| rfc7281.txt | rfc7281_AM-fix.txt |
|---|---|
| skipping to change at page 2, line 11 | skipping to change at page 2, line 11 |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. | to this document. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 |
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 |
| 3. "smime" Authentication Method . . . . . . . . . . . . . . . . 2 | 3. "smime" Authentication Method . . . . . . . . . . . . . . . . 2 |
| 3.1. S/MIME Results . . . . . . . . . . . . . . . . . . . . . 2 | 3.1. S/MIME Results . . . . . . . . . . . . . . . . . . . . . 2 |
| 3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Email Authentication Parameters for S/MIME . . . . . . . 4 |
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 3.2.1. body.smime-part . . . . . . . . . . . . . . . . . . . 4 |
| 4.1. body.smime-part . . . . . . . . . . . . . . . . . . . . . 8 | 3.2.2. body.smime-identifier . . . . . . . . . . . . . . . . 4 |
| | 3.2.3. body.smime-serial and body.smime-issuer . . . . . . . 4 |
| | 3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 5 |
| | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 |
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 |
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 |
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 9 |
| 6.2. Informative References . . . . . . . . . . . . . . . . . 9 | 6.2. Informative References . . . . . . . . . . . . . . . . . 10 |
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 |
| 1. Introduction | 1. Introduction |
| [RFC7001] specifies the Authentication-Results header field for | [RFC7001] specifies the Authentication-Results header field for |
| conveying results of message authentication checks. As S/MIME | conveying results of message authentication checks. As S/MIME |
| signature verification (and alteration) is sometimes implemented in | signature verification (and alteration) is sometimes implemented in |
| border message transfer agents, guards, and gateways (for example, | border message transfer agents, guards, and gateways (for example, |
| see [RFC3183]), there is a need to convey signature verification | see [RFC3183]), there is a need to convey signature verification |
| status to Mail User Agents (MUAs) and downstream filters. This | status to Mail User Agents (MUAs) and downstream filters. This |
| skipping to change at page 4, line 7 | skipping to change at page 4, line 7 |
| subjectAltName in the signing certificate matches the domain in the | subjectAltName in the signing certificate matches the domain in the |
| address of the sender of the message (value of the Sender header | address of the sender of the message (value of the Sender header |
| field, if present; value of the From header field otherwise), thus | field, if present; value of the From header field otherwise), thus |
| making third-party signatures unacceptable. [RFC5751] advises that | making third-party signatures unacceptable. [RFC5751] advises that |
| if a message fails verification, it should be treated as an unsigned | if a message fails verification, it should be treated as an unsigned |
| message. A report of "fail" here permits the receiver of the report | message. A report of "fail" here permits the receiver of the report |
| to decide how to handle the failure. A report of "neutral" or "none" | to decide how to handle the failure. A report of "neutral" or "none" |
| preempts that choice, ensuring that the message will be treated as if | preempts that choice, ensuring that the message will be treated as if |
| it had not been signed. | it had not been signed. |
| 3.2. Examples | 3.2. Email Authentication Parameters for S/MIME |
| | This document defines several new authentication parameters for |
| | conveying S/MIME related information, such as location of an S/MIME |
| | signature and identity associated with the entity that signed the |
| | message or one of its body parts. |
| | 3.2.1. body.smime-part |
| | body.smime-part contains the MIME body part reference that contains |
| | the S/MIME signature. The syntax of this property is described by |
| | the smime-part ABNF production below. application/pkcs7-signature or |
| | application/pkcs7-mime (containing SignedData) media type body parts |
| | are referenced using the <section> syntax (see Section 6.4.5 of |
| | [RFC3501]). If the signature being verified is encapsulated by |
| | another Cryptographic Message Syntax (CMS) content type (e.g., |
| | application/pkcs7-mime containing EnvelopedData, which contains |
| | SignedData), such an inner signature body part can be referenced |
| | using "section[/section..." syntax. |
| | smime-part = section ["/" smime-subpart] |
| | smime-subpart = smime-part |
| | section = <Defined in Section 6.4.5 of [RFC3501]> |
| | 3.2.2. body.smime-identifier |
| | body.smime-identifier contains the email address [RFC5322] associated |
| | with the S/MIME signature referenced in the corresponding body.smime- |
| | part. The email address can be specified explicitly in the signer's |
| | X.509 certificate or derived from the identity of the signer. Note |
| | that this email address can correspond to a countersignature. |
| | 3.2.3. body.smime-serial and body.smime-issuer |
| | body.smime-serial contains the serialNumber of the X.509 certificate |
| | associated with the S/MIME signature (see Section 4.1.2.2 of |
| | [RFC5280]) referenced in the corresponding body.smime-part. |
| | body.smime-issuer contains the Issuer name DN (e.g. |
| | "CN=CA1,ST=BC,c=CA") of the X.509 certificate associated with the S/ |
| | MIME signature (see section 4.1.2.4 of [RFC5280]) referenced in the |
| | corresponding body.smime-part. |
| | Either both or neither of body.smime-serial and body.smime-issuer |
| | should be present in an Authentication-Results header field. |
| | body.smime-serial and body.smime-issuer are used for cases when |
| | body.smime-identifier (email address) can't be derived by the entity |
| | adding the corresponding Authentication-Results header field. For |
| | example, this can be used when gatewaying from X.400. |
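The following is an added example, not code from the RFC or its authors, showing how a consumer of these reports (an MUA or a downstream filter) would parse the smime resinfo, check the body.smime-part syntax against the ABNF in Section 3.2.1 (with `section` expanded per RFC 3501), enforce the "both or neither" rule for body.smime-serial and body.smime-issuer from Section 3.2.3, and apply the Section 3.1 reading of "fail" versus "neutral"/"none". The sample header values are constructed (the first is modelled on the example in Section 3.3); the simplified Authentication-Results tokenizer, the "pass" result code (defined in Section 3.1 of the RFC but not visible in this excerpt), the serial value and the `evaluate` helper's output format are this example's own assumptions.

```python
"""Consumer-side handling of "smime" Authentication-Results (added example, not RFC code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# ABNF from Section 3.2.1, with <section> expanded per RFC 3501, Section 6.4.5
# (section-part = nz-number *("." nz-number)):
#   smime-part    = section ["/" smime-subpart]
#   smime-subpart = smime-part
_SECTION = r"[1-9][0-9]*(?:\.[1-9][0-9]*)*"
_SMIME_PART_RE = re.compile(rf"^{_SECTION}(?:/{_SECTION})*$")

# Result codes of the "smime" method (Section 3.1 of RFC 7281).
SMIME_RESULTS = {"none", "pass", "fail", "policy", "neutral", "temperror", "permerror"}

# One CFWS comment; assumption of this example: comments do not nest.
_COMMENT_RE = re.compile(r"\(([^()]*)\)")


def parse_smime_part(value: str) -> list:
    """Return the chain of MIME section references, outermost first.

    "2"     -> [(2,)]
    "1.2/1" -> [(1, 2), (1,)]   SignedData nested inside the CMS body part 1.2
    Raises ValueError for anything the ABNF does not permit ("0", "2.", "2/").
    """
    if not _SMIME_PART_RE.match(value):
        raise ValueError(f"invalid body.smime-part: {value!r}")
    return [tuple(int(n) for n in sec.split(".")) for sec in value.split("/")]


@dataclass
class SmimeResult:
    result: str                                  # one of SMIME_RESULTS
    reason: Optional[str]                        # comment following the result, if any
    props: dict = field(default_factory=dict)    # e.g. {"body.smime-part": "2"}


def parse_authentication_results(value: str) -> tuple:
    """Return (authserv-id, [SmimeResult, ...]) for one header field value.

    Simplifications (assumptions of this example): resinfo blocks are split on
    ';' (so ';' may not occur inside comments) and property values contain no
    whitespace, which holds for the body.smime-* properties.
    """
    blocks = [b.strip() for b in " ".join(value.split()).split(";") if b.strip()]
    authserv_id = blocks[0].split()[0]          # authserv-id, optionally followed by a version
    results = []
    for resinfo in blocks[1:]:
        comments = [c.strip() for c in _COMMENT_RE.findall(resinfo)]
        tokens = _COMMENT_RE.sub(" ", resinfo).split()
        method, _, result = tokens[0].partition("=")
        if method.split("/")[0] != "smime":     # "method/version" form; other methods ignored
            continue
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key] = val.strip('"')         # pvalue may be a quoted-string
        results.append(SmimeResult(result, comments[0] if comments else None, props))
    return authserv_id, results


def check_properties(r: SmimeResult) -> list:
    """Return the problems found with the result and its body.smime-* properties."""
    problems = []
    if r.result not in SMIME_RESULTS:
        problems.append(f"unknown smime result {r.result!r}")
    part = r.props.get("body.smime-part")
    if part is not None:
        try:
            parse_smime_part(part)
        except ValueError as exc:
            problems.append(str(exc))
    # Section 3.2.3: either both or neither of serial and issuer.
    if ("body.smime-serial" in r.props) != ("body.smime-issuer" in r.props):
        problems.append("body.smime-serial and body.smime-issuer must appear together")
    return problems


def disposition(r: SmimeResult) -> str:
    """Section 3.1 reading of the result code, from the report consumer's side."""
    if r.result in ("none", "neutral"):
        return "unsigned"     # the report pre-empts the choice: treat as unsigned
    if r.result == "fail":
        return "failed"       # the receiver decides how to handle the failure
    if r.result == "pass":
        return "signed"
    return "other"            # policy / temperror / permerror: local policy decides


def evaluate(header_value: str, local_authserv_id: str) -> list:
    """Summarise the smime results a receiver may act on (empty if the
    authserv-id is not ours: RFC 7001 covers forged Authentication-Results)."""
    authserv_id, results = parse_authentication_results(header_value)
    if authserv_id != local_authserv_id:
        return []
    summary = []
    for r in results:
        signer = r.props.get("body.smime-identifier")
        if signer is None and "body.smime-issuer" in r.props:   # X.400 gateway case
            signer = f"{r.props['body.smime-issuer']} serial {r.props.get('body.smime-serial')}"
        summary.append({"result": r.result, "reason": r.reason,
                        "part": r.props.get("body.smime-part"), "signer": signer,
                        "problems": check_properties(r), "disposition": disposition(r)})
    return summary


# Constructed sample header values; the first is modelled on the Section 3.3 example.
SAMPLE_FAIL = ("example.net;\n  smime=fail (certificate is revoked by CRL)\n"
               "  body.smime-identifier=aliceDss@example.com\n  body.smime-part=2")
SAMPLE_GATEWAY = ("example.net;\n  smime=pass body.smime-part=1.2/1\n"
                  '  body.smime-serial=1234 body.smime-issuer="CN=CA1,ST=BC,c=CA"')
SAMPLE_BROKEN = "example.net; smime=pass body.smime-part=0 body.smime-serial=1234"

if __name__ == "__main__":
    for sample in (SAMPLE_FAIL, SAMPLE_GATEWAY, SAMPLE_BROKEN):
        for entry in evaluate(sample, "example.net"):
            print(entry)
```

Running the module prints one summary per smime resinfo: the first sample yields a "failed" disposition with the revocation reason and signer `aliceDss@example.com`, the gateway sample identifies the signer by issuer DN and serial, and the broken sample reports both an invalid body.smime-part ("0" is not an nz-number) and a lone body.smime-serial. A header whose authserv-id is not the local one is ignored entirely, which is the first check any consumer of this field should make.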
| | 3.3. Examples |
| Return-Path: <aliceDss@example.com> | Return-Path: <aliceDss@example.com> |
| Authentication-Results: example.net; | Authentication-Results: example.net; |
| smime=fail (certificate is revoked by CRL) | smime=fail (certificate is revoked by CRL) |
| body.smime-identifier=aliceDss@example.com | body.smime-identifier=aliceDss@example.com |
| body.smime-part=2 | body.smime-part=2 |
| Received: from ietfa.example.com (localhost [IPv6:::1]) | Received: from ietfa.example.com (localhost [IPv6:::1]) |
| by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0; | by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0; |
| Fri, 06 Sep 2002 00:35:14 -0700 (PDT) | Fri, 06 Sep 2002 00:35:14 -0700 (PDT) |
| MIME-Version: 1.0 | MIME-Version: 1.0 |
| To: User2@example.com | To: User2@example.com |
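Review bot: In the new Section 3.2.3 (right column), "Either both or neither of body.smime-serial and body.smime-issuer should be present in an Authentication-Results header field" reads as a normative requirement but uses lowercase "should"; given Section 2 ("Conventions Used in This Document"), state it with an explicit RFC 2119 keyword ("MUST both be present or both be absent", or a deliberate SHOULD) so an implementer knows whether a lone body.smime-serial is a malformed field or merely discouraged. Two consistency points in the same subsection: "see section 4.1.2.4 of [RFC5280]" should read "Section 4.1.2.4" to match "Section 4.1.2.2" a sentence earlier, and "(e.g. "CN=CA1,ST=BC,c=CA")" wants the "e.g.," form used in Section 3.2.1.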
| skipping to change at page 6, line 21 | skipping to change at page 7, line 21 |
| +------+----------+-------+------------+----------------+-------+------+ | +------+----------+-------+------------+----------------+-------+------+ |
| |Method| Defined | ptype | Property | Value |Status | Ver- | | |Method| Defined | ptype | Property | Value |Status | Ver- | |
| | | in | | | | | sion | | | | in | | | | | sion | |
| +------+----------+-------+------------+----------------+-------+------+ | +------+----------+-------+------------+----------------+-------+------+ |
| | smime| [RFC5751]| body | smime-part | A reference to |active | 1 | | | smime| [RFC5751]| body | smime-part | A reference to |active | 1 | |
| | | | | | the MIME body | | | | | | | | | the MIME body | | | |
| | | | | | part that | | | | | | | | | part that | | | |
| | | | | | contains the | | | | | | | | | contains the | | | |
| | | | | | signature, as | | | | | | | | | signature, as | | | |
| | | | | | defined in | | | | | | | | | defined in | | | |
| | | | | | Section 4.1 of | | | | | | | | | Section 3.2.1 | | | |
| | | | | | [RFC7281]. | | | | | | | | | of [RFC7281]. | | | |
| | | | | | | | | | | | | | | | | | |
| | smime| [RFC5751]| body | smime- | The email |active | 1 | | | smime| [RFC5751]| body | smime- | The email |active | 1 | |
| | | | | identifier | address | | | | | | | | identifier | address | | | |
| | | | | | [RFC5322] | | | | | | | | | [RFC5322] | | | |
| | | | | | associated | | | | | | | | | associated | | | |
| | | | | | with the | | | | | | | | | with the | | | |
| | | | | | S/MIME | | | | | | | | | S/MIME | | | |
| | | | | | signature. | | | | | | | | | signature. | | | |
| | | | | | The email | | | | | | | | | The email | | | |
| | | | | | address can be | | | | | | | | | address can be | | | |
| skipping to change at page 7, line 20 | skipping to change at page 8, line 21 |
| | | | | | certificate | | | | | | | | | certificate | | | |
| | | | | | associated | | | | | | | | | associated | | | |
| | | | | | with the | | | | | | | | | with the | | | |
| | | | | | S/MIME | | | | | | | | | S/MIME | | | |
| | | | | | signature (see | | | | | | | | | signature (see | | | |
| | | | | | Section | | | | | | | | | Section | | | |
| | | | | | 4.1.2.4 of | | | | | | | | | 4.1.2.4 of | | | |
| | | | | | [RFC5280]. | | | | | | | | | [RFC5280]. | | | |
| +------+----------+-------+------------+----------------+-------+------+ | +------+----------+-------+------------+----------------+-------+------+ |
| Either both or neither of body.smime-serial and body.smime-issuer | |
| should be present in an Authentication-Results header field. | |
| body.smime-serial and body.smime-issuer are used for cases when | |
| body.smime-identifier (email address) can't be derived by the entity | |
| adding the corresponding Authentication-Results header field. For | |
| example, this can be used when gatewaying from X.400. | |
| IANA has added the following entries to the "Email Authentication | IANA has added the following entries to the "Email Authentication |
| Result Names" sub-registry of the "Email Authentication Parameters" | Result Names" sub-registry of the "Email Authentication Parameters" |
| registry: | registry: |
| +-----------+-----------+----------+-----------------------+--------+ | +-----------+-----------+----------+-----------------------+--------+ |
| | Code | Defined | Auth | Meaning | Status | | | Code | Defined | Auth | Meaning | Status | |
| | | | Method | | | | | | | Method | | | |
| +-----------+-----------+----------+-----------------------+--------+ | +-----------+-----------+----------+-----------------------+--------+ |
| | none | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | | none | [RFC7281] | smime | [RFC7281] Section 3.1 | active | |
| | | | | | | | | | | | | | |
| skipping to change at page 8, line 5 | skipping to change at page 8, line 44 |
| | | | | | | | | | | | | | |
| | policy | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | | policy | [RFC7281] | smime | [RFC7281] Section 3.1 | active | |
| | | | | | | | | | | | | | |
| | neutral | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | | neutral | [RFC7281] | smime | [RFC7281] Section 3.1 | active | |
| | | | | | | | | | | | | | |
| | temperror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | | temperror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | |
| | | | | | | | | | | | | | |
| | permerror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | | permerror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | |
| +-----------+-----------+----------+-----------------------+--------+ | +-----------+-----------+----------+-----------------------+--------+ |
| 4.1. body.smime-part | |
| body.smime-part contains the MIME body part reference that contains | |
| the S/MIME signature. The syntax of this property is described by | |
| the smime-part ABNF production below. application/pkcs7-signature or | |
| application/pkcs7-mime (containing SignedData) media type body parts | |
| are referenced using the <section> syntax (see Section 6.4.5 of | |
| [RFC3501]). If the signature being verified is encapsulated by | |
| another Cryptographic Message Syntax (CMS) content type (e.g., | |
| application/pkcs7-mime containing EnvelopedData, which contains | |
| SignedData), such an inner signature body part can be referenced | |
| using "section[/section..." syntax. | |
| smime-part = section ["/" smime-subpart] | |
| smime-subpart = smime-part | |
| section = <Defined in Section 6.4.5 of [RFC3501]> | |
| 5. Security Considerations | 5. Security Considerations |
| This document doesn't add new security considerations not already | This document doesn't add new security considerations not already |
| covered by [RFC7001] and [RFC5751]. In particular, security | covered by [RFC7001] and [RFC5751]. In particular, security |
| considerations related to the use of weak cryptography over | considerations related to the use of weak cryptography over |
| plaintext, weakening and breaking of cryptographic algorithms over | plaintext, weakening and breaking of cryptographic algorithms over |
| time, and changing the behavior of message processing based on | time, and changing the behavior of message processing based on |
| presence of a signature specified in [RFC5751] are relevant to this | presence of a signature specified in [RFC5751] are relevant to this |
| document. Similarly, the following security considerations specified | document. Similarly, the following security considerations specified |
| in [RFC7001] are particularly relevant to this document: Forged | in [RFC7001] are particularly relevant to this document: Forged |

End of changes. 6 change blocks. 31 lines changed or deleted; 61 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/