< draft-ietf-smime-3850bis-05.txt   draft-ietf-smime-3850bis-06.txt >
S/MIME WG Blake Ramsdell, SendMail S/MIME WG Blake Ramsdell, Brute Squad Labs
Internet Draft Sean Turner, IECA Internet Draft Sean Turner, IECA
Intended Status: Standard Track August 20, 2008 Intended Status: Standard Track September 18, 2008
Obsoletes: 3850 (once approved) Obsoletes: 3850 (once approved)
Expires: February 20, 2009 Expires: March 18, 2009
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2
Certificate Handling Certificate Handling
draft-ietf-smime-3850bis-05.txt draft-ietf-smime-3850bis-06.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on February 20, 2008. This Internet-Draft will expire on March 18, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document specifies conventions for X.509 certificate usage by This document specifies conventions for X.509 certificate usage by
Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME
provides a method to send and receive secure MIME messages, and provides a method to send and receive secure MIME messages, and
skipping to change at page 2, line 25 skipping to change at page 2, line 25
for the mailing list at <http://www.imc.org/ietf-smime/>. for the mailing list at <http://www.imc.org/ietf-smime/>.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
1.1. Definitions...............................................3 1.1. Definitions...............................................3
1.2. Conventions used in this document.........................4 1.2. Conventions used in this document.........................4
1.3. Compatibility with Prior Practice S/MIME..................4 1.3. Compatibility with Prior Practice S/MIME..................4
1.4. Changes From S/MIME v3 to S/MIME v3.1.....................4 1.4. Changes From S/MIME v3 to S/MIME v3.1.....................4
1.5. Changes Since S/MIME v3.1.................................5 1.5. Changes Since S/MIME v3.1.................................5
2. CMS Options....................................................5 2. CMS Options....................................................6
2.1. Certificate Revocation Lists..............................6 2.1. Certificate Revocation Lists..............................6
2.2. Certificate Choices.......................................6 2.2. Certificate Choices.......................................6
2.2.1. Historical Note About CMS Certificates...............6 2.2.1. Historical Note About CMS Certificates...............6
2.3. CertificateSet............................................7 2.3. CertificateSet............................................7
3. Using Distinguished Names For Internet Mail....................8 3. Using Distinguished Names For Internet Mail....................8
4. Certificate Processing.........................................9 4. Certificate Processing.........................................9
4.1. Certificate Revocation Lists.............................10 4.1. Certificate Revocation Lists.............................10
4.2. Certificate Path Validation..............................10 4.2. Certificate Path Validation..............................10
4.3. Certificate and CRL Signing Algorithms and Key Sizes.....11 4.3. Certificate and CRL Signing Algorithms and Key Sizes.....11
4.4. PKIX Certificate Extensions..............................11 4.4. PKIX Certificate Extensions..............................12
5. IANA Considerations...........................................14 5. IANA Considerations...........................................14
6. Security Considerations.......................................14 6. Security Considerations.......................................14
7. References....................................................16 7. References....................................................16
7.1. Normative References.....................................16 7.1. Normative References.....................................16
7.2. Informative References...................................17 7.2. Informative References...................................17
Appendix A. Moving S/MIME v2 Certificate Handling to Historic Appendix A. Moving S/MIME v2 Certificate Handling to Historic
Status...............................................19 Status...............................................20
Appendix B. Acknowledgements.....................................19 Appendix B. Acknowledgements.....................................20
1. Introduction 1. Introduction
S/MIME (Secure/Multipurpose Internet Mail Extensions), described in S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
[SMIME-MSG], provides a method to send and receive secure MIME [SMIME-MSG], provides a method to send and receive secure MIME
messages. Before using a public key to provide security services, messages. Before using a public key to provide security services,
the S/MIME agent MUST verify that the public key is valid. S/MIME the S/MIME agent MUST verify that the public key is valid. S/MIME
agents MUST use PKIX certificates to validate public keys as agents MUST use PKIX certificates to validate public keys as
described in the Internet X.509 Public Key Infrastructure (PKIX) described in the Internet X.509 Public Key Infrastructure (PKIX)
Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the
skipping to change at page 4, line 37 skipping to change at page 4, line 37
time, it is reasonable to expect that if a future revision of a time, it is reasonable to expect that if a future revision of a
document alters the status of a MUST- requirement, it will remain document alters the status of a MUST- requirement, it will remain
at least a SHOULD or a SHOULD-. at least a SHOULD or a SHOULD-.
