| draft-ietf-uta-mta-sts-16.txt | draft-ietf-uta-mta-sts-17.txt | |||
|---|---|---|---|---|
| Using TLS in Applications D. Margolis | Using TLS in Applications D. Margolis | |||
| Internet-Draft M. Risher | Internet-Draft M. Risher | |||
| Intended status: Standards Track Google, Inc | Intended status: Standards Track Google, Inc | |||
| Expires: November 3, 2018 B. Ramakrishnan | Expires: November 4, 2018 B. Ramakrishnan | |||
| Yahoo!, Inc | Yahoo!, Inc | |||
| A. Brotman | A. Brotman | |||
| Comcast, Inc | Comcast, Inc | |||
| J. Jones | J. Jones | |||
| Microsoft, Inc | Microsoft, Inc | |||
| May 2, 2018 | May 3, 2018 | |||
| SMTP MTA Strict Transport Security (MTA-STS) | SMTP MTA Strict Transport Security (MTA-STS) | |||
| draft-ietf-uta-mta-sts-16 | draft-ietf-uta-mta-sts-17 | |||
| Abstract | Abstract | |||
| SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a | SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a | |||
| mechanism enabling mail service providers to declare their ability to | mechanism enabling mail service providers to declare their ability to | |||
| receive Transport Layer Security (TLS) secure SMTP connections, and | receive Transport Layer Security (TLS) secure SMTP connections, and | |||
| to specify whether sending SMTP servers should refuse to deliver to | to specify whether sending SMTP servers should refuse to deliver to | |||
| MX hosts that do not offer TLS with a trusted server certificate. | MX hosts that do not offer TLS with a trusted server certificate. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 2, line 21 ¶ | skipping to change at page 2, line 21 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Related Technologies . . . . . . . . . . . . . . . . . . . . 3 | 2. Related Technologies . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Policy Discovery . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Policy Discovery . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. MTA-STS TXT Records . . . . . . . . . . . . . . . . . . . 4 | 3.1. MTA-STS TXT Records . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. MTA-STS Policies . . . . . . . . . . . . . . . . . . . . 5 | 3.2. MTA-STS Policies . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. HTTPS Policy Fetching . . . . . . . . . . . . . . . . . . 8 | 3.3. HTTPS Policy Fetching . . . . . . . . . . . . . . . . . . 8 | |||
| 3.4. Policy Selection for Smart Hosts and Subdomains . . . . . 9 | 3.4. Policy Selection for Smart Hosts and Subdomains . . . . . 9 | |||
| 4. Policy Validation . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Policy Validation . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.1. MX Certificate Validation . . . . . . . . . . . . . . . . 10 | 4.1. MX Certificate Validation . . . . . . . . . . . . . . . . 10 | |||
| 5. Policy Application . . . . . . . . . . . . . . . . . . . . . 11 | 5. Policy Application . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.1. Policy Application Control Flow . . . . . . . . . . . . . 11 | 5.1. Policy Application Control Flow . . . . . . . . . . . . . 11 | |||
| 6. Reporting Failures . . . . . . . . . . . . . . . . . . . . . 12 | 6. Reporting Failures . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. Interoperability Considerations . . . . . . . . . . . . . . . 12 | 7. Interoperability Considerations . . . . . . . . . . . . . . . 12 | |||
| 7.1. SNI Support . . . . . . . . . . . . . . . . . . . . . . . 12 | 7.1. SNI Support . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.2. Minimum TLS Version Support . . . . . . . . . . . . . . . 13 | 7.2. Minimum TLS Version Support . . . . . . . . . . . . . . . 13 | |||
| 8. Operational Considerations . . . . . . . . . . . . . . . . . 13 | 8. Operational Considerations . . . . . . . . . . . . . . . . . 13 | |||
| 8.1. Policy Updates . . . . . . . . . . . . . . . . . . . . . 13 | 8.1. Policy Updates . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8.2. Policy Delegation . . . . . . . . . . . . . . . . . . . . 13 | 8.2. Policy Delegation . . . . . . . . . . . . . . . . . . . . 13 | |||
| skipping to change at page 7, line 9 ¶ | skipping to change at page 7, line 9 ¶ | |||
| mode: enforce | mode: enforce | |||
