]> Agent Attribution Header Fields Google, Inc.
weihaw@google.com
Google, Inc.
emgu@google.com
Independent Stream Agent Attribution Identity When human users communicate with autonomous computer agent users, the human users should be able to identify that communication as coming from agent users and know which humans are responsible for the agent users. This document specifies email header fields that an email sender can use to transmit agent user attribution information to email receivers. The first header field is human readable and specifies the agent's responsible humans' email address. The second header field is machine readable and specified in JSON attribution information.
Introduction Recent autonomous computer agent users have gained the capability to communicate with human users through such means such as emails (). Human users should be able to identify that communication as coming from computer agents. They should also be able to identify which humans are responsible for the agent, that is the human owner of the agent. For example when the agent misbehaves and sends unwanted email, the recipient may want to communicate with the responsible human to stop the behavior. This document specifies email header fields () that an email sender can use to transmit agent user attribution information to email receivers. The first header field Agent-of specifies the agent's responsible human's email address, and is human and machine readable. The second header field Agent-attribution is specified in JSON attribution information, and is meant to be machine readable only.
Terminology and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
Header Fields This specification defines two header field-names () agent-of and agent-attribution. When the agent-of header field is attached to an email, it defines that a computer agent sent the message. The field value is an address-list () of the responsible humans of the agent that sent an email. This is meant to be human and machine readable. With this header field, the responsible human information here is simplified for readability. If there are multiple responsible humans of an agent, multiple addresses may be specified or an email address alias may be used to represent many users that control that agent. In other scenarios, when an agent triggers the creation of another agent, the responsible human information SHOULD be propagated so that it is always available to the newly created agent. Alternatively when the sender wishes to represent a more complex responsibility relationship, they can use the agent-attribution header field. The field value is a base64string () of JSON (). The JSON key-value of attributes about the identity of the responsible humans that allows arbitrary definition of responsibility and delegation relationship of computer agents. We expect that there will be an IANA registry for these values as well as future updates to this document to represent those relationships. It is meant to be only machine readable. When the agent-attribution header field is attached to an email, it also defines that a computer agent sent the message. If both header fields are present in a message, the receiver SHOULD take a union of the sender identities of both header fields.
Authentication Senders SHOULD sign these header fields with DKIM (). Receivers that use these headers MUST DKIM authenticate them, i.e the signature passes and the header fields are covered by the header hash. If DKIM2 (draft-ietf-dkim-dkim2-spec) authentication is available, then DKIM2 results SHOULD be used for authentication instead of DKIM. To prevent spoofing of the responsible humans, receivers that use those identities MUST check for DMARC relaxed () alignment with a passing DKIM or DKIM2 signature domain.
Security Considerations These headers MUST be DKIM authenticated before they can be used as defined in . Similarly the responsible humans' email addresses domains MUST be DKIM aligned as defined in . Presence of this header field does not infer any trustworthiness. It is simply a claim by the sender that the creator of the email is an agent and a second claim of who are the responsible humans of an agent. Receivers MUST make their own judgement of the utility of this information.
IANA Considerations This document has no IANA actions yet. --
Normative References Internet Message Format This document specifies the Internet Message Format (IMF), a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages. This specification is a revision of Request For Comments (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard for the Format of ARPA Internet Text Messages", updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs. [STANDARDS-TRACK] Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Base16, Base32, and Base64 Data Encodings This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. DomainKeys Identified Mail (DKIM) Signatures DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author's organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature. This memo obsoletes RFC 4871 and RFC 5672. [STANDARDS-TRACK] Domain-Based Message Authentication, Reporting, and Conformance (DMARC) This document describes the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. DMARC permits the owner of an email's Author Domain to enable validation of the domain's use to indicate the Domain Owner's or Public Suffix Operator's message handling preference regarding failed validation and to request reports about the use of the domain name. Mail-receiving organizations can use this information when evaluating handling choices for incoming mail. This document obsoletes RFCs 7489 and 9091.