<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?rfc toc="yes"?> <?rfc rfcedstyle="yes"?> <?rfc subcompact="no"?> <?rfc symrefs="yes"?> <?rfc comments="yes" ?> <?rfc inline="yes" ?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-acme-email-smime-14" number="8823" obsoletes="" updates="" submissionType="IETF" category="info"docName='draft-ietf-acme-email-smime-14'>consensus="true" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.5.0 --> <front> <title abbrev="ACME for S/MIME"> Extensions to Automatic Certificate Management Environment forend-userEnd-User S/MIMEcertificatesCertificates </title> <seriesInfo name="RFC" value="8823"/> <author initials="A." surname="Melnikov" fullname="Alexey Melnikov"> <organization>Isode Ltd</organization> <address> <postal> <street>14 Castle Mews</street><city>Hampton</city> <region>Middlesex</region><city>Hampton, Middlesex</city> <code>TW12 2NP</code><country>UK</country><country>United Kingdom</country> </postal> <email>alexey.melnikov@isode.com</email> </address> </author> <date year="2021" month="April" /> <keyword>ACME</keyword> <keyword>S/MIME</keyword> <abstract> <t> This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for use by email users that want to use S/MIME. </t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t> ACME <xreftarget="RFC8555"/>target="RFC8555" format="default"/> is a mechanism for automating certificate management on the Internet. It enables administrative entities to prove effective control over resources like domain names, and it automates the process of generating and issuing certificates. </t> <t> This document describes an extension to ACME for use by S/MIME. <xreftarget="smime"/>target="smime" format="default"/> defines extensions for issuing end-user S/MIME <xreftarget="RFC8550"/>target="RFC8550" format="default"/> certificates. </t> <t> This document aims to supportboth: <list style='numbers'> <t>Aboth:</t> <ol spacing="normal" type="1"> <li>A Mail User Agent (MUA)whichthat has a built-in ACME clientwhichthat is aware of the extension described in this document. (We will call such MUAs "ACME-email-aware".) Such an MUA can present a niceUser Interfaceuser interface to the user and automate certificateissuance.</t> <t>Aissuance.</li> <li>An MUAwhichthat is not ACME aware, with a separate ACME client implemented in acommand linecommand-line tool or as a part of a website. While S/MIME certificate issuance is not going to be as painless as in the case of the ACME-email-aware MUA, the extra burden on a user is going to beminimal.</t> </list> </t> <!-- <t> </t> -->minimal.</li> </ol> </section> <sectiontitle="Conventionsnumbered="true" toc="default"> <name>Conventions Used in ThisDocument"> <t>TheDocument</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xreftarget="RFC2119"/>.</t>target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <sectiontitle="Useanchor="smime" numbered="true" toc="default"> <name>Use of ACME forissuing end-userIssuing End-User S/MIMEcertificates" anchor="smime">Certificates</name> <t> ACME <xreftarget="RFC8555"/>target="RFC8555" format="default"/> defines a "dns"Identifier Typeidentifier type that is used to verify that a particular entity has control over a domain or specific service associated with the domain. In order to be able to issue end-user S/MIME certificates, ACME needs a newIdentifier Typeidentifier type that proves ownership of an email address. </t> <t> This document defines a newIdentifier Type "email"identifier type, "email", which corresponds to an email address. The address can be all ASCII <xreftarget="RFC5321"/>target="RFC5321" format="default"/> or internationalized <xreftarget="RFC6531"/>;target="RFC6531" format="default"/>; when an internationalized email address is used, the domain part can contain both U-labels and A-labels <xreftarget="RFC5890"/>.target="RFC5890" format="default"/>. This can be used with S/MIME orotheranother similar service that requires possession of a certificate tied to an email address. </t> <t> Any identifier of type "email" in a newOrder requestMUST NOT<bcp14>MUST NOT</bcp14> have a wildcard ("*") character in its value. </t> <t> A new challengetype "email-reply-00"type, "email-reply-00", is used with the "email"Identifier Type,identifier type, which provides proof that an ACME client has control over an email address. </t><!--///Alexey: Describe how the process described below is updated if multiple email addresses are specified in a single newOrder request!--><t> The process ofissingissuing an S/MIME certificate works as follows. Note that the ACME client can be a standalone application (if the MUA is not ACME-email-aware) or can be a component of the MUA.<list style='numbers'> <t>An end-user</t> <ol spacing="normal" type="1"> <li>An end user initiates issuance of an S/MIME certificate for one ofhertheir email addresses. This might be done by using an email client UI, by running acommand linecommand-line tool, by visiting aCertificate Authoritycertificate authority web page, etc.