<pre>Independent Submission                                       L. Cailleux
Request for Comments: 7508                                        DGA MI
Category: Experimental                                        C. Bonatti
ISSN: 2070-1721                                                     IECA
                                                              April 2015


                   <span class="h1">Securing Header Fields with S/MIME</span>

Abstract

   This document describes how the S/MIME protocol can be extended in
   order to secure message header fields defined in <a href="./rfc5322">RFC 5322</a>.  This
   technology provides security services such as data integrity, non-
   repudiation, and confidentiality.  This extension is referred to as
   'Secure Headers'.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This is a contribution to the RFC Series, independently
   of any other RFC stream.  The RFC Editor has chosen to publish this
   document at its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see <a href="./rfc5741#section-2">Section&nbsp;2 of RFC 5741</a>.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   <a href="http://www.rfc-editor.org/info/rfc7508">http://www.rfc-editor.org/info/rfc7508</a>.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.





<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


Table of Contents

   <a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
   <a href="#section-2">2</a>. Terminology and Conventions Used in This Document ...............<a href="#page-3">3</a>
   <a href="#section-3">3</a>. Context .........................................................<a href="#page-4">4</a>
   <a href="#section-4">4</a>. Mechanisms to Secure Message Header Fields ......................<a href="#page-6">6</a>
      <a href="#section-4.1">4.1</a>. ASN.1 Syntax of Secure Header Fields .......................<a href="#page-7">7</a>
      <a href="#section-4.2">4.2</a>. Secure Header Fields Length and Format .....................<a href="#page-8">8</a>
      <a href="#section-4.3">4.3</a>. Canonicalization Algorithm .................................<a href="#page-8">8</a>
      <a href="#section-4.4">4.4</a>. Header Field Statuses ......................................<a href="#page-8">8</a>
      <a href="#section-4.5">4.5</a>. Signature Process ..........................................<a href="#page-9">9</a>
           <a href="#section-4.5.1">4.5.1</a>. Signature Generation Process ........................<a href="#page-9">9</a>
           <a href="#section-4.5.2">4.5.2</a>. Signature Verification Process .....................<a href="#page-10">10</a>
      <a href="#section-4.6">4.6</a>. Encryption and Decryption Processes .......................<a href="#page-11">11</a>
           <a href="#section-4.6.1">4.6.1</a>. Encryption Process .................................<a href="#page-11">11</a>
           <a href="#section-4.6.2">4.6.2</a>. Decryption Process .................................<a href="#page-12">12</a>
   <a href="#section-5">5</a>. Case of Triple Wrapping ........................................<a href="#page-13">13</a>
   <a href="#section-6">6</a>. Security Gateways ..............................................<a href="#page-13">13</a>
   <a href="#section-7">7</a>. Security Considerations ........................................<a href="#page-13">13</a>
   <a href="#section-8">8</a>. IANA Considerations ............................................<a href="#page-14">14</a>
   <a href="#section-9">9</a>. References .....................................................<a href="#page-14">14</a>
      <a href="#section-9.1">9.1</a>. Normative References ......................................<a href="#page-14">14</a>
      <a href="#section-9.2">9.2</a>. Informative References ....................................<a href="#page-15">15</a>
   <a href="#appendix-A">Appendix A</a>. Formal Syntax of Secure Header ........................<a href="#page-16">16</a>
   <a href="#appendix-B">Appendix B</a>. Example of Secure Header Fields .......................<a href="#page-18">18</a>
   Acknowledgements ..................................................<a href="#page-19">19</a>
   Authors' Addresses ................................................<a href="#page-19">19</a>

<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>.  Introduction</span>

   The S/MIME [<a href="./rfc5751" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification&quot;">RFC5751</a>] standard defines a data encapsulation format for
   the achievement of end-to-end security services such as integrity,
   authentication, non-repudiation, and confidentiality.  By default,
   S/MIME secures message body parts, at the exclusion of the message
   header fields.

   S/MIME provides an alternative solution to secure header fields: "the
   sending client MAY wrap a full MIME message in a message/rfc822
   wrapper in order to apply S/MIME security services to header fields".
   However, the S/MIME solution doesn't provide any guidance regarding
   what subset of message header fields to secure, procedures for
   clients to reconcile the "inner" and "outer" headers, or procedures
   for client interpretation or display of any failures.

   Several other security specifications supplement S/MIME features but
   fail to address the target requirement set of this document.  Such
   other security specifications include DomainKeys Identified Mail
   (DKIM) [<a href="./rfc6376" title="&quot;DomainKeys Identified Mail (DKIM) Signatures&quot;">RFC6376</a>], STARTTLS [<a href="./rfc3207" title="&quot;SMTP Service Extension for Secure SMTP over Transport Layer Security&quot;">RFC3207</a>], TLS with IMAP [<a href="./rfc2595" title="&quot;Using TLS with IMAP, POP3 and ACAP&quot;">RFC2595</a>], and an



<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   Internet-Draft referred to as "Protected Headers" [<a href="#ref-PRHDRS" title="&quot;Header Protection for S/MIME&quot;">PRHDRS</a>].  An
   explanation of what these services accomplish and why they do not
   solve this problem can be found in subsequent sections.

