Skip to main content

La Posta Elettronica Certificata - Italian Certified Electronic Mail
draft-gennai-smime-cnipa-pec-08

Revision differences

Document history

Date Rev. By Action
2012-08-22
08 (System) post-migration administrative database adjustment to the Abstain position for Alexey Melnikov
2012-08-22
08 (System) post-migration administrative database adjustment to the No Objection position for Russ Housley
2012-08-22
08 (System) post-migration administrative database adjustment to the No Objection position for Ronald Bonica
2010-12-21
08 Tim Polk Ballot writeup text changed
2010-12-21
08 Tim Polk Ballot writeup text changed
2010-12-15
08 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2010-12-14
08 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2010-12-14
08 (System) IANA Action state changed to In Progress from Waiting on Authors
2010-12-13
08 (System) IANA Action state changed to Waiting on Authors from In Progress
2010-12-13
08 (System) IANA Action state changed to In Progress from Waiting on Authors
2010-12-07
08 (System) IANA Action state changed to Waiting on Authors from On Hold
2010-11-16
08 Tim Polk Ballot writeup text changed
2010-11-16
08 Tim Polk Ballot writeup text changed
2010-11-16
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-11
08 Tim Polk Ballot writeup text changed
2010-11-09
08 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2010-10-25
08 Cindy Morgan IESG state changed to Approved-announcement sent
2010-10-25
08 Cindy Morgan IESG has approved the document
2010-09-15
08 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2010-09-15
08 (System) IANA Action state changed to On Hold from In Progress
2010-09-15
08 (System) IANA Action state changed to In Progress
2010-09-15
08 Cindy Morgan IESG state changed to Approved-announcement sent
2010-09-15
08 Cindy Morgan IESG has approved the document
2010-09-15
08 Cindy Morgan Closed "Approve" ballot
2010-09-14
08 Alexey Melnikov
[Ballot comment]
I am Abstaining on this document for a couple of reasons.

First, there were some concerns raised during IETF LC suggesting that this …
[Ballot comment]
I am Abstaining on this document for a couple of reasons.

First, there were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec.

Secondly, I don;t think that it specifies well requirements it is trying to fulfil and it doesn't use email infrastructure well while doing that.

However I would support an update to this document targeted at Proposed Standard being worked on in collaboration between Application and Security Areas.

--------------------------------------------------

2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.
  If the delivery error concerns a normal email from the Internet
  (non-PEC message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers MUST keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.

5.3. Secure interaction

  An "MX" type record MAY be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321.



6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.

  Through the [LDIF] file, single providers HAVE TO keep a copy of the

If you meant to use an RFC 2119 keyword, then you should use "MUST" instead of "HAVE TO" here.

  directory locally, updated on a daily basis, in order to improve
  system performance by avoiding continuous request dispatches to the
  central system for every message elaboration phase.


The following used to be a DISCUSS:
Section 4.3

There are multiple ways to represent described data structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation?
2010-09-14
08 Alexey Melnikov [Ballot Position Update] Position for Alexey Melnikov has been changed to Abstain from Discuss by Alexey Melnikov
2010-09-03
08 Alexey Melnikov
[Ballot comment]
There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as …
[Ballot comment]
There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.



2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.
  If the delivery error concerns a normal email from the Internet
  (non-PEC message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers MUST keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.

5.3. Secure interaction

  An "MX" type record MAY be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321.



6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.

  Through the [LDIF] file, single providers HAVE TO keep a copy of the

If you meant to use an RFC 2119 keyword, then you should use "MUST" instead of "HAVE TO" here.

  directory locally, updated on a daily basis, in order to improve
  system performance by avoiding continuous request dispatches to the
  central system for every message elaboration phase.


The following used to be a DISCUSS:
Section 4.3

There are multiple ways to represent described data structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation?
2010-09-03
08 Alexey Melnikov
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-08.txt]

After discussing the document with the rest of IESG, there was an agreement that the document needs to …
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-08.txt]

After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.
2010-08-16
08 Ron Bonica [Ballot Position Update] Position for Ron Bonica has been changed to No Objection from Discuss by Ron Bonica
2010-08-16
08 Ron Bonica
[Ballot comment]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might …
[Ballot comment]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might see more virus infected emails in a single 30 day period than you have the resources to store. What do you do then?

2) you might want to identify critical regions of code. For example, you only want to send a receipt after having stored a message to persistent media. Otherwise, if the system were to crash between receipt transmission and storage, the message would be lost.
2010-08-16
08 Ron Bonica
[Ballot discuss]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might …
[Ballot discuss]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might see more virus infected emails in a single 30 day period than you have the resources to store. What do you do then?

2) you might want to identify critical regions of code. For example, you only want to send a receipt after having stored a message to persistent media. Otherwise, if the system were to crash between receipt transmission and storage, the message would be lost.
2010-07-31
08 Alexey Melnikov
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-08.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs …
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-08.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.
2010-07-29
08 (System) New version available: draft-gennai-smime-cnipa-pec-08.txt
2010-07-26
08 Alexey Melnikov
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the …
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.
  If the delivery error concerns a normal email from the Internet
  (non-PEC message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers MUST keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.

5.3. Secure interaction

  An "MX" type record MAY be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321.



6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.

  Through the [LDIF] file, single providers HAVE TO keep a copy of the

If you meant to use an RFC 2119 keyword, then you should use "MUST" instead of "HAVE TO" here.

  directory locally, updated on a daily basis, in order to improve
  system performance by avoiding continuous request dispatches to the
  central system for every message elaboration phase.


The following used to be a DISCUSS:
Section 4.3

There are multiple ways to represent described data structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation?
2010-07-26
08 Alexey Melnikov
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-07.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs …
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-07.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation:


12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339 (e.g. time-offset ABNF). I also think that the surrounding "(" and ")" are misplaced.
2010-07-26
07 (System) New version available: draft-gennai-smime-cnipa-pec-07.txt
2010-03-31
08 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley
2010-03-30
08 Alexey Melnikov
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the …
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.

Last sentence - what exactly are you trying to say here?

  If the delivery error concerns a normal email from the Internet
  (non-PEC message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.

5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.

  Through the [LDIF] file, single providers HAVE TO keep a copy of the

If you meant to use an RFC 2119 keyword, then you should use "MUST" instead of "HAVE TO" here.

  directory locally, updated on a daily basis, in order to improve
  system performance by avoiding continuous request dispatches to the
  central system for every message elaboration phase.