<!--The following might not actually work: or by sending an email to a well known Certificate Authority's email address-->This document doesn't prescribe a specific UI used to initiate S/MIME certificate issuance or where the ACME client is located.</t> <t></li> <li> The ACME-email-aware client component begins the certificate issuance process by sending a POST request to the server's newOrder resource, including the identifier of type "email". SeeSection 7.4 of<xreftarget='RFC8555'/>target="RFC8555" sectionFormat="of" section="7.4"/> for more details.</t></li> <li> <t> The ACMEserver<!--(run by the Certificate Authority or their authorized third party)-->server responds to the POST request, including an "authorizations" URL for the requested email address. The ACME client then retrieves information about the corresponding "email-reply-00"challengechallenge, as specified inSection 7.5 of<xreftarget='RFC8555'/>.target="RFC8555" sectionFormat="of" section="7.5"/>. The "token" field of the corresponding challenge object (from the "challenges" array) contains token-part2. token-part2 should contain at least 128 bits of entropy. The "type" field of the challenge object is "email-reply-00". The challenge object<!--///Also say something about unique from email address per challenge?-->also contains the "from" field, with the email address that would be used in the From header field of the "challenge" email message (see the next step).<list style="empty"> <t> <figure><artwork> An</t> <t>An exampleChallengechallenge object might look likethis:this:</t> <sourcecode type=""><![CDATA[ { "type": "email-reply-00", "url": "https://example.com/acme/chall/ABprV_B7yEyA4f", "from": "acme-challenge+2i211oi1204310@example.com", "token": "DGyRejmCefe7v4NfDGDKfA" }</artwork></figure> </t> </list> </t> <t>]]></sourcecode> </li> <li> After responding to the authorizationrequestrequest, the ACME server generates another token and a "challenge" email message with the subject "ACME: <token-part1>", where <token-part1> is thebase64url encodedbase64url-encoded <xreftarget="RFC4648"/>target="RFC4648" format="default"/> form of the token. The ACME serverMUST<bcp14>MUST</bcp14> generate a fresh token for each S/MIME issuance request (authorization request), and token-part1MUST<bcp14>MUST</bcp14> contain at least 128 bits of entropy. The "challenge" email message structure is described in more details in <xreftarget="acme-smime-challenge-email"/>. </t> <t>target="acme-smime-challenge-email" format="default"/>. </li> <li> The MUA retrieves and parses the "challenge" email message. If the MUA is ACME-email-aware, it ignores any "challenge" email that is not expected,e.g.e.g., if there is no ACME certificate issuance pending. The ACME-email-aware MUA also ignores any "challenge" email that has the Subject header fieldwhichthat indicates that it is an email reply,e.g.e.g., a subject starting with the reply prefix "Re:".</t> <t></li> <li> The ACME client concatenates "token-part1" (received over email) and "token-part2" (received over HTTPS <xreftarget="RFC2818"/>)target="RFC2818" format="default"/>) to create the ACME"token","token" and calculates keyAuthorization (as perSection 8.1 of<xreftarget="RFC8555"/>), thentarget="RFC8555" sectionFormat="of" section="8.1"/>). Then, it returns thebase64url encodedbase64url-encoded SHA-256 digest <xreftarget="FIPS180-4"/>target="RFC6234" format="default"/> of the key authorization. The MUA returns thebase64url encodedbase64url-encoded SHA-256 digest obtained from the ACME client in the body of a "response" email message. The "response" email message structure is described in more details in <xreftarget="acme-smime-response-email"/>.target="acme-smime-response-email" format="default"/>. If the MUA is ACME-email-aware, itMUST NOT<bcp14>MUST NOT</bcp14> respond to the same "challenge" email more than once.</t> <t></li> <li> Once the MUA sends the "response" email, the ACME client notifies the ACME server by POST to the challenge URL ("url" field).</t> <t></li> <li> The ACME client can start polling the authorization URL (using POST-as-GET requests) to see if the ACME server received and validated the "response" email message. (SeeSection 7.5.1 of<xreftarget="RFC8555"/>target="RFC8555" sectionFormat="of" section="7.5.1"/> for more details.) If the "status" field of the challenge switches to "valid", then the ACME client can proceed with request finalization. The Certificate Signing Request (CSR)MUST<bcp14>MUST</bcp14> indicate the exact same set of requested identifiers as the initial newOrder request. For an identifier of type "email", the PKCS#10 <xreftarget="RFC2986"/>target="RFC2986" format="default"/> CSRMUST<bcp14>MUST</bcp14> contain the requested email address<!