   The goal of this document is to define end-to-end secure header field
   mechanisms compliant with S/MIME standard.  This technique is based
   on the signed attribute fields of a Cryptographic Message Syntax
   (CMS) [<a href="./rfc5652" title="&quot;Cryptographic Message Syntax (CMS)&quot;">RFC5652</a>] signature.

<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>.  Terminology and Conventions Used in This Document</span>

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [<a href="./rfc2119" title="&quot;Key words for use in RFCs to Indicate Requirement Levels&quot;">RFC2119</a>].

   The terms Message User Agent (MUA), Message Submission Agent (MSA),
   and Message Transfer Agent (MTA) are defined in the email
   architecture document [<a href="./rfc5598" title="&quot;Internet Mail Architecture&quot;">RFC5598</a>].

   The term Domain Confidentiality Authority (DCA) is defined in the
   S/MIME Domain Security specification [<a href="./rfc3183" title="&quot;Domain Security Services using S/MIME&quot;">RFC3183</a>].

   End-to-end Internet Mail exchanges are performed between message
   originators and recipients.

   The term message header fields is described in [<a href="./rfc5322" title="&quot;Internet Message Format&quot;">RFC5322</a>].  A header
   field is composed of a name and a value.

   Secure Headers technology uses header field statuses required to
   provide a confidentiality service toward message headers.  The
   following three terms are used to describe the field statuses:

   -  duplicated (the default status).  When this status is present or
      if no status is specified, the signature process embeds the header
      field value in the digital signature, but the value is also
      present in the message header fields.

   -  deleted.  When this status is present, the signature process
      embeds the header field value in the digital signature, and the
      encryption process deletes this field from the message to preserve
      its confidentiality.

   -  modified.  When this status is present, the signature process
      embeds the header field value in the digital signature, and the
      encryption process modifies the value of the header field in the
      message.  This preserves confidentiality and informs a receiver's





<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


      noncompliant MUA that secure headers are being used.  New values
      for each field might be configured by the sender (i.e., "This
      header is secured; use a compliant client.").

   The term non-repudiation is used throughout this document in
   deference to the usage in the S/MIME Message Specification [<a href="./rfc5751" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification&quot;">RFC5751</a>].
   It is recognized that this term carries with it much baggage, and
   that there is some disagreement as to its proper meaning and usage.
   However, in the context of this document, the term merely refers to
   one set of possible security services that a conforming
   implementation might be able to provide.  This document specifies no
   normative requirements for non-repudiation.

<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>.  Context</span>

   Over the Internet, email use has grown and today represents a
   fundamental service.  Meanwhile, continually increasing threat levels
   are motivating the implementation of security services.

   Historically, SMTP [<a href="./rfc5321" title="&quot;Simple Mail Transfer Protocol&quot;">RFC5321</a>] and the Internet Message Format (IMF)
   [<a href="./rfc5322" title="&quot;Internet Message Format&quot;">RFC5322</a>] don't provide, by default, security services.  The S/MIME
   standard [<a href="./rfc5751" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification&quot;">RFC5751</a>] was published in order to address these needs.
   S/MIME defines a data encapsulation format for the provision of end-
   to-end security services such as integrity, authentication, non-
   repudiation, and confidentiality.  By default, S/MIME secures message
   body parts, at the exclusion of the message header fields.  In order
   to protect message header fields (for instance, the "Subject", "To",
   "From", or customized fields), several solutions exist.

   In <a href="./rfc5751#section-3.1">Section&nbsp;3.1 of [RFC5751]</a>, S/MIME defines an encapsulation
   mechanism:

      [<a id="ref-...">...</a>] the sending client MAY wrap a full MIME message in a
      message/rfc822 wrapper in order to apply S/MIME security services
      to these header fields.  It is up to the receiving client to
      decide how to present this "inner" header along with the
      unprotected "outer" header.

   However, some use cases are not addressed, especially in the case of
   message encryption.  What happens when header fields are encrypted?
   How does the receiving client display these header fields?  How can a
   subset of header fields be secured?  S/MIME doesn't address these
   issues.








<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   Some partial header protection is provided by the S/MIME Certificate
   Handling specification [<a href="./rfc5750" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Certificate Handling&quot;">RFC5750</a>]:

      Receiving agents MUST check that the address in the From or Sender
      header of a mail message matches an Internet mail address, if
      present, in the signer's certificate, if mail addresses are
      present in the certificate.

   In some cases, this may provide assurance of the integrity of the
   From or Sender header values.  However, the solution in <a href="./rfc5750">RFC 5750</a> only
   provides a matching mechanism between email addresses and provides no
   protection to other header fields.