The following used to be a DISCUSS:
Section 4.3

There are multiple ways to represent described data structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.
2010-03-30
08 Alexey Melnikov
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-06.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs …
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-06.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation:

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission (RFC 4409) and message validity requirements defined in RFC 5322?
Are these checks sufficient?

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation? How does the change to base64 line length would affect that?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon user authentication on the system.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus to verify the possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339 (e.g. time-offset ABNF). I also think that the surrounding "(" and ")" are misplaced.
2010-03-19
08 Alexey Melnikov
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the …
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.

Last sentence - what exactly are you trying to say here?

  If the delivery error concerns a normal email from the Internet
  (non-PEC message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.

5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.

  Through the [LDIF] file, single providers HAVE TO keep a copy of the

If you meant to use an RFC 2119 keyword, then you should use "MUST" instead of "HAVE TO" here.

  directory locally, updated on a daily basis, in order to improve
  system performance by avoiding continuous request dispatches to the
  central system for every message elaboration phase.


The following used to be a DISCUSS:
Section 4.3

There are multiple ways to represent described data structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.
2010-03-19
08 Alexey Melnikov
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-06.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs …
[Ballot discuss]
[Updated as per draft-gennai-smime-cnipa-pec-06.txt]


0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation? How does the change to base64 line length would affect that?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon user authentication on the system.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus to verify the possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339 (e.g. time-offset ABNF). I also think that the surrounding "(" and ")" are misplaced.
2010-03-11
08 Alexey Melnikov
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the …
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.

Last sentence - what exactly are you trying to say here?

  If the delivery error concerns a normal email from the Internet (non-PEC
  message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?

5.6. PEC providers directory

  Each provider downloads the LDIF file through ah [HTTPS] session,
  which is authenticated using an X.509 certificate released by a
  certification authority.

I think it would be more correct to say:
  which is authenticated by checking the X.509 certificate issued by a
  certification authority.

But I think a reference to RFC 5280 or better RFC 2818 is needed here as well.
2010-03-11
08 Alexey Melnikov
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the …
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

<>

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation? How does the change to base64 line length would affect
that?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon user authentication on the system.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

<>

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

<>

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus to verify the possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339 (e.g. time-offset ABNF). I also think that the surrounding "(" and ")" are misplaced.
2010-03-11
08 Alexey Melnikov
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the …
[Ballot comment]
2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). The latter is generated only when
  a PEC transport envelopoe encounters a delivery error.

Last sentence - what exactly are you trying to say here?

  If the delivery error concerns a normal email from the Internet (non-PEC
  message), no such notification is emitted.


PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?
2010-03-11
08 Alexey Melnikov
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the …
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

<>

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation? How does the change to base64 line length would affect
that?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon user authentication on the system.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

<>

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

<>

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus to verify the possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339 (e.g. time-offset ABNF). I also think that the surrounding "(" and ")" are misplaced.
2010-03-11
08 Alexey Melnikov
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, …
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, is attributed to one or more

"opposed"?

  documents.


2.1. System-generated messages

  For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). This notification is generated
  when an error relative to the delivery of a correct PEC transport
  envelope is encountered.

Last sentence - what exactly are you trying to say here?

PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?
2010-03-11
08 Alexey Melnikov
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the …
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

3) In section 3.1.2:

      To: [original sender]
      X-Riferimento-Message-ID: [Message-ID of original message]

  The body of this notification is composed of text that
  constitutes the actual notification in readable format according
  to a model that relates the following information:

      Error in message acceptance
      On [date] at [time] ([time zone]), in the message "[subject]"
      originating from "[original sender]" and addressed to:
      [recipient_1]
      [recipient_2]
      .
      .
      .
      [recipient_n]
      a problem was detected which prevents its acceptance due to
      [error description].
      The message was not accepted.
      Message identification: [Message-ID]

(Here and in all other similar sections.)
The way this is defined might encourage lazy implementations that
would try to parse data from the human readable part instead of the
XML version of it. A statement saying that only the XML part must
be parsed would be very useful here.

<>

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

<>

5)
3.3.2.2. Delivery PEC notification: brief

  The brief delivery PEC notification contains the original
  message and a ciphered hash value of each part, which
  SHOULD be calculated on base64 encoded parts.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

Also, if  particular Content-Transfer-Encoding, are CRLFs included in the hash calculation? How does the change to base64 line length would affect
that?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon user authentication on the system.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus to verify the possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  date-fullyear  = 4DIGIT
  date-month      = 2DIGIT  ; 01-12
  date-mday      = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                            ; month/year
  time-hour      = 2DIGIT  ; 00-23
  time-minute    = 2DIGIT  ; 00-59
  time-second    = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap second
                            ; rules
  time-offset  = "(" ("+" / "-") ")" time-hour ":" time-minute

  [...]

  NOTE: This specification follows the
  same definitions and restrictions as in [TIMESTAMP].

This doesn't match RFC 3339. I also think that the surrounding "(" and ")"
are misplaced.
2010-03-08
08 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-03-08
06 (System) New version available: draft-gennai-smime-cnipa-pec-06.txt
2010-01-21
08 Cindy Morgan State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Cindy Morgan
2010-01-21
08 Alexey Melnikov
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, …
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, is attributed to one or more

"opposed"?

  documents.


2.1. System-generated messages

  The PEC system generates messages in MIME format.

This is missing the [MIME1] reference.

  In order for the receiving mail client to verify the signature,
  the sender address MUST coincide with the one indicated within the
  X.509v3 certificate. For this mechanism, PEC transport envelopes
  MUST indicate in the "From:" field a single author's address which
  is different from the one contained in the original message. To
  allow for better message usability by the receiving user, the
  author's mail address in the original message is inserted as a
  "display name". For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.