--either in the commonName portion of the requested subject name, or-->in an extensionRequest attribute <xreftarget="RFC2985"/>target="RFC2985" format="default"/> requesting a subjectAltName extension.SuchThe email addressMUST<bcp14>MUST</bcp14> also match the From header field value of the "response" email message.</t> <t></li> <li> In order to request generation ofsigning onlysigning-only orencryption onlyencryption-only S/MIME certificates (as opposed to requesting generation of S/MIME certificates suitable for both), the CSR needs to include the key usage extension (seeSection 4.4.2 of<xreftarget="RFC8550"/>.target="RFC8550" sectionFormat="of" section="4.4.2"/>). This is described in more details in <xreftarget="acme-smime-sign-or-encrypt-only"/>. </t> <t>target="acme-smime-sign-or-encrypt-only" format="default"/>. </li> <li> If a request to finalize an order is successful, the ACME server will return a 200 (OK) with an updated order object.<!--///Add text about downloading the certificate?-->If the certificate is issued successfully,i.e.i.e., if the order "status" is "valid", then the ACME client can download the issued S/MIME certificate from the URL specified in the "certificate" field.</t> </list> </t> <!-- On receiving a response,</li> </ol> <section anchor="acme-smime-challenge-email" numbered="true" toc="default"> <name>ACME "Challenge" Email</name> <t> A "challenge" email message <bcp14>MUST</bcp14> have theserver constructs and storesfollowing structure: </t> <ol spacing="normal" type="1"> <li> The Subject header field has thekey authorization fromfollowing syntax: "ACME: <token-part1>", where thechallenge "token" valueprefix "ACME:" is followed by folding white space (FWS; see <xref target="RFC5322" format="default"/>) and then by <token-part1>, which is thecurrent client account key. To validate a DNS challenge, the server performs the following steps: 1. Compute the SHA-256 digest [FIPS180-4]base64url-encoded first part of thestored key authorization 2. Query for TXT records for the validation domain name 3. VerifyACME token thatthe contents of one of the TXT records match the digest value If all of the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the validation fails. --> <!-- <figure title="Figure 1"> <preamble> For example, if the ACME client were to respond to the "email-reply-00" challenge, it would send the following request to the ACME server: </preamble> <artwork><![CDATA[ POST /acme/authz/asdf/0 HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/asdf/0" }), "payload": base64url({ "type": "email-reply-00", "keyAuthorization": "IlirfxKKXA...vb29HhjjLPSggQiE" }), "signature": "7cbg5JO1Gf5YLjjF...SpkUfcdPai9uVYYU" } ]]></artwork> <postamble>Note that "..." in keyAuthorization and signature attributes above denote omitted part of base64 data.</postamble> </figure> --> <section title="ACME challenge email" anchor="acme-smime-challenge-email"> <t> A "challenge" email message MUST have the following structure: <list style='numbers'> <t> The message Subject header field has the following syntax: "ACME: <token-part1>", where the prefix "ACME:" is followed by folding white space (FWS, see <xref target='RFC5322'/>) and then by <token-part1>, which is the base64url encoded first part of the ACME token that MUST be at least 128 bits long after decoding. <!--Alternative to allow for arbitrary prefix, if needed: The message Subject header field has the following syntax: "<prefix>ACME: <token-part1>", where the optional prefix <prefix> contain any text (it SHOULD be omitted), which is then followed by the literal string "ACME:", which in turn is followed by a folding white space (FWS, see <xref target='RFC5322'/>) and then by <token-part1> is the base64url encoded first part of the ACME token that MUST be at least 128 bits long after decoding. --> Due to<bcp14>MUST</bcp14> be at least 128 bits long after decoding. Due to the recommended 78-octetline lengthline-length limit in <xreftarget='RFC5322'/>,target="RFC5322" format="default"/>, the subject line can be folded, sowhitespaceswhite spaces (if any) within the <token-part1>MUST<bcp14>MUST</bcp14> be ignored. <xreftarget='RFC2231'/>target="RFC2231" format="default"/> encoding of themessageSubject header fieldMUST<bcp14>MUST</bcp14> be supported,andand, when used, only the "UTF-8" and "US-ASCII" charsets areallowed:allowed; other charsetsMUST NOT<bcp14>MUST NOT</bcp14> be used. The US-ASCII charsetSHOULD<bcp14>SHOULD</bcp14> be used.</t> <t></li> <li> The From header fieldMUST<bcp14>MUST</bcp14> be the same email address as specified in the "from" field of thechallangechallenge object.</t> <t></li> <li> The To header fieldMUST<bcp14>MUST</bcp14> be the email address of the entity that requested the S/MIME certificate to begenerated.</t> <t>Thegenerated.</li> <li>The messageMAY<bcp14>MAY</bcp14> contain a Reply-To and/or CC headerfields.</t> <t>field.