   Other security specifications (introduced below) exist such as DKIM,
   STARTTLS and TLS with IMAP, but they meet other needs (signing
   domain, secure channels, etc.).

   STARTTLS and TLS with IMAP provide secure channels between components
   of the email system (MUA, MSA, MTA, etc.), but end-to-end integrity
   cannot be guaranteed.

   DKIM defines a domain-level authentication framework for email.
   While this permits integrity and origination checks on message header
   fields and the message body, it does this for a domain actor (usually
   the SMTP service or equivalent) and not for the entity that is
   sending, and thus signing, the message.  (Extensions to DKIM might be
   able to solve this issue by authenticating the sender and making a
   statement of this fact as part of the signed message headers.)  DKIM
   is also deficient for our purposes, as it does not provide a
   confidentially service.

   An Internet-Draft referred to as "Protected Headers" [<a href="#ref-PRHDRS" title="&quot;Header Protection for S/MIME&quot;">PRHDRS</a>] has
   been proposed.  Mechanisms described in that document are the
   following:

      [<a id="ref-...">...</a>] a digest value is computed over the canonicalized version of
      some selected header fields.  This technique resembles header
      protection in [<a href="./rfc4871">RFC4871</a>].  Then the digest value is included in a
      signed attribute field of a CMS signature.

   (Note that <a href="./rfc4871">RFC 4871</a> has been obsoleted by <a href="./rfc6376">RFC 6376</a>.)

   That specification doesn't address all conceivable requirements as
   noted below.  If the protected header field has been altered, the
   original value cannot be determined by the recipient.  In addition,
   the encryption service cannot provide confidentiality for fields that
   must remain present in the message header during transport.




<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   This document proposes a technology for securing message header
   fields.  It's referred to as "Secure Headers".  It is based on S/MIME
   and CMS standards.  It provides security services such as data
   integrity, confidentiality, and non-repudiation of the sender.
   Secure Headers is backward compatible with other S/MIME clients.
   S/MIME clients who have not implemented Secure Headers technology
   need merely ignore specific signed attributes fields in a CMS
   signature (which is the default behavior).

<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>.  Mechanisms to Secure Message Header Fields</span>

   Secure Headers technology involves the description of a security
   policy.  This policy MUST describe a secure message profile and list
   the header fields to secure.  How this security policy is agreed upon
   or communicated is beyond the scope of this document.

   Secure headers are based on the signed attributes field as defined in
   CMS.  The details are as follows.  The message header fields to be
   secured are integrated in a structure (SecureHeaderFields structure)
   that is encapsulated in the signed attributes structure of the
   SignerInfo object.  There is only one value of HeaderFields encoded
   into a single SignedAttribute in a signature.  See <a href="#appendix-A">Appendix A</a> for an
   example.  For each header field present in the secure signature, a
   status can be set.  Then, as described in <a href="#section-5.4">Section 5.4</a> of CMS
   [<a href="./rfc5652" title="&quot;Cryptographic Message Syntax (CMS)&quot;">RFC5652</a>], the message digest calculation process computes a message
   digest on the content together with the signed attributes.  Details
   of the signature generation process are in <a href="#section-4.5.1">Section 4.5.1</a> of this
   document.

   Verification of secure header fields is based on the signature
   verification process described in CMS.  At the end of this process, a
   comparison between the secure header fields and the corresponding
   message header fields is performed.  If they match, the signature is
   valid.  Otherwise, the signature is invalid.  Details of the
   signature verification process are in <a href="#section-4.5.2">Section 4.5.2</a> of this document.

   Non-conforming S/MIME clients will ignore the signed attribute
   containing the SecureHeaderFields structure, and only perform the
   verification process described in CMS.  This guarantees backward
   compatibility.

   Secure headers provide security services such as data integrity, non-
   repudiation, and confidentiality.








<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   For different reasons (e.g., usability, limits of IMAP [<a href="./rfc3501" title="&quot;INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1&quot;">RFC3501</a>]),
   encryption and decryption processes are performed by a third party.
   The third party that performs these processes is referred to in the
   Domain Security specification as a Domain Confidentiality Authority
   (DCA).  Details of the encryption and decryption processes are in
   Sections <a href="#section-4.6.1">4.6.1</a> and <a href="#section-4.6.2">4.6.2</a> of this document.

   The architecture of Secure Headers is presented below.  The MUA
   performs the signature generation process (C) and signature
   verification process (F).  The DCA performs the message encryption
   process (D) and message decryption process (E).  The encryption and
   decryption processes are optional.