| mx: mail.example.com | mx: mail.example.com | |||
| mx: .example.net | mx: .example.net | |||
| mx: backupmx.example.com | mx: backupmx.example.com | |||
| max_age: 123456 | max_age: 123456 | |||
| The formal definition of the policy resource, defined using | The formal definition of the policy resource, defined using | |||
| [RFC7405], is as follows: | [RFC7405], is as follows: | |||
| sts-policy-record = sts-policy-field *WSP | sts-policy-record = sts-policy-field *WSP | |||
| *(CRLF sts-policy-field *WSP) | *(sts-policy-term sts-policy-field *WSP) | |||
| [CRLF] | [sts-policy-term] | |||
| sts-policy-field = sts-policy-version / ; required once | sts-policy-field = sts-policy-version / ; required once | |||
| sts-policy-mode / ; required once | sts-policy-mode / ; required once | |||
| sts-policy-max-age / ; required once | sts-policy-max-age / ; required once | |||
| 0*(sts-policy-mx *WSP CRLF) / | sts-policy-mx / | |||
| ; required at least once, except when | ; required at least once, except when | |||
| ; mode is "none" | ; mode is "none" | |||
| sts-policy-extension ; other fields | sts-policy-extension ; other fields | |||
| field-delim = ":" *WSP | field-delim = ":" *WSP | |||
| sts-policy-version = sts-policy-version-field field-delim | sts-policy-version = sts-policy-version-field field-delim | |||
| sts-policy-version-value | sts-policy-version-value | |||
| skipping to change at page 8, line 10 ¶ | skipping to change at page 8, line 10 ¶ | |||
| sts-policy-max-age-value = 1*10(DIGIT) | sts-policy-max-age-value = 1*10(DIGIT) | |||
| sts-policy-extension = sts-policy-ext-name ; additional | sts-policy-extension = sts-policy-ext-name ; additional | |||
| field-delim ; extension | field-delim ; extension | |||
| sts-policy-ext-value ; fields | sts-policy-ext-value ; fields | |||
| sts-policy-ext-name = (ALPHA / DIGIT) | sts-policy-ext-name = (ALPHA / DIGIT) | |||
| *31(ALPHA / DIGIT / "_" / "-" / ".") | *31(ALPHA / DIGIT / "_" / "-" / ".") | |||
| sts-policy-ext-value = 1*(%x21-3A / %x3C / %x3E-7E) | sts-policy-term = CRLF / LF | |||
| ; chars, excluding control chars | ||||
| sts-policy-ext-value = sts-policy-vchar | ||||
| [*(%x20 / sts-policy-vchar) | ||||
| sts-policy-vchar] | ||||
| ; chars, including UTF-8 [RFC3629], | ||||
| ; excluding CTLs and no | ||||
| ; leading/trailing spaces | ||||
| sts-policy-vchar = %x21-7E / UTF8-2 / UTF8-3 / UTF8-4 | ||||
| Parsers MUST accept TXT records and policy files which are | Parsers MUST accept TXT records and policy files which are | |||
| syntactically valid (i.e. valid key/value pairs separated by semi- | syntactically valid (i.e. valid key/value pairs separated by semi- | |||
| colons for TXT records) and but containing additional key/value pairs | colons for TXT records) and but containing additional key/value pairs | |||
| not specified in this document, in which case unknown fields SHALL be | not specified in this document, in which case unknown fields SHALL be | |||
| ignored. If any non-repeated field--i.e. all fields excepting "mx"-- | ignored. If any non-repeated field--i.e. all fields excepting "mx"-- | |||
| is duplicated, all entries except for the first SHALL be ignored. If | is duplicated, all entries except for the first SHALL be ignored. If | |||
| any field is not specified, the policy SHALL be treated as invalid. | any field is not specified, the policy SHALL be treated as invalid. | |||
| 3.3. HTTPS Policy Fetching | 3.3. HTTPS Policy Fetching | |||
| skipping to change at page 25, line 12 ¶ | skipping to change at page 25, line 12 ¶ | |||
| Email: risher (at) google (dot com) | Email: risher (at) google (dot com) | |||
| Binu Ramakrishnan | Binu Ramakrishnan | |||
| Yahoo!, Inc | Yahoo!, Inc | |||
| Email: rbinu (at) yahoo-inc (dot com) | Email: rbinu (at) yahoo-inc (dot com) | |||
| Alexander Brotman | Alexander Brotman | |||
| Comcast, Inc | Comcast, Inc | |||
| Email: alex_brotman (at) comcast (dot com) | Email: alex_brotman@comcast.com | |||
| Janet Jones | Janet Jones | |||
| Microsoft, Inc | Microsoft, Inc | |||
| Email: janet.jones (at) microsoft (dot com) | Email: janet.jones (at) microsoft (dot com) | |||
| End of changes. 8 change blocks. | ||||
| 10 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||