Network Working Group                                          E. Burger
Request for Comments: 3459                            SnowShore Networks
Updates: 3204                                               January 2003
Category: Standards Track

              Critical Content Multi-purpose Internet Mail
                      Extensions (MIME) Parameter

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes the use of a mechanism for identifying body
   parts that a sender deems critical in a multi-part Internet mail
   message.  The mechanism described is a parameter to Content-
   Disposition, as described by RFC 3204.

   By knowing what parts of a message the sender deems critical, a
   content gateway can intelligently handle multi-part messages when
   providing gateway services to systems of lesser capability.  Critical
   content can help a content gateway to decide what parts to forward.
   It can indicate how hard a gateway should try to deliver a body part.
   It can help the gateway to pick body parts that are safe to silently
   delete when a system of lesser capability receives a message.  In
   addition, critical content can help the gateway chose the
   notification strategy for the receiving system.  Likewise, if the
   sender expects the destination to do some processing on a body part,
   critical content allows the sender to mark body parts that the
   receiver must process.

Burger                      Standards Track                     [Page 1]

RFC 3459           Critical Content of Internet Mail        January 2003

Table of Contents

   1.  Conventions used in this document..............................3
   2.  Introduction...................................................3
   3.  Handling Parameter.............................................4
       3.1. REQUIRED..................................................4
       3.2. OPTIONAL..................................................5
       3.3. Default Values............................................5
       3.4. Other Values..............................................5
   4.  Collected Syntax...............................................6
   5.  Notification...................................................6
       5.1. DSN vs. MDN Generation....................................7
       5.2. Summary...................................................7
   6.  Signed Content.................................................8
   7.  Encrypted Content..............................................9
   8.  Status Code...................................................10
   9.  Requirements for Critical Content.............................11
       9.1. Needs....................................................11
       9.2. Current Approaches.......................................12
   10. The Content Gateway...........................................13
       10.1. Integrated Content Gateway..............................14
       10.2. Disaggregated Delivery Network..........................14
   11. Backward Compatibility Considerations.........................15
   12. MIME Interactions.............................................15
       12.1. multipart/alternative...................................15
       12.2. multipart/related.......................................15
       12.3. message/rfc822..........................................15
       12.4. multipart/signed........................................16
       12.5. multipart/encrypted.....................................16
   13. Implementation Examples.......................................16
       13.1. Content Gateways........................................16
       13.2. Disaggregated Content Gateway...........................17
   14. OPES Considerations...........................................18
       14.1. Consideration (2.1): One-Party Consent..................18
       14.2. Consideration (2.2): IP-layer Communications............18
       14.3. Consideration (3.1): Notification - Sender..............18
       14.4. Consideration (3.2): Notification - Receiver............18
       14.5. Consideration (3.3): Non-Blocking.......................18
       14.6. Consideration (4.1): URI Resolution.....................18
       14.7. Consideration (4.2): Reference Validity.................19
       14.8. Consideration (4.3): Architecture Extensions............19
       14.9. Consideration (5.1): Privacy............................19
   15. Security Considerations.......................................19
   16. IANA Considerations...........................................19
   17. References....................................................20
       17.1 Normative References.....................................20
       17.2 Informative Reference....................................21
   18. Acknowledgments...............................................22

Burger                      Standards Track                     [Page 2]

RFC 3459           Critical Content of Internet Mail        January 2003

   19. Intellectual Property Notice..................................23
   20. Author's Address..............................................23
   21. Full Copyright Statement......................................24

1. Conventions used in this document

   This document refers generically to the sender of a message in the
   masculine (he/him/his) and the recipient of the message in the
   feminine (she/her/hers).  This convention is purely for convenience
   and makes no assumption about the gender of a message sender or
   recipient.

   The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD",
   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
   are to be interpreted as described in BCP 14, RFC 2119 [2].

   The word "REQUIRED" in this document does not follow the definition
   found in RFC 2119.  This is because this document defines a parameter
   named "REQUIRED".  There is no requirement in this document that is
   "REQUIRED", so there is no confusion.

   In this document, the "sending agent" is the originator of the
   message.  It could be a mail user agent (MUA) for an Internet
   message, or a SIP User Agent Client (UAC) for a SIP [3] message. The
   "endpoint" is the receiving device, of lesser capability than the
   sending agent.

   NOTE: Notes, such as this one, provide additional nonessential
   information that the reader may skip without missing anything
   essential.  The primary purpose of these non-essential notes is to
   convey information about the rationale of this document, or to place
   this document in the proper historical or evolutionary context.
   Readers whose sole purpose is to construct a conformant
   implementation may skip such information.  However, it may be of use
   to those who wish to understand why we made certain design choices.

2. Introduction

   The specification of Critical Content is small and compact.  For the
   benefit of developers, the specification comes first, the rationale
   after.

   One concept that an implementer must understand is the content
   gateway.  Section 10 describes the content gateway.  In brief, a
   content gateway has knowledge of the receiving system's capabilities.
   The content gateway passes messages the receiving system can process,
   render or store.  The content gateway can modify a message, for
   example by deleting unrenderable or storable body parts, for delivery

Burger                      Standards Track                     [Page 3]

RFC 3459           Critical Content of Internet Mail        January 2003

   to the receiving system.  Finally, the content gateway can reject a
   message that the receiving system cannot handle.

