Internet-Draft | Use of SMTPUTF8 addresses in EPP | March 2023 |
Belyavskiy & Gould | Expires 28 September 2023 | [Page] |
This document describes an EPP command-response extension that permits the usage of Internationalized Email Addresses in the EPP protocol and specifies the terms when it can be used by EPP clients and servers. The Extensible Provisioning Protocol (EPP), being developed before the standards for SMTPUTF8 compliant addresses, does not support such email addresses.¶
TO BE REMOVED on turning to RFC: The document is edited in the dedicated github repo. Please send your submissions via GitHub.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
[RFC6530] introduced the framework for Internationalized Email Addresses. To make such addresses more widely accepted, the changes to various protocols need to be introduced.¶
This document describes an Extensible Provisioning Protocol (EPP) command-response extension, defined in [RFC5730] , that permits usage of Internationalized Email Addresses in the EPP protocol and specifies the terms when it can be used by EPP clients and servers. The extension is used to apply the rules for the processing of email address elements in all of the [RFC5730] extensions negotiated in the EPP session, which include the object and command-responses extensions. The extension can be applied to any object or command-response extension that uses an email address.¶
The Extensible Provisioning Protocol (EPP) specified in [RFC5730] is a base document for object management operations and an extensible framework that maps protocol operations to objects. The specifics of various objects managed via EPP is described in separate documents. This document is only referring to an email address as a property of a managed object, such as the <contact:email> element in the EPP contact mapping [RFC5733] or the <org:email> element in the EPP organization mapping [RFC8543], and command-response extensions applied to a managed object.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Servers that implement this extension SHOULD provide a way for clients to progressively update their implementations when a new version of the extension is deployed. A newer version of the extension is expected to use an XML namespace URI with a higher version number than the prior versions.¶
Support of non-ASCII email address syntax is defined in RFC 6530 [RFC6530]. This mapping does not prescribe minimum or maximum lengths for character strings used to represent email addresses. The exact syntax of such addresses is described in Section 3.3 of [RFC6531]. The validation rules introduced in RFC 6531 MUST be followed when processing this extension.¶
The definition of email address in the EPP RFCs, including Section 2.6 of [RFC5733] and Section 4.1.2, 4.2.1, and 4.2.5 of [RFC8543], references [RFC5322] for the email address syntax. The XML schema definition in Section 4 of [RFC5733] and Section 5 of [RFC8543] defines the "email" element using the type "eppcom:minTokenType", which is defined in Section 4.2 of [RFC5730] as an XML schema "token" type with minimal length of one. The XML schema "token" type will fully support the use of SMTPUTF8 compliant addresses so the primary application of the extension is to apply the use of [RFC6531] instead of [RFC5322] for the email address syntax. Other EPP extensions may follow the formal syntax definition using the XML schema type "eppcom:minTokenType" and the [RFC5322] format specification, where this extension applies to all EPP extensions with the same or similar definitions.¶
The email address format is formally defined in Section 3.4.1 of [RFC5322], which only consists of printable US-ASCII characters for both the local-part and the domain ABNF rules. [RFC6531] extends the Mailbox, Local-part and Domain ABNF rules in [RFC5321] to support "UTF8-non-ascii", defined in Section 3.1 of [RFC6532], for the local-part and U-label, defined in Section 2.3.2.1 of [RFC5890], for the domain. By applying the syntax rules of [RFC6531], the EPP extensions will change from supporting only ASCII characters to supporting Internationalized characters both in the email address local-part and domain-part.¶
The extension applies to all object extensions and command-response extensions negotiated in the EPP session that include email address properties. Examples include the <contact:email> element in the EPP contact mapping [RFC5733] or the <org:email> element in the EPP organization mapping [RFC8543]. All registry zones (e.g., top-level domains) authorized for the client in the EPP session apply. There is no concept of a per-client, per-zone, per-extension, or per-field setting that is used to indicate support for SMTPUTF8 compliant addresses, but instead it's a global setting that applies to the EPP session.¶
The client and the server can signal support for the extension using a namespace URI in the login and greeting extension services respectively. The namespace URI "urn:ietf:params:xml:ns:epp:smtputf8-1.0" is used to signal support for the extension. The client includes the namespace URI in an <svcExtension> <extURI> element of the [RFC5730] <login> Command. The server includes the namespace URI in an <svcExtension> <extURI> element of the [RFC5730] Greeting.¶