             A Domain                             B Domain
     +----------------------+             +----------------------+

     +-----+          +-----+             +-----+          +-----+
     | MUA | -------&gt; | DCA | ----------&gt; | DCA |--------&gt; | MUA |
     |  C  |          |  D  |             |  E  |          |  F  |
     +-----+          +-----+             +-----+          +-----+
             SignedMsg        EncryptedMsg        SignedMsg

                  Figure 1: Architecture of Secure Headers

<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>.  ASN.1 Syntax of Secure Header Fields</span>

   The ASN.1 syntax [<a href="#ref-ASN1-88" title="Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1)">ASN1-88</a>] of the SecureHeaderFields structure is as
   follows:

      SecureHeaderFields ::= SET {
         canonAlgorithm Algorithm,
         secHeaderFields HeaderFields }

      id-aa-secureHeaderFieldsIdentifier OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) id-aa(2) secureHeaderFieldsIdentifier(55) }

      Algorithm ::= ENUMERATED {
         canonAlgorithmSimple(0),
         canonAlgorithmRelaxed(1) }

      HeaderFields ::= SEQUENCE SIZE (1..MAX) OF HeaderField

      HeaderField ::= SEQUENCE {
         field-Name HeaderFieldName,
         field-Value HeaderFieldValue,
         field-Status HeaderFieldStatus DEFAULT duplicated }




<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


      HeaderFieldName ::= VisibleString (FROM (ALL EXCEPT (":")))
           -- This description matches the description of
           -- field name in Sections <a href="#section-2.2">2.2</a> and <a href="#section-3.6.8">3.6.8</a> of <a href="./rfc5322">RFC 5322</a>

      HeaderFieldValue ::= UTF8String
           -- This description matches the description of
           -- field body in <a href="./rfc5322#section-2.2">Section&nbsp;2.2 of RFC 5322</a> as
           -- extended by <a href="./rfc6532#section-3.1">Section&nbsp;3.1 of RFC 6532</a>.

      HeaderFieldStatus ::= INTEGER {
         duplicated(0), deleted(1), modified(2) }

<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>.  Secure Header Fields Length and Format</span>

   This specification requires MUA security capabilities in order to
   process well-formed headers, as specified in IMF.  Notice that it
   includes long header fields and folded header fields.

<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>.  Canonicalization Algorithm</span>

   During a message transfer through a messaging system, some components
   might modify headers (i.e., adding or deleting space, changing or
   lowercase or uppercase).  This might lead to a comparison mismatch of
   header fields.  This emphasizes the need of a conversion process in
   order to transform data to their canonical form.  This process is
   named the canonicalization process.

   Two canonicalization algorithms are considered here, according to
   <a href="#section-3.4">Section 3.4</a> of the DKIM specification [<a href="./rfc6376" title="&quot;DomainKeys Identified Mail (DKIM) Signatures&quot;">RFC6376</a>].  The "simple"
   algorithm doesn't allow any modification, whereas the "relaxed"
   algorithm accepts slight modifications like space replacement or line
   reformatting.  Given the scope of this document, canonicalization
   mechanisms only involve header fields.

   Implementations SHOULD use the "relaxed" algorithm to promote
   interoperability with non-conforming SMTP products.

<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>.  Header Field Statuses</span>

   Header field statuses are necessary to provide a confidentiality
   service for message headers.  In this specification, the
   confidentiality of header fields is provided by the DCA.  This point
   is described in <a href="#section-4">Section 4</a>.  The DCA performs the message encryption
   process and message decryption process; these processes are described
   in detail in Sections <a href="#section-4.6.1">4.6.1</a> and <a href="#section-4.6.2">4.6.2</a>.  Although header field
   statuses are embedded in the signature, the signature processes





<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   (generation and verification) ignore them.  The header field status
   defaults to "duplicated".  If the header field is confidential, the
   header field status MUST be either "deleted" or "modified".

<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>.  Signature Process</span>

<span class="h4"><a class="selflink" id="section-4.5.1" href="#section-4.5.1">4.5.1</a>.  Signature Generation Process</span>

   During the signature generation process, the sender's MUA MUST embed
   the SecureHeaderFields structure in the signed attributes, as
   described in CMS.  The SecureHeaderFields structure MUST include a
   canonicalization algorithm.

   The sender's MUA MUST have a list of header fields to secure,
   statuses, and a canonicalization algorithm, as defined by the
   security policy.

   Header fields (names and values) embedded in signed attributes MUST
   be the same as those included in the initial message.

   If different headers share the same name, all instances MUST be
   included in the SecureHeaderFields structure.

   If multiple signatures are used, as explained in the CMS and Multiple
   Signer [<a href="./rfc4853" title="&quot;Cryptographic Message Syntax (CMS) Multiple Signer Clarification&quot;">RFC4853</a>] specifications, the SecureHeaderFields structure
   MUST be the same in each SignerInfos object.

   If a header field is present and its value is empty, HeaderFieldValue
   MUST have a zero-length field-Value.

   Considering secure header mechanisms, the signature generation
   process MUST perform the following steps:

      1) Select the relevant header fields to secure.  This subset of
         headers is defined according the security policy.

      2) Apply the canonicalization algorithm for each selected header
         field.

      3) Complete the following fields in the SecureHeaderFields
         structure according to the initial message: HeaderFieldName,
         HeaderFieldValue, and HeaderFieldStatus.