   Although Critical Content processing is not an OPES service, the
   protocol machinery described in this document meets all of the OPES
   IAB requirements as stated by RFC 3238 [4].  Section 14 describes
   this in detail.  In particular, unlike the current situation where
   content gateways silently modified messages, or had abstract rules
   for modifying them (see the content transformation rules in VPIM, for
   example), the Critical Content mechanism allows for the sending user
   to explicitly indicate desired content handling by content gateways

   NOTE: This document updates RFC 3204 [5] to separate the Handling
   parameter from the ISUP/QSIG transport mechanism.  The protocol
   described here is identical in functionality to RFC 3204 with respect
   to SIP.  Future versions of RFC 3204 should reference this document
   for the Handling parameter, as it is orthogonal to the tunneling of
   signaling.

3. Handling Parameter

   The Handling parameter is a Content-Disposition [6] parameter
   inserted by the sending agent to indicate to the content gateway
   whether to consider the marked body part critical.

   A REQUIRED body part is one the sender requires the receiving system
   to deliver for him to consider the message delivered.

   An OPTIONAL body part is one the sender doesn't care whether the
   receiving system delivers it or not.  A content gateway can silently
   delete such body parts if the receiving system cannot deliver the
   part.

   The terms "entity" and "body part" have the meanings defined in [6].

3.1. REQUIRED

   "Handling=REQUIRED" signifies that this body part is critical to the
   sender.

   If the content gateway cannot pass a body part marked REQUIRED, then
   the entire message has failed.  In this case, the content gateway
   MUST take the appropriate failure action.

   NOTE: We say "appropriate action", because the sender may have
   suppressed all notifications.  In this case, the appropriate action
   is to silently discard the message.  In addition, as a general MIME
   parameter, the MIME body part may not be in an Internet Mail message.

Burger                      Standards Track                     [Page 4]

RFC 3459           Critical Content of Internet Mail        January 2003

   Moreover, in the SIP case, the appropriate notification is a status
   return code, not a delivery notification.

3.2. OPTIONAL

   "Handling=OPTIONAL" signifies that the sender does not care about
   notification reports for this body part.

   If the content gateway cannot pass a body part marked OPTIONAL, the
   receiving system may silently delete the body part.  The receiving
   system MUST NOT return a delivery failure, unless parts marked
   REQUIRED have also failed.

3.3. Default Values

   The default value for Handling for a given body part is REQUIRED.
   This enables the existing notification mechanisms to work for sending
   agents that do not know about the content notification entity.  All
   body parts are critical, because they have the default marking of
   REQUIRED.

   NOTE: In the case of Internet mail, critical content processing is a
   function of the content gateway and not the mail transfer agent (MTA)
   or user agent (UA).  Often, the entity performing content gateway
   processing is the receiving UA.  However, in this case the UA is
   acting as a content gateway.  Thus the default action for any
   Content-Disposition [6]-compliant user agent to ignore unrecognized
   disposition parameters ensures that this mechanism is compatible with
   the Internet architecture.

   NOTE: This parameter is fully backwards compatible and works as
   expected for Internet mail and SIP.

   NOTE: Some VPIMv2 implementations can receive arbitrary e-mail from
   the Internet.  However, these systems are really acting in the
   capacity of an Internet Voice Mail system.  In this case, one would
   expect the implementation to provide Internet Voice Mail semantics to
   Internet Voice Mail messages.

3.4. Other Values

   The content gateway MUST treat unrecognized values as REQUIRED. This
   is to provide backward compatibility with future uses of the
   Content-Criticality entity.

   NOTE: A possible new value is IMPORTANT.  An IMPORTANT body part is
   something the sender wants the receiver to get, but would not want
   the message rejected outright if the IMPORTANT body part fails, but

Burger                      Standards Track                     [Page 5]

RFC 3459           Critical Content of Internet Mail        January 2003

   they do want notification of the failure.  However, as no
   implementations do IMPORTANT, it is not important to this version of
   this document.

4. Collected Syntax

   The format of the collected syntax is in accordance with the ABNF of
   [7].  Note that per RFC 2183 [6], the HANDLING Content-Disposition
   parameter is not case sensitive.  In addition, the notification-type
   is not case sensitive.

      "handling" "=" notification-type CRLF

      notification-type = "REQUIRED" / "OPTIONAL" /
                          other-handling / generic-param

      other-handling    =  token

5. Notification

   One obvious application of critical content is generating a (non-)
   delivery notification in the Internet mail environment.  If the value
   of the field is OPTIONAL, the content gateway MUST NOT generate a
   notification.  If the value of the field is REQUIRED, the content
   gateway MAY generate a notification, based on the normal notification
   request mechanisms.  Normal notification request mechanisms include
   specifying the NOTIFY parameter to the SMTP RCPT command [8] and the
   Disposition-Notification-To header [9].