</li> <li> The messageMUST<bcp14>MUST</bcp14> include the"Auto-Submitted: auto-generated"Auto-Submitted header field with the value "auto-generated" <xreftarget="RFC3834"/>.target="RFC3834" format="default"/>. To aid in debugging(and in(and, for someimplementationsimplementations, to make automated processingeasier)easier), the"Auto-Submitted"Auto-Submitted header fieldSHOULD<bcp14>SHOULD</bcp14> include the "type=acme" parameter. ItMAY<bcp14>MAY</bcp14> include other optionalparametersparameters, as allowed by the syntax of the Auto-Submitted headerfield.</t>field.</li> <li> <t> In order to prove authenticity of a challenge message, itMUST<bcp14>MUST</bcp14> be signed using eitherDKIMDomainKeys Identified Mail (DKIM) <xreftarget="RFC6376"/>target="RFC6376" format="default"/> or S/MIME <xreftarget="RFC8551"/>. <!--Alexey: James suggested that PGP/MIME can also be used here. This might be introduced in a later version, but for simplicity there are only 2 options right now.--> <list style='bullets'> <t>target="RFC8551" format="default"/>. </t> <ul spacing="normal"> <li> If DKIM signing is used, the resulting DKIM-Signature header fieldMUST<bcp14>MUST</bcp14> contain the "h=" tag that includes at least"From", "Sender", "Reply-To", "To", "CC", "Subject", "Date", "In-Reply-To", "References", "Message-ID", "Auto-Submitted", "Content-Type",the From, Sender, Reply-To, To, CC, Subject, Date, In-Reply-To, References, Message-ID, Auto-Submitted, Content-Type, and"Content-Transfer-Encoding"Content-Transfer-Encoding header fields. The DKIM-Signature header field's "h=" tagSHOULD<bcp14>SHOULD</bcp14> also include"Resent-Date", "Resent-From", "Resent-To", "Resent-Cc", "List-Id", "List-Help", "List-Unsubscribe", "List-Subscribe", "List-Post", "List-Owner", "List-Archive"the Resent-Date, Resent-From, Resent-To, Resent-Cc, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive, and"List-Unsubscribe-Post"List-Unsubscribe-Post header fields.<!--The following is basically strict identifier alignment for DKIM from the DMARC spec:-->The domain from the "d=" tag of the DKIM-Signature header fieldMUST<bcp14>MUST</bcp14> be the same as the domain from the From header field of the "challenge"email<!--RFC5322.From domain-->. </t> <t> <!--///Alexey: Say something about how TA for the S/MIME cert should relate to the TA used for issuing the end user S/MIME certificate.-->email. </li> <li> If S/MIME signing is used, the certificate corresponding to the signerMUST<bcp14>MUST</bcp14> have an rfc822Name subjectAltName extension with the value equal to the From header field email address of the "challenge" email.</t> </list> </t> <t></li> </ul> </li> <li> The body of the challenge message is not used for automated processing, so it can be any media type.(However(However, there are extra requirements on S/MIME signing, if used. See below.)TypicallyTypically, it is text/plain or text/html containing a human-readable explanation of the purpose of the message. If S/MIME signing is used to prove authenticity of the challenge message, then the multipart/signed or "application/pkcs7-mime; smime-type=signed-data;" media type should be used. Either way, itMUST<bcp14>MUST</bcp14> use S/MIME header protection.<!--/////Add a ref in the future--> </t> </list> </t></li> </ol> <t> An email client compliant with this specification that detects that a particular "challenge" email fails the validation described aboveMUST<bcp14>MUST</bcp14> ignore the challenge and thus will not generateanya "response" email. To aid indebuggingdebugging, such failed validationsSHOULD<bcp14>SHOULD</bcp14> be logged. </t><figure title="Figure 1"> <preamble> An<t keepWithNext="true"> Here is an example of an ACME "challenge" email (notethatthat, forsimplicity DKIM relatedsimplicity, DKIM-related header fields are not included).</preamble> <artwork> <![CDATA[</t> <figure> <artwork name="" type="" align="left" alt=""><![CDATA[ Auto-Submitted: auto-generated; type=acme Date: Sat, 5 Dec 2020 10:08:55 +0100 Message-ID: <A2299BB.FF7788@example.org> From: acme-generator@example.org To: alexey@example.com Subject: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME= Content-Type: text/plain MIME-Version: 1.0 This is an automatically generated ACME challenge for email address "alexey@example.com". If you haven't requested an S/MIME certificate generation for this email address, be very afraid. If you did request it, your email client might be able to process this request automatically, or you might have to paste the first token part into an external program. ]]></artwork><postamble></postamble></figure> <t keepWithPrevious="true"/> </section> <sectiontitle="ACME response email" anchor="acme-smime-response-email">anchor="acme-smime-response-email" numbered="true" toc="default"> <name>ACME "Response" Email</name> <t> A valid "response" email messageMUST<bcp14>MUST</bcp14> have the following structure:<list style='numbers'> <!