Independent Submission S. Ser Internet-Draft March 11, 2019 Intended status: Informational Expires: September 12, 2019 Authentication-Results Registration for OpenPGP Signature Verification draft-ser-authentication-results-openpgp-00 Abstract RFC 7601 specifies the Authentication-Results header field for conveying results of message authentication checks. This document defines a new authentication method to be used in the Authentication- Results header field for PGP-related signature checks. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 12, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Ser Expires September 12, 2019 [Page 1]
Internet-Draft Authentication-Results for OpenPGP March 2019 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. "pgp" Authentication Method . . . . . . . . . . . . . . . . . 2 2.1. OpenPGP Results . . . . . . . . . . . . . . . . . . . . . 2 2.2. Email Authentication Parameters for OpenPGP . . . . . . . 4 2.2.1. body.pgp-fingerprint . . . . . . . . . . . . . . . . 4 2.2.2. body.pgp-user-id . . . . . . . . . . . . . . . . . . 4 2.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Normative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction [RFC7601] specifies the Authentication-Results header field for conveying results of message authentication checks. OpenPGP signature verification is sometimes implemented in border message transfer agents (for instance some MTAs have their own OpenPGP PKI), there is a need to convey signature verification status to Mail User Agents (MUAs) and downstream filters. This document defines a new authentication method to be used in the Authentication-Results header field for OpenPGP-related signature checks. 2. "pgp" Authentication Method OpenPGP signature verification is represented by the "pgp" method and is defined in [RFC4880]. 2.1. OpenPGP Results The result values used by OpenPGP [RFC4880] are as follows: Ser Expires September 12, 2019 [Page 2]
Internet-Draft Authentication-Results for OpenPGP March 2019 +-----------+-------------------------------------------------------+ | Result | Meaning | | Code | | +-----------+-------------------------------------------------------+ | none | The message was not signed. | | pass | The message was signed, the signature or signatures | | | were acceptable to the verifier, and the signature(s) | | | passed verification tests. | | fail | The message was signed and the signature or | | | signatures were acceptable to the verifier, but they | | | failed the verification test(s). | | policy | The message was signed and signature(s) passed | | | verification tests, but the signature or signatures | | | were not acceptable to the verifier. | | neutral | The message was signed but the signature or | | | signatures contained syntax errors or were not | | | otherwise able to be processed. This result is also | | | used for other failures not covered elsewhere in this | | | list. | | temperror | The message could not be verified due to some error | | | that is likely transient in nature, such as a | | | temporary inability to retrieve a key. A later | | | attempt may produce a final result. | | permerror | The message could not be verified due to some error | | | that is unrecoverable, such as a required header | | | field being absent or the signer's key not being | | | available. A later attempt is unlikely to produce a | | | final result. | +-----------+-------------------------------------------------------+ OpenPGP Results A signature is "acceptable to the verifier" if it passes local policy checks (or there are no specific local policy checks). For example, a verifier might require that the domain in the user ID in the signing OpenPGP key matches the domain in the address of the author of the message (value of the From header field), thus making third- party signatures unacceptable. [RFC5751] advises that if a message fails verification, it should be treated as an unsigned message. A report of "fail" here permits the receiver of the report to decide how to handle the failure. A report of "neutral" or "none" preempts that choice, ensuring that the message will be treated as if it had not been signed. Ser Expires September 12, 2019 [Page 3]
Internet-Draft Authentication-Results for OpenPGP March 2019 2.2. Email Authentication Parameters for OpenPGP This document defines several new authentication parameters for conveying OpenPGP-related information, such as the identity associated with the entity that signed the message or one of its body parts. 2.2.1. body.pgp-fingerprint body.pgp-fingerprint contains the fingerprint [RFC4880] of the key used to generate the OpenPGP signature referenced in the corresponding body.pgp-part. 2.2.2. body.pgp-user-id body.pgp-user-id contains the signer's user ID [RFC4880] associated with the OpenPGP signature referenced in the corresponding body.pgp- part. 2.3. Examples Ser Expires September 12, 2019 [Page 4]
Internet-Draft Authentication-Results for OpenPGP March 2019 Return-Path: <elkins@aero.org> Authentication-Results: example.net; pgp=pass (1024-bit key) body.pgp-fingerprint=89A8DCE5EAE72D530905C65241BA574B8FBB172B body.pgp-user-id="Michael Elkins <elkins@aero.org>" Received: from ietfa.example.com (localhost [IPv6:::1]) by ietfa.example.com (Postfix) with ESMTP id 2875111E81A0; Fri, 06 Sep 2002 00:35:14 -0700 (PDT) From: Michael Elkins <elkins@aero.org> To: Michael Elkins <elkins@aero.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5; protocol="application/pgp-signature" --bar Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable =A1Hola! Did you know that talking to yourself is a sign of senility? It's generally a good idea to encode lines that begin with From=20because some mail transport agents will insert a greater- than (>) sign, thus invalidating the signature. Also, in some cases it might be desirable to encode any =20 trailing whitespace that occurs on lines in order to ensure =20 that the message signature is not invalidated when passing =20 a gateway that modifies such whitespace (like BITNET). =20 me --bar Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC// jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn HOxEa44b+EI= =ndaj -----END PGP MESSAGE----- --bar-- Ser Expires September 12, 2019 [Page 5]
Internet-Draft Authentication-Results for OpenPGP March 2019 3. IANA Considerations IANA has added the following entries to the "Email Authentication Methods" sub-registry of the "Email Authentication Parameters" registry: TBD IANA has added the following entries to the "Email Authentication Result Names" sub-registry of the "Email Authentication Parameters" registry: TBD 4. Security Considerations TODO 5. Normative References [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, DOI 10.17487/RFC4880, November 2007, <https://www.rfc-editor.org/info/rfc4880>. [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, DOI 10.17487/RFC5751, January 2010, <https://www.rfc-editor.org/info/rfc5751>. [RFC7601] Kucherawy, M., "Message Header Field for Indicating Message Authentication Status", RFC 7601, DOI 10.17487/RFC7601, August 2015, <https://www.rfc-editor.org/info/rfc7601>. Author's Address Simon Ser 14, rue Girardot Villebon-sur-Yvette 91140 France Email: contact@emersion.fr Ser Expires September 12, 2019 [Page 6]