draft-ietf-uta-smtp-tlsrpt-16.txt   draft-ietf-uta-smtp-tlsrpt-17.txt 
Using TLS in Applications D. Margolis Using TLS in Applications D. Margolis
Internet-Draft Google, Inc Internet-Draft Google, Inc
Intended status: Standards Track A. Brotman Intended status: Standards Track A. Brotman
Expires: September 5, 2018 Comcast, Inc Expires: September 6, 2018 Comcast, Inc
B. Ramakrishnan B. Ramakrishnan
Yahoo!, Inc Yahoo!, Inc
J. Jones J. Jones
Microsoft, Inc Microsoft, Inc
M. Risher M. Risher
Google, Inc Google, Inc
March 4, 2018 March 5, 2018
SMTP TLS Reporting SMTP TLS Reporting
draft-ietf-uta-smtp-tlsrpt-16 draft-ietf-uta-smtp-tlsrpt-17
Abstract Abstract
A number of protocols exist for establishing encrypted channels A number of protocols exist for establishing encrypted channels
between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA, and between SMTP Mail Transfer Agents, including STARTTLS, DANE TLSA, and
MTA-STS. These protocols can fail due to misconfiguration or active MTA-STS. These protocols can fail due to misconfiguration or active
attack, leading to undelivered messages or delivery over unencrypted attack, leading to undelivered messages or delivery over unencrypted
or unauthenticated channels. This document describes a reporting or unauthenticated channels. This document describes a reporting
mechanism and format by which sending systems can share statistics mechanism and format by which sending systems can share statistics
and specific information about potential failures with recipient and specific information about potential failures with recipient
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 5, 2018. This Internet-Draft will expire on September 6, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 12, line 18 skipping to change at page 12, line 18
o "report-id": A unique identifier for the report. Report authors o "report-id": A unique identifier for the report. Report authors
may use whatever scheme they prefer to generate a unique may use whatever scheme they prefer to generate a unique
identifier. It is provided as a string. identifier. It is provided as a string.
o "policy-type": The type of policy that was applied by the sending o "policy-type": The type of policy that was applied by the sending
domain. Presently, the only three valid choices are "tlsa", domain. Presently, the only three valid choices are "tlsa",
"sts", and the literal string "no-policy-found". It is provided "sts", and the literal string "no-policy-found". It is provided
as a string. as a string.
o "policy-string": A string representation of the policy, whether o "policy-string": An encoding of the applied policy as a JSON array
TLSA record ([RFC6698] section 2.3) or MTA-STS policy. Examples of strings, whether TLSA record ([RFC6698] section 2.3) or MTA-STS
follow in the next section. policy. Examples follow in the next section.
o "domain": The Policy Domain is the domain against which the MTA- o "domain": The Policy Domain is the domain against which the MTA-
STS or DANE policy is defined. In the case of Internationalized STS or DANE policy is defined. In the case of Internationalized
Domain Names ([RFC5891]), the domain MUST consist of the Punycode- Domain Names ([RFC5891]), the domain MUST consist of the Punycode-
encoded A-labels ([RFC3492]) and not the U-labels. encoded A-labels ([RFC3492]) and not the U-labels.
o "mx-host-pattern": The pattern of MX hostnames from the applied o "mx-host-pattern": The pattern of MX hostnames from the applied
policy. It is provided as a string, and is interpreted in the policy. It is provided as a string, and is interpreted in the
same manner as the "Checking of Wildcard Certificates" rules in same manner as the "Checking of Wildcard Certificates" rules in
Section 6.4.3 of [RFC6125]. In the case of Internationalized Section 6.4.3 of [RFC6125]. In the case of Internationalized
skipping to change at page 13, line 40 skipping to change at page 13, line 40
Part of the report body includes the policy that is applied when Part of the report body includes the policy that is applied when
attemping relay to the destination. attemping relay to the destination.
For DANE TLSA policies, a JSON array of strings each representing the For DANE TLSA policies, a JSON array of strings each representing the
RDATA of a single TLSA resource record as a space-separated list of RDATA of a single TLSA resource record as a space-separated list of
its four TLSA fields; the fields are in presentation format (defined its four TLSA fields; the fields are in presentation format (defined
in RFC6698 Section 2.2) with no internal spaces or grouping in RFC6698 Section 2.2) with no internal spaces or grouping
parentheses: parentheses:
["3 0 1 [
1F850A337E6DB9C609C522D136A475638CC43E1ED424F8EEC8513D747D1D085D", "3 0 1 1F850A337E6DB9C609C522D136A475638CC43E1ED424F8EEC8513D747D1D085D",
3 0 1 "3 0 1 12350A337E6DB9C6123522D136A475638CC43E1ED424F8EEC8513D747D1D1234"
12350A337E6DB9C6123522D136A475638CC43E1ED424F8EEC8513D747D1D1234"] ]
For the MTA-STS policy, an array of JSON string will represent the For the MTA-STS policy, an array of JSON strings that represents the
policy that is declared by the receiving site, including any errors policy that is declared by the receiving site, including any errors
that may be present. Note that if there are multiple MX records, that may be present. Note that where there are multiple "mx" values,
they are not included as an array. they must be listed as separate "mx" elements in the policy array,
rather as a single nested "mx" sub-array.
["version: STSv1","mode: report","mx: mx1.example.com","mx: [
mx2.example.com","mx: mx.backup-example.com","max_age: 12345678"] "version: STSv1",
"mode: report",
"mx: mx1.example.com",
"mx: mx2.example.com",
"mx: mx.backup-example.com",
"max_age: 12345678"
]
5. Report Delivery 5. Report Delivery
Reports can be delivered either as an email message via SMTP or via Reports can be delivered either as an email message via SMTP or via
HTTP POST. HTTP POST.
5.1. Report Filename 5.1. Report Filename
The filename is RECOMMENDED to be constructed using the following The filename is RECOMMENDED to be constructed using the following
ABNF: ABNF:
 End of changes. 9 change blocks. 
16 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/