Internet Engineering Task Force (IETF) M. Kucherawy
Request for Comments: 6212 Cloudmark, Inc.
Category: Standards Track April 2011
ISSN: 2070-1721
Internet Engineering Task Force (IETF) M. Kucherawy
Request for Comments: 6212 Cloudmark, Inc.
Category: Standards Track April 2011
ISSN: 2070-1721
Authentication-Results Registration for Vouch by Reference Results
验证结果注册以按引用结果验证
Abstract
摘要
This memo updates the registry of properties in Authentication-Results: message header fields to allow relaying of the results of a Vouch By Reference query.
此备忘录更新“身份验证结果:消息头”字段中属性的注册表,以允许中继“凭单引用”查询的结果。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6212.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6212.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
2. Keywords ........................................................2
3. Discussion ......................................................2
4. Definition ......................................................3
5. IANA Considerations .............................................4
6. Security Considerations .........................................5
7. References ......................................................5
7.1. Normative References .......................................5
7.2. Informative References .....................................5
Appendix A. Authentication-Results Examples .......................6
A.1. VBR Results ................................................6
Appendix B. Acknowledgements ......................................7
1. Introduction ....................................................2
2. Keywords ........................................................2
3. Discussion ......................................................2
4. Definition ......................................................3
5. IANA Considerations .............................................4
6. Security Considerations .........................................5
7. References ......................................................5
7.1. Normative References .......................................5
7.2. Informative References .....................................5
Appendix A. Authentication-Results Examples .......................6
A.1. VBR Results ................................................6
Appendix B. Acknowledgements ......................................7
[AUTHRES] defined a new header field for electronic mail messages that presents the results of a message authentication effort in a machine-readable format. In the interim, a proposal for rudimentary domain-level reputation assessment, called Vouch By Reference, [VBR] was published and is now beginning to see popular use.
[AUTHRES]为电子邮件定义了一个新的标题字段,该字段以机器可读的格式显示邮件身份验证工作的结果。在此期间,发布了一项名为“参考担保”(Vouch By Reference)[VBR]的基本领域级声誉评估提案,现在开始得到广泛使用。
This memo thus registers an additional reporting property allowing a VBR result to be relayed as an annotation in a message header.
因此,此备忘录注册了一个附加的报告属性,允许VBR结果作为注释中继到消息头中。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[关键词]中所述进行解释。
Vouch By Reference [VBR] introduced a mechanism by which a message receiver can query a "vouching" service to determine whether or not a trusted third party is willing to state that mail from a particular source can be considered legitimate. When this assessment is done at an inbound border mail gateway, it would be useful to relay the result of that assessment to internal mail entities such as filters or user agents.
引用担保[VBR]引入了一种机制,通过该机制,消息接收方可以查询“担保”服务,以确定受信任的第三方是否愿意声明来自特定来源的邮件可以被视为合法邮件。当此评估在入站边界邮件网关上完成时,将评估结果转发给内部邮件实体(如过滤器或用户代理)将非常有用。
Reactions to the information contained in an Authentication-Results header field that contains VBR (or any) results are not specified here, as they are entirely a matter of local policy at the receiver.
此处未指定对包含VBR(或任何)结果的身份验证结果标头字段中包含的信息的反应,因为它们完全是接收方的本地策略问题。
This memo adds to the "Email Authentication Methods" registry, created by IANA upon publication of [AUTHRES], the following:
本备忘录在[AUTHRES]发布后由IANA创建的“电子邮件验证方法”注册表中添加了以下内容:
o The method "vbr"; and
o “vbr”方法;和
o Associated with that method, the properties (reporting items) "header.md" and "header.mv".
o 与该方法关联的属性(报告项)“header.md”和“header.mv”。
If "header.md" is present, its value MUST be the DNS domain name about which a VBR query was made. If "header.mv" is present, its value MUST be the DNS domain name that was queried as the potential voucher for the "header.md" domain.
如果存在“header.md”,则其值必须是进行VBR查询的DNS域名。如果存在“header.mv”,则其值必须是作为“header.md”域的潜在凭证查询的DNS域名。
If the VBR query was made based on the content of a "VBR-Info" header field present on an incoming message, "header.md" is typically taken from the "md" tag of the "VBR-Info" header field, and "header.mv" is typically one of the values of the "mv" tag in the "VBR-Info" header field on that message. However, [VBR] permits a different mechanism for selection of the subject domain and/or list of vouchers, ignoring those present in any "VBR-Info" header field the message might have included. A server could even conduct a VBR query when no "VBR-Info" field was present, based on locally configured policy options. Where such mechanisms are applied, the verifying server MAY generate an Authentication-Results field to relay the results of the VBR query.
