| < draft-ietf-lamps-cms-update-alg-id-protect-00.txt | draft-ietf-lamps-cms-update-alg-id-protect-01.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Network Working Group R. Housley | |||
| Internet-Draft Vigil Security | Internet-Draft Vigil Security | |||
| Updates: 5652 (if approved) January 21, 2020 | Updates: 5652 (if approved) March 09, 2020 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: July 24, 2020 | Expires: September 10, 2020 | |||
| Update to the Cryptographic Message Syntax (CMS) for Algorithm | Update to the Cryptographic Message Syntax (CMS) for Algorithm | |||
| Identifier Protection | Identifier Protection | |||
| draft-ietf-lamps-cms-update-alg-id-protect-00 | draft-ietf-lamps-cms-update-alg-id-protect-01 | |||
| Abstract | Abstract | |||
| This document updates the Cryptographic Message Syntax (CMS) | This document updates the Cryptographic Message Syntax (CMS) | |||
| specified in RFC 5652 to ensure that algorithm identifiers are | specified in RFC 5652 to ensure that algorithm identifiers are | |||
| adequately protected. | adequately protected. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 24, 2020. | This Internet-Draft will expire on September 10, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Require use the same hash algorithm . . . . . . . . . . . . . 3 | 3. Require use the same hash algorithm . . . . . . . . . . . . . 3 | |||
| 3.1. RFC 5652, Section 5.3 . . . . . . . . . . . . . . . . . . 3 | 3.1. RFC 5652, Section 5.3 . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. RFC 5652, Section 5.4 . . . . . . . . . . . . . . . . . . 4 | 3.2. RFC 5652, Section 5.4 . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. RFC 5652, Section 5.6 . . . . . . . . . . . . . . . . . . 4 | 3.3. RFC 5652, Section 5.6 . . . . . . . . . . . . . . . . . . 4 | |||
| 3.4. Backward Compatibility Considerations . . . . . . . . . . 5 | 3.4. Backward Compatibility Considerations . . . . . . . . . . 5 | |||
| 3.5. Timestamp Compatibility Considerations . . . . . . . . . 5 | 3.5. Timestamp Compatibility Considerations . . . . . . . . . 5 | |||
| 4. Recommend inclusion of the CMSAlgorithmProtection attribute . 5 | 4. Recommend inclusion of the CMSAlgorithmProtection attribute . 6 | |||
| 4.1. RFC 5652, Section 14 . . . . . . . . . . . . . . . . . . 6 | 4.1. RFC 5652, Section 14 . . . . . . . . . . . . . . . . . . 6 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| This document updates the Cryptographic Message Syntax (CMS) | This document updates the Cryptographic Message Syntax (CMS) | |||
| [RFC5652] to ensure that algorithm identifiers are adequately | [RFC5652] to ensure that algorithm identifiers are adequately | |||
| protected. | protected. | |||
| The CMS Signed-data Content Type [RFC5652], unlike X.509 certificates | The CMS Signed-data Content Type [RFC5652], unlike X.509 certificates | |||
| skipping to change at page 5, line 41 ¶ | skipping to change at page 5, line 41 ¶ | |||
| and the digest of signed attributes, please tell us on the | and the digest of signed attributes, please tell us on the | |||
| spasm@ietf.org mail list. | spasm@ietf.org mail list. | |||
| 3.5. Timestamp Compatibility Considerations | 3.5. Timestamp Compatibility Considerations | |||
| The new requirement introduced above might lead to compatibility | The new requirement introduced above might lead to compatibility | |||
| issues for timestamping systems when the originator does not wish to | issues for timestamping systems when the originator does not wish to | |||
| share the message content with the Time Stamp Authority (TSA) | share the message content with the Time Stamp Authority (TSA) | |||
| [RFC3161]. In this situation, the originator sends a TimeStampReq to | [RFC3161]. In this situation, the originator sends a TimeStampReq to | |||
| the TSA that includes a MessageImprint, which consists of a digest | the TSA that includes a MessageImprint, which consists of a digest | |||
| algorithm identifier and a digest value, then the TSA uses the digest | algorithm identifier and a digest value, then the TSA uses the | |||
| in the MessageImprint. As a result, the signature algorithm used by | originator-provided digest in the MessageImprint. | |||
| the TSA needs to be compatible with the digest algorithm selected by | ||||
| the originator for the MessageImprint. | When producing the TimeStampToken, the TSA MUST use same digest | |||
| algorithm to compute the digest of the encapContentInfo eContent, | ||||
| which is an OCTET STRING that contains the TSTInfo, and the message- | ||||
| digest attribute within the SignerInfo. | ||||
| To ensure that TimeStampToken values that were generated before this | ||||
| update remain valid, no requirement is placed on a TSA to ensure that | ||||
| the digest algorithm for the TimeStampToken matches the digest | ||||
| algorithm for the MessageImprint embedded within the TSTTokenInfo. | ||||
| 4. Recommend inclusion of the CMSAlgorithmProtection attribute | 4. Recommend inclusion of the CMSAlgorithmProtection attribute | |||
| This section updates [RFC5652] to recommend that the originator | This section updates [RFC5652] to recommend that the originator | |||
| include the CMSAlgorithmProtection attribute [RFC6211] whenever | include the CMSAlgorithmProtection attribute [RFC6211] whenever | |||
| signed attributes or authenticated attributes are present. | signed attributes or authenticated attributes are present. | |||
| 4.1. RFC 5652, Section 14 | 4.1. RFC 5652, Section 14 | |||
| Add the following paragraph as the eighth paragraph in Section 14: | Add the following paragraph as the eighth paragraph in Section 14: | |||
| End of changes. 7 change blocks. | ||||
| 11 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||