   In SIP, all requests have responses.  These responses provide
   notification in the status code of the response.  For the RFC 3204
   case, a content gateway generates a 415 (Unsupported Media Type)
   response if the field is REQUIRED.

   If the sending system requests a notification, and a REQUIRED part
   fails, the content gateway MUST generate a notification for the whole
   message.  Conversely, if the gateway cannot pass on a body part
   marked OPTIONAL, the gateway MUST NOT generate a notification.

   NOTE: This implies that the content gateway must examine the entire
   message to determine whether it needs to generate a notification.
   However, the content gateway need not examine the message if it knows
   it can store and forward all media types. Said differently, Internet
   e-mail MTAs or gateways can, by default, handle any arbitrary MIME-
   encapsulated type.  Some voice mail systems, on the other hand,
   cannot store binary attachments at all, such as application/ms-word.
   The voice mail content gateway, in this example, would be scanning
   for non-renderable body parts in any event.

Burger                      Standards Track                     [Page 6]

RFC 3459           Critical Content of Internet Mail        January 2003

5.1. DSN vs. MDN Generation

   The content gateway generates a delivery status notification (DSN)
   [9] if it operates as a gateway.  The content gateway generates a
   Message Disposition Notification (MDN) [10] if it operates as a mail
   user agent.  Section 6 describes the operating modes of a content
   gateway.  In short, if there is a MTA that "delivers" the message to
   the content gateway for processing, the MTA takes responsibility for
   DSN processing.  In this case, the only option available to the
   content gateway is to generate MDNs.  If the content gateway operates
   as a MTA, then it generates DSNs.  DSN generation is the preferred
   option.

   If the content gateway is part of a SIP endpoint, then it generates
   the appropriate success or error response code.

5.2. Summary

   The following table summarizes the actions expected of a conforming
   content gateway.

   NOTE: This section is normative: it suggests what a content gateway
   should put into the DSN or MDN.

   NOTE: In the case of SIP, this section is informative.  See RFC 3204
   for the normative set of actions on failure.

                  Table 1 - Expected Actions

                        +--------------------------------------+
                        |    Sending UA Has Marked Body Part   |
                        |---------------------+----------------|
                        |      REQUIRED       |    OPTIONAL    |
   +--------------------+---------------------+----------------+
   | Body Part is       |                     |                |
   | Deliverable        | Appropriate Action  |     ignore     |
   +--------------------+---------------------+----------------+
   | Body Part is       |                     |                |
   | Undeliverable      | Fail Entire Message |     ignore     |
   +--------------------+--------------------------------------+

   The "Appropriate Action" is the action the content gateway would take
   given the context of execution.  For example, if a sender requests
   return receipt and the receiver reads a HANDLING body part, the
   receiving UA must generate the appropriate MDN (following the rules
   for MDN).  Likewise, if the content gateway cannot deliver the body
   part and the body part is critical, the content gateway generates the
   appropriate DSN or MDN.

Burger                      Standards Track                     [Page 7]

RFC 3459           Critical Content of Internet Mail        January 2003

   "Optional" means the content gateway ignores the disposition of the
   body part.  The content gateway treats the message as if the body
   part was not present in the message.

6. Signed Content

   RFC 1847 [11] describes how to apply digital signatures to a MIME
   body part.  In brief, a multipart/signed body part encapsulates the
   body part of interest, or the "content object", in a MIME body part
   and the control information needed to verify the object, or the
   "protocol" in the lexicon of RFC 1847, in a second MIME body part.
   Here is an example taken from RFC 1847.

      Content-Type: multipart/signed; protocol="TYPE/STYPE";
              micalg="MICALG"; boundary="Signed Boundary"

      --Signed Boundary
      Content-Type: text/plain; charset="us-ascii"

      This is some text to be signed although it could be
      any type of data, labeled accordingly, of course.

      --Signed Boundary
      Content-Type: TYPE/STYPE

      CONTROL INFORMATION for protocol "TYPE/STYPE" would be here

      --Signed Boundary--

                Figure 1 - Signed Content MIME Type

   There are three places where one may place the criticality indicator
   for a multipart/signed body part.  One could mark the
   multipart/signed object, the content object, the control object, or
   any combination of the three.

   The disposition of REQUIRED body parts follow the guidelines found in
   RFC 2480 [12].

   A critical content indicator on a multipart/signed body part means
   the sending party requires true end-to-end signature verification.
   Thus the gateway needs to pass the enclosure intact.  If the system
   or network of lesser capability cannot do signature verification and
   the signed enclosure is REQUIRED, the gateway MUST reject the
   message.

Burger                      Standards Track                     [Page 8]

RFC 3459           Critical Content of Internet Mail        January 2003

   A critical content indicator on a signature means that either the
   receiving endpoint must be able to do signature verification, or the
   gateway needs to verify the signature before forwarding the message.
   If the content does not pass verification, the gateway MUST reject
   the message.

   A critical content indicator on the enclosed material specifies
   whether that material is critical to the message as a whole.  If the
   signature is marked OPTIONAL and the enclosed material is marked
   REQUIRED, the gateway MAY strip out the signature information if the
   system or network of lesser capability cannot do signature
   verification.  However, if possible, we STRONGLY RECOMMEND the
   gateway do signature verification and indicate tampering to the
   recipient.