2.2.2. Incoming point

  o Signature origin - the system verifies whether or not the
    signature belongs to a PEC provider by extracting the certificate
    used for signing and verifying its presence in the PEC providers
    directory. To ease the check, it is possible to calculate the
    certificate's SHA1 hash value and perform a case-insensitive

The reference to SHA-1 definition document is missing.

    search of its hexadecimal representation within the
    "providerCertificateHash" attribute found in the PEC providers
    directory. This operation allows to easily identify the sender
    provider for subsequent and necessary matching checks between the
    extracted certificate and the one present in the provider's
    record;

  o Signature validity - S/MIME signature correctness is verified by
    recalculating the signature value, checking the entire
    certification path, and verifying the CRL and temporal validity of
    the certificate. In case some caching mechanism is used for CRL
    contents, an update interval MUST be adopted so that the most up-
    to-date data is guaranteed, thus minimizing the possible delay
    between a publication revocation by the Certification Authority
    and the variation acknowledgment by the provider;

As above: the reference for CRL checking is missing.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). This notification is generated
  when an error relative to the delivery of a correct PEC transport
  envelope is encountered.

Last sentence - what exactly are you trying to say here?

PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


3.5. Example: Complete transaction between 2 PEC domains

You might want to point out that some of the steps mentioned in this section might occur in parallel (and thus can complete in a different order).




4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  This section lists the prerequisites that must be respected by a
  client in order to guarantee the minimal operative functionalities
  to the user of a general PEC system:

  o handling of access and delivery points through secure channels;

  o handling of user authentication in message dispatch and reception
    phases;

Message reception requires use of IMAP, POP3 or HTTP.
The document doesn't say anything about these.

  o support for MIME format according to [MIME1] and [MIME5];

  o handling of media type "message.rfc822";

I think you meant "message/rfc822" here.
But isn't this implied by the previous item?

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?


9.1. Normative References

  [LDAP]    Legg, S., Editor, "Lightweight Directory Access Protocol
            (LDAP): Syntaxes and Matching Rules", RFC 4517, eB2Bcom,
            June 2006

This should be RFC 4510.
2010-01-21
08 Alexey Melnikov
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the …
[Ballot discuss]
0) After discussing the document with the rest of IESG, there was an agreement that the document needs to explain in details the list of Email related issues that needs to be addressed/fixed, if this document is ever updated to be on the Standard Track.


There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

2)
3.1.2. Non-acceptance PEC notification due to formal exceptions

  The header for such a notification will contain the following
  fields:

      X-Ricevuta: non-accettazione
      Date: [date of notification emission]
      Subject: AVVISO DI NON ACCETTAZIONE: [original subject]
      From: certified-mail@[mail domain]

Is this trying to register a special purpose email address at all participating domains? If yes, the document should call this out explicitly.

3) In the same section:

      To: [original sender]
      X-Riferimento-Message-ID: [Message-ID of original message]

  The body of this notification is composed of text that
  constitutes the actual notification in readable format according
  to a model that relates the following information:

      Error in message acceptance
      On [date] at [time] ([time zone]), in the message "[subject]"
      originating from "[original sender]" and addressed to:
      [recipient_1]
      [recipient_2]
      .
      .
      .
      [recipient_n]
      a problem was detected which prevents its acceptance due to
      [error description].
      The message was not accepted.
      Message identification: [Message-ID]

(Here and in all other similar sections.)
The way this is defined might encourage lazy implementations that
would try to parse data from the human readable part instead of the
XML version of it. A statement saying that only the XML part must
be parsed would be very useful here.

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  In order to decrease the amount of data flowing, it is possible
  for the sender to ask for a delivery PEC notification in "brief"
  format. The brief delivery PEC notification contains the original
  message and a ciphered hash value of each attachment.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon authentication on the system by the user himself.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

7)
5.6. PEC providers directory

  The contents of the PEC providers directory MUST be queried via
  HTTP on SSL, as described in [TLS], exclusively by licensed
  providers that have the necessary user certificates; this access
  modality guarantees authenticity, integrity and confidentiality
  of data.

This doesn't say enough about Web interfaces to be used for querying data.

Also, what about protecting LDAP access itself?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

10)
2.2.1. Access point

  This is what the user client at the sender side interacts with,
  giving the user access to PEC services set up by the provider.
  Such access MUST be preceded by user authentication on the system
  (see section 6.2).

There is no section 6.2 as far as I can see.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus, to understand the motivations and verify the
    possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  Temporal indications supplied by the service in readable format
  (text in PEC notifications, transport envelopes, etc) are provided
  with reference to the legal time at the moment of the operation.
  The date employs the format, "dd/mm/yyyy", whereas the hour uses
  the format, "hh:mm:ss", where "hh" is in 24hour format. The date
  and time are followed by the time zone, i.e. the difference (hours
  and minutes) between local time and UTC, inserted between
  parentheses. Representation of such a value is in the "[+|-]hhmm"
  format, where the first character indicates a positive or negative
  difference.

This seems to be inventing a new date/time format.
If not, can you please point to the exact syntax in ABNF?
(Using a reference to another document defining the format would be fine.)
2010-01-21
08 Cullen Jennings [Ballot discuss]
2010-01-21
08 Cullen Jennings [Ballot Position Update] Position for Cullen Jennings has been changed to No Objection from Discuss by Cullen Jennings
2010-01-21
08 Adrian Farrel [Ballot comment]
I agree that this would be better taken off the Standards Track. To me it looks Informational
2010-01-20
08 Cullen Jennings
[Ballot discuss]
I like to understand the level of review this has received, which track it is on, and who has change control. There seems …
[Ballot discuss]
I like to understand the level of review this has received, which track it is on, and who has change control. There seems to be conflicting comments.
2010-01-20
08 Cullen Jennings [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings
2010-01-20
08 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks
2010-01-20
08 (System) State Changes to IESG Evaluation from IESG Evaluation - Defer by system
2010-01-19
08 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2010-01-19
08 Lars Eggert
[Ballot comment]
>                        Certified Electronic Mail

  The title should make it clear that …
[Ballot comment]
>                        Certified Electronic Mail

  The title should make it clear that this spec is specific to a
  national deployment in Italy.

I also agree with Alexey's DISCUSS on why this is standards track, esp. if change control doesn't lie with the IETF (as Ben pointed out i the gen-art review.) Informational appears to be a much more appropriate category.
2010-01-19
08 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2010-01-18
08 Ron Bonica
[Ballot discuss]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might …
[Ballot discuss]
1) you might want to think about how the operators should respond to a very prolific virus. It is possible that you might see more virus infected emails in a single 30 day period than you have the resources to store. What do you do then?