      4) Complete the algorithm field according to the canonicalization
         algorithm configured.

      5) Embed the SecureHeaderFields structure in the signed attributes
         of the SignerInfos object.



<span class="grey">Cailleux &amp; Bonatti            Experimental                      [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


      6) Compute the signature generation process as described in
         <a href="#section-5.5">Section 5.5</a> of CMS [<a href="./rfc5652" title="&quot;Cryptographic Message Syntax (CMS)&quot;">RFC5652</a>].

<span class="h4"><a class="selflink" id="section-4.5.2" href="#section-4.5.2">4.5.2</a>.  Signature Verification Process</span>

   During the signature verification process, the receiver's MUA
   compares header fields embedded in the SecureHeaderFields structure
   with those present in the message.  For this purpose, it uses the
   canonicalization algorithm identified in the signed attributes.  If a
   mismatch appears during the comparison process, the receiver's MUA
   MUST invalidate the signature.  The MUA MUST display information on
   the validity of each header field.  It MUST also display the values
   embedded in the signature.

   The receiver's MUA MUST know the list of mandatory header fields in
   order to verify their presence in the message.  If a header field
   defined in a message is in the secure header list, it MUST be
   included in the SecureHeaderFields structure.  Otherwise, the
   receiver's MUA MUST warn the user that a non-secure header is
   present.

   Considering secure header mechanisms, the signature verification
   process MUST perform the following steps:

      1) Execute the signature verification process as described <a href="#section-5.6">Section</a>
         <a href="#section-5.6">5.6</a> of CMS [<a href="./rfc5652" title="&quot;Cryptographic Message Syntax (CMS)&quot;">RFC5652</a>].  If the signature appears to be invalid,
         the process ends.  Otherwise, the process continues.

      2) Read the type of canonicalization algorithm specified in the
         SecureHeaderFields structure.

      3) For each field present in the signature, find the matching
         header in the message.  If there is no matching header, the
         verification process MUST warn the user, specifying the missing
         header name.  The signature is tagged as invalid.  Note that
         any header fields encrypted as per <a href="#section-4.6">Section 4.6</a> (i.e., status of
         "deleted" or "modified") have been are already restored by the
         DCA when the signature verification process is performed by the
         MUA.

      4) Compute the canonicalization algorithm for each header field
         value in the message.  If the "simple" algorithm is used, the
         steps described in <a href="#section-3.4.1">Section 3.4.1</a> of DKIM [<a href="./rfc6376" title="&quot;DomainKeys Identified Mail (DKIM) Signatures&quot;">RFC6376</a>] are
         performed.  If the relaxed algorithm is used, the steps
         described in <a href="#section-3.4.2">Section 3.4.2</a> of DKIM [<a href="./rfc6376" title="&quot;DomainKeys Identified Mail (DKIM) Signatures&quot;">RFC6376</a>] are performed.






<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


      5) For each field, compare the value stored in the
         SecureHeaderFields structure with the value returned by the
         canonicalization algorithm.  If the values don't match, the
         verification process MUST warn the user.  This warning MUST
         mention mismatching fields.  The signature is tagged as
         invalid.  If all the comparisons succeed, the verification
         process MUST also notify the user (i.e., using an appropriate
         icon).

      6) Verify that no secure header has been added to the message
         header, given the initial fields.  If an extra header field has
         been added, the verification process MUST warn the user.  This
         warning MUST mention extra fields.  The signature is tagged as
         invalid.  This step is only performed if the sender and the
         recipient share the same security policy.

      7) Verify that each mandatory header in the security policy and
         present in the message is also embedded in the
         SecureHeaderFields structure.  If such headers are missing, the
         verification process MUST warn the user and indicate the names
         of the missing headers.

   The MUA MUST display the properties of each secure header field
   (name, value, and status) and the canonicalization algorithm used.

<span class="h3"><a class="selflink" id="section-4.6" href="#section-4.6">4.6</a>.  Encryption and Decryption Processes</span>

   Encryption and decryption operations are not performed by MUAs.  This
   is mainly justified by limitations of existing email delivery
   protocols, for example, IMAP.  The solution developed here relies on
   concepts explained in <a href="#section-4">Section 4</a> of the Domain Security specification
   [<a href="./rfc3183" title="&quot;Domain Security Services using S/MIME&quot;">RFC3183</a>].  A fundamental component of the architecture is the Domain
   Confidentiality Authority (DCA).  Its purpose is to encrypt and
   decrypt messages instead of that being performed by senders and
   receivers (respectively).

<span class="h4"><a class="selflink" id="section-4.6.1" href="#section-4.6.1">4.6.1</a>.  Encryption Process</span>

   All the computations presented in this section MUST be performed only
   if the following conditions are verified:

      -  The content to be encrypted MUST consist of a signed message
         (application/pkcs7-mime with SignedData, or multipart/signed)
         as shown in <a href="#section-3.4">Section 3.4</a> of the S/MIME specification [<a href="./rfc5751" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification&quot;">RFC5751</a>].