7. Encrypted Content

   RFC 1847 [11] describes how to encrypt a MIME body part.  In brief, a
   multipart/encrypted body part encapsulates the control information
   ("protocol" in the lexicon of RFC 1847) for the encrypted object and
   the second containing the encrypted data (application/octet-stream).
   Here is an example taken from RFC 1847.

      Content-Type: multipart/encrypted; protocol="TYPE/STYPE";
              boundary="Encrypted Boundary"

      --Encrypted Boundary
      Content-Type: TYPE/STYPE

      CONTROL INFORMATION for protocol "TYPE/STYPE" would be here

      --Encrypted Boundary
      Content-Type: application/octet-stream

          Content-Type: text/plain; charset="us-ascii"
          All of this indented text, including the indented headers,
          would be unreadable since it would have been encrypted by
          the protocol "TYPE/STYPE".  Also, this encrypted data could
          be any type of data, labeled accordingly, of course.

      --Encrypted Boundary--

   One may sensibly place a criticality indicator on the encrypted
   enclosure (multipart/encrypted) body part.  If the endpoint can
   decrypt the message, then the gateway passes the body part in its
   entirety.

Burger                      Standards Track                     [Page 9]

RFC 3459           Critical Content of Internet Mail        January 2003

   If one marks the control object REQUIRED, then the sending UA
   requires end-to-end encryption.  If the endpoint cannot decrypt the
   message, then the gateway MUST reject the message.

   If the control object is OPTIONAL, and the endpoint cannot decrypt
   the message, and the gateway can decrypt the message, then the
   gateway MAY decrypt the message and forward the cleartext message.
   The sending user has explicitly given permission for the gateway to
   decrypt the message by marking the control object OPTIONAL. Recall
   that the default indication for MIME body parts is REQUIRED.  Thus if
   the user takes no explicit action, the content gateway will assume
   the user wished end-to-end encryption.

   Marking the encrypted content, without marking the encrypted
   enclosure, is problematic.  This is because the gateway has to
   decrypt the encrypted data to retrieve the header.  However, it is
   unlikely for the gateway to have the capability (e.g., keys) to
   decrypt the encrypted data.  If a sending UA wishes to mark encrypted
   data as not REQUIRED, the sending UA MUST mark the encrypted content
   as not REQUIRED.  Clearly, if the sending UA marks the encrypted
   content as REQUIRED, the gateway will apply the REQUIRED processing
   rules.  Moreover, if the sending UA does not mark the encrypted
   content as REQUIRED, the gateway, unless it can decrypt the data,
   will treat the encrypted content as REQUIRED.  This occurs because
   gateways always treat unmarked content as REQUIRED (see Section 3.3).

8. Status Code

   The critical content indication, in itself, does not guarantee any
   notification.  Notification follows the rules described in [3], [8],
   and [9].

   NOTE: The content of actual DSNs or MDNs are beyond the scope of this
   document.  This document only specifies how to mark a critical body
   part.  On the other hand, we do envision sensible DSN and MDN
   contents.  For example, DSNs should include the appropriate failure
   code as enumerated in [13].  Likewise, MDNs should include the
   failure code in the MDN "Failure:" field.

   If the receiving system is to generate a notification based on its
   inability to render or store the media type, the notification should
   use the status code 5.6.1, "Media not supported", from [10].

   For the SIP case, all requests have notification provided by the
   status response message.  Per RFC 3204, a content gateway generates a
   415 (Unsupported Media Type) response.

Burger                      Standards Track                    [Page 10]

RFC 3459           Critical Content of Internet Mail        January 2003

9. Requirements for Critical Content

   This section is informative.

9.1. Needs

   The need for a critical content identification mechanism comes about
   because of the internetworking of Internet mail systems with
   messaging systems that do not fulfill all of the semantics of
   Internet mail.  Such legacy systems have a limited ability to render
   or store all parts of a given message.  This document will use the
   case of an Internet mail system exchanging electronic messages with a
   legacy voice messaging system for illustrative purposes.

   Electronic mail has historically been text-centric.  Extensions such
   as MIME [14] enable the user agents to send and receive multi-part,
   multimedia messages.  Popular multimedia data types include binary
   word processing documents, binary business presentation graphics,
   voice, and video.

   Voice mail has historically been audio-centric.  Many voice-messaging
   systems only render voice.  Extensions such as fax enable the voice
   mail system to send and receive fax images as well as create multi-
   part voice and fax messages.  A few voice mail systems can render
   text using text-to-speech or text-to-fax technology.  Although
   theoretically possible, none can today render video.

   An important aspect of the interchange between voice messaging
   services and desktop e-mail client applications is that the rendering
   capability of the voice-messaging platform is often much less than
   the rendering capability of a desktop e-mail client.  In the e-mail
   case, the sender has the expectation that the recipient receives all
   components of a multimedia message.  This is so even if the recipient
   cannot render all body parts.  In most cases, the recipient can
   either find the appropriate rendering tool or tell the sender that
   she cannot read the particular attachment.