2) you might want to identify critical regions of code. For example, you only want to send a receipt after having stored a message to persistent media. Otherwise, if the system were to crash between receipt transmission and storage, the message would be lost.
2010-01-18
08 Russ Housley
[Ballot discuss]
The Gen-ART Review Ben Campbell on 05-Jan-2010 raised a few issues:

  If this is an English version of another document, then the …
[Ballot discuss]
The Gen-ART Review Ben Campbell on 05-Jan-2010 raised a few issues:

  If this is an English version of another document, then the front of
  the document should make this clear.  If it includes material that is
  not availble elsewhere, it should be more clear about this too.

  Please add references to the Italian documents.  I assume that those
  documents are authoratative, so change control does not rest with the
  IETF.  The document describes the use of Italian specifications at a
  point in time, but it doesn't give the reader any way to assess
  whether this version will still valid at any point in the future.

  You might want to include a statement recommending that implementors
  follow the authoritative Italian documents, not this one.
2010-01-18
08 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded by Russ Housley
2010-01-18
08 Ron Bonica [Ballot Position Update] New position, Discuss, has been recorded by Ron Bonica
2010-01-17
08 Alexey Melnikov
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, …
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, is attributed to one or more

"opposed"?

  documents.


2.1. System-generated messages

  The PEC system generates messages in MIME format.

This is missing the [MIME1] reference.

  In order for the receiving mail client to verify the signature,
  the sender address MUST coincide with the one indicated within the
  X.509v3 certificate. For this mechanism, PEC transport envelopes
  MUST indicate in the "From:" field a single author's address which
  is different from the one contained in the original message. To
  allow for better message usability by the receiving user, the
  author's mail address in the original message is inserted as a
  "display name". For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.

2.2.2. Incoming point

  o Signature origin - the system verifies whether or not the
    signature belongs to a PEC provider by extracting the certificate
    used for signing and verifying its presence in the PEC providers
    directory. To ease the check, it is possible to calculate the
    certificate's SHA1 hash value and perform a case-insensitive

The reference to SHA-1 definition document is missing.

    search of its hexadecimal representation within the
    "providerCertificateHash" attribute found in the PEC providers
    directory. This operation allows to easily identify the sender
    provider for subsequent and necessary matching checks between the
    extracted certificate and the one present in the provider's
    record;

  o Signature validity - S/MIME signature correctness is verified by
    recalculating the signature value, checking the entire
    certification path, and verifying the CRL and temporal validity of
    the certificate. In case some caching mechanism is used for CRL
    contents, an update interval MUST be adopted so that the most up-
    to-date data is guaranteed, thus minimizing the possible delay
    between a publication revocation by the Certification Authority
    and the variation acknowledgment by the provider;

As above: the reference for CRL checking is missing.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). This notification is generated
  when an error relative to the delivery of a correct PEC transport
  envelope is encountered.

Last sentence - what exactly are you trying to say here?

PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


3.5. Example: Complete transaction between 2 PEC domains

You might want to point out that some of the steps mentioned in this section might occur in parallel (and thus can complete in a different order).




4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  This section lists the prerequisites that must be respected by a
  client in order to guarantee the minimal operative functionalities
  to the user of a general PEC system:

  o handling of access and delivery points through secure channels;

  o handling of user authentication in message dispatch and reception
    phases;

Message reception requires use of IMAP, POP3 or HTTP.
The document doesn't say anything about these.

  o support for MIME format according to [MIME1] and [MIME5];

  o handling of media type "message.rfc822";

I think you meant "message/rfc822" here.
But isn't this implied by the previous item?

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?


9.1. Normative References

  [LDAP]    Legg, S., Editor, "Lightweight Directory Access Protocol
            (LDAP): Syntaxes and Matching Rules", RFC 4517, eB2Bcom,
            June 2006

This should be RFC 4510.
2010-01-17
08 Alexey Melnikov
[Ballot discuss]
DISCUSS DISCUSS (I would like to discuss this with the rest of IESG)

There were some concerns raised during IETF LC suggesting that …
[Ballot discuss]
DISCUSS DISCUSS (I would like to discuss this with the rest of IESG)

There were some concerns raised during IETF LC suggesting that this document should not be published even as Informational, should be published as Historic, or should be published as Information with a big note discouraging new implementations of this spec. I would like to discuss what should be done with this document.


I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

2)
3.1.2. Non-acceptance PEC notification due to formal exceptions

  The header for such a notification will contain the following
  fields:

      X-Ricevuta: non-accettazione
      Date: [date of notification emission]
      Subject: AVVISO DI NON ACCETTAZIONE: [original subject]
      From: certified-mail@[mail domain]

Is this trying to register a special purpose email address at all participating domains? If yes, the document should call this out explicitly.

3) In the same section:

      To: [original sender]
      X-Riferimento-Message-ID: [Message-ID of original message]

  The body of this notification is composed of text that
  constitutes the actual notification in readable format according
  to a model that relates the following information:

      Error in message acceptance
      On [date] at [time] ([time zone]), in the message "[subject]"
      originating from "[original sender]" and addressed to:
      [recipient_1]
      [recipient_2]
      .
      .
      .
      [recipient_n]
      a problem was detected which prevents its acceptance due to
      [error description].
      The message was not accepted.
      Message identification: [Message-ID]

(Here and in all other similar sections.)
The way this is defined might encourage lazy implementations that
would try to parse data from the human readable part instead of the
XML version of it. A statement saying that only the XML part must
be parsed would be very useful here.

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  In order to decrease the amount of data flowing, it is possible
  for the sender to ask for a delivery PEC notification in "brief"
  format. The brief delivery PEC notification contains the original
  message and a ciphered hash value of each attachment.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon authentication on the system by the user himself.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

7)
5.6. PEC providers directory

  The contents of the PEC providers directory MUST be queried via
  HTTP on SSL, as described in [TLS], exclusively by licensed
  providers that have the necessary user certificates; this access
  modality guarantees authenticity, integrity and confidentiality
  of data.

This doesn't say enough about Web interfaces to be used for querying data.

Also, what about protecting LDAP access itself?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

10)
2.2.1. Access point

  This is what the user client at the sender side interacts with,
  giving the user access to PEC services set up by the provider.
  Such access MUST be preceded by user authentication on the system
  (see section 6.2).

