Requirements for Message Access Control

Document Type Expired Internet-Draft (individual)
Authors Trevor Freeman  , Jim Schaad  , Patrick Patterson 
Last updated 2015-09-09 (latest revision 2015-03-08)
Replaces draft-freeman-message-access-control-req
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


S/MIME delivers confidentiality, integrity, and data origination authentication for email. However, there are many situations where organizations also want robust access control applied to information in messages. The Enhanced Security Services (ESS) RFC5035 for S/MIME defines an access control mechanism for email, but the access check happens after the data is decrypted by the recipient which devalues the protection afforded by the cryptography and provides very weak guarantees of policy compliance. Another major issues for S/MIME is its dependency on a single type of identity credential, an X.509 certificate. Many users on the Internet today do not have X.509 certificates and therefore cannot use S/MIME. Furthermore, the requirement to discover the X.509 certificate for every recipient of an encrypted message by the sender has proven to be an unreliable process for a number of reasons. This document presents requirements for an alternative model to ESS to address the identified issues with access control in order to deliver more robust compliance for S/MIME protected messages. This document describes an access control model which uses cryptographic keys to enforce access control policy decisions where the policy check is performed prior to the decryption of the message contents. This authorization model can be instantiated using many existing standards and is in not intended to be a one off just for email, being applicable to other data types. This document also presents requirements for the abstraction of the specifics of the authentication technologies used by S/MIME users. The abstraction makes it possible for other forms of authentication credentials to be used with S/MIME thereby enabling much broader adoption. The authentication abstraction model also removes the dependency on the need to discover encryption keys by the sender. This abstraction can be used independently from access control to enable simple scenarios where authentication of the recipient is sufficient to grant access to the message. The name Plasma was assigned to this effort as part of the IETF process. It is derived from PoLicy enhAnced Secure eMAil.


Trevor Freeman (
Jim Schaad (
Patrick Patterson (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)