Internet DRAFT - draft-vanrein-dkim-lenient
draft-vanrein-dkim-lenient
Network Working Group R. Van Rein
Internet-Draft ARPA2.net
Intended status: Standards Track September 25, 2017
Expires: March 29, 2018
Lenient DKIM
draft-vanrein-dkim-lenient-00
Abstract
DKIM is a framework for signed messages, especially for email. While
in transit, changes are sometimes made, and these break the DKIM-
Signature. This specification makes DKIM more lenient, without
changes to its core. It adds leniency towards MIME body rewrites,
removal of alternatives and annotation with bits of text. The
intention is to allow these changes such that they can be clearly
shown to the user, while indicating that the remainder of the
signedmessage is still in tact.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 29, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Van Rein Expires March 29, 2018 [Page 1]
Internet-Draft Lenient DKIM September 2017
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Annotating DKIM-Signed-Content . . . . . . . . . . . . . . . 3
2.1. Header Definition . . . . . . . . . . . . . . . . . . . . 4
2.2. Signing MIME bodies . . . . . . . . . . . . . . . . . . . 5
3. Canonicalisation for MIME Content . . . . . . . . . . . . . . 5
3.1. MIME headers . . . . . . . . . . . . . . . . . . . . . . 6
3.2. MIME body parts . . . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
DKIM standardises a header that signs content and headers of (email)
messages. This is a practical system to validate (the origin of) a
message to not have changed; unfortunely however, it breaks on a few
patterns of communication that are in common use xref-
target-"RFCnnnn". As a result, it is difficult to assign the full
weight of evidence that DKIM could otherwise provide.
DKIM signs content based on their wire format, which may include a
transfer-encoding when the MIME extensions are used. MTAs may have
to alter this transfer-encoding to accommodate a downgrade of
communication capabilities, and are therefore permitted to do so, but
this is not compatible with current DKIM. This specification
introduces a new canonicalisation algorithm to remedy this problem,
based on fixating the binary content of a MIME body part.
Another common practice is the introduction of extra text in the
Subject header of an email, or in the body or body parts. As a
general principle, it need not be problemtic to introduce extra data
to an email, as long as this is clearly shown in the MUA. Given that
email is usually rendered in a manner that has information fields in
clearly distinct graphical framing, it should be possible for a MUA
to unambiguously mark any additions made. This specification
introduces a manner of locating the parts of a message that were not
modified since it was signed, and leaves it to the MUA to decide on a
method of distinct rendering for original and modified parts. The
same mechanisms may be useful for MTAs for distinguishing common
patterns from abusive ones. When unsupportive or incapable, a MUA or
Van Rein Expires March 29, 2018 [Page 2]
Internet-Draft Lenient DKIM September 2017
MTA is always free to not incorporate DKIM's confirmations of message
content.
A more debatable practice is the removal of complete MIME
attachments. This is sometimes done for content in an undesirable
format, usually for operational considerations. Such removals can be
clearly marked, and it is up to the MUA whether to accept the
removal. When one part of an originally sent multipart/alternative
is removed, it may not be as bad as when the composition is altered,
as would be the case with other multipart types, such as multipart/
form-data.
The general handling of a MIME multipart/* message body involves a
number of independently encoded body parts. When this Content-Type
is used, a separate DKIM-Signature will be made on each of the body
parts, and a dedicated canonicalisation method will be used to
compose the parts. This will list the hashes of the various body
parts, thus enabling the detection of a removed part.
2. Annotating DKIM-Signed-Content
When changes are made to parts of the message, be it to headers or
body, then a DKIM-Signature is invalidated. Although this is a clear
sign of modification, it is not always a sign of a rogue change.
Ideally, the changed content would be presented to the user, but in
such a manner that original content can be easily distinguished from
changed content. When the changed message is subsequently signed by
an intermediate mailer, it is also clear where any concerns about the
change should be redirected, which is helpful for reputation
management.
The DKIM-Signed-Content header can be inserted after a DKIM-
Signature, possibly at the origin or at a later stage of the message,
to mark parts of the message that are incorporated into the signature
as a whole header, or as a whole body. It may in turn be
incorporated into a DKIM-Signature of a modified-forwarding party
such as an email list, where the new DKIM-Signature implies taking
responsibility over the changes made locally. But even when this is
not done, the DKIM-Signed-Content header allows a receiving MTA, MUA
or user to learn standard patterns of change by such intermediates,
and hopefully trigger alarms after deviations from a pattern.
To detect extra text, the DKIM-Signed-Content header describes the
range that was originally signed, describing the text in canonical
representation through its size, a rolling checksum and a secure
hash. The size and rolling checksum can be used to quickly pass
through a text in search of the original text; the secure hash is
then used to validate that it is indeed a good match.
Van Rein Expires March 29, 2018 [Page 3]
Internet-Draft Lenient DKIM September 2017
Originators could insert DKIM-Signed-Content headers before or after
inserting the DKIM-Signature header to allow non-compliant forwarders
to be easily recognised. Forwarders who add their own DKIM-Signature
on modified content are advised to retain the existing ones, validate
or remove any DKIM-Signed-Content headers inserted after the last
DKIM-Signature, add any missing DKIM-Signed-Content headers over what
will be modified, then make the desired modifications and then insert
the new DKIM-Signature header. This procedure ensures that the
forwarder only takes responsibility over their own work, which helps
in building their reputation.
DKIM-Signature and DKIM-Signed-Content headers MUST be inserted on
top of the message, and MUST NOT be reordered in transit. This is a
common and reasonable requirement for current messaging systems.
The DKIM-Signed-Content header works for complete headers or for
complete bodies, and will fail to work when content is being removed.
This is to protect users from information being held back; the one
exception is in the handling of multipart/alternative, defined below.