There is no section 6.2 as far as I can see.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus, to understand the motivations and verify the
    possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  Temporal indications supplied by the service in readable format
  (text in PEC notifications, transport envelopes, etc) are provided
  with reference to the legal time at the moment of the operation.
  The date employs the format, "dd/mm/yyyy", whereas the hour uses
  the format, "hh:mm:ss", where "hh" is in 24hour format. The date
  and time are followed by the time zone, i.e. the difference (hours
  and minutes) between local time and UTC, inserted between
  parentheses. Representation of such a value is in the "[+|-]hhmm"
  format, where the first character indicates a positive or negative
  difference.

This seems to be inventing a new date/time format.
If not, can you please point to the exact syntax in ABNF?
(Using a reference to another document defining the format would be fine.)
2010-01-17
08 Alexey Melnikov
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, …
[Ballot comment]
1.2.3. Terminology and Definitions

  Time stamp: A digital evidence with which a temporal reference, that
  can be opposed by third parties, is attributed to one or more

"opposed"?

  documents.


2.1. System-generated messages

  The PEC system generates messages in MIME format.

This is missing the [MIME1] reference.

  In order for the receiving mail client to verify the signature,
  the sender address MUST coincide with the one indicated within the
  X.509v3 certificate. For this mechanism, PEC transport envelopes
  MUST indicate in the "From:" field a single author's address which
  is different from the one contained in the original message. To
  allow for better message usability by the receiving user, the
  author's mail address in the original message is inserted as a
  "display name". For example, a "From:" field such as:

        From: "John Smith"

  would result in the following "From:" value in the respective
  PEC transport envelope:

        From: "On behalf of: john.smith@domain.example.com"
                               

This is really hackish. Display names are not intended to be used like this.



2.1.1.2. PEC envelopes

  Messages entering the PEC network are inserted within specific PEC
  messages, called envelopes, before they are allowed to circulate
  further within the network. These envelopes MUST inherit the
  following header fields, along with their unmodified values, from
  the message itself:

  o Received

One can argue that PEC messages are new messages, so they shouldn't be
inheriting Received headers.

2.2.2. Incoming point

  o Signature origin - the system verifies whether or not the
    signature belongs to a PEC provider by extracting the certificate
    used for signing and verifying its presence in the PEC providers
    directory. To ease the check, it is possible to calculate the
    certificate's SHA1 hash value and perform a case-insensitive

The reference to SHA-1 definition document is missing.

    search of its hexadecimal representation within the
    "providerCertificateHash" attribute found in the PEC providers
    directory. This operation allows to easily identify the sender
    provider for subsequent and necessary matching checks between the
    extracted certificate and the one present in the provider's
    record;

  o Signature validity - S/MIME signature correctness is verified by
    recalculating the signature value, checking the entire
    certification path, and verifying the CRL and temporal validity of
    the certificate. In case some caching mechanism is used for CRL
    contents, an update interval MUST be adopted so that the most up-
    to-date data is guaranteed, thus minimizing the possible delay
    between a publication revocation by the Certification Authority
    and the variation acknowledgment by the provider;

As above: the reference for CRL checking is missing.


2.2.3. Delivery point

  If the message received at the delivery point can't be delivered
  to the destination mailbox, the delivery point emits a non-delivery
  PEC notification (section 3.3.3). This notification is generated
  when an error relative to the delivery of a correct PEC transport
  envelope is encountered.

Last sentence - what exactly are you trying to say here?

PECs are used as Non-Delivert Notifications DSNs. Why not use DSNs?

3.1.2. Non-acceptance PEC notification due to formal exceptions

  When the access point cannot forward the message received, due to
  failure in passing the formal checks, the sender is notified of such
  an outcome. If the error is caused by the message failing size
  checks, a non-acceptance PEC notification is sent as long as the
  size remains bound by a certain limit. If the size exceeds said
  limit, error handling is left to SMTP.

SMTP SIZE extension on message submission would have been much better here.

3.1.5. PEC Transport envelope

  As was mentioned in section 2.1.1.2, the PEC transport envelope
  inherits from the original message the values of the following
  header fields, which MUST be related unmodified:

  o Received

  o Return-Path

[...]

  On the other hand, the following fields MUST be modified, or
  inserted if necessary:

      X-Trasporto: posta-certificata
      Date: [actual date of acceptance]
      Subject: POSTA CERTIFICATA: [original subject]
      From: "On behalf of: [original sender]"
                           
      Reply-To: [original sender] (inserted only if not present)
      Message-ID: [PEC message ID generated as explained in 2.2.1]

This is a new message, yet it contains a copy of the original Received headers?

      X-Riferimento-Message-ID: [message ID of original message]
      X-TipoRicevuta: [completa/breve/sintetica]


3.3.2. Delivery PEC notification

  A delivery PEC notification is issued only after a correct PEC
  transport envelope has been delivered to the recipient's mailbox.
  The PEC transport envelope can be easily determined from the
  presence of the following header field:

      X-Trasporto: posta-certificata

How difficult would be to spoof this when S/MIME is used?
If I remember correctly, typically it doesn't protect email header fields.


3.3.2.2. Delivery PEC notification: brief

  The MIME structure of the original message is unaltered as it is
  attached to the notification, but its attachment(s) are substituted
  with as many text files as the attachments are, each containing the
  hash value of the file it substitutes. The attachments are
  identified through the presence of the "name" parameter in the
  header "content-type", or "filename" in the header "content-
  disposition" of the MIME part.

This doesn't seem to be a very reliable way of identifying attachments.


3.5. Example: Complete transaction between 2 PEC domains

You might want to point out that some of the steps mentioned in this section might occur in parallel (and thus can complete in a different order).




4.3. Attachments

  This section describes the characteristics of the various components
  of PEC messages and notifications generated by a PEC system. If one
  of the message parts contains characters with values outside of the
  range 0-127 (7-bit ASCII), that part will have to be adequately
  encoded so that 7-bit transportation compatibility is guaranteed
  (e.g. quoted-printable, base64).

Technically speaking this is not quite correct, because many email
clients/servers support 8BITMIME SMTP extension that allows 8bit Content-Transfer-Encoding.



4.3.1. Message body

  Character set: ISO-8859-1 (Latin-1)
  MIME type: text/plain or multipart/alternative

Nitpicking: ISO-8859-1 is only relevant for text/plain.

In general, use of charsets other than UTF-8 shouldn't be recommended,
unless backward compatibility dictates otherwise.