   This is an important issue.  By definition, a MIME-enabled user
   agent, conforming to [15], will present or make available all of the
   body parts to the recipient.  However, a voice mail system may not be
   capable of storing non-voice objects.  Moreover, the voice mail
   system may not be capable of notifying the recipient that there were
   undeliverable message parts.

   The inability of the receiving system to render a body part is
   usually a permanent failure.  Retransmission of the message will not
   improve the likelihood of a future successful delivery. Contrast this
   with the case with normal data delivery. Traditional message

Burger                      Standards Track                    [Page 11]

RFC 3459           Critical Content of Internet Mail        January 2003

   failures, such as a garbled message or disabled link will benefit
   from retransmission.

   This situation is fundamentally different from normal Internet mail.
   In the Internet mail case, either the system delivered the message,
   or it didn't.  There is no concept of a system partially delivering a
   message.

   In addition, there are many situations where the sender would not
   mind if the system did not deliver non-critical parts of a message.
   For example, the sender's user agent may add body parts to a message
   unbeknownst to the sender.  If the receiving system rejected the
   message because it could not render a hidden body part, the sender
   would be understandably confused and upset.

   Thus, there is a need for a method of indicating to a Mail Transfer
   Agent (MTA) or User Agent (UA) that the sender considers parts of a
   message to be critical.  From the sender's perspective, he would not
   consider the message delivered if the system did not deliver the
   critical parts.

9.2. Current Approaches

   One method of indicating critical content of a message is to define a
   profile.  The profile defines rules for silently deleting mail body
   parts based on knowledge of the UA capabilities.  Citing the example
   above, a voice profile can easily declare that MTAs or UAs can
   silently delete TNEF data and yet consider the message successfully
   delivered.  This is, in fact, the approach taken by VPIMv2 [16].

   Since one aspect of the issue is deciding when to notify the sender
   that the system cannot deliver part of a message, one could use a
   partial non-delivery notification mechanism to indicate a problem
   with delivering a given body part.  However, this requires the user
   request a delivery notification.  In addition, the sender may not be
   aware of parts added by the sending user agent.  In this case, a
   failure notice would mystify the sender.

   A straightforward alternative implementation method for marking a
   body part critical is to use a Critical-Content MIME entity.  This
   has the benefit that criticality is meta information for the body
   part.  However, IMAP servers in particular would need to either put
   Critical-Content into the BODYSTRUCTURE method or create a new method
   to retrieve arbitrary MIME entities.  Given the experience of trying
   to get Content-Location accepted by IMAP vendors, we chose not to go
   that route.

Burger                      Standards Track                    [Page 12]

RFC 3459           Critical Content of Internet Mail        January 2003

   What we need is a way of letting the sender indicate what body parts
   he considers to be critical.  The mechanism must not burden the
   sender with failure notifications for non-critical body parts.  The
   mechanism must conform to the general notification status request
   mechanism for positive or negative notification.  When requested, the
   mechanism must indicate to the sender when a receiving system cannot
   deliver a critical body part.

10. The Content Gateway

   This section is informative.

   In this section, we use the definition found in RFC 2156 [17] for the
   term "gateway."

   We do not strictly use the definition found in RFC 2821 [18] for the
   term "gateway."  In particular, RFC 2821 is discussing a gateway that
   should not examine the message itself.  An RFC 2821 gateway is a
   transport gateway, that mostly deals with transformations of the SMTP
   information.

   A content gateway is a gateway that connects a first network to a
   second network.  The second network often has lesser capability than
   the first network.  The canonical topology follows.  "[MTA]", with
   square brackets, signifies an optional component.

                             +---------+
   +---------+     +-----+   |         |     +-------+   +-----------+
   | Sending |=...=|[MTA]|===| Content |=...=| [MTA] |===| Receiving |
   |   UA    |     +-----+   | Gateway |     +-------+   |    UA     |
   +---------+               |         |                 +-----------+
                             +---------+
          First Network                         Second Network

                 Figure 2 - Content Gateway Topology

   The content gateway can be the last hop before the receiving MTA. The
   content gateway can be between networks, and thus not the last hop
   before the receiving MTA.  The content gateway can be the first MTA
   the sending UA contacts.  Finally, the content gateway can be an
   integrated component of the receiving MTA.

   For the SIP case, consider each MTA as a SIP Proxy, the Sending UA as
   a SIP User Agent Client, and the Receiving UA as a SIP User Agent
   Server.

Burger                      Standards Track                    [Page 13]

RFC 3459           Critical Content of Internet Mail        January 2003

10.1. Integrated Content Gateway

   In this situation, the receiving user agent is integrated with the
   content gateway. The integrated content gateway knows the
   capabilities of the user agent.  The topology is as follows.

                             +---------------------+
   +---------+     +-----+   |         :           |
   | Sending |=...=|[MTA]|===| Content : Receiving |
   |   UA    |     +-----+   | Gateway :    UA     |
   +---------+               |         :           |
                             +---------------------+
          First Network           Second Network

                  Figure 3 - Integrated Content Gateway

   The processing of ISUP and QSIG objects, as described in [5], is an
   example of an integrated gateway.