如果VBR查询是基于传入消息中“VBR Info”标题字段的内容进行的,“header.md”通常取自“VBR Info”标题字段的“md”标记,“header.mv”通常是该消息“VBR Info”标题字段中“mv”标记的值之一。但是,[VBR]允许使用不同的机制选择主题域和/或凭证列表,忽略消息可能包含的任何“VBR Info”标题字段中的内容。基于本地配置的策略选项,当不存在“VBR信息”字段时,服务器甚至可以执行VBR查询。在应用此类机制的情况下,验证服务器可生成认证结果字段以中继VBR查询的结果。
This memo also adds to the "Email Authentication Result Names" registry the following result codes and definitions:
此备忘录还向“电子邮件身份验证结果名称”注册表添加了以下结果代码和定义:
none: No valid VBR-Info header was found in the message, or a domain name to be queried could not be determined.
无:在邮件中找不到有效的VBR Info标头,或者无法确定要查询的域名。
pass: A VBR query was completed, and the vouching service queried gave a positive response.
通过:VBR查询已完成,查询的凭证服务给出了肯定的响应。
fail: A VBR query was completed, and the vouching service queried did not give a positive response, or the message contained multiple VBR-Info header fields with different "mc" values (see [VBR]).
失败:VBR查询已完成,查询的担保服务未给出肯定响应,或者消息包含多个具有不同“mc”值的VBR信息标题字段(请参见[VBR])。
temperror: A VBR query was attempted but could not be completed due to some error that is likely transient in nature, such as a temporary DNS error. A later attempt may produce a final result.
temperror:已尝试VBR查询,但由于某些可能是暂时性错误(如临时DNS错误)而无法完成。以后的尝试可能会产生最终结果。
permerror: A VBR query was attempted but could not be completed due to some error that is likely not transient in nature, such as a permanent DNS error. A later attempt is unlikely to produce a final result.
permerror:已尝试VBR查询,但由于某些可能不是暂时性的错误(例如永久性DNS错误)而无法完成。以后的尝试不太可能产生最终结果。
Per [IANA], the following items have been added to the "Email Authentication Methods" registry:
根据[IANA],以下项目已添加到“电子邮件身份验证方法”注册表中:
+------------+----------+--------+----------------+-----------------+
| Method | Defined | ptype | property | value |
+------------+----------+--------+----------------+-----------------+
| vbr | RFC 6212 | header | md | DNS domain name |
| | | | | used as the |
| | | | | subject of a |
| | | | | VBR query |
+------------+----------+--------+----------------+-----------------+
| vbr | RFC 6212 | header | mv | DNS domain name |
| | | | | of the entity |
| | | | | acting as |
| | | | | the voucher |
+------------+----------+--------+----------------+-----------------+
+------------+----------+--------+----------------+-----------------+
| Method | Defined | ptype | property | value |
+------------+----------+--------+----------------+-----------------+
| vbr | RFC 6212 | header | md | DNS domain name |
| | | | | used as the |
| | | | | subject of a |
| | | | | VBR query |
+------------+----------+--------+----------------+-----------------+
| vbr | RFC 6212 | header | mv | DNS domain name |
| | | | | of the entity |
| | | | | acting as |
| | | | | the voucher |
+------------+----------+--------+----------------+-----------------+
Also, the following items have been added to the "Email Authentication Result Names" registry:
此外,以下项目已添加到“电子邮件身份验证结果名称”注册表中:
+-----------+--------------+------------+---------+-----------------+
| Code | Existing/New | Defined In | Method | Meaning |
+-----------+--------------+------------+---------+-----------------+
| none | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| pass | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| fail | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| temperror | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| permerror | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
+-----------+--------------+------------+---------+-----------------+
| Code | Existing/New | Defined In | Method | Meaning |
+-----------+--------------+------------+---------+-----------------+
| none | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| pass | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| fail | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| temperror | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
| permerror | existing | RFC 5451 | vbr | Section 4 of |
| | | | (added) | RFC 6212 |
+-----------+--------------+------------+---------+-----------------+
This memo creates a mechanism for relaying [VBR] results using the structure already defined by [AUTHRES]. The Security Considerations sections of those documents should be consulted.
此备忘录创建了一种使用[AUTHRES]已定义的结构中继[VBR]结果的机制。应查阅这些文件的安全考虑部分。
[AUTHRES] Kucherawy, M., "Message Header Field for Indicating Message Authentication Status", RFC 5451, April 2009.