4.3.3. Certification data

  Character set: UTF-8
  MIME type: application/xml
  Attachment name: certdata.xml

It would have been better if this would have been a new MIME type
(application/...+xml).


4.5. PEC providers directory scheme

  Through the LDIF file, single providers HAVE TO keep a local copy of
  the directory, updated on a daily basis, in order to improve system
  performance by avoiding continuous request dispatches to the central
  system for every message elaboration phase.

This recommendation is ignoring the fact that LDAP Directories support replication and caching, so each provider can use own Directory
which is a shadow copy of the master Directory.


  The LDIF file that encompasses the data of all the PEC providers
  is available, signed using the method described for single providers
  as an HTTPS object, and can be found at the URL to which the

This would need an Informative Reference to the document that
defines HTTPS URI scheme.

  "LDIFLocationURL" attribute in the "dn: o=certmail" record points.


      dn: o=postacert
      objectclass: top
      objectclass: organization
      objectClass: LDIFLocationURLObject
      o: postacert
      LDIFLocationURL: https://igpec.rupa.it/igpec.ldif.p7m

This should be using example.com/org/net domains.

      mailReceipt: takecharge@postalser.it
      LDIFLocationURL: https://services.postalser.it/ldif.txt.p7m
      managedDomains: postal-services.it
      managedDomains: receivedmail.it
      description: Certified mail services for the public

As above. There are other places in example LDIF files where this applies.


5.3. Secure interaction

  To guarantee complete traceability in the flow of PEC messages,
  these MUST NOT transit on systems external to the PEC circuit. When
  exchanging messages between different providers, all transactions
  MUST take place between machines that belong to the PEC circuit, or
  those directly managed by the provider. Secondary PEC messages
  reception systems, if present, MUST be under direct control of the
  provider. An "MX" type record MUST be associated to each PEC domain,
  defined within the system for name resolution.

It would be helpful to point out that that this is in conformance with
RFC 5321. I am not sure why presence of MX records is a MUST-level requirement, email system works with A records just fine.




5.5.1. Provider-related information (subject)

  More precisely, the Subject DN MUST contain the PEC provider's name
  as it is in the "providerName" attribute published in the PEC
  providers directory (section 4.5). The providerName MUST be present
  in the CommonName or OrganizationName attributes of the Subject
  field in the certificate.

Is the certificate Subject DN required to match Provider entry DN as used
in Directory (section 4.5)? Examples later in this section say otherwise,
but an explicit statement one way or another would be helpful here.


6. PEC system client technical and functional prerequisites

  This section lists the prerequisites that must be respected by a
  client in order to guarantee the minimal operative functionalities
  to the user of a general PEC system:

  o handling of access and delivery points through secure channels;

  o handling of user authentication in message dispatch and reception
    phases;

Message reception requires use of IMAP, POP3 or HTTP.
The document doesn't say anything about these.

  o support for MIME format according to [MIME1] and [MIME5];

  o handling of media type "message.rfc822";

I think you meant "message/rfc822" here.
But isn't this implied by the previous item?

  o support for "ISO-8859-1 (Latin-1)" character set;

What about UTF-8 (as used in application/xml)?


9.1. Normative References

  [LDAP]    Legg, S., Editor, "Lightweight Directory Access Protocol
            (LDAP): Syntaxes and Matching Rules", RFC 4517, eB2Bcom,
            June 2006

This should be RFC 4510.
2010-01-17
08 Alexey Melnikov
[Ballot discuss]
I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing …
[Ballot discuss]
I have some concerns that this document is not detailed enough to implement an interoperable implementation. I also think the document is missing some IANA registrations (see below):

1)
3.1.1. Formal checks on messages

  When the access point receives a message the user wishes to send, it
  MUST guarantee said message's formal conformity, verifying that the:

  o message body contains a "From:" field holding a [EMAIL]-compliant
    email address;

  o message body contains a "To:" field holding one or more [EMAIL]-
    compliant email addresses;

Is this trying to redefine validation checks on message Submission
and message validity requirements defined in RFC 5321?
Are these checks sufficient?

2)
3.1.2. Non-acceptance PEC notification due to formal exceptions

  The header for such a notification will contain the following
  fields:

      X-Ricevuta: non-accettazione
      Date: [date of notification emission]
      Subject: AVVISO DI NON ACCETTAZIONE: [original subject]
      From: certified-mail@[mail domain]

Is this trying to register a special purpose email address at all participating domains? If yes, the document should call this out explicitly.

3) In the same section:

      To: [original sender]
      X-Riferimento-Message-ID: [Message-ID of original message]

  The body of this notification is composed of text that
  constitutes the actual notification in readable format according
  to a model that relates the following information:

      Error in message acceptance
      On [date] at [time] ([time zone]), in the message "[subject]"
      originating from "[original sender]" and addressed to:
      [recipient_1]
      [recipient_2]
      .
      .
      .
      [recipient_n]
      a problem was detected which prevents its acceptance due to
      [error description].
      The message was not accepted.
      Message identification: [Message-ID]

(Here and in all other similar sections.)
The way this is defined might encourage lazy implementations that
would try to parse data from the human readable part instead of the
XML version of it. A statement saying that only the XML part must
be parsed would be very useful here.

4) In the same section:

  The same certification information is inserted within an XML file
  to be attached to the notification message, allowing automatic
  checks on the message (section 4.4).

Here and in sections 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.1, 3.2.2, 3.2.3, 3.2.4 ...:
There are multiple ways to represent this structure in email.
In order to insure interoperability you need to describe which choices
are acceptable. For example, if you mean that the message is a multipart/mixed (or multipart/alternative) with the first part being the textual part and the second part being the XML data, you should say so.

5)
3.3.2.2. Delivery PEC notification: brief

  In order to decrease the amount of data flowing, it is possible
  for the sender to ask for a delivery PEC notification in "brief"
  format. The brief delivery PEC notification contains the original
  message and a ciphered hash value of each attachment.

Note that an intermediate MTA can change Content-Transfer-Encoding of a message body part. How do changes to the Content-Transfer-Encoding of an attachment affect hash values?

6)
5.2. Authentication

  User access to PEC services through the access point MUST be allowed
  upon authentication on the system by the user himself.

I am not sure what this is trying to say. Is this requiring user authentication by the submission service?