--Original: <t> The message Subject header field has the following syntax: "<Reply-prefix> ACME: <token-part1>", where <Reply-prefix> is typically the reply prefix "Re:" and the string "ACME:" is preceded and followed by folding white space (FWS, see <xref target='RFC5322'/>) and then by <token-part1>. <token-part1> is the base64url encoded first part of the ACME token (as received in the ACME challenge) that MUST be at least 128 bits long after decoding. Due to recommended 78 octet line length limit in <xref target='RFC5322'/>, the subject line can be folded, so whitespaces (if any) within the <token-part1> MUST be ignored. <xref target='RFC2231'/> encoding of the Subject header field MUST be supported, and when used, only the "UTF-8" and "US-ASCII" charsets are allowed: other charsets MUST NOT be used. When parsing subjects, ACME servers must decode <xref target='RFC2231'/> encoding (if any) and then they can ignore any prefix before the "ACME:" label.</t>--> <t><ol spacing="normal" type="1"> <li> ThemessageSubject header field is formed as a reply to the ACME "challenge" email (see <xreftarget="acme-smime-challenge-email"/>).target="acme-smime-challenge-email" format="default"/>). Its syntax is the same as that of the challenge message except that it may be prefixed by a US-ASCII reply prefix (typically "Re:") andfolding white space (FWS, seeFWS (see <xreftarget="RFC5322"/>),target="RFC5322" format="default"/>), as is normal in reply messages. When parsing the subject, ACME serversMUST<bcp14>MUST</bcp14> decode <xreftarget='RFC2231'/>target="RFC2231" format="default"/> encoding (ifany)any), and then they can ignore any prefix before the "ACME:" label.</t> <t>The From:</li> <li>The From header field contains the email address of the user that is requesting S/MIME certificateissuance.</t> <t>The To:issuance.</li> <li>The To header field of the response contains the value from theReply-To:Reply-To header field from the challenge message (ifset) orset). Otherwise, it contains the value from theFrom:From header field of the challengemessage otherwise.</t> <t>The Cc:message.</li> <li>The Cc header field is ignored if present in the "response" emailmessage.</t> <t>The In-Reply-To:message.</li> <li>The In-Reply-To header fieldSHOULD<bcp14>SHOULD</bcp14> be set to the Message-ID header field of the challenge message according to rules inSection 3.6.4 of<xreftarget="RFC5322"/>.</t> <t>List-*target="RFC5322" sectionFormat="of" section="3.6.4"/>.</li> <li>List-* header fields <xreftarget="RFC4021"/><xref target="RFC8058"/> MUSTtarget="RFC4021" format="default"/><xref target="RFC8058" format="default"/> <bcp14>MUST</bcp14> be absent (i.e., the reply can't come from a mailinglist)</t> <!--Alexey: not needed, as the message might not be generated automatically: <t> The message MAY include the "Auto-Submitted: auto-generated" header field <xref target="RFC3834"/>. It MAY include optional parameters as allowed by syntax of Auto-Submitted header field.</t> --> <t> <!--////Should we allow either new MIME type or text/plain?--> Thelist).</li> <li> <t>The media type of the "response" email message is either text/plain or multipart/alternative <xreftarget="RFC2046"/>target="RFC2046" format="default"/>, containing text/plain as one of the alternatives. (Note that the requirement to support multipart/alternative is to allow use of ACME-unawareMUAsMUAs, which can't always generate pure text/plain,e.g.e.g., if they reply to a text/html). The text/plain body part (whether or not it is inside multipart/alternative)MUST<bcp14>MUST</bcp14> contain a block of lines starting with the line "-----BEGIN ACME RESPONSE-----", followed by one or morelinelines containing the base64url-encoded SHA-256 digest <xreftarget="FIPS180-4"/>target="RFC6234" format="default"/> of the key authorization, calculated from concatenated token-part1 (received over email) and token-part2 (received over HTTPS), as outlined in the 5th bullet in <xreftarget="smime"/>.target="smime" format="default"/>. (Note that each line of text/plain is terminated by CRLF. Bare LFs or bare CRs are not allowed.) Due to historicalline lengthline-length limitations in email, line endings (CRLFs) can be freely inserted in the middle of the encoded digest, so theyMUST<bcp14>MUST</bcp14> be ignored when processingit.)it. The final line of the encoded digest is followed by a linecontaining "-----ENDcontaining:</t> <artwork name="" type="" align="left" alt=""><![CDATA[ -----END ACMERESPONSE-----". AnyRESPONSE----- ]]></artwork> <t>Any text before and after this block is ignored. Forexampleexample, such text might explain what to do with it for ACME-unawareclients. </t> <t>Thereclients.</t> </li> <li>There is no need to use any Content-Transfer-Encoding other than 7bit for the text/plain body part. Use ofQuoted-Printablequoted-printable or base64 in a "response" email message is not necessaryand should be avoided, though it is permitted. </t> <t> <!--Can't use S/MIME signing here, as the whole pointand should be avoided, though it isto issue an S/MIME certificate for the user.