1.3. Compatibility with Prior Practice S/MIME 1.3. Compatibility with Prior Practice S/MIME
S/MIME version 3.2 agents should attempt to have the greatest S/MIME version 3.2 agents should attempt to have the greatest
interoperability possible with agents for prior versions of S/MIME. interoperability possible with agents for prior versions of S/MIME.
S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive
[SMIMEv2], S/MIME version 3 is described in RFC 2630 through RFC 2634 [SMIMEv2], S/MIME version 3 is described in RFC 2630 through RFC 2634
inclusive [SMIMEv3], and S/MIME version 3.1 is described in RFC 3850 inclusive and RFC 5035 [SMIMEv3], and S/MIME version 3.1 is described
through RFC 3852 and RFC 2634 [SMIMEv3.1]. RFC 2311 also has in RFC 3850, RFC 3851, RFC 3852, RFC 2634, RFC4853, and RFC 5035
historical information about the development of S/MIME. [SMIMEv3.1]. RFC 2311 also has historical information about the
development of S/MIME.
1.4. Changes From S/MIME v3 To S/MIME v3.1 1.4. Changes From S/MIME v3 To S/MIME v3.1
Version 1 and Version 2 CRLs MUST be supported. Version 1 and Version 2 CRLs MUST be supported.
Multiple CA certificates with the same subject and public key, but Multiple CA certificates with the same subject and public key, but
with overlapping validity periods, MUST be supported. with overlapping validity periods, MUST be supported.
Version 2 attribute certificates SHOULD be supported, and version 1 Version 2 attribute certificates SHOULD be supported, and version 1
attributes certificates MUST NOT be used. attributes certificates MUST NOT be used.
skipping to change at page 5, line 33 skipping to change at page 5, line 33
Conventions Used in This Document: Moved to section 1.2. Added Conventions Used in This Document: Moved to section 1.2. Added
definitions for SHOULD+, SHOULD-, and MUST-. definitions for SHOULD+, SHOULD-, and MUST-.
Sec 1.2: Updated ASN.1 definition and reference. Sec 1.2: Updated ASN.1 definition and reference.
Sec 1.3: Added text about v3.1 RFCs. Sec 1.3: Added text about v3.1 RFCs.
Sec 3: Updated note to indicate emailAddress IA5String upper bound is Sec 3: Updated note to indicate emailAddress IA5String upper bound is
255 characters. 255 characters.
Sec 4.2: Added text to indicate how S/MIME agents locate the correct
user certificate.
Sec 4.3: RSA with SHA-256 (PKCS #1 v1.5) added as MUST, DSA with SHA- Sec 4.3: RSA with SHA-256 (PKCS #1 v1.5) added as MUST, DSA with SHA-
256 added as SHOULD, RSA with SHA-1 changed to SHOULD-, DSA with SHA- 256 added as SHOULD+, RSA with SHA-1 changed to SHOULD-, DSA with
1, and RSA with MD5 changed to SHOULD-, and RSA-PSS with SHA-256. SHA-1, and RSA with MD5 changed to SHOULD-, and RSA-PSS with SHA-256
Updated key sizes and changed pointer from [KEYM] to [KEYMALG]. added as SHOULD+. Updated key sizes and changed pointer from [KEYM]
to [KEYMALG].
Sec 4.4.1: Clarified which extension is used to constrain EEs from Sec 4.4.1: Aligned with PKIX on use of basic constraints extension in
using their keys to perform issuing authority operations. CA certificates. Clarified which extension is used to constrain EEs
from using their keys to perform issuing authority operations.
Sec 6: Updated security considerations.
Sec 7: Moved references from Appendix B to section 7. Updated the Sec 7: Moved references from Appendix B to section 7. Updated the
references. references.
Appendix A: Moved Appendix A to Appendix B. Added Appendix A to move Appendix A: Moved Appendix A to Appendix B. Added Appendix A to move
S/MIME v2 Certificate Handling to Historic Status. S/MIME v2 Certificate Handling to Historic Status.
2. CMS Options 2. CMS Options
The CMS message format allows for a wide variety of options in The CMS message format allows for a wide variety of options in
skipping to change at page 6, line 24 skipping to change at page 6, line 33
All agents MUST be capable of performing revocation checks using CRLs All agents MUST be capable of performing revocation checks using CRLs
as specified in [KEYM]. All agents MUST perform revocation status as specified in [KEYM]. All agents MUST perform revocation status
checking in accordance with [KEYM]. Receiving agents MUST recognize checking in accordance with [KEYM]. Receiving agents MUST recognize
CRLs in received S/MIME messages. CRLs in received S/MIME messages.
Agents SHOULD store CRLs received in messages for use in processing Agents SHOULD store CRLs received in messages for use in processing
later messages. later messages.
