MUST be able to validate ARC chains built with either 156 algorithm but MAY create ARC sets with either (or both) algorithm. 158 The introductory period should be at least six (6) months. 160 6.2. Co-Existence Period 162 Intermediaries MUST be able to validate ARC chains build with either 163 algorithm and MUST create ARC sets with both algorithms. Chains 164 ending with either algorithm may be used for the result. 166 6.3. Deprecation Period 168 ARC sets built with algorithms that are being deprecated MAY be 169 considered valid within an ARC chain, however, intermediaries MUST 170 NOT create additional sets with the deprecated algorithm. 172 The deprecation period should be at least two (2) years. 174 6.4. Obsolescence Period 176 ARC sets built with algorithms that are obsolete MUST NOT be 177 considered valid within an ARC chain. Intermediaries MUST NOT create 178 any sets with any obsoleted algorithm. 180 7. Privacy Considerations 182 No unique privacy considerations are introduced by this specification 183 beyond those of the base [ARC-DRAFT] protocol. 185 8. IANA Considerations 187 No new IANA considerations are introduced by this specification. 189 9. Security Considerations 191 No new security considerations are introduced by this specification 192 beyond those of the base [ARC-DRAFT] protocol. 194 10. References 196 10.1. Normative References 198 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 199 Requirement Levels", BCP 14, RFC 2119, 200 DOI 10.17487/RFC2119, March 1997, 201 . 203 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, 204 DOI 10.17487/RFC5598, July 2009, 205 . 207 10.2. Informative References 209 [ARC-DRAFT] 210 Andersen, K., Long, B., and S. Jones, "Authenticated 211 Received Chain (ARC) Protocol (I-D-16)", n.d., 212 . 215 [RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based 216 Message Authentication, Reporting, and Conformance 217 (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015, 218 . 220 [RFC7960] Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky, 221 E., Ed., and K. Andersen, Ed., "Interoperability Issues 222 between Domain-based Message Authentication, Reporting, 223 and Conformance (DMARC) and Indirect Email Flows", 224 RFC 7960, DOI 10.17487/RFC7960, September 2016, 225 . 227 10.3. URIs 229 [1] mailto:dmarc@ietf.org 231 Appendix A. Acknowledgements 233 This draft is the work of DMARC Working Group. 235 Grateful appreciation is extended to the people who provided feedback 236 through the discuss mailing list. 238 Appendix B. Comments and Feedback 240 Please address all comments, discussions, and questions to 241 dmarc@ietf.org [1]. 243 Authors' Addresses 245 Kurt Andersen 246 LinkedIn 247 1000 West Maude Ave 248 Sunnyvale, California 94085 249 US 251 Email: kurta@linkedin.com 253 Seth Blank (editor) 254 ValiMail 255 Montgomery 256 San Francisco, California 257 US 259 Email: seth@valimail.com 261 John Levine (editor) 262 Taughannock Networks 263 PO Box 727 264 Trumansburg, New York 265 US 267 Email: standards@taugh.com