-->permitted. </li> <li> In order to prove authenticity of a response message, itMUST<bcp14>MUST</bcp14> be DKIM <xreftarget="RFC6376"/>target="RFC6376" format="default"/> signed. The resulting DKIM-Signature header fieldMUST<bcp14>MUST</bcp14> contain the "h=" tag that includes at least"From", "Sender", "Reply-To", "To", "CC", "Subject", "Date", "In-Reply-To", "References", "Message-ID", "Content-Type"the From, Sender, Reply-To, To, CC, Subject, Date, In-Reply-To, References, Message-ID, Content-Type, and"Content-Transfer-Encoding"Content-Transfer-Encoding header fields.<!--Should the following just be MUSTs as well? Does it make it the list too long?-->The DKIM-Signature header field's "h=" tagSHOULD<bcp14>SHOULD</bcp14> also include"Resent-Date", "Resent-From", "Resent-To", "Resent-Cc", "List-Id", "List-Help", "List-Unsubscribe", "List-Subscribe", "List-Post", "List-Owner", "List-Archive"the Resent-Date, Resent-From, Resent-To, Resent-Cc, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive, and"List-Unsubscribe-Post"List-Unsubscribe-Post header fields. The domain from the "d=" tag of DKIM-Signature header fieldMUST<bcp14>MUST</bcp14> be the same as the domain from the From header field of the "response"email<!--RFC5322.From domain-->. </t> </list> </t> <figure title="Figure 2"> <preamble> Exampleemail. </li> </ol> <t keepWithNext="true"> Here is an example of an ACME "response" email (notethatthat, forsimplicity DKIM relatedsimplicity, DKIM-related header fields are not included).</preamble> <artwork> <![CDATA[</t> <figure> <artwork name="" type="" align="left" alt=""><![CDATA[ Date: Sat, 5 Dec 2020 12:01:45 +0100 Message-ID: <111-22222-3333333@example.com> In-Reply-To: <A2299BB.FF7788@example.org> From: alexey@example.com To: acme-generator@example.org Subject: Re: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME= Content-Type: text/plain MIME-Version: 1.0 -----BEGIN ACME RESPONSE----- LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowy jxAjEuX0= -----END ACME RESPONSE----- ]]></artwork><postamble></postamble></figure> <t keepWithPrevious="true"/> </section> <sectiontitle="Generating encryption onlyanchor="acme-smime-sign-or-encrypt-only" numbered="true" toc="default"> <name>Generating Encryption-Only orsigning onlySigning-Only S/MIMEcertificates" anchor="acme-smime-sign-or-encrypt-only">Certificates</name> <t> ACME extensions specified in this document can be used to requestsigning onlysigning-only orencryption onlyencryption-only S/MIME certificates. </t> <t> In order to requestsigning onlysigning-only S/MIMEcertificate,certificates, the CSRMUST<bcp14>MUST</bcp14> include the key usage extension with digitalSignature and/or nonRepudiation bits set and no other bits set. </t> <t><!--///What about dataEncipherment?-->In order to requestencryption onlyencryption-only S/MIMEcertificate,certificates, the CSRMUST<bcp14>MUST</bcp14> include the key usage extension with keyEncipherment or keyAgreement bits set and no other bits set. </t> <t> Presence of both of the above sets of key usage bits in the CSR,<!--///Is the following right?-->as well as absence of the key usage extension in the CSR, signals to the ACME server to issue an S/MIME certificate suitable for both signing and encryption. </t> </section> </section> <sectiontitle="Internationalization Considerations">numbered="true" toc="default"> <name>Internationalization Considerations</name> <t> <xreftarget="RFC8616"/>target="RFC8616" format="default"/> updated/clarified use of DKIM withInternationalized Emailinternationalized email addresses <xreftarget="RFC6531"/>.target="RFC6531" format="default"/>. Please consultRFC 8616<xref target="RFC8616" format="default"/> in regards to any changes that need to be implemented. </t> <t> Use ofnon ASCIInon-ASCII characters inleft handleft-hand sides ofInternationalized Emailinternationalized email addresses requires puttingInternationalized Email Addressesinternationalized email addresses in X.509Certificatescertificates <xreftarget="RFC8398"/>.target="RFC8398" format="default"/>. </t> </section> <sectiontitle="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <sectiontitle="ACMEnumbered="true" toc="default"> <name>ACME IdentifierType">Type</name> <t> IANAis requested to registerhas registered a newIdentifieridentifier type in the "ACME Identifier Types" registry defined inSection 9.7.7 of<xreftarget="RFC8555"/>target="RFC8555" sectionFormat="of" section="9.7.7"/> with Label "email" and a Reference to[RFCXXXX],this document, <xreftarget="RFC5321"/>target="RFC5321" format="default"/>, and <xreftarget="RFC6531"/>.target="RFC6531" format="default"/>. The newIdentifier Typeidentifier type corresponds to an (all ASCII) email address <xreftarget="RFC5321"/>target="RFC5321" format="default"/> orInternationalized Emailinternationalized email addresses <xreftarget="RFC6531"/>.target="RFC6531" format="default"/>. </t> </section> <sectiontitle="ACMEnumbered="true" toc="default"> <name>ACME ChallengeType">Type</name> <t> IANAis also requested to registerhas registered a new entry in the "ACME Validation Methods" registry defined inSection 9.7.8 of<xreftarget="RFC8555"/>.target="RFC8555" sectionFormat="of" section="9.7.8"/>. This entry is as follows: </t><texttable> <!