10.2. Disaggregated Delivery Network

   A degenerate case, although one that does occur, is where the content
   gateway sits behind the final MTA.  This happens when one implements
   the content gateway as a post-processing step to a normal delivery.
   For example, one could configure a mail handling system to deliver
   the message to a queue or directory, where the content gateway
   process picks up the message.  If there were any directives for DSN
   processing, the delivering MTA would execute them.  For example, the
   message could have requested notification on successful delivery.
   The delivering MTA, having delivered the message to the queue, would
   consider the message delivered and thus notify the sender of such.
   However, the content gateway process could then discover that the
   receiving UA cannot render the message.  In this case, the content
   gateway generates a NDN, as it is the only option available.

                           Delivered
                               |      +---------+
   +---------+     +-----+     v      |         |     +-----------+
   | Sending |=...=| MTA |--> File -->| Content |=...=| Receiving |
   |   UA    |     +-----+            | Gateway |     |    UA     |
   +---------+                        |         |     +-----------+
                                      +---------+
          First Network              Second Network

              Figure 4 - Disaggregated Delivery Network

Burger                      Standards Track                    [Page 14]

RFC 3459           Critical Content of Internet Mail        January 2003

11. Backward Compatibility Considerations

   DSN requires ESMTP.  If MTAs in the path from the sending UA to the
   receiving UA do not support ESMTP, then that MTA will reject the DSN
   request.  In addition, the message will default to notification on
   delay or failure.  While not ideal, the sender will know that DSN is
   not available, and that critical content that fails will get
   notification.

12. MIME Interactions

12.1. multipart/alternative

   As is true for all Content-Disposition parameters, handling is only
   in effect for the selected alternative.  If the selected alternative
   has the critical content indicator, then the entire alternative takes
   on the criticality indicated.  That is, if the alternative selected
   has HANDLING=OPTIONAL, then the content gateway MUST NOT generate any
   delivery notifications.

   NOTE: This statement explicitly shows that HANDLING overrides the DSN
   and MDN request mechanisms.

   It is unlikely for a selected alternative to fail, as the content
   gateway presumably picks the alternative specifically because it can
   render it.

   If the selected alternative is a message/rfc822 that encloses a
   multipart MIME message or the selected alternative is itself a
   multipart MIME type, the individual top-level body parts follow the
   HANDLING mechanism described in this document.

   NOTE: This means that a forwarded message's criticality will not
   affect the forwarding agent's intentions.

12.2. multipart/related

   Criticality fits in rather well with the multipart/related
   construction.  For example, consider a multipart/related message
   consisting of a Macintosh data fork and a Macintosh resource fork.
   For a Microsoft Word document, the data fork is likely to be
   critical.  The receiving system can safely ignore the resource fork.

12.3. message/rfc822

   Criticality only affects the outermost level of the message or, in
   the case of multipart/alternative, the outermost level of the
   selected alternative.  Specifically, the receiving system ignores

Burger                      Standards Track                    [Page 15]

RFC 3459           Critical Content of Internet Mail        January 2003

   criticality indicators in embedded body parts.  This avoids the
   situation of a forwarded message triggering or suppressing undesired
   reporting.  This simply implements the procedures described in [6].

12.4. multipart/signed

   See Section 6.

12.5. multipart/encrypted

   See Section 7.

13. Implementation Examples

   This section is an informative part of the definition of Criticality.
   We hope it helps implementers understand the mechanics of the
   Handling mechanism.

   We will examine two cases.  They are how a content gateway processes
   a message and how a disaggregated content gateway processes a
   message.

13.1. Content Gateways

   Content gateways examine the contents of a message from a first
   network before the gateway forwards the message to a second network.
   For the purposes of this example, we assume the second network has
   less capability than the first network.  In particular, we expect
   there will be certain message body types that the gateway cannot pass
   onto the second network.

   Consider a gateway between the Internet and a text-only short message
   service.  A message comes through the gateway containing a text part
   and a tnef part.  The sender marks the text part REQUIRED.  The
   gateway, knowing the capability of the short message service,
   silently deletes the non-critical, tnef part, passing the critical
   content to the short message service network. Any subsequent
   notifications, such as failure notices or delivery notices, follow
   the normal rules for notification.

   Note the gateway, by silently deleting non-critical content, may
   affect proprietary message correlation schemes.  One can envision the
   sending UA inserting a body part for tracking purposes.  By deleting
   non-critical content, the content gateway will break such a scheme.
   If a sending UA understands how to mark critical content, it should
   use Internet standard mechanisms for tracking messages, such as
   Message-ID [19].

Burger                      Standards Track                    [Page 16]

RFC 3459           Critical Content of Internet Mail        January 2003

   What if no body parts have critical content indicators?  In this
   case, the entire message is critical.  Thus, when the gateway sees
   the tnef part, it will reject the entire message, generating a DSN
   with a status code 5.6.1, "Media not supported".

   Likewise, consider a three part message with a text annotation (part
   1) to a voice message (part 2) with a vCard [20] (part 3). The sender
   marks the first two parts REQUIRED.  Now, let us assume the receiving
   MTA (gateway) is a voice mail only system, without even the
   capability to store text.  In this case, the gateway, acting as the
   receiving MTA, will reject the message, generating a DSN with the
   status code 5.6.1, "Media not supported".