2.2. Certificate Choices 2.2. Certificate Choices
Receiving agents MUST support v1 X.509 and v3 X.509 identity Receiving agents MUST support v1 X.509 and v3 X.509 certificates as
certificates as profiled in [KEYM]. End entity certificates MAY profiled in [KEYM]. End entity certificates MAY include an Internet
include an Internet mail address, as described in section 3. mail address, as described in section 3.
Receiving agents SHOULD support X.509 version 2 attribute Receiving agents SHOULD support X.509 version 2 attribute
certificates. See [ACAUTH] for details about the profile for certificates. See [ACAUTH] for details about the profile for
attribute certificates. attribute certificates.
2.2.1. Historical Note About CMS Certificates 2.2.1. Historical Note About CMS Certificates
The CMS message format supports a choice of certificate formats for The CMS message format supports a choice of certificate formats for
public key content types: PKIX, PKCS #6 Extended Certificates [PKCS6] public key content types: PKIX, PKCS #6 Extended Certificates [PKCS6]
and PKIX Attribute Certificates. and PKIX Attribute Certificates.
skipping to change at page 7, line 35 skipping to change at page 7, line 40
certificate distribution. Receiving S/MIME agents SHOULD be able to certificate distribution. Receiving S/MIME agents SHOULD be able to
handle messages without certificates using a database or directory handle messages without certificates using a database or directory
lookup scheme. lookup scheme.
A sending agent SHOULD include at least one chain of certificates up A sending agent SHOULD include at least one chain of certificates up
to, but not including, a Certificate Authority (CA) that it believes to, but not including, a Certificate Authority (CA) that it believes
that the recipient may trust as authoritative. A receiving agent that the recipient may trust as authoritative. A receiving agent
MUST be able to handle an arbitrarily large number of certificates MUST be able to handle an arbitrarily large number of certificates
and chains. and chains.
Agents MAY send CA certificates, that is, certificates which can be Agents MAY send CA certificates, that is, cross-certificates, self-
considered the "root" of other chains, and which MAY be self-signed. issued certificates, and self-signed certificates. Note that
Note that receiving agents SHOULD NOT simply trust any self-signed receiving agents SHOULD NOT simply trust any self-signed certificates
certificates as valid CAs, but SHOULD use some other mechanism to as valid CAs, but SHOULD use some other mechanism to determine if
determine if this is a CA that should be trusted. Also note that this is a CA that should be trusted. Also note that when
when certificates contain DSA public keys the parameters may be certificates contain DSA public keys the parameters may be located in
located in the root certificate. This would require that the the root certificate. This would require that the recipient possess
recipient possess both the end-entity certificate as well as the root both the end-entity certificate as well as the root certificate to
certificate to perform a signature verification, and is a valid perform a signature verification, and is a valid example of a case
example of a case where transmitting the root certificate may be where transmitting the root certificate may be required.
required.
Receiving agents MUST support chaining based on the distinguished Receiving agents MUST support chaining based on the distinguished
name fields. Other methods of building certificate chains MAY be name fields. Other methods of building certificate chains MAY be
supported. supported.
Receiving agents SHOULD support the decoding of X.509 attribute Receiving agents SHOULD support the decoding of X.509 attribute
certificates included in CMS objects. All other issues regarding the certificates included in CMS objects. All other issues regarding the
generation and use of X.509 attribute certificates are outside of the generation and use of X.509 attribute certificates are outside of the
scope of this specification. One specification that addresses scope of this specification. One specification that addresses
attribute certificate use is defined in [SECLABEL]. attribute certificate use is defined in [SECLABEL].
skipping to change at page 8, line 49 skipping to change at page 9, line 6
are present in the certificate. A receiving agent SHOULD provide are present in the certificate. A receiving agent SHOULD provide
some explicit alternate processing of the message if this comparison some explicit alternate processing of the message if this comparison
fails, which may be to display a message that shows the recipient the fails, which may be to display a message that shows the recipient the
addresses in the certificate or other certificate details. addresses in the certificate or other certificate details.
A receiving agent SHOULD display a subject name or other certificate A receiving agent SHOULD display a subject name or other certificate
details when displaying an indication of successful or unsuccessful details when displaying an indication of successful or unsuccessful
signature verification. signature verification.
All subject and issuer names MUST be populated (i.e., not an empty All subject and issuer names MUST be populated (i.e., not an empty
SEQUENCE) in S/MIME-compliant X.509 identity certificates, except SEQUENCE) in S/MIME-compliant X.509 certificates, except that the
that the subject DN in a user's (i.e., end-entity) certificate MAY be subject DN in a user's (i.e., end-entity) certificate MAY be an empty
an empty SEQUENCE in which case the subjectAltName extension will SEQUENCE in which case the subjectAltName extension will include the
include the subject's identifier and MUST be marked as critical. subject's identifier and MUST be marked as critical.