7)
5.6. PEC providers directory

  The contents of the PEC providers directory MUST be queried via
  HTTP on SSL, as described in [TLS], exclusively by licensed
  providers that have the necessary user certificates; this access
  modality guarantees authenticity, integrity and confidentiality
  of data.

This doesn't say enough about Web interfaces to be used for querying data.

Also, what about protecting LDAP access itself?

8)
8. IANA Considerations

  This document does not require any consideration from the IANA.

Are think this is an error.  Firstly, you need to register the new
LDAP attributes:

  "LDIFLocationURL"
  "managedDomains"
  "mailReceipt"
  "providerCertificateHash"
  "providerCertificate"
  "providerName"
  "providerUnit"

Secondly, you should register the header fields (see my comments for the
Appendix A below).

9)
Appendix A: Italian fields and values in English

  X-Riferimento-Message-ID        X-Reference-Message-ID
  X-Ricevuta                      X-Notification
    non-accettazione                non-acceptance
    accettazione                    acceptance
    preavviso-errore-consegna      delivery-error-advance-notice
    presa-in-carico                take-charge
    rilevazione-virus              virus-detection
    errore-consegna                delivery-error
    avvenuta-consegna              message-delivered
  X-VerificaSicurezza            X-SecurityVerification
  X-Trasporto                    X-Transport
    posta-certificata              certified-mail
    errore                          error
  X-VerificaSicurezza            X-SecurityVerification
    errore                          error
  X-TipoRicevuta                  X-NotificationType
    completa                        complete
    breve                          brief
    sintetica                      concise

A. Are both Italian and English variants of these fields in use?
If only Italian versions are in use, the table should be clearer
that the right column just contains English translations.

B. Why are they not registered with the IANA? This is especially
important if there are multiple deployments of the spec.

10)
2.2.1. Access point

  This is what the user client at the sender side interacts with,
  giving the user access to PEC services set up by the provider.
  Such access MUST be preceded by user authentication on the system
  (see section 6.2).

There is no section 6.2 as far as I can see.

11)
2.2.2. Incoming point

  When a virus is detected inside a PEC transport envelope during the
  reception phase, the receiver's provider emits a virus detection PEC
  notification to the sender provider. The sender provider then MUST:

  o check what virus typologies were not detected by its own
    antivirus, to understand the motivations and verify the
    possibility of interventions;

How can this MUST be achieved?
The virus is either detected or not, if it is not detected, there is
no virus as far as the system is concerned.

12)
4.2. User date/time

  Temporal indications supplied by the service in readable format
  (text in PEC notifications, transport envelopes, etc) are provided
  with reference to the legal time at the moment of the operation.
  The date employs the format, "dd/mm/yyyy", whereas the hour uses
  the format, "hh:mm:ss", where "hh" is in 24hour format. The date
  and time are followed by the time zone, i.e. the difference (hours
  and minutes) between local time and UTC, inserted between
  parentheses. Representation of such a value is in the "[+|-]hhmm"
  format, where the first character indicates a positive or negative
  difference.

This seems to be inventing a new date/time format.
If not, can you please point to the exact syntax in ABNF?
(Using a reference to another document defining the format would be fine.)
2010-01-14
08 Sam Weiler Request for Last Call review by SECDIR Completed. Reviewer: Eric Rescorla.
2010-01-08
08 (System) Removed from agenda for telechat - 2010-01-07
2010-01-07
08 Alexey Melnikov State Changes to IESG Evaluation - Defer from IESG Evaluation by Alexey Melnikov
2010-01-06
08 Tim Polk Ballot has been issued by Tim Polk
2010-01-06
08 Tim Polk [Ballot Position Update] New position, Yes, has been recorded by Tim Polk
2010-01-06
08 Jari Arkko
[Ballot comment]
Tools issue: How is it possible that this document is on the agenda, yet
without a Yes marked for the sponsoring AD? And …
[Ballot comment]
Tools issue: How is it possible that this document is on the agenda, yet
without a Yes marked for the sponsoring AD? And I can't get to the
ballot from the tracker page, even if I can get to it from the
agenda page.

The document says:

  Whether the virus be
  detected by the sender's access point or the receiver's incoming
  point, the provider that detects it MUST store the mail message in
  its own storage, and keep it for 30 months.

I fail to see the usefulness of this mechanism, except perhaps for
hard disk manufacturers. There is a non-delivery message in any case.
But I understand that all this is required by Italian law...

I am also troubled by the specification of virus processing details,
particularly with MUST keywords. The virus detection mechanisms are by
their nature heuristic, and there will always be some amount of false
positives and negatives.

Why does the specification handle viruses but no spam? Authentication
of e-mail senders does not prevent unsolicited commercial e-mail.

I did not see the security considerations section mentioning the
possibility that despite strong authentication of users with passwords,
it is possible that that malicious code on the user's machine
has sent the mail on his behalf.

I would have preferred to see some of the X-header definitions in
ABNF, as opposed to verbal descriptions.
2010-01-06
08 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko
2010-01-06
08 Jari Arkko
[Ballot comment]
How is it possible that this document is on the agenda, yet without a Yes
marked for the sponsoring AD?

The document says: …
[Ballot comment]
How is it possible that this document is on the agenda, yet without a Yes
marked for the sponsoring AD?

The document says:

  Whether the virus be
  detected by the sender's access point or the receiver's incoming
  point, the provider that detects it MUST store the mail message in
  its own storage, and keep it for 30 months.

I fail to see the usefulness of this mechanism, except perhaps for
hard disk manufacturers. There is a non-delivery message in any case.
But I understand that all this is required by Italian law...

I am also troubled by the specification of virus processing details,
particularly with MUST keywords. The virus detection mechanisms are by
their nature heuristic, and there will always be some amount of false
positives and negatives.

Why does the specification handle viruses but no spam? Authentication
of e-mail senders does not prevent unsolicited commercial e-mail.

I did not see the security considerations section mentioning the
possibility that despite strong authentication of users with passwords,
it is possible that that malicious code on the user's machine
has sent the mail on his behalf.
2010-01-06
08 Jari Arkko
[Ballot comment]
How is it possible that this document is on the agenda, yet without a Yes
marked for the sponsoring AD?

The document says: …
[Ballot comment]
How is it possible that this document is on the agenda, yet without a Yes
marked for the sponsoring AD?