If both client and server have indicated the support of the SMTPUTF8 addresses during the session establishment, they MUST be able to process the SMTPUTF8 address in any message having an email property during the established EPP session. Below are the server and client obligations when the SMTPUTF8 extension has been successfuly negotiated in the EPP session.¶
The server MUST satisfy the following obligations when the SMTPUTF8 extension has been negotiated:¶
The client MUST satisfy the following obligations when the SMTPUTF8 extension has been negotiated:¶
The lack of SMTPUTF8 adresses support can cause data and functional issues, so an SMTPUTF8 supporting client or server needs to handle cases where the opposite party doesn't support SMTPUTF8 addresses processing. Below are the server and client obligations when the SMTPUTF8 extension is not negotiated due to the lack of support by the peer.¶
The SMTPUTF8 supporting server MUST satisfy the following obligations when the client does not support the SMTPUTF8 extension:¶
The SMTPUTF8 supporting client MUST satisfy the following obligations when the server does not support the SMTPUTF8 extension:¶
This document uses URNs to describe XML namespaces conforming to a registry mechanism described in RFC 3688 [RFC3688]. The following URI assignment should be made by IANA:¶
Registration request for the smtputf8 namespace:¶
URI: urn:ietf:params:xml:ns:epp:smtputf8-1.0 Registrant Contact: IESG XML: None. Namespace URIs do not represent an XML specification.¶
The EPP extension described in this document should be registered by IANA in the "Extensions for the Extensible Provisioning Protocol (EPP)" registry described in RFC 7451 [RFC7451]. The details of the registration are as follows:¶
Note to RFC Editor: Please remove this section and the reference to RFC 7942 [RFC7942] before publication.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942 [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.¶
According to RFC 7942 [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".¶
Organization: Verisign Inc.¶
Name: Verisign EPP SDK¶
Description: The Verisign EPP SDK includes both a full client implementation and a full server stub implementation of draft-ietf-regext-epp-smtputf8.¶
Level of maturity: Development¶
Coverage: All aspects of the protocol are implemented.¶
Licensing: GNU Lesser General Public License¶
Contact: jgould@verisign.com¶
URL: https://www.verisign.com/en_US/channel-resources/domain-registry-products/epp-sdks¶
As is noted in Section 10.1 and Section 13 of [RFC6530], unconstrained Unicode in email addresses can introduce a class of security threats that do not exist with all-ASCII email addresses. As EPP exists in ecosystems where email addresses passed in EPP are displayed in RDAP and other services and copy-and-paste of these email addresses is common for businesses transferring domains via EPP, there should be safeguards against these threats. Therefore, usage of the SMTPUTF8 email addresses as specified in this document SHOULD be done with policies that disallow the use of unconstrained Unicode. The domain-part of these SMTPUTF8 email addresses SHOULD conform to IDNA2008. The local-part of these SMTPUTF8 email addresses SHOULD be restricted to Unicode that does not introduce the threats noted in [RFC6530]. One such possible solution would be to disallow characters outside of Unicode Annex 31 (https://unicode.org/reports/tr31/).¶
As email address is often a primary end user contact, an invalid email address may put the communication with the end user into risk in case when such contact is necessary. In case of an invalid domain name in the email address a malicious actor can register a valid domain name with similar U-label (homograph attack) and get a control over the domain name associated with the contact using social engineering techniques. To reduce the risk of the use of invalid domain names in email addresses, registries SHOULD validate the domain name syntax in the provided email addresses and validate whether the domain name consists of the code points allowed by IDNA Rules and Derived Property Values.¶
When the SMTPUTF8 extension is negotiated by both the client and the server, the client and server obligations defined in Section 5.3.1 MUST be satisfied. If the obligations are not satisfied by either the client or server, the SMTPUTF8 address may be mishandled in processing or storage and be unusable.¶
The authors would like to thank Alexander Mayrhofer, Andy Newton, Chris Lonvick, Gustavo Lozano, Jody Kolker, John C Klensin, John Levine, Klaus Malorny, Marc Blanchet, Marco Schrieck, Mario Loffredo, Murray S. Kucherawy, Patrick Mevzek, Pete Resnick, Scott Hollenbeck, Takahiro Nemoto, Taras Heichenko, and Thomas Corte for their careful review and valuable comments.¶