      -  A SecureHeaderFields structure MUST be included in the
         signedAttrs field of the SignerInfo object of the signature.




<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   All the mechanisms described below MUST start at the beginning of the
   encryption process, as explained in CMS.  They are performed by the
   sender's DCA.  For extraction of the field status, the following
   steps MUST be performed for each field included in the
   SecureHeaderFields structure:

      1. If the status is "duplicated", the field is left at its
         existing value.

      2. If the status is "deleted", the header field (name and value)
         is removed from the message.  Mandatory header fields specified
         in [<a href="./rfc5322" title="&quot;Internet Message Format&quot;">RFC5322</a>] MUST be kept.

      3. If the status is "modified", the header value is replaced by a
         new value, as configured in the DCA.

<span class="h4"><a class="selflink" id="section-4.6.2" href="#section-4.6.2">4.6.2</a>.  Decryption Process</span>

   All the computations presented in this section MUST be performed only
   if the following conditions are verified:

      -  The decrypted content MUST consist of a signature object or a
         multipart object, where one part is a detached signature, as
         shown in <a href="#section-3.4">Section 3.4</a> of the S/MIME specification [<a href="./rfc5751" title="&quot;Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification&quot;">RFC5751</a>].

      -  A SecureHeaderFields structure MUST be included in the
         SignerInfo object of the signature.

   All the mechanisms described below MUST start at the end of the
   decryption process, as explained in CMS.  They are executed by the
   receiver's DCA.  The following steps MUST be performed for each field
   included in the SecureHeaderFields structure:

      1. If the status is "duplicated", the field is left at its
         existing value.

      2. If the status is "deleted", the DCA MUST write a header field
         (name and value) in the message.  This header MUST be compliant
         with the information embedded in the signature.

      3. If the status is "modified", the DCA MUST rewrite a header
         field in the message.  This header MUST be compliant with the
         SecureHeaderFields structure.








<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>.  Case of Triple Wrapping</span>

   Secure Headers mechanisms MAY be used with triple wrapping, as
   described in Enhanced Security Services (ESS) [<a href="./rfc2634" title="&quot;Enhanced Security Services for S/MIME&quot;">RFC2634</a>].  In this
   case, a SecureHeaderFields structure MAY be present in the inner
   signature, the outer signature, or both.  In the last case, the two
   SecureHeaderFields structures MAY differ.  One MAY consider the
   encapsulation of a header field in the inner signature in order to
   satisfy confidentiality needs.  On the contrary, an outer signature
   encapsulation MAY help for delivery purposes.  The sender's MUA and
   receiver's MUA must have a security policy for triple wrapping.  This
   security policy MUST be composed of two parts -- one for the inner
   signature and the other for the outer signature.

<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>.  Security Gateways</span>

   Some security gateways sign or verify messages that pass through
   them.  Compliant gateways MUST apply the process described in <a href="#section-4.5">Section</a>
   <a href="#section-4.5">4.5</a>.

   For noncompliant gateways, the presence of a SecureHeaderFields
   structure does not change their behavior.

   In some case, gateways MUST generate a new signature or insert
   signerInfos into the signedData block.  The format of signatures
   generated by gateways is outside the scope of this document.

<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>.  Security Considerations</span>

   This specification describes an extension of the S/MIME standard.  It
   provides message header integrity, non-repudiation, and
   confidentiality.  The signature and encryption processes are
   complementary.  However, according to the security policy, only the
   signature mechanism is applicable.  In this case, the signature
   process is implemented between MUAs.  The encryption process requires
   signed messages with the Secure Headers extension.  If required, the
   encryption process is implemented by DCAs.

   This specification doesn't address end-to-end confidentiality for
   message header fields.  Messages sent and received by MUAs could be
   transmitted as plaintext.  In order to avoid interception, the use of
   TLS is recommended between MUAs and DCAs (uplink and downlink).
   Another solution might be the use of S/MIME between MUAs and DCAs in
   the same domain.

   For the header field confidentiality mechanism to be effective, all
   DCAs supporting confidentiality must support Secure Headers
   processing.  Otherwise, there is a risk that headers are not obscured



<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


   upon encryption or not restored upon decryption.  In the former case,
   confidentiality of the header fields is compromised.  In the latter
   case, the integrity of the headers will appear to be compromised.

<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>.  IANA Considerations</span>

   IANA has registered value 65, mod-sMimeSecureHeadersV1, in the "SMI
   Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)"
   registry.

   IANA has also registered value 55,
   id-aa-secureHeaderFieldsIdentifier, in the "SMI Security for S/MIME
   Attributes (1.2.840.113549.1.9.16.2)" registry.  This value will be
   used to identify an authenticated attribute carried within a CMS
   wrapper [<a href="./rfc5652" title="&quot;Cryptographic Message Syntax (CMS)&quot;">RFC5652</a>].  This attribute OID appears in <a href="#section-4.1">Section 4.1</a> and
   again in the reference definition in <a href="#appendix-A">Appendix A</a>.