The document says:

  Whether the virus be
  detected by the sender's access point or the receiver's incoming
  point, the provider that detects it MUST store the mail message in
  its own storage, and keep it for 30 months.

I fail to see the usefulness of this mechanism, except perhaps for
hard disk manufacturers. There is a non-delivery message in any case.

I am also troubled by the specification of virus processing details,
particularly with MUST keywords. The virus and spam detection
mechanisms are by their nature heuristic, and there will always be
some amount of false positives and negatives.
2010-01-06
08 Jari Arkko [Ballot comment]
How is it possible that this document is on the agenda, yet without a Yes
marked for the sponsoring AD?
2010-01-06
08 Amy Vezza State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Amy Vezza
2009-12-28
08 Alexey Melnikov [Ballot Position Update] New position, Discuss, has been recorded by Alexey Melnikov
2009-12-28
08 Alexey Melnikov Created "Approve" ballot
2009-12-10
08 Tim Polk Placed on agenda for telechat - 2010-01-07 by Tim Polk
2009-12-10
08 Tim Polk Intended Status has been changed to Informational from Proposed Standard
2009-12-10
08 Tim Polk Intended Status has been changed to Informational from Proposed Standard
2009-11-10
08 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2009-11-06
08 Amanda Baber IANA comments:

As described in the IANA Considerations section, we understand this
document to have NO IANA Actions.
2009-10-16
08 Sam Weiler Request for Last Call review by SECDIR is assigned to Eric Rescorla
2009-10-16
08 Sam Weiler Request for Last Call review by SECDIR is assigned to Eric Rescorla
2009-10-13
08 Cindy Morgan Last call sent
2009-10-13
08 Cindy Morgan State Changes to In Last Call from Last Call Requested by Cindy Morgan
2009-10-13
08 Tim Polk Last Call was requested by Tim Polk
2009-10-13
08 Tim Polk State Changes to Last Call Requested from Publication Requested by Tim Polk
2009-10-13
08 (System) Ballot writeup text was added
2009-10-13
08 (System) Last call text was added
2009-10-13
08 (System) Ballot approval text was added
2009-10-13
08 Tim Polk Intended Status has been changed to Proposed Standard from None
2009-10-13
08 Tim Polk [Note]: 'Sean Turner <turners@ieca.com> is the document shepherd.' added by Tim Polk
2009-10-13
08 Tim Polk
Title: Certified Electronic Mail
ID: http://www.ietf.org/internet-drafts/draft-gennai-smime-cnipa-pec-05
Intended Status: Proposed Standard

1.a - Sean Turner is the document Shepherd.  He has personally reviewed
the document and …
Title: Certified Electronic Mail
ID: http://www.ietf.org/internet-drafts/draft-gennai-smime-cnipa-pec-05
Intended Status: Proposed Standard

1.a - Sean Turner is the document Shepherd.  He has personally reviewed
the document and asserts that it is ready for IESG publication.
1.b - The document was presented to the SMIME WG at IETF 71 and has been
reviewed by a few SMIME WG members. There are no concerns about depth or
breadth of the reviews.
1.c - I so no need for wider review.
1.d - There are no specific concerns that the AD and/or IESG should be
aware of.
1.e - N/A
1.f - There has been no threat of appeal.
1.g - The document satisfies all ID nits.
1.h - The document splits its references.
1.i - The document has an IANA consideration and it is consistent with
the main body (there are no IANA considerations).
1.j - The XML contained in the document is verified.

***I have to take you word for 1.j!?

Technical Summary

Posta Elettronica Certificata (PEC) defines an official electronic
delivery service analogous to the postal service's registered mail with
return receipt.  Originators use an unaltered User Agent (UA) to submit
emails to a PEC provider who performs checks  (e.g., formatting, virus)
on the message and then returns an acceptance receipt to the originator.
After returning the acceptance receipt the PEC provider, the PEC
provider generates the signed "transport message" that includes the
original message and certification data (e.g., date and time of
dispatch, sender email address, recipient(s) email address(es), subject,
and message ID) and sends it to the recipient's PEC provider.  Upon
receipt of the transport message, the recipient's PEC provider returns a
signed  take charge receipt, which also includes certification data, to
the originator's PEC provider indicating that the recipient's PEC
provider has agreed to deliver the message.  The recipient's PEC
provider then delivers the message to the recipients mailbox.  After
successful delivery, the recipient's PEC provider returns a signed
delivery notification to the originator.  Both terse and verbose
responses are supported as well as error conditions.  The above system
also relies on an PEC Direcotry (LDAP-based) to store certificates and
CRLs, which are checked during signature verifications by the originator
and recipient PEC providers.

Working Group Summary

The PEC concept was pitched to the SMIME WG at IETF 71.  Numerous
questions were asked and answered to the satisfaction of the WG.  The WG
did not adopt the PEC ID as a WG item not due to lack of interest, but
due to lack of man power (SMIME is not very active at this point). The
WG did agree to discuss it on the mailing list.  Reviews, comments, and
revisions were posted on the mailing list.

Document Quality

This document has already been implemented by the following vendors:
Tmail, OpenPec, In Rete PEC, Microsoft, Critical Path, Babel,
InnovaPuglia, and Infocert.  In addition, the vendors undergo
interoperability testing amongst each other to ensure they have properly
implemented PEC.

Note that the SMTP header fields use Italian as opposed to English.  The
Shepherd assumed that this was acceptable from a standardization
perspective.  An Italian-to-English translation is provided in an Appendix.

Personnel

Sean Turner is the document Shepherd.  Tim Polk is the sponsoring AD.
2009-10-13
08 Tim Polk Draft Added by Tim Polk in state Publication Requested
2009-10-13
08 Tim Polk [Note]: 'Sean Turner  is the document shepherd.' added by Tim Polk
2009-09-17
05 (System) New version available: draft-gennai-smime-cnipa-pec-05.txt
2009-06-24
04 (System) New version available: draft-gennai-smime-cnipa-pec-04.txt
2009-06-08
03 (System) New version available: draft-gennai-smime-cnipa-pec-03.txt
2009-02-06
02 (System) New version available: draft-gennai-smime-cnipa-pec-02.txt
2008-10-27
01 (System) New version available: draft-gennai-smime-cnipa-pec-01.txt
2008-06-30
00 (System) New version available: draft-gennai-smime-cnipa-pec-00.txt