Network Working Group                                     W. Chuang, Ed.
Internet-Draft                                              Google, Inc.
Intended status: Standards Track                           T. Loder, Ed.
Expires: November 8, 2018                                          Agari
                                                             May 7, 2018


    Brand Indicator for Message Identification in X.509 certificates
                    draft-chuang-bimi-certificate-00

Abstract

   This document defines an X.509 certificate profile that distinguishes
   certificates carrying logotypes and used with email domain-based
   authentication from certificates issued for other usages.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 8, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Chuang & Loder          Expires November 8, 2018                [Page 1]

Internet-DrBrand Indicator for Message Identification in X.50   May 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   2
   3.  BIMI  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  BIMI Certificate Validation . . . . . . . . . . . . . . . . .   3
   5.  BIMI Certificate Extension  . . . . . . . . . . . . . . . . .   3
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .   5
   Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   [RFC5280] defines the Extended Key Usage extension to distinguish
   different usages of X.509 certificates.  Such certificates may carry
   a logotype as defined in [RFC3709], whose format is further refined
   in [RFC6170].  This document defines a new usage for these logotype
   carrying certificates: establishing an identity for Electronic Mail
   senders as defined in [RFC5321] whose sending domain is
   authenticated by either Sender Policy Framework [RFC7208] or
   DomainKeys Identified Mail signatures [RFC6376].  This new profile
   distinguishes such certificates from other certificate usages
   involving electronic mail, such as S/MIME [RFC5751].

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  BIMI

   This section describes, non-normatively, the Brand Indicator for
   Message Identification (BIMI) electronic mail profile.  It is
   intended that a separate document will specify the BIMI electronic
   mail sending and receiving protocol, describing the BIMI electronic
   mail headers, the sender validation process using domain
   authentication methods, and the fetching of BIMI certificates.
   BIMI follows current practice by using the domain-based validation
   methods Sender Policy Framework [RFC7208] or DomainKeys Identified
   Mail signatures [RFC6376].  Once an electronic mail sender has been
   validated this way and the BIMI certificate has been fetched, the
   receiver can proceed to validate the BIMI certificate against the
   sender domain as described in this document.  Upon successful
   validation, the receiver may choose to show the associated logotype
   and other
   identifying information contained in the BIMI certificate.  This
   document does not address other uses of logotypes with other email
   profiles such as S/MIME.

4.  BIMI Certificate Validation

   Before a BIMI certificate can be used to provide identification, the
   certificate path MUST be validated using the algorithm in [RFC5280].
   The BIMI certificate MUST contain an extended key usage extension
   that includes id-kp-BrandIndicatorforMessageIdentification as
   defined in Section 5.  It MUST also contain a dNSName field of an
   X.509 Subject Alternative Name as specified in [RFC5280] and a
   subject LogoType as specified in [RFC3709].  The BIMI certificate
   domain name and the domain of the From or Sender header email
   address are compared.  If they match using the method specified in
   [RFC5280], then the certificate identifies the sender of the
   electronic mail, and the certificate subject information may be used
   to describe the sender.
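   The receiver-side checks of this section, as an added example that
   is not part of the draft, written against the Go standard library.
   It assumes the caller has already path-validated the chain per
   RFC 5280, represents the RFC 3709 logotype extension by a
   placeholder value (Go does not parse LogotypeExtnInfo), and the
   names CheckBIMI and MakeTestCert are chosen here; the OID values
   come from Section 5 of this draft and from RFC 3709.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"strings"
	"time"
)

// id-kp 31 (Section 5 of the draft) and id-pe-logotype, id-pe 12 (RFC 3709).
var oidKpBIMI = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 31}
var oidPeLogotype = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}
// CheckBIMI: Section 4 checks on an already path-validated (RFC 5280) leaf; dNSName match is case-insensitive.
func CheckBIMI(leaf *x509.Certificate, fromAddr string) error {
	hasEKU, hasLogo := false, false
	for _, oid := range leaf.UnknownExtKeyUsage {
		hasEKU = hasEKU || oid.Equal(oidKpBIMI)
	}
	for _, ext := range leaf.Extensions {
		hasLogo = hasLogo || ext.Id.Equal(oidPeLogotype)
	}
	if !hasEKU || !hasLogo || len(leaf.DNSNames) == 0 {
		return errors.New("not a BIMI certificate: needs BIMI EKU, logotype and dNSName")
	}
	domain := fromAddr[strings.LastIndex(fromAddr, "@")+1:] // whole string if no '@'
	for _, name := range leaf.DNSNames {
		if strings.EqualFold(name, domain) {
			return nil // the certificate identifies the sender
		}
	}
	return errors.New("sender domain does not match any dNSName")
}
// MakeTestCert: constructed self-signed leaf with a placeholder logotype extension (test data); withEKU=false omits the EKU.
func MakeTestCert(dnsName string, withEKU bool) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotAfter: time.Now().Add(time.Hour), ExtraExtensions: []pkix.Extension{
			{Id: oidPeLogotype, Value: []byte{0x30, 0x00}}}} // empty SEQUENCE placeholder
	if withEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidKpBIMI}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

   A certificate that carries only id-kp-emailProtection, or whose
   dNSName differs from the From domain, is rejected by CheckBIMI even
   though its chain would path-validate.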

5.  BIMI Certificate Extension

   This document defines a new Extended Key Usage OID for the BIMI use
   case, id-kp-BrandIndicatorforMessageIdentification:

   id-kp-BrandIndicatorforMessageIdentification OBJECT IDENTIFIER ::=
     { id-kp 31 }

6.  Security Considerations

   o  SPF may be spoofed.  See the considerations in [RFC7208].

   o  DKIM may be spoofed.  See the considerations in [RFC6376].

   o  Logotype identities may be spoofed.  See the considerations in
      [RFC3709].

7.  IANA Considerations

   For the extended key usage OID defined in Section 5 and the ASN.1
   module identifier defined in Appendix A, IANA is kindly requested to
   reserve the following assignments:

   o  The LAMPS-BIMI-Certificate-2018 ASN.1 module in the "SMI Security
      for PKIX Extended Key Purpose" registry (1.3.6.1.5.5.7.3).

   o  The BIMI certificate extended key usage (1.3.6.1.5.5.7.3.31).

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3709]  Santesson, S., Housley, R., and T. Freeman, "Internet
              X.509 Public Key Infrastructure: Logotypes in X.509
              Certificates", RFC 3709, DOI 10.17487/RFC3709, February
              2004, <https://www.rfc-editor.org/info/rfc3709>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008,
              <https://www.rfc-editor.org/info/rfc5321>.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, DOI 10.17487/RFC5751, January
              2010, <https://www.rfc-editor.org/info/rfc5751>.

   [RFC6170]  Santesson, S., Housley, R., Bajaj, S., and L. Rosenthol,
              "Internet X.509 Public Key Infrastructure -- Certificate
              Image", RFC 6170, DOI 10.17487/RFC6170, May 2011,
              <https://www.rfc-editor.org/info/rfc6170>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <https://www.rfc-editor.org/info/rfc6376>.

   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
              Authorizing Use of Domains in Email, Version 1", RFC 7208,
              DOI 10.17487/RFC7208, April 2014,
              <https://www.rfc-editor.org/info/rfc7208>.

   [RFC7299]  Housley, R., "Object Identifier Registry for the PKIX
              Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
              <https://www.rfc-editor.org/info/rfc7299>.

Appendix A.  ASN.1 Module

   The following ASN.1 module normatively specifies the BIMI extended
   key usage name.  This specification uses the ASN.1 definitions from
   [RFC7299].

   LAMPS-BIMI-Certificate-2018
     { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-kp(3)
       id-kp-BrandIndicatorforMessageIdentification(31) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS
     id-pkix
     FROM PKIX1Explicit-2009  -- module defined in RFC 5912
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-explicit-02(51) } ;

   -- Extended key purpose identifiers
   id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

   -- Arc 31 is the value given in Section 5 and requested in Section 7
   id-kp-BrandIndicatorforMessageIdentification OBJECT IDENTIFIER ::=
     { id-kp 31 }

   END

Appendix B.  Acknowledgements

   Thank you to Kefeng Chen and Kirk Hall for their help with the BIMI
   certificate profile.  Thanks to the other document reviewers.

Authors' Addresses

   Weihaw Chuang (editor)
   Google, Inc.
   1600 Amphitheater Parkway
   Mountain View, CA  94043
   US

   Email: weihaw@google.com


   Thede Loder (editor)
   Agari
   100 S. Ellsworth Ave
   San Mateo, CA  94401
   US

   Email: tloder@agari.com