<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>.  References</span>

<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>.  Normative References</span>

   [<a id="ref-RFC2119">RFC2119</a>]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997,
              &lt;<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>&gt;.

   [<a id="ref-RFC2634">RFC2634</a>]  Hoffman, P., Ed., "Enhanced Security Services for S/MIME",
              <a href="./rfc2634">RFC 2634</a>, June 1999,
              &lt;<a href="http://www.rfc-editor.org/info/rfc2634">http://www.rfc-editor.org/info/rfc2634</a>&gt;.

   [<a id="ref-RFC4853">RFC4853</a>]  Housley, R., "Cryptographic Message Syntax (CMS) Multiple
              Signer Clarification", <a href="./rfc4853">RFC 4853</a>, April 2007,
              &lt;<a href="http://www.rfc-editor.org/info/rfc4853">http://www.rfc-editor.org/info/rfc4853</a>&gt;.

   [<a id="ref-RFC5322">RFC5322</a>]  Resnick, P., Ed., "Internet Message Format", <a href="./rfc5322">RFC 5322</a>,
              October 2008, &lt;<a href="http://www.rfc-editor.org/info/rfc5322">http://www.rfc-editor.org/info/rfc5322</a>&gt;.

   [<a id="ref-RFC5652">RFC5652</a>]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              <a href="./rfc5652">RFC 5652</a>, September 2009,
              &lt;<a href="http://www.rfc-editor.org/info/rfc5652">http://www.rfc-editor.org/info/rfc5652</a>&gt;.

   [<a id="ref-RFC6376">RFC6376</a>]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              <a href="./rfc6376">RFC 6376</a>, September 2011,
              &lt;<a href="http://www.rfc-editor.org/info/rfc6376">http://www.rfc-editor.org/info/rfc6376</a>&gt;.

   [<a id="ref-ASN1-88">ASN1-88</a>]  CCITT, Recommendation X.208: Specification of Abstract
              Syntax Notation One (ASN.1), 1988.




<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>.  Informative References</span>

   [<a id="ref-PRHDRS">PRHDRS</a>]   Liao, L. and J. Schwenk, "Header Protection for S/MIME",
              <a href="./draft-liao-smimeheaderprotect-05">draft-liao-smimeheaderprotect-05</a>, Work in Progress, June
              2009.

   [<a id="ref-RFC2595">RFC2595</a>]  Newman, C., "Using TLS with IMAP, POP3 and ACAP", <a href="./rfc2595">RFC</a>
              <a href="./rfc2595">2595</a>, June 1999, &lt;<a href="http://www.rfc-editor.org/info/rfc2595">http://www.rfc-editor.org/info/rfc2595</a>&gt;.

   [<a id="ref-RFC3183">RFC3183</a>]  Dean, T. and W. Ottaway, "Domain Security Services using
              S/MIME", <a href="./rfc3183">RFC 3183</a>, October 2001,
              &lt;<a href="http://www.rfc-editor.org/info/rfc3183">http://www.rfc-editor.org/info/rfc3183</a>&gt;.

   [<a id="ref-RFC3207">RFC3207</a>]  Hoffman, P., "SMTP Service Extension for Secure SMTP over
              Transport Layer Security", <a href="./rfc3207">RFC 3207</a>, February 2002,
              &lt;<a href="http://www.rfc-editor.org/info/rfc3207">http://www.rfc-editor.org/info/rfc3207</a>&gt;.

   [<a id="ref-RFC3501">RFC3501</a>]  Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
              4rev1", <a href="./rfc3501">RFC 3501</a>, March 2003,
              &lt;<a href="http://www.rfc-editor.org/info/rfc3501">http://www.rfc-editor.org/info/rfc3501</a>&gt;.

   [<a id="ref-RFC5321">RFC5321</a>]  Klensin, J., "Simple Mail Transfer Protocol", <a href="./rfc5321">RFC 5321</a>,
              October 2008, &lt;<a href="http://www.rfc-editor.org/info/rfc5321">http://www.rfc-editor.org/info/rfc5321</a>&gt;.

   [<a id="ref-RFC5598">RFC5598</a>]  Crocker, D., "Internet Mail Architecture", <a href="./rfc5598">RFC 5598</a>, July
              2009, &lt;<a href="http://www.rfc-editor.org/info/rfc5598">http://www.rfc-editor.org/info/rfc5598</a>&gt;.

   [<a id="ref-RFC5750">RFC5750</a>]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Certificate
              Handling", <a href="./rfc5750">RFC 5750</a>, January 2010,
              &lt;<a href="http://www.rfc-editor.org/info/rfc5750">http://www.rfc-editor.org/info/rfc5750</a>&gt;.

   [<a id="ref-RFC5751">RFC5751</a>]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", <a href="./rfc5751">RFC 5751</a>, January 2010,
              &lt;<a href="http://www.rfc-editor.org/info/rfc5751">http://www.rfc-editor.org/info/rfc5751</a>&gt;.