13.2. Disaggregated Content Gateway

   For this example, we will examine the processing of a three-part
   message.  The first part is a text annotation of the second part, an
   audio message.  The third part is the sender's vCard.  The sender
   marks the first and second parts REQUIRED.  In addition, the sender
   marks the message for read receipt.

   For the purposes of example, the telephone user interface (TUI) does
   not perform text-to-speech conversion.  A TUI is a mail user agent
   (UA) that uses DTMF touch-tone digits for input and audio for output
   (display).

   The TUI is unable to render the first part of the message, the text
   part.  In addition, it is unable to render the third part of the
   message, the vCard part.  Since the sender did not mark the third
   part of the message REQUIRED, the system ignores the failure of the
   TUI to render the third part of the message.  However, since the
   sender did mark the first part REQUIRED, and the TUI is unable to
   render text, the message fails.

   What happens next is implementation dependent.  If the TUI is part of
   a unified messaging system, a reasonable action is to hold the
   message for the user.  The user can access the message at a later
   time from a terminal that can render all of the critical body parts.
   It would be reasonable for the TUI to notify the user about the
   undeliverable body part.

   If the TUI is part of a voice messaging system, or if the user does
   not subscribe to a text-to-speech service, a reasonable action is for
   the TUI to return a MDN with the disposition "failed" and the failure
   modifier "5.6.1 (Media not supported)".

Burger                      Standards Track                    [Page 17]

RFC 3459           Critical Content of Internet Mail        January 2003

14. OPES Considerations

   Critical Content processing is not a web service.  However, some in
   the Internet community may draw parallels between web services that
   modify content and an e-mail, SIP, or other MIME-transport service
   that modifies content.

   This section will analyze the Critical Content protocol machinery
   against the requirements stated in RFC 3238 [4].  The summary is that
   the protocol described in this document meets all of the requirements
   of RFC 3238.

14.1. Consideration (2.1): One-Party Consent

   This is the heart of Critical Content.  Critical Content enables the
   sending party to give consent to have the message modified. Gateways
   that conform to this document will ensure that gateways only modify
   messages that the sending party has given consent to modify.

14.2. Consideration (2.2): IP-layer Communications

   The content gateway is an addressable IP-entity.  Moreover, all of
   the relevant protocols (SMTP, SIP, HTTP, etc.) all explicitly make
   the presence of the gateway known to the endpoints.

14.3. Consideration (3.1): Notification - Sender

   Again, this is the point of this document.  The sender explicitly
   gets notification if the gateway would remove a Critical Content body
   part.

14.4. Consideration (3.2): Notification - Receiver

   The nature of the receiving system dictates that end users understand
   that the messages have been changed.

14.5. Consideration (3.3): Non-Blocking

   By definition, the endpoint cannot receive non-modified content, so
   this requirement does not apply.

14.6. Consideration (4.1): URI Resolution

   Clearly, one is sending mail (SMTP), a message (SIP), or fetching a
   document (HTTP).  The machinery described in this document does not
   alter the content itself or the access mechanism.  Thus it is
   compliant with this requirement.

Burger                      Standards Track                    [Page 18]

RFC 3459           Critical Content of Internet Mail        January 2003

14.7. Consideration (4.2): Reference Validity

   Since the protocol described in this document does not alter the
   content itself, inter- and intra-document references are not altered.
   However, intra-document references to removed body parts will fail.
   On the other hand, the sender explicitly marked those body parts as
   being disposable.  Thus the sender is aware of the possibility the
   parts may not arrive at the receiver.

14.8. Consideration (4.3): Architecture Extensions

   Since the protocol described in this document meets Considerations
   4.1 and 4.2, this requirement does not apply.

14.9. Consideration (5.1): Privacy

   The privacy policy of this protocol is explicit.  In particular, the
   protocol honors end-to-end security.

15. Security Considerations

   Sending UA's can use signatures over critical content indicators to
   ensure the integrity of the indicator.

   The gateway MUST honor signature processing.  In particular, if the
   sending UA marks the signature components REQUIRED, and the endpoint
   cannot do MIME signature processing, the gateway MUST establish an
   appropriate signature mechanism between the gateway and the endpoint.
   In this case, the gateway must be secure, as it can become a target
   point for tampering with the signed components of the message.

   Receiving systems and users should not place any authentication value
   on the Handling parameter.

   Note that by design, and under the sending user's request, a content
   gateway will silently delete unimportant body parts. Critical content
   gives the sender the ability to determine the acceptable level
   integrity of the delivered message.  That is, the message as the
   content gateway actually passes it on is, in fact, representative of
   the sender's intentions.

16. IANA Considerations

   RFC 3204 already registered the Handling parameter.  It is collected
   here only for reference and as a placeholder for use both for further
   expansion in the future and as the normative reference for other
   documents that need to reference the Handling parameter.

Burger                      Standards Track                    [Page 19]

RFC 3459           Critical Content of Internet Mail        January 2003

   Per section 9 of [6], here is the IANA registration for Handling.