4. Certificate Processing 4. Certificate Processing
A receiving agent needs to provide some certificate retrieval S/MIME agents need to provide some certificate retrieval mechanism in
mechanism in order to gain access to certificates for recipients of order to gain access to certificates for recipients of digital
digital envelopes. There are many ways to implement certificate envelopes. There are many ways to implement certificate retrieval
retrieval mechanisms. X.500 directory service is an excellent mechanisms. [X.500] directory service is an excellent example of a
example of a certificate retrieval-only mechanism that is compatible certificate retrieval-only mechanism that is compatible with classic
with classic X.500 Distinguished Names. Another method under X.500 Distinguished Names. Another method under consideration by the
consideration by the IETF is to provide certificate retrieval IETF is to provide certificate retrieval services as part of the
services as part of the existing Domain Name System (DNS). Until existing Domain Name System (DNS). Until such mechanisms are widely
such mechanisms are widely used, their utility may be limited by the used, their utility may be limited by the small number of the
small number of the correspondent's certificates that can be correspondent's certificates that can be retrieved. At a minimum, for
retrieved. At a minimum, for initial S/MIME deployment, a user agent initial S/MIME deployment, a user agent could automatically generate
could automatically generate a message to an intended recipient a message to an intended recipient requesting the recipient's
requesting the recipient's certificate in a signed return message. certificate in a signed return message.
Receiving and sending agents SHOULD also provide a mechanism to allow Receiving and sending agents SHOULD also provide a mechanism to allow
a user to "store and protect" certificates for correspondents in such a user to "store and protect" certificates for correspondents in such
a way so as to guarantee their later retrieval. In many a way so as to guarantee their later retrieval. In many
environments, it may be desirable to link the certificate environments, it may be desirable to link the certificate
retrieval/storage mechanisms together in some sort of certificate retrieval/storage mechanisms together in some sort of certificate
database. In its simplest form, a certificate database would be database. In its simplest form, a certificate database would be
local to a particular user and would function in a similar way as an local to a particular user and would function in a similar way as an
"address book" that stores a user's frequent correspondents. In this "address book" that stores a user's frequent correspondents. In this
way, the certificate retrieval mechanism would be limited to the way, the certificate retrieval mechanism would be limited to the
skipping to change at page 11, line 7 skipping to change at page 11, line 11
procedure in two ways: a) incoming messages, and b) certificate and procedure in two ways: a) incoming messages, and b) certificate and
CRL retrieval mechanisms. Certificates and CRLs in incoming messages CRL retrieval mechanisms. Certificates and CRLs in incoming messages
are not required to be in any particular order nor are they required are not required to be in any particular order nor are they required
to be in any way related to the sender or recipient of the message to be in any way related to the sender or recipient of the message
(although in most cases they will be related to the sender). Incoming (although in most cases they will be related to the sender). Incoming
certificates and CRLs SHOULD be cached for use in path validation and certificates and CRLs SHOULD be cached for use in path validation and
optionally stored for later use. This temporary certificate and CRL optionally stored for later use. This temporary certificate and CRL
cache SHOULD be used to augment any other certificate and CRL cache SHOULD be used to augment any other certificate and CRL
retrieval mechanisms for path validation on incoming signed messages. retrieval mechanisms for path validation on incoming signed messages.
When verifying a signature and the certificates are included in the
message, if a signingCertificate or a signingCertificateV2 attribute
is found in an S/MIME message, it SHALL be used to identify the
signer's certificate. Otherwise, the certificate is identified in an
S/MIME message, either using the issuerAndSerialNumber which
identifies the signer's certificate by the issuer's distinguished
name and the certificate serial number, or the subjectKeyIdentifier
which identifies the signer's certificate by a key identifier.
When decrypting an encrypted message, if a
SMIMEEncryptionKeyPreference attribute is found in an encapsulating
SignedData, it SHALL be used to identify the originator's certificate
found in OriginatorInfo. Otherwise, a) for DH encrypted messages the
certificate is identified by the KeyAgreeRecipientInfo originator
field using either the issuer and serial number or subject public key
identifier choice or the certificate is omitted and the originator's
public key is included in originatorKey b) for RSA encrypted messages
the originator's certificate is not required for decryption.