-- <preamble></preamble> --> <ttcol align='center'>Label</ttcol> <ttcol align='center'>Identifier Type</ttcol> <ttcol align='center'>ACME</ttcol> <ttcol align='center'>Reference</ttcol> <c>email-reply-00</c> <c>email</c> <c>Y</c> <c>[RFCXXXX]</c> <!--<postamble></postamble>--> </texttable><table align="center"> <thead> <tr> <th align="center">Label</th> <th align="center">Identifier Type</th> <th align="center">ACME</th> <th align="center">Reference</th> </tr> </thead> <tbody> <tr> <td align="center">email-reply-00</td> <td align="center">email</td> <td align="center">Y</td> <td align="center">RFC 8823</td> </tr> </tbody> </table> </section> </section> <sectiontitle="Security Considerations" anchor="seccons">anchor="seccons" numbered="true" toc="default"> <name>Security Considerations</name> <t> Please see the Security Considerations section of <xreftarget="RFC8555"/>target="RFC8555" format="default"/> for general security considerations related to the use of ACME. This challenge/response protocol demonstrates that an entity that controls the private key (corresponding to the public key in the certificate) also controls the named email account. The ACME server is confirming that the requested email address belongs to the entity that requested the certificate, but this makes no claim to address correctness orfitness-for-purpose of the address. Itfitness for purpose. If such claims areneededneeded, they must be obtained by some other mechanism. </t> <t> The security of the "email-reply-00" challenge type depends on the security of the email system. A third party that can read and reply to user's email messages (by possessing a user's password or a secret derived from it that can give read and reply access, such as "password equivalent"information;information, or by being given permissions to act on a user's behalf using email delegationfeaturefeatures common in some email systems) can request S/MIME certificates using the protocol specified in this document and is indistinguishable from the email account owner. This has several possible implications:<list style='numbers'> <t>an</t> <ol spacing="normal" type="1"> <li>An entity that compromised an email account would be able to request S/MIME certificates using the protocol specified in thisdocumentdocument, and such entity couldn't be distinguished from the legitimate email account owner (unless some external sources of information areconsulted);</t> <t>forconsulted).</li> <li>For email addresses with legitimate shared access/control by multiple users, any such user would be able to request S/MIME certificates using the protocol specified in thisdocument anddocument; such requests can't be attributed to a specific user without consulting external systems (such as IMAP/SMTP accesslogs);</t> <t>thelogs).</li> <li>The protocol specified in this document is not suitable for use with email addresses associated with mailing lists <xreftarget="RFC5321"/>.target="RFC5321" format="default"/>. While it is not always possible to guarantee that a particular S/MIME certificate request is not from a mailing list address, prohibition on inclusion of List-* header fields helpsCertificate Issuerscertificate issuers to handle most commoncases.</t> </list> </t>cases.</li> </ol> <t> An email system in its turn depends on DNS. A third party that can manipulate DNS MX records for a domain might be able to redirect an email and can get (at least temporary) read and reply access to it. Similar considerations apply to<!--SPF and -->DKIMDKIM TXT records in DNS. Use of DNSSEC by email system administrators is recommended to avoid making it easy to spoof DNS records affecting an email system.HoweverHowever, use of DNSSEC is not ubiquitous at the time of publishing of this document, so it is not required here. Also, many existing systems that rely on verification of ownership of an emailaddress,address -- forexample 2 factorexample, 2-factor authentication systems used by banks or traditional certificate issuance systems -- send email messages to email addresses, expecting the owner to click on the link supplied in them (or to reply to a message), without requiring use of DNSSEC. So the risk of not requiring DNSSEC is presumed acceptable in this document. </t> <t> An ACME email challenge message can be forged by an attacker. As per requirements on an ACME-email-aware MUA specified in <xreftarget="smime"/>,target="smime" format="default"/>, the MUA will not respond to requests it is not expecting.<!