   To: IANA@IANA.ORG Subject: Registration of new Content-Disposition
   parameter

   Content-Disposition parameter name: HANDLING

   Allowable values for this parameter: REQUIRED OPTIONAL

   Description: Marks the body part as required for delivery (REQUIRED)
   or can be silently discarded (OPTIONAL).  See RFC  and
   RFC 3204.

   Per RFC 2183, the Content-Disposition parameter name is not case
   sensitive.  Per RFC 3459, the values of the parameter are also not
   case sensitive.

17. References

17.1 Normative References

   [1]  Bradner, S., "The Internet Standards Process -- Revision 3", BCP
        9, RFC 2026, October 1996.

   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [3]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, P., Sparks, R., Handley, M. and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [4]  IAB, Floyd, S. and L. Daigle,  "IAB Architectural and Policy
        Considerations for Open Pluggable Edge Services", RFC 3238,
        January 2002.

   [5]  Zimmerer, E., Peterson, E., Vemuri, A., Ong, L., Audet, F.,
        Watson, M. and M. Zonoun, "MIME media types for ISUP and QSIG
        Objects", RFC 3204, December 2001.

   [6]  Troost, R., Dorner, S. and K. Moore, Ed., "Communicating
        Presentation Information in Internet Messages: The Content-
        Disposition Header Field", RFC 2183, August 1997.

   [7]  Crocker, D. and P. Overell, Eds., "Augmented BNF for Syntax
        Specifications: ABNF", RFC 2234, November 1997.

Burger                      Standards Track                    [Page 20]

RFC 3459           Critical Content of Internet Mail        January 2003

   [8]  Moore, K., "Simple Mail Transfer Protocol (SMTP) Service
        Extension for Delivery Status Notifications (DSNs)", RFC 3461,
        January 2003.

   [9]  Moore, K. and G. Vaudreuil, "An Extensible Message Format for
        Delivery Status Notifications", RFC 3464, January 2003.

   [10] Fajman, R., "An Extensible Message Format for Message
        Disposition Notifications", RFC 2298, March 1998.

   [11] Galvin, J., Murphy, S., Crocker, S. and N. Freed, "Security
        Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
        RFC 1847, October 1995.

   [12] Freed, N., "Gateways and MIME Security Multiparts", RFC 2480,
        January 1999.

   [13] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 3463,
        January 2003.

   [14] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
        Extensions (MIME) Part One: Format of Internet Message Bodies",
        RFC 2045, November 1996.

   [15] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
        Extensions (MIME) Part Two: Media Types", RFC 2046, November
        1996.

   [16] Vaudreuil, G. and G. Parsons, "Voice Profile for Internet Mail -
        version 2", RFC 2421, September 1998.

   [17] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay): Mapping
        between X.400 and RFC 822/MIME", RFC 2156, January 1998.

   [18] Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC 2821,
        April 2001.

   [19] Crocker, D., "Standard for the Format of ARPA Internet Text
        Messages", RFC 822, August 1982.

17.2 Informative Reference

   [20] Dawson, F. and T. Howes, "vCard MIME Directory Profile", RFC
        2426, September 1998.

Burger                      Standards Track                    [Page 21]

RFC 3459           Critical Content of Internet Mail        January 2003

18. Acknowledgments

   Emily Candell of Comverse Network Systems was instrumental in helping
   work out the base issues in the -00 document in Adelaide.

   Ned Freed pointed out that this mechanism was about criticality, not
   notification.  That insight made the concept and descriptions
   infinitely more straightforward.  If it's still confusing, it's my
   fault!

   Ned Freed also was instrumental in crafting the sections on
   multipart/signed and multipart/encrypted.  As AD, he provided
   invaluable commentary to help progress this document.

   Keith Moore for helped tighten-up the explanations, and he approved
   of the use of Content-Disposition.

   Dropping the IMPORTANT critical content type took away one of the
   reasons for partial non-delivery notification.  That makes Jutta
   Degener very happy!

   Harald Alvestrand and Chris Newman suggested some implementation
   examples.

   Greg White asked THE key question that let us realize that critical
   content processing was a gateway function, and not a MTA or UA
   function.

   Jon Peterson cleared up how handling actually does work in the SIP
   environment.

   An enormous thank you to Michelle S. Cotton at IANA for helping me
   craft the original IANA Considerations section in 2000, and for
   catching the functional overlap with RFC 3204 in January 2002.

   Any errors, omissions, or silliness are my fault.

Burger                      Standards Track                    [Page 22]

RFC 3459           Critical Content of Internet Mail        January 2003

19. Intellectual Property Rights Notice

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

20. Author's Address

   Eric Burger
   SnowShore Networks, Inc.
   285 Billerica Rd.
   Chelmsford, MA  01824-4120
   USA

   Phone: +1 978 367 8400
   Fax:   +1 603 457 5944
   EMail: e.burger@ieee.org

Burger                      Standards Track                    [Page 23]

RFC 3459           Critical Content of Internet Mail        January 2003

21.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Burger                      Standards Track                    [Page 24]