4.3. Certificate and CRL Signing Algorithms and Key Sizes 4.3. Certificate and CRL Signing Algorithms and Key Sizes
Certificates and Certificate Revocation Lists (CRLs) are signed by Certificates and Certificate Revocation Lists (CRLs) are signed by
the certificate issuer. Receiving agents: the certificate issuer. Receiving agents:
- MUST support RSA with SHA-256, as specified in [CMS-SHA2] - MUST support RSA with SHA-256, as specified in [CMS-SHA2]
- SHOULD+ support DSA with SHA-256, as specified in [CMS-SHA2] - SHOULD+ support DSA with SHA-256, as specified in [CMS-SHA2]
- SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS] - SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS]
- SHOULD- support RSA with SHA-1, as specified in [CMSALG] - SHOULD- support RSA with SHA-1, as specified in [CMSALG]
- SHOULD- support DSA with SHA-1, as specified in [CMSALG] - SHOULD- support DSA with SHA-1, as specified in [CMSALG]
- SHOULD- support RSA with MD5, as specified in [CMSALG] - SHOULD- support RSA with MD5, as specified in [CMSALG]
The following are the RSA key size requirements for S/MIME receiving The following are the RSA key size requirements for S/MIME receiving
agents during certificate and CRL signature verification: agents during certificate and CRL signature verification:
0 < key size < 512 : MAY (see Section 6 [SMIME-MSG]) 0 < key size < 512 : MAY (see Section 6)
512 <= key size <= 4096 : MUST (see Section 6 [SMIME-MSG]) 512 <= key size <= 4096 : MUST (see Section 6)
4096 < key size : MAY (see Section 6 [SMIME-MSG]) 4096 < key size : MAY (see Section 6)
The following are the RSA key size requirements for S/MIME receiving The following are the DSA key size requirements for S/MIME receiving
agents during certificate and CRL signature verification: agents during certificate and CRL signature verification:
512 <= key size <= 1024 : MAY (see Section 6 [SMIME-MSG]) 512 <= key size <= 1024 : MAY (see Section 6)
4.4. PKIX Certificate Extensions 4.4. PKIX Certificate Extensions
PKIX describes an extensible framework in which the basic certificate PKIX describes an extensible framework in which the basic certificate
information can be extended and describes how such extensions can be information can be extended and describes how such extensions can be
used to control the process of issuing and validating certificates. used to control the process of issuing and validating certificates.
The PKIX Working Group has ongoing efforts to identify and create The PKIX Working Group has ongoing efforts to identify and create
extensions which have value in particular certification environments. extensions which have value in particular certification environments.
Further, there are active efforts underway to issue PKIX certificates Further, there are active efforts underway to issue PKIX certificates
for business purposes. This document identifies the minimum required for business purposes. This document identifies the minimum required
skipping to change at page 12, line 32 skipping to change at page 13, line 17
The basic constraints extension serves to delimit the role and The basic constraints extension serves to delimit the role and
position that an issuing authority or end-entity certificate plays in position that an issuing authority or end-entity certificate plays in
a certification path. a certification path.
For example, certificates issued to CAs and subordinate CAs contain a For example, certificates issued to CAs and subordinate CAs contain a
basic constraint extension that identifies them as issuing authority basic constraint extension that identifies them as issuing authority
certificates. End-entity certificates contain the key usage certificates. End-entity certificates contain the key usage
extension which restrains EEs from using the key to performing extension which restrains EEs from using the key to performing
issuing authority operations (see Section 4.4.2). issuing authority operations (see Section 4.4.2).
Certificates SHOULD contain a basicConstraints extension in CA As per [KEYM], Certificates MUST contain a basicConstraints extension
certificates, and SHOULD NOT contain that extension in end entity in CA certificates, and SHOULD NOT contain that extension in end
certificates. entity certificates.
4.4.2. Key Usage Certificate Extension 4.4.2. Key Usage Certificate Extension
The key usage extension serves to limit the technical purposes for The key usage extension serves to limit the technical purposes for
which a public key listed in a valid certificate may be used. Issuing which a public key listed in a valid certificate may be used. Issuing
authority certificates may contain a key usage extension that authority certificates may contain a key usage extension that
restricts the key to signing certificates, certificate revocation restricts the key to signing certificates, certificate revocation
lists and other data. lists and other data.
For example, a certification authority may create subordinate issuer For example, a certification authority may create subordinate issuer
skipping to change at page 15, line 29 skipping to change at page 16, line 14
certificate, or cause an improper result when checking the Validity certificate, or cause an improper result when checking the Validity
field of a certificate. field of a certificate.
In addition to the Security Considerations identified in [KEYM], In addition to the Security Considerations identified in [KEYM],
caution should be taken when processing certificates which have not caution should be taken when processing certificates which have not
first been validated to