--///Even if it does: (Ben wrote:) The From: header field value of the forged message could, of course, be forged, so this would be a potential backscatter vector, but I don't think there would be much amplification per message, and probably the client would only produce one "response" email and then try to poll the ACME order, so there would only be one forgery possible per ACME request. -->Even if the attacker causes the erroneous "response" email to go to an attacker-controlled email address, very little information is leaked -- the SHA-256 hash of the keyauthorization,authorization would be leaked, not the key authorization itself, so no parts of the token or thetheaccount key thumbprint are leaked. </t> <t> An attacker that can read the "response" email has only one chance to guess the token-part2. Even if the attacker can guess it right, it still needs to know the ACME account key to be able to make use of the intercepted SHA-256 hash of the key authorization. </t> <t> Also see the Security Considerations section of <xreftarget="RFC6376"/>target="RFC6376" format="default"/> for details on how DKIM depends on the DNS and the respective vulnerabilities this dependence has. </t> </section> </middle> <back><references title="Normative References"> <!--<?rfc include="reference.RFC.2045"?>--> <!-- MIME, part 1 --> <?rfc include="reference.RFC.2046"?> <!-- MIME, part 2 --> <?rfc include="reference.RFC.2119"?> <!-- Keywords --> <?rfc include="reference.RFC.2231"?> <!-- RFC 2231 parameter encoding --> <?rfc include="reference.RFC.2818"?> <!-- HTTPS --> <?rfc include="reference.RFC.2985"?> <!-- PKCS #9: Selected Object Classes and Attribute Types Version 2.0 --> <?rfc include="reference.RFC.2986"?> <!-- PKCS #10: Certification Request Syntax Specification --> <?rfc include="reference.RFC.3834"?> <!-- Auto-Submitted header field --> <?rfc include="reference.RFC.4648"?> <!-- base64url --> <?rfc include="reference.RFC.5321"?> <!-- SMTP --> <?rfc include="reference.RFC.5322"?> <!-- Email Format --> <?rfc include="reference.RFC.5890"?> <!-- IDNA --> <?rfc include="reference.RFC.6376"?> <!-- DKIM --> <?rfc include="reference.RFC.6531"?> <!-- Internationalized Email Addresses (SMTP Extension) --> <!--<?rfc include="reference.RFC.7208"?>--> <!-- SPF --> <!--<?rfc include="reference.RFC.7489"?>--> <!-- DMARC --> <?rfc include="reference.RFC.8398"?> <!-- Internationalized Email Addresses in X.509 Certificates --> <?rfc include="reference.RFC.8550"?> <!-- S/MIME Certificate Handling --> <?rfc include="reference.RFC.8551"?> <!-- S/MIME Message Format --> <?rfc include="reference.RFC.8555"?> <!-- ACME --> <?rfc include="reference.RFC.8616"?> <!-- Email Authentication for Internationalized Mail --> <!--Note for RFC Editor: you can use RFC 6234 reference here instead--> <reference anchor="FIPS180-4" target="https://csrc.nist.gov/publications/detail/fips/180/4/final"> <front> <title>Secure Hash Standard (SHS)</title> <author> <organization>National Institute of Standards and Technology</organization> </author> <date month="August" year="2015"/> </front> <seriesInfo name="FIPS" value="PUB 180-4"/> </reference><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2046.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2231.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2985.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3834.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5321.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5322.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5890.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6376.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6531.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8398.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8550.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8551.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8555.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8616.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4021.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8058.xml"/> </references><references title="Informative References"> <?rfc include="reference.RFC.4021"?> <!-- Registration of Mail and MIME Header Fields --> <?rfc include="reference.RFC.8058"?> <!-- Signaling One-Click Functionality for List Email Headers --></references> <sectiontitle="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>Thank you toAndreas Schulze, Gerd<contact fullname="Andreas Schulze"/>, <contact fullname="Gerd v.Egidy, JamesEgidy"/>, <contact fullname="James A.Baker, Ben Schwartz, Peter Yee, Hilarie Orman, Michael Jenkins, Barry Leiba, Fraser Tweedale, DanielBaker"/>, <contact fullname="Ben Schwartz"/>, <contact fullname="Peter Yee"/>, <contact fullname="Hilarie Orman"/>, <contact fullname="Michael Jenkins"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Fraser Tweedale"/>, <contact fullname="Daniel KahnGillmorGillmor"/>, andBenjamin Kaduk<contact fullname="Benjamin Kaduk"/> for their suggestions, comments, and correctionsonof this document.</t> </section> </back> </rfc>