[AUTHRES]Kucherawy,M.,“用于指示消息身份验证状态的消息头字段”,RFC 54512009年4月。
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[关键词]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[VBR] Hoffman, P., Levine, J., and A. Hathcock, "Vouch By Reference", RFC 5518, April 2009.
[VBR]Hoffman,P.,Levine,J.和A.Hathcock,“参考凭证”,RFC 5518,2009年4月。
[IANA] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
[IANA]Narten,T.和H.Alvestrand,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 5226,2008年5月。
This section presents an example of the use of this new header field to indicate VBR results.
本节介绍使用此新标题字段指示VBR结果的示例。
A message that triggered a VBR query, returning a result:
触发VBR查询并返回结果的消息:
Authentication-Results: mail-router.example.net;
dkim=pass (good signature) header.d=newyork.example.com
header.b=oINEO8hg;
vbr=pass (voucher.example.net)
header.md=newyork.example.com
header.mv=voucher.example.org
Received: from newyork.example.com
(newyork.example.com [192.0.2.250])
by mail-router.example.net (8.11.6/8.11.6)
for <recipient@example.net>
with ESMTP id i7PK0sH7021929;
Fri, Feb 15 2002 17:19:22 -0800
DKIM-Signature: v=1; a=rsa-sha256; s=rashani;
d=newyork.example.com;
t=1188964191; c=relaxed/simple;
h=From:Date:To:VBR-Info:Message-Id:Subject;
bh=sEu28nfs9fuZGD/pSr7ANysbY3jtdaQ3Xv9xPQtS0m7=;
b=oINEO8hgn/gnunsg ... 9n9ODSNFSDij3=
From: sender@newyork.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: meetings@example.net
VBR-Info: md=newyork.example.com; mc=list;
mv=voucher.example.org
Message-Id: <12345.abc@newyork.example.com>
Subject: here's a sample
Authentication-Results: mail-router.example.net;
dkim=pass (good signature) header.d=newyork.example.com
header.b=oINEO8hg;
vbr=pass (voucher.example.net)
header.md=newyork.example.com
header.mv=voucher.example.org
Received: from newyork.example.com
(newyork.example.com [192.0.2.250])
by mail-router.example.net (8.11.6/8.11.6)
for <recipient@example.net>
with ESMTP id i7PK0sH7021929;
Fri, Feb 15 2002 17:19:22 -0800
DKIM-Signature: v=1; a=rsa-sha256; s=rashani;
d=newyork.example.com;
t=1188964191; c=relaxed/simple;
h=From:Date:To:VBR-Info:Message-Id:Subject;
bh=sEu28nfs9fuZGD/pSr7ANysbY3jtdaQ3Xv9xPQtS0m7=;
b=oINEO8hgn/gnunsg ... 9n9ODSNFSDij3=
From: sender@newyork.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: meetings@example.net
VBR-Info: md=newyork.example.com; mc=list;
mv=voucher.example.org
Message-Id: <12345.abc@newyork.example.com>
Subject: here's a sample
Example 1: Header Field Reporting Results from a VBR Query
示例1:VBR查询的标题字段报告结果
Here we see an example of a message that was signed using DomainKeys Identified Mail (DKIM) and that also included a VBR-Info header field. On receipt, it is found that the "md=" field in the latter and the "d=" field in the former matched, and also that the DKIM signature verified, so a VBR query was performed. The vouching service, voucher.example.org, indicated that the sender can be trusted, so a "pass" result is included in the Authentication-Results field affixed prior to delivery.
这里我们看到一个使用域密钥标识邮件(DKIM)签名的消息示例,其中还包括一个VBR信息头字段。收到后,发现后者中的“md=”字段与前者中的“d=”字段匹配,并且DKIM签名已验证,因此执行了VBR查询。凭证服务,voucher.example.org,表明发送者可以被信任,因此“通过”结果包含在交付前粘贴的验证结果字段中。
The author wishes to acknowledge the following for their review and constructive criticism of this proposal: JD Falk, John Levine, and Alessandro Vesely.
作者希望感谢以下各方对本提案的审查和建设性批评:JD Falk、John Levine和Alessandro Vesely。
Author's Address
作者地址
Murray S. Kucherawy Cloudmark, Inc. 128 King St., 2nd Floor San Francisco, CA 94107 US
MurayS.KuCaWaWy CuldMax公司,128国王圣,第二楼旧金山,CA 94107美国
Phone: +1 415 946 3800
EMail: msk@cloudmark.com
Phone: +1 415 946 3800
EMail: msk@cloudmark.com