rfc7281.txt   rfc7281_AM-fix.txt 
skipping to change at page 2, line 11 skipping to change at page 2, line 11
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. to this document.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2
3. "smime" Authentication Method . . . . . . . . . . . . . . . . 2 3. "smime" Authentication Method . . . . . . . . . . . . . . . . 2
3.1. S/MIME Results . . . . . . . . . . . . . . . . . . . . . 2 3.1. S/MIME Results . . . . . . . . . . . . . . . . . . . . . 2
3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Email Authentication Parameters for S/MIME . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 3.2.1. body.smime-part . . . . . . . . . . . . . . . . . . . 4
4.1. body.smime-part . . . . . . . . . . . . . . . . . . . . . 8 3.2.2. body.smime-identifier . . . . . . . . . . . . . . . . 4
3.2.3. body.smime-serial and body.smime-issuer . . . . . . . 4
3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Normative References . . . . . . . . . . . . . . . . . . 9 6.1. Normative References . . . . . . . . . . . . . . . . . . 9
6.2. Informative References . . . . . . . . . . . . . . . . . 9 6.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
[RFC7001] specifies the Authentication-Results header field for [RFC7001] specifies the Authentication-Results header field for
conveying results of message authentication checks. As S/MIME conveying results of message authentication checks. As S/MIME
signature verification (and alteration) is sometimes implemented in signature verification (and alteration) is sometimes implemented in
border message transfer agents, guards, and gateways (for example, border message transfer agents, guards, and gateways (for example,
see [RFC3183]), there is a need to convey signature verification see [RFC3183]), there is a need to convey signature verification
status to Mail User Agents (MUAs) and downstream filters. This status to Mail User Agents (MUAs) and downstream filters. This
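Review bot: the revised table of contents adds 3.2.1, 3.2.2 and 3.2.3, renumbers Examples to 3.3 and drops 4.1, and the page numbers for IANA Considerations (6 to 7) and Informative References (9 to 10) shift while Security Considerations (8), Normative References (9) and Appendix A (11) keep their old pages; given that the later hunks move the smime-part text and add roughly a page of new 3.2.2/3.2.3 prose, the unchanged page numbers for Sections 5 and 6.1 should be re-verified against the regenerated text rather than carried over from the original TOC.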
skipping to change at page 4, line 7 skipping to change at page 4, line 7
subjectAltName in the signing certificate matches the domain in the subjectAltName in the signing certificate matches the domain in the
address of the sender of the message (value of the Sender header address of the sender of the message (value of the Sender header
field, if present; value of the From header field otherwise), thus field, if present; value of the From header field otherwise), thus
making third-party signatures unacceptable. [RFC5751] advises that making third-party signatures unacceptable. [RFC5751] advises that
if a message fails verification, it should be treated as an unsigned if a message fails verification, it should be treated as an unsigned
message. A report of "fail" here permits the receiver of the report message. A report of "fail" here permits the receiver of the report
to decide how to handle the failure. A report of "neutral" or "none" to decide how to handle the failure. A report of "neutral" or "none"
preempts that choice, ensuring that the message will be treated as if preempts that choice, ensuring that the message will be treated as if
it had not been signed. it had not been signed.
3.2. Examples 3.2. Email Authentication Parameters for S/MIME
This document defines several new authentication parameters for
conveying S/MIME related information, such as location of an S/MIME
signature and identity associated with the entity that signed the
message or one of its body parts.
3.2.1. body.smime-part
body.smime-part contains the MIME body part reference that contains
the S/MIME signature. The syntax of this property is described by
the smime-part ABNF production below. application/pkcs7-signature or
application/pkcs7-mime (containing SignedData) media type body parts
are referenced using the <section> syntax (see Section 6.4.5 of
[RFC3501]). If the signature being verified is encapsulated by
another Cryptographic Message Syntax (CMS) content type (e.g.,
application/pkcs7-mime containing EnvelopedData, which contains
SignedData), such an inner signature body part can be referenced
using "section[/section..." syntax.
smime-part = section ["/" smime-subpart]
smime-subpart = smime-part
section = <Defined in Section 6.4.5 of [RFC3501]>
3.2.2. body.smime-identifier
body.smime-identifier contains the email address [RFC5322] associated
with the S/MIME signature referenced in the corresponding body.smime-
part. The email address can be specified explicitly in the signer's
X.509 certificate or derived from the identity of the signer. Note
that this email address can correspond to a countersignature.
3.2.3. body.smime-serial and body.smime-issuer
body.smime-serial contains the serialNumber of the X.509 certificate
associated with the S/MIME signature (see Section 4.1.2.2 of
[RFC5280]) referenced in the corresponding body.smime-part.
body.smime-issuer contains the Issuer name DN (e.g.
"CN=CA1,ST=BC,c=CA") of the X.509 certificate associated with the S/
MIME signature (see section 4.1.2.4 of [RFC5280]) referenced in the
corresponding body.smime-part.
Either both or neither of body.smime-serial and body.smime-issuer
should be present in an Authentication-Results header field.
body.smime-serial and body.smime-issuer are used for cases when
body.smime-identifier (email address) can't be derived by the entity
adding the corresponding Authentication-Results header field. For
example, this can be used when gatewaying from X.400.
3.3. Examples
Return-Path: <aliceDss@example.com> Return-Path: <aliceDss@example.com>
Authentication-Results: example.net; Authentication-Results: example.net;
smime=fail (certificate is revoked by CRL) smime=fail (certificate is revoked by CRL)
body.smime-identifier=aliceDss@example.com body.smime-identifier=aliceDss@example.com
body.smime-part=2 body.smime-part=2
Received: from ietfa.example.com (localhost [IPv6:::1]) Received: from ietfa.example.com (localhost [IPv6:::1])
by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0; by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0;
Fri, 06 Sep 2002 00:35:14 -0700 (PDT) Fri, 06 Sep 2002 00:35:14 -0700 (PDT)
MIME-Version: 1.0 MIME-Version: 1.0
To: User2@example.com To: User2@example.com
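Review bot: Section 3.2.3 leaves the textual encoding of body.smime-serial and body.smime-issuer unspecified. serialNumber is an ASN.1 INTEGER (RFC 5280 Section 4.1.2.2 limits conforming CAs to 20 octets), so the header field needs a stated form (decimal or hexadecimal, sign handling), and the issuer example "CN=CA1,ST=BC,c=CA" mixes attribute-type case without naming a DN string representation (RFC 4514 would be the natural reference); without both, two gateways will emit values that cannot be compared. Also, "Either both or neither ... should be present" and "can't be derived" read as requirements; if they are, use the Section 2 keywords (SHOULD or MUST) and "cannot". Minor: "S/MIME related information" should be "S/MIME-related information", and "see section 4.1.2.4 of [RFC5280]" should use "Section" to match the surrounding style.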
skipping to change at page 6, line 21 skipping to change at page 7, line 21
+------+----------+-------+------------+----------------+-------+------+ +------+----------+-------+------------+----------------+-------+------+
|Method| Defined | ptype | Property | Value |Status | Ver- | |Method| Defined | ptype | Property | Value |Status | Ver- |
| | in | | | | | sion | | | in | | | | | sion |
+------+----------+-------+------------+----------------+-------+------+ +------+----------+-------+------------+----------------+-------+------+
| smime| [RFC5751]| body | smime-part | A reference to |active | 1 | | smime| [RFC5751]| body | smime-part | A reference to |active | 1 |
| | | | | the MIME body | | | | | | | | the MIME body | | |
| | | | | part that | | | | | | | | part that | | |
| | | | | contains the | | | | | | | | contains the | | |
| | | | | signature, as | | | | | | | | signature, as | | |
| | | | | defined in | | | | | | | | defined in | | |
| | | | | Section 4.1 of | | | | | | | | Section 3.2.1 | | |
| | | | | [RFC7281]. | | | | | | | | of [RFC7281]. | | |
| | | | | | | | | | | | | | | |
| smime| [RFC5751]| body | smime- | The email |active | 1 | | smime| [RFC5751]| body | smime- | The email |active | 1 |
| | | | identifier | address | | | | | | | identifier | address | | |
| | | | | [RFC5322] | | | | | | | | [RFC5322] | | |
| | | | | associated | | | | | | | | associated | | |
| | | | | with the | | | | | | | | with the | | |
| | | | | S/MIME | | | | | | | | S/MIME | | |
| | | | | signature. | | | | | | | | signature. | | |
| | | | | The email | | | | | | | | The email | | |
| | | | | address can be | | | | | | | | address can be | | |
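Review bot: the smime-part row's pointer is updated from "Section 4.1 of [RFC7281]" to "Section 3.2.1 of [RFC7281]", consistent with the move, but the visible part of the smime-identifier row still describes the property only in prose with no pointer to its new definition; for consistency add "as defined in Section 3.2.2 of [RFC7281]" here (and the matching 3.2.3 pointer on the serial and issuer rows) so each registered property references the section that defines it.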
skipping to change at page 7, line 20 skipping to change at page 8, line 21
| | | | | certificate | | | | | | | | certificate | | |
| | | | | associated | | | | | | | | associated | | |
| | | | | with the | | | | | | | | with the | | |
| | | | | S/MIME | | | | | | | | S/MIME | | |
| | | | | signature (see | | | | | | | | signature (see | | |
| | | | | Section | | | | | | | | Section | | |
| | | | | 4.1.2.4 of | | | | | | | | 4.1.2.4 of | | |
| | | | | [RFC5280]. | | | | | | | | [RFC5280]. | | |
+------+----------+-------+------------+----------------+-------+------+ +------+----------+-------+------------+----------------+-------+------+
Either both or neither of body.smime-serial and body.smime-issuer
should be present in an Authentication-Results header field.
body.smime-serial and body.smime-issuer are used for cases when
body.smime-identifier (email address) can't be derived by the entity
adding the corresponding Authentication-Results header field. For
example, this can be used when gatewaying from X.400.
IANA has added the following entries to the "Email Authentication IANA has added the following entries to the "Email Authentication
Result Names" sub-registry of the "Email Authentication Parameters" Result Names" sub-registry of the "Email Authentication Parameters"
registry: registry:
+-----------+-----------+----------+-----------------------+--------+ +-----------+-----------+----------+-----------------------+--------+
| Code | Defined | Auth | Meaning | Status | | Code | Defined | Auth | Meaning | Status |
| | | Method | | | | | | Method | | |
+-----------+-----------+----------+-----------------------+--------+ +-----------+-----------+----------+-----------------------+--------+
| none | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | none | [RFC7281] | smime | [RFC7281] Section 3.1 | active |
| | | | | | | | | | | |
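Review bot: dropping the "Either both or neither ..." paragraph from Section 4 is correct, since the same text now lives in Section 3.2.3 and the IANA section should carry registrations only; while touching the issuer row, close the parenthesis in "signature (see Section 4.1.2.4 of [RFC5280]." which is unbalanced in both columns.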
skipping to change at page 8, line 5 skipping to change at page 8, line 44
| | | | | | | | | | | |
| policy | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | policy | [RFC7281] | smime | [RFC7281] Section 3.1 | active |
| | | | | | | | | | | |
| neutral | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | neutral | [RFC7281] | smime | [RFC7281] Section 3.1 | active |
| | | | | | | | | | | |
| temperror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | temperror | [RFC7281] | smime | [RFC7281] Section 3.1 | active |
| | | | | | | | | | | |
| permerror | [RFC7281] | smime | [RFC7281] Section 3.1 | active | | permerror | [RFC7281] | smime | [RFC7281] Section 3.1 | active |
+-----------+-----------+----------+-----------------------+--------+ +-----------+-----------+----------+-----------------------+--------+
4.1. body.smime-part
body.smime-part contains the MIME body part reference that contains
the S/MIME signature. The syntax of this property is described by
the smime-part ABNF production below. application/pkcs7-signature or
application/pkcs7-mime (containing SignedData) media type body parts
are referenced using the <section> syntax (see Section 6.4.5 of
[RFC3501]). If the signature being verified is encapsulated by
another Cryptographic Message Syntax (CMS) content type (e.g.,
application/pkcs7-mime containing EnvelopedData, which contains
SignedData), such an inner signature body part can be referenced
using "section[/section..." syntax.
smime-part = section ["/" smime-subpart]
smime-subpart = smime-part
section = <Defined in Section 6.4.5 of [RFC3501]>
5. Security Considerations 5. Security Considerations
This document doesn't add new security considerations not already This document doesn't add new security considerations not already
covered by [RFC7001] and [RFC5751]. In particular, security covered by [RFC7001] and [RFC5751]. In particular, security
considerations related to the use of weak cryptography over considerations related to the use of weak cryptography over
plaintext, weakening and breaking of cryptographic algorithms over plaintext, weakening and breaking of cryptographic algorithms over
time, and changing the behavior of message processing based on time, and changing the behavior of message processing based on
presence of a signature specified in [RFC5751] are relevant to this presence of a signature specified in [RFC5751] are relevant to this
document. Similarly, the following security considerations specified document. Similarly, the following security considerations specified
in [RFC7001] are particularly relevant to this document: Forged in [RFC7001] are particularly relevant to this document: Forged
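Review bot: the removed Section 4.1 text (prose and ABNF) is identical to what Section 3.2.1 now carries, so this hunk is a pure move and the table's "Section 3.2.1" pointer in the earlier hunk matches it. Two follow-ups: the ABNF `smime-part = section ["/" smime-subpart]` with `smime-subpart = smime-part` permits arbitrarily deep nesting, while the prose says only 'using "section[/section..." syntax'; phrase it as a "/"-separated chain of <section> references so the prose matches the grammar. And since Section 4 no longer has a subsection, confirm no other text in the document still cites "Section 4.1".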
 End of changes. 6 change blocks. 
31 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/