<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>.  Formal Syntax of Secure Header</span>

   Note: The ASN.1 module contained herein uses the 1988 version of
   ASN.1 notation [<a href="#ref-ASN1-88" title="Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1)">ASN1-88</a>] for the purposes of alignment with the
   existing S/MIME specifications.  The SecureHeaderFields structure is
   defined as follows:

     mod-SMimeSecureHeadersV1
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs-9(9) smime(16) modules(0) secure-headers-v1(65) }

     DEFINITIONS IMPLICIT TAGS ::=

     BEGIN

     IMPORTS

       id-aa
            FROM SecureMimeMessageV3dot1
                 { iso(1) member-body(2) us(840) rsadsi(113549)
                 pkcs(1) pkcs-9(9) smime(16) modules(0)
                 msg-v3dot1(21) };

     -- id-aa is the arc with all new authenticated and
     -- unauthenticated attributes produced by the S/MIME
     -- Working Group

      id-aa-secureHeaderFieldsIdentifier OBJECT IDENTIFIER ::= {
         id-aa secure-headers(55) }

      SecureHeaderFields ::= SET {
           canonAlgorithm Algorithm,
           secHeaderFields HeaderFields }

      Algorithm ::= ENUMERATED {
           canonAlgorithmSimple(0),
           canonAlgorithmRelaxed(1) }

      HeaderFields ::= SEQUENCE SIZE (1..MAX) OF HeaderField

      HeaderField ::= SEQUENCE {
           field-Name HeaderFieldName,
           field-Value HeaderFieldValue,
           field-Status HeaderFieldStatus DEFAULT duplicated }

      HeaderFieldName ::= VisibleString (FROM (ALL EXCEPT (":")))
           -- This description matches with the description of
           -- field name in the Sections <a href="#section-2.2">2.2</a> and <a href="#section-3.6.8">3.6.8</a> of <a href="./rfc5322">RFC 5322</a>



<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


      HeaderFieldValue ::= UTF8String
           -- This description matches with the description of
           -- field body in the <a href="./rfc5322#section-2.2">Section&nbsp;2.2 of RFC 5322</a> as
           -- extended by <a href="./rfc6532#section-3.1">Section&nbsp;3.1 of RFC 6532</a>.

      HeaderFieldStatus ::= INTEGER {
           duplicated(0), deleted(1), modified(2) }

      END










































<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>.  Example of Secure Header Fields</span>

   In the following example, the header fields subject,
   x-ximf-primary-precedence, and x-ximf-correspondance-type are secured
   and integrated in a SecureHeaderFields structure.  This example
   should produce a valid signature.

   Extract from the message header fields:

      From: John Doe &lt;jdoe@example.com&gt;
      To: Mary Smith &lt;mary@example.com&gt;
      subject: This is a test of Ext.
      x-ximf-primary-precedence: priority
      x-ximf-correspondance-type: official

   The SecureHeaderFields structure extracted from the signature:

   2286  150: SEQUENCE {
   2289   11:   OBJECT IDENTIFIER '1 2 840 113549 1 9 16 2 80'
   2302  134:   SET {
   2305  131:     SET {
   2308    4:       ENUMERATED 1
   2314  123:       SEQUENCE {
   2316   40:         SEQUENCE {
   2318   25:           VisibleString 'x-ximf-primary-precedence'
   2345    8:           UTF8String 'priority'
   2355    1:           INTEGER 0
            :           }
   2358   41:         SEQUENCE {
   2360   26:           VisibleString 'x-ximf-correspondance-type'
   2388    8:           UTF8String 'official'
   2398    1:           INTEGER 0
            :           }
   2401   36:         SEQUENCE {
   2403    7:           VisibleString 'subject'
   2412   22:           UTF8String 'This is a test of Ext.'
   2436    1:           INTEGER 0
            :           }
            :         }
            :       }
            :     }
            :   }

   The example is displayed as an output of Peter Gutmann's "dumpasn1"
   program.

   OID used in this example is nonofficial.




<span class="grey">Cailleux &amp; Bonatti            Experimental                     [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7508">RFC 7508</a>           Securing Header Fields with S/MIME         April 2015</span>


Acknowledgements

   The authors would like to thank Jim Schaad, Alexey Melnikov, Damien
   Roque, Thibault Cassan, William Ottaway, and Sean Turner who kindly
   provided reviews of the document and/or suggestions for improvement.
   As always, all errors and omissions are the responsibility of the
   authors.

Authors' Addresses

   Laurent CAILLEUX
   DGA MI
   BP 7
   35998 RENNES CEDEX 9
   France

   EMail: laurent.cailleux@intradef.gouv.fr


   Chris Bonatti
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA  22031
   United States

   EMail: bonatti252@ieca.com

























Cailleux &amp; Bonatti            Experimental                     [Page 19]
</pre>