2.1. Header Definition
The DKIM-Signed-Content header consists of one or more sets of the
following four components, with whitespace to separate components:
(1) the path to the content; (2) the decimal notation for the length
in bytes; (3) the hexadecimal notation for a rolling hash; (4) the
secure hash of the content.
The path to the content is either a header name or the special word
"Body" to notify the message body. When multiple instances exist, an
optional extension is permitted, namely a colon and a decimal
sequence number, counting from 0. Headers count in the order of
insertion, so in the opposite order of their occurrence in the
message. Bodies count in the order in which they occur in th
message, but this is only meaningful for multipart MIME-types.
TODO:ALT:0 is the last value inserted before the DKIM-Signature; no
going back. TODO:EXT:Allow header:index:header:index:...
The values that follow all apply to the canonical form of the
information, be it a header or body, as specified in the "c"
parameter of the DKIM-Signature that was last inserted into the
message.
The rolling hash is TODO:AS_IN_RSYNC? cyclic polynomials looks best.
Implementation note: either have the full message in memory or have
to files open on it for reading.
Van Rein Expires March 29, 2018 [Page 4]
Internet-Draft Lenient DKIM September 2017
The secure hash matches the representation and algorithm of the "bh"
field in the related DKIM-Signature.
2.2. Signing MIME bodies
When a body with MIME content is signed, then more headers should be
considered for inclusion in the DKIM-Signature; notably, MIME-
Version, Content-Type, Content-Disposition SHOULD be included; on the
other hand, Content-Transfer-Encoding SHOULD NOT be included when the
intention is to support changes to the transfer encoding. When
headers are absent, their inclusion into the DKIM-Signature header
list disables later-on addition of these headers. TODO:CHECK
Special processing is required for the Content-Type header; it
includes a field named boundary, whose contents MUST be set to an
empty string, included in double quotes, before computing the header
checksum. This assures that changes to the boundary tag are
permitted while the message moves between MTAs. TODO:ALT: Move this
parameter to the end of the header and take it out from the DKIM-
Signed-Content as well as the DKIM-Signature; this requires MTAs and
MUAs to recognise this missing information as correctly absent.
All body parts of a multipart MIME message SHOULD have a DKIM-
Signature inserted. In this case, the Content-Type, Content-
Disposition and Content-ID headers SHOULD be included, even when they
are not presented as headers, in which case they could not be added
later. Note that the remarks made above for the boundary tag in a
Content-Type header may apply recursively.
When signing a multipart message, a DKIM-Signed-Content header SHOULD
include the DKIM-Signature headers of the directly subordinate body
parts. Indirect subordinates are included recursively by these
nested DKIM-Signature headers.
This practice enables the detection of removed as well as added body
parts. A common example is the removal of a text/html form from
multipart/alternative, so as to leave the text/plain form. This may
be tolerated on account of the semantics of multipart/alternative
messages.
3. Canonicalisation for MIME Content
MIME messages require special handling. The descriptions below
define how headers and bodies are canonicalised for MIME handling.
When a message has a MIME-Version header, it MAY want ot use c=mime/
mime in its DKIM-Signature headers.
Van Rein Expires March 29, 2018 [Page 5]
Internet-Draft Lenient DKIM September 2017
This is an extension to the version of DKIM that is currently in use,
but it is not a change to the header format, merely a matter of new
canonicalisation rules and handling for contained body parts. This
means that no new version number is defined for DKIM. The changes
may however lead to interpretation problems in older software. To
serve these somewhat, it is possible for DKIM signers to add not only
a DKIM-Signature with c=mime/mime, but also with other
canonicalisation mechanisms. It is advised to plan a final date for
any such policy.
3.1. MIME headers
Header canonicalisation for MIME headers is a modified form of the
relaxed algorithm. Its added function is to change any boundary tag
in a Content-Type header to an empty string, denoted as two double
quotes.
3.2. MIME body parts
When an MTA carries a binary message over a degraded link, it may
need to change the encoding of the message body. The simple and
relaxed canonicalisation algorithms both relate to the wire format of
the message and will break on such valid changes of form. For MIME
body parts however, this wire format is representative of an exactly
reproduced binary format, which can serve as a canonical format for
these body parts.
The body canonicalisation algorithm "mime" is used to reduce the wire
format of a MIME message body to the binary content that it
represents, before applying hashing and signing algorithms. This
should make it neutral to changes to the transfer encoding. Note
that it is vital that the Message-Transfer-Encoding header MUST NOT
be included in the header list when the "content" algorithm is used.
The "mime" algorithm MUST NOT be used on multipart messages. For
those, an zero-byte body is used with headers including a DKIM-
Signed-Content header that references that various body parts
individually.
Some MIME body parts include an URI reference, and it is possible for
an MDA or MUA to replace a body part with such a reference to an
external store. In such cases, a DKIM-Signature on the body part is
bound to fail; it would however serve to validate the downloaded
content together with the descriptive headers that are signed along
with it. This means that components of the mail system that replace
a body part by an URI reference should try to retain any DKIM-
Signature header. Especially when a bh field is included, it would
be easy to verify a downloaded body part.
Van Rein Expires March 29, 2018 [Page 6]
Internet-Draft Lenient DKIM September 2017
4. IANA Considerations
TODO:REGISTER:HEADER:DKIM-SIGNED-CONTENT
TODO:REGISTER:DKIMCANONALG:CONTENT
5. Security Considerations
TODO: Parts before/after MIME body parts
TODO: Modified MIME separators that also appear in body parts.
Appendix A. Acknowledgements
Author's Address
Rick van Rein
ARPA2.net
Haarlebrink 5
Enschede, Overijssel 7544 WP
The Netherlands
Email: rick@openfortress.nl
Van Rein Expires March 29, 2018 [Page 7]