1. A Mail User Agent (MUA) that has a built-in ACME client that is aware of the extension described in this document. (We will call such MUAs "ACME-email-aware".) Such an MUA can present a nice user interface to the user and automate certificate issuance.
2. An MUA that is not ACME aware, with a separate ACME client implemented in a command-line tool or as a part of a website. While S/MIME certificate issuance is not going to be as painless as in the case of the ACME-email-aware MUA, the extra burden on a user is going to be minimal.

1. An end user initiates issuance of an S/MIME certificate for one of their email addresses. This might be done by using an email client UI, by running a command-line tool, by visiting a certificate authority web page, etc. This document doesn't prescribe a specific UI used to initiate S/MIME certificate issuance or where the ACME client is located.
2. The ACME-email-aware client component begins the certificate issuance process by sending a POST request to the server's newOrder resource, including the identifier of type "email". See Section 7.4 of RFC 8555 for more details.
3. The ACME server responds to the POST request, including an "authorizations" URL for the requested email address. The ACME client then retrieves information about the corresponding "email-reply-00" challenge, as specified in Section 7.5 of RFC 8555. The "token" field of the corresponding challenge object (from the "challenges" array) contains token-part2. token-part2 should contain at least 128 bits of entropy. The "type" field of the challenge object is "email-reply-00". The challenge object also contains the "from" field, with the email address that would be used in the From header field of the "challenge" email message (see the next step). An example challenge object might look like this:

       {
         "type": "email-reply-00",
         "url": "https://example.com/acme/chall/ABprV_B7yEyA4f",
         "from": "acme-challenge+2i211oi1204310@example.com",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       }
   

4. After responding to the authorization request, the ACME server generates another token and a "challenge" email message with the subject "ACME: <token-part1>", where <token-part1> is the base64url-encoded [RFC 4648] form of the token. The ACME server MUST generate a fresh token for each S/MIME issuance request (authorization request), and token-part1 MUST contain at least 128 bits of entropy. The "challenge" email message structure is described in more details in Section 3.1.
5. The MUA retrieves and parses the "challenge" email message. If the MUA is ACME-email-aware, it ignores any "challenge" email that is not expected, e.g., if there is no ACME certificate issuance pending. The ACME-email-aware MUA also ignores any "challenge" email that has the Subject header field that indicates that it is an email reply, e.g., a subject starting with the reply prefix "Re:".
6. The ACME client concatenates "token-part1" (received over email) and "token-part2" (received over HTTPS [RFC 2818]) to create the ACME "token" and calculates keyAuthorization (as per Section 8.1 of RFC 8555). Then, it returns the base64url-encoded SHA-256 digest [RFC 6234] of the key authorization. The MUA returns the base64url-encoded SHA-256 digest obtained from the ACME client in the body of a "response" email message. The "response" email message structure is described in more details in Section 3.2. If the MUA is ACME-email-aware, it MUST NOT respond to the same "challenge" email more than once.
7. Once the MUA sends the "response" email, the ACME client notifies the ACME server by POST to the challenge URL ("url" field).
8. The ACME client can start polling the authorization URL (using POST-as-GET requests) to see if the ACME server received and validated the "response" email message. (See Section 7.5.1 of RFC 8555 for more details.) If the "status" field of the challenge switches to "valid", then the ACME client can proceed with request finalization. The Certificate Signing Request (CSR) MUST indicate the exact same set of requested identifiers as the initial newOrder request. For an identifier of type "email", the PKCS#10 [RFC 2986] CSR MUST contain the requested email address in an extensionRequest attribute [RFC 2985] requesting a subjectAltName extension. The email address MUST also match the From header field value of the "response" email message.
9. In order to request generation of signing-only or encryption-only S/MIME certificates (as opposed to requesting generation of S/MIME certificates suitable for both), the CSR needs to include the key usage extension (see Section 4.4.2 of RFC 8550). This is described in more details in Section 3.3.
10. If a request to finalize an order is successful, the ACME server will return a 200 (OK) with an updated order object. If the certificate is issued successfully, i.e., if the order "status" is "valid", then the ACME client can download the issued S/MIME certificate from the URL specified in the "certificate" field.

1. The Subject header field has the following syntax: "ACME: <token-part1>", where the prefix "ACME:" is followed by folding white space (FWS; see [RFC 5322]) and then by <token-part1>, which is the base64url-encoded first part of the ACME token that MUST be at least 128 bits long after decoding. Due to the recommended 78-octet line-length limit in [RFC 5322], the subject line can be folded, so white spaces (if any) within the <token-part1> MUST be ignored. [RFC 2231] encoding of the Subject header field MUST be supported, and, when used, only the "UTF-8" and "US-ASCII" charsets are allowed; other charsets MUST NOT be used. The US-ASCII charset SHOULD be used.
2. The From header field MUST be the same email address as specified in the "from" field of the challenge object.
3. The To header field MUST be the email address of the entity that requested the S/MIME certificate to be generated.
4. The message MAY contain a Reply-To and/or CC header field.
5. The message MUST include the Auto-Submitted header field with the value "auto-generated" [RFC 3834]. To aid in debugging (and, for some implementations, to make automated processing easier), the Auto-Submitted header field SHOULD include the "type=acme" parameter. It MAY include other optional parameters, as allowed by the syntax of the Auto-Submitted header field.
6. In order to prove authenticity of a challenge message, it MUST be signed using either DomainKeys Identified Mail (DKIM) [RFC 6376] or S/MIME [RFC 8551].
   • If DKIM signing is used, the resulting DKIM-Signature header field MUST contain the "h=" tag that includes at least the From, Sender, Reply-To, To, CC, Subject, Date, In-Reply-To, References, Message-ID, Auto-Submitted, Content-Type, and Content-Transfer-Encoding header fields. The DKIM-Signature header field's "h=" tag SHOULD also include the Resent-Date, Resent-From, Resent-To, Resent-Cc, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive, and List-Unsubscribe-Post header fields. The domain from the "d=" tag of the DKIM-Signature header field MUST be the same as the domain from the From header field of the "challenge" email.
   • If S/MIME signing is used, the certificate corresponding to the signer MUST have an rfc822Name subjectAltName extension with the value equal to the From header field email address of the "challenge" email.
7. The body of the challenge message is not used for automated processing, so it can be any media type. (However, there are extra requirements on S/MIME signing, if used. See below.) Typically, it is text/plain or text/html containing a human-readable explanation of the purpose of the message. If S/MIME signing is used to prove authenticity of the challenge message, then the multipart/signed or "application/pkcs7-mime; smime-type=signed-data;" media type should be used. Either way, it MUST use S/MIME header protection.

  
  Auto-Submitted: auto-generated; type=acme
  Date: Sat, 5 Dec 2020 10:08:55 +0100
  Message-ID: <A2299BB.FF7788@example.org>
  From: acme-generator@example.org
  To: alexey@example.com
  Subject: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME=
  Content-Type: text/plain
  MIME-Version: 1.0
   
  This is an automatically generated ACME challenge for email address
  "alexey@example.com". If you haven't requested an S/MIME
  certificate generation for this email address, be very afraid.
  If you did request it, your email client might be able to process
  this request automatically, or you might have to paste the first
  token part into an external program.

1. The Subject header field is formed as a reply to the ACME "challenge" email (see Section 3.1). Its syntax is the same as that of the challenge message except that it may be prefixed by a US-ASCII reply prefix (typically "Re:") and FWS (see [RFC 5322]), as is normal in reply messages. When parsing the subject, ACME servers MUST decode [RFC 2231] encoding (if any), and then they can ignore any prefix before the "ACME:" label.
2. The From header field contains the email address of the user that is requesting S/MIME certificate issuance.
3. The To header field of the response contains the value from the Reply-To header field from the challenge message (if set). Otherwise, it contains the value from the From header field of the challenge message.
4. The Cc header field is ignored if present in the "response" email message.
5. The In-Reply-To header field SHOULD be set to the Message-ID header field of the challenge message according to rules in Section 3.6.4 of RFC 5322.
6. List-* header fields [RFC 4021][RFC 8058] MUST be absent (i.e., the reply can't come from a mailing list).
7. The media type of the "response" email message is either text/plain or multipart/alternative [RFC 2046], containing text/plain as one of the alternatives. (Note that the requirement to support multipart/alternative is to allow use of ACME-unaware MUAs, which can't always generate pure text/plain, e.g., if they reply to a text/html). The text/plain body part (whether or not it is inside multipart/alternative) MUST contain a block of lines starting with the line "-----BEGIN ACME RESPONSE-----", followed by one or more lines containing the base64url-encoded SHA-256 digest [RFC 6234] of the key authorization, calculated from concatenated token-part1 (received over email) and token-part2 (received over HTTPS), as outlined in the 5th bullet in Section 3. (Note that each line of text/plain is terminated by CRLF. Bare LFs or bare CRs are not allowed.) Due to historical line-length limitations in email, line endings (CRLFs) can be freely inserted in the middle of the encoded digest, so they MUST be ignored when processing it. The final line of the encoded digest is followed by a line containing:

   -----END ACME RESPONSE-----
   

   Any text before and after this block is ignored. For example, such text might explain what to do with it for ACME-unaware clients.
8. There is no need to use any Content-Transfer-Encoding other than 7bit for the text/plain body part. Use of quoted-printable or base64 in a "response" email message is not necessary and should be avoided, though it is permitted.
9. In order to prove authenticity of a response message, it MUST be DKIM [RFC 6376] signed. The resulting DKIM-Signature header field MUST contain the "h=" tag that includes at least the From, Sender, Reply-To, To, CC, Subject, Date, In-Reply-To, References, Message-ID, Content-Type, and Content-Transfer-Encoding header fields. The DKIM-Signature header field's "h=" tag SHOULD also include the Resent-Date, Resent-From, Resent-To, Resent-Cc, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive, and List-Unsubscribe-Post header fields. The domain from the "d=" tag of DKIM-Signature header field MUST be the same as the domain from the From header field of the "response" email.

   Date: Sat, 5 Dec 2020 12:01:45 +0100
   Message-ID: <111-22222-3333333@example.com>
   In-Reply-To: <A2299BB.FF7788@example.org>
   From: alexey@example.com
   To: acme-generator@example.org
   Subject: Re: ACME: LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME=
   Content-Type: text/plain
   MIME-Version: 1.0
   
   -----BEGIN ACME RESPONSE-----
   LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowy
   jxAjEuX0=
   -----END ACME RESPONSE-----

1. An entity that compromised an email account would be able to request S/MIME certificates using the protocol specified in this document, and such entity couldn't be distinguished from the legitimate email account owner (unless some external sources of information are consulted).
2. For email addresses with legitimate shared access/control by multiple users, any such user would be able to request S/MIME certificates using the protocol specified in this document; such requests can't be attributed to a specific user without consulting external systems (such as IMAP/SMTP access logs).
3. The protocol specified in this document is not suitable for use with email addresses associated with mailing lists [RFC 5321]. While it is not always possible to guarantee that a particular S/MIME certificate request is not from a mailing list address, prohibition on inclusion of List-* header fields helps certificate issuers to handle most common cases.

[RFC2046]

N. Freed, and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, November 1996,
<https://www.rfc-editor.org/info/rfc2046>.

[RFC2119]

S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC2231]

N. Freed, and K. Moore, "MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations", RFC 2231, DOI 10.17487/RFC2231, November 1997,
<https://www.rfc-editor.org/info/rfc2231>.

[RFC2818]

E. Rescorla, "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>.

[RFC2985]

M. Nystrom, and B. Kaliski, "PKCS #9: Selected Object Classes and Attribute Types Version 2.0", RFC 2985, DOI 10.17487/RFC2985, November 2000,
<https://www.rfc-editor.org/info/rfc2985>.

[RFC2986]

M. Nystrom, and B. Kaliski, "PKCS #10: Certification Request Syntax Specification Version 1.7", RFC 2986, DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.

[RFC3834]

K. Moore, "Recommendations for Automatic Responses to Electronic Mail", RFC 3834, DOI 10.17487/RFC3834, August 2004,
<https://www.rfc-editor.org/info/rfc3834>.

[RFC4648]

S. Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>.

[RFC5321]

J. Klensin, "Simple Mail Transfer Protocol", RFC 5321, DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>.

[RFC5322]

P. Resnick, "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008,
<https://www.rfc-editor.org/info/rfc5322>.

[RFC5890]

J. Klensin, "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.

[RFC6234]

D. Eastlake 3rd, and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.

[RFC6376]

D. Crocker, T. Hansen, and M. Kucherawy, "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011,
<https://www.rfc-editor.org/info/rfc6376>.

[RFC6531]

J. Yao, and W. Mao, "SMTP Extension for Internationalized Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<https://www.rfc-editor.org/info/rfc6531>.

[RFC8174]

B. Leiba, "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.

[RFC8398]

A. Melnikov, and W. Chuang, "Internationalized Email Addresses in X.509 Certificates", RFC 8398, DOI 10.17487/RFC8398, May 2018,
<https://www.rfc-editor.org/info/rfc8398>.

[RFC8550]

J. Schaad, B. Ramsdell, and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Certificate Handling", RFC 8550, DOI 10.17487/RFC8550, April 2019,
<https://www.rfc-editor.org/info/rfc8550>.

[RFC8551]

J. Schaad, B. Ramsdell, and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019,
<https://www.rfc-editor.org/info/rfc8551>.

[RFC8555]

R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, "Automatic Certificate Management Environment (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
<https://www.rfc-editor.org/info/rfc8555>.

[RFC8616]

J. Levine, "Email Authentication for Internationalized Mail", RFC 8616, DOI 10.17487/RFC8616, June 2019,
<https://www.rfc-editor.org/info/rfc8616>.

[RFC4021]

G. Klyne, and J. Palme, "Registration of Mail and MIME Header Fields", RFC 4021, DOI 10.17487/RFC4021, March 2005,
<https://www.rfc-editor.org/info/rfc4021>.

[RFC8058]

J. Levine, and T. Herkula, "Signaling One-Click Functionality for List Email Headers", RFC 8058, DOI 10.17487/RFC8058, January 2017,
<https://www.rfc-editor.org/info/rfc8058>.

Alexey Melnikov