Internet DRAFT - draft-santos-dkim-rcvd

draft-santos-dkim-rcvd







DKIM Working Group                                             H. Santos
Internet-Draft                                 Santronics Software, Inc.
Intended status: Experimental                             April 23, 2006
Expires: October 25, 2006


    Partial DKIM Verifier Support using a DKIM-Received Trace Header
                       draft-santos-dkim-rcvd-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 25, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   A proposal offering partial DKIM verification support to help resolve
   premature DKIM signature expiration and key revocation related
   problems associated with time shifted DKIM verifier applications.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this



Santos                  Expires October 25, 2006                [Page 1]

Internet-Draft                DKIM-Received                   April 2006


   document are to be interpreted as described in RFC 2119 [RFC2119].


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Background/Problem  . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Solution Summary: Partial Verifier Support  . . . . . . . . . . 5
   4.  How it works? . . . . . . . . . . . . . . . . . . . . . . . . . 6
   5.  Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 7
   9.  Normative References  . . . . . . . . . . . . . . . . . . . . . 7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
   Intellectual Property and Copyright Statements  . . . . . . . . . . 9



































Santos                  Expires October 25, 2006                [Page 2]

Internet-Draft                DKIM-Received                   April 2006


1.  Introduction

   DKIM [DKIM-BASE] (Domain Keys Identified Message) has a potential
   premature signature expiration timing issue related to when DKIM
   verifiers receive a message and when domain signature expire and/or
   when public keys are revoked.

   The problem is highlighted when the DKIM verifiers is outside the
   SMTP transport such as MUAs and the backend software (MDA) does not
   support DKIM.

   This document offers a proposal and solution to the problem whereby a
   MDA can offer partial DKIM verification support by adding a new trace
   header called DKIM-Received recording the DKIM domain DNS public key
   information before it expired or is revoked.


2.  Background/Problem

   Some where along the email transport topology path when sending mail
   between point A and point B, we have DKIM signer(s) and DKIM
   verifier(s).  This generalized commonly understood email topology can
   be illustrated in the following diagram:
                   --------------        --------------
           MUA --> | MSA--->MTA | -----> | MDA--->MFA | ---> MUA
                   --------------        --------------
           \____________________/        \_____________________/
               DKIM SIGNER                    DKIM VERIFIER

                   Figure 1: Typical Mail Flow Topology

   The DKIM signer may be the MUA sending the message to the MSA or
   within a MSA/MTA network signing messages on behalf of the MUA.  The
   DKIM verifier may be located at the MDA, MFA or recipient MUA.

   The MFA (Mail Filtering Agent) is a new acronym describing a
   relatively recent industry direction and practice to include anti-
   virus/spam (AVS) mail filtering processes within the MDA network.
   The MFA could be a SIEVE process, SPAM-ASSASSIN or some non-standard
   proprietary Rule Based Messaging (RBM) scripting engine.  The MFA is
   any process that is outside the SMTP transport process after the
   message is accepted by the MDA and before it is stored in the
   recipient MUA user's mail box.

   This provides us with three possible verification delays, t1, t2, and
   t3, which can promote premature signature expiration or key
   revocation timing issues depending on where the DKIM verifier is
   located:



Santos                  Expires October 25, 2006                [Page 3]

Internet-Draft                DKIM-Received                   April 2006


                --------------         -----------------
        MUA --> | MSA--->MTA | --t1--> | MDA--t2-->MFA | --t3--> MUA
                --------------         -----------------

             Figure 2: Typical Mail Flow Topology with Delays

   The latter two are time shifted applications because message
   validation is belated or delayed.

   The t1 delay is the SMTP transport time from MTA to MDA.  SMTP has a
   recommended limit of 4-5 days for a SMTP sending/retry strategy [RFC
   2821 section 4.5.4.1] [RFC2821].  DKIM has a recommended seven (7)
   day retention limit.  So for t1, there would be a low occurrence of
   premature signature expiration problems at the MDA.  The DKIM
   recommendation of seven days is sufficient and covers the SMTP 4-5
   day retry limit recommendation.

   However, premature expiration potential increases once the MDA
   accepts the message and verification may occur at the MFA or MUA.

   The length of the MFA delay (t2) is directly proportional to the
   volume of mail being received (high volume system), and the higher
   the volume, scalarability operational considerations will typically
   mandate that the DKIM verification process begin after the message is
   accepted.

   The length of the MUA delay (t3) is directly proportional to the MUA
   ergonomics and user behavior in regards to frequency of mail pickup
   or frequency of user logins in order to download, read or received
   new mail.

   In short, the potential of premature DKIM expiration problems
   increase as the verification process is time shifted beyond MDA
   applications.

   To help resolve this, one possible idea is allow the MFA and MUA to
   use the time stamp recorded at the MDA as required by the all SMTP
   receivers when adding the Received: trace header [RFC 2821 section
   4.4] [RFC2821].  This time stamp may be called the Transaction
   Reception Time (TRT) because it represents the time the MDA first
   received the transaction from the MTA.  If the MFA and MUA use the
   TRT as part of the DKIM expiration checks, the problems related to
   signature expirations are eliminated.

   However, while using the TRT may help resolve MFA and MUA timing
   issues, there is still the possibility of a DKIM public key being
   revoked or removed from DNS.




Santos                  Expires October 25, 2006                [Page 4]

Internet-Draft                DKIM-Received                   April 2006


   To help resolve this problem, a new idea called "Partial Verifier
   DKIM support" may be used by MDA verifiers to help resolve both
   expiration or keys revocation problems potentially occurring at the
   MFA and much greater potential at the MUA.


3.  Solution Summary: Partial Verifier Support

   In practice, it is conceivable for DKIM implementations to operate in
   a partial or full verifier support mode..

   Partial Verifier support may include early adopters migrating towards
   full support and wanting to assist independent Full Verifier support
   processes, such as MFAs and MUAs, while the backend is being upgraded
   for full DKIM support.

   Partial (including full) verifier support would begin with the simple
   addition of adding public key information in the new message RFC2822
   [RFC2822] header called DKIM-Received:

        DKIM-Received:
           rt=<DKIM-timestamp>;    # Current time msg was received.
           sd=<selector-data>;     # Selector DNS record Data.
           [vt=<DKIM-timestamp>;]  # Current time msg was validated.

                      Figure 3: DKIM-Received: Header

   If available, this header allows for time shifted full verifiers to
   obtain message state information that might be missing at a future
   moment of time to correctly validate a DKIM signature.

   Semantics:

   o  Partial Verifiers MUST add DKIM-Received header.

   o  Full Verifiers MAY add DKIM-Received header.

   o  The sd= tag MUST include the p=data tag.  It MAY include other or
      all tags in record.  However, all that is required is the public-
      key (p=data).

   o  The optional vt= tag is added by FULL verifiers only.

   o  DKIM-timestamps are in a format deemed acceptable by the DKIM
      protocol (i.e., easy extraction, easy parsing, Y2K compliant).






Santos                  Expires October 25, 2006                [Page 5]

Internet-Draft                DKIM-Received                   April 2006


4.  How it works?

   As an organization is migrating to full DKIM support, it may decide
   to add partial verification support by performing the following
   steps:

   1.  If a incoming message has a DKIM-Signature, obtain the selector
       and domain from the s= and d= tag respectively.

   2.  Obtain the public key by performing DKIM DNS query on
       selector._domainkey.<domain>.

   3.  Create and prepend the DKIM-Received: header setting the rt=
       received time and the sd= tag with the public key data.  The
       DKIM-Received MUST be written before the SMTP required Received:
       Header is written.

   The full verifier MAY support DKIM-Received: If the full verifiers
   attempts to validate the signature, it MAY add the vt= verification
   time stamp tag.  Adding the vt= tag to the DKIM-Received MUST NOT be
   viewed by MFA or MUAs as an indication of success or failure.  It
   merely indicates that a verification was performed.

   MFA and MUAs MAY support the DKIM-Received: header and if supported,
   it MAY use the public key information to validate the signature.  The
   recommended steps are:

   1.  If the DKIM-Signature: has a x= expiration tag, check for a DKIM-
       Received: header and use the rt= received time stamp for time
       comparison.

   2.  If no x= expiration is available, begin the DKIM verification by
       obtaining the public key from DNS.

   3.  If no public key is available, it MAY verify the signature by
       using the public key (sd=) recorded in the DKIM-Received: header,
       if any.


5.  Example

   The following example shows what a MDA would add to the incoming
   message:








Santos                  Expires October 25, 2006                [Page 6]

Internet-Draft                DKIM-Received                   April 2006


   Example 5.1

    Received: from sb10.example.com ([202.134.19.231])
              by winserver.com (Wildcat! SMTP v6.1.451.7) with ESMTP
              id 2671734859; Sat, 22 Apr 2006 12:28:31 -0400
    DKIM-Received: rt=1145722498;
                   sd=p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALRW7ct
                        LniHlMlENXl0cW98CU9LqiI2vk0Dy42Wmg7jzJk/Phf1QHu
                        8ykUG8BMCagx7nPCWmT51FeqgmCqrb4475jZmNVg6TR4NQ9;



6.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.


7.  Security Considerations

   Other than not enforcing the key revocation concept. i.e.
   verification is still possible after the domain's public key is
   revoked, there are no security concerns currently envision with this
   proposal at this time.


8.  Acknowledgements

   Discussions related to signature expiration and key revocation timing
   problems in the IETF-DKIM Working Group among many participants lead
   to the development of this proposed solution.


9.  Normative References

   [DKIM-BASE]
              Allman, E., "DomainKeys Identified Mail Signatures",
              April 2006, <http://mipassoc.org/dkim/specs/
              draft-allman-dkim-base-01.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
              April 2001.




Santos                  Expires October 25, 2006                [Page 7]

Internet-Draft                DKIM-Received                   April 2006


   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822,
              April 2001.


Author's Address

   Hector Santos
   Santronics Software, Inc.
   15600 SW 158 ST Suite #306
   Homestead, Florida, FL  33033
   United States of America

   Email: hsantos@isdg.net
   URI:   http://www.isdg.net





































Santos                  Expires October 25, 2006                [Page 8]

Internet-Draft                DKIM-Received                   April 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Santos                  Expires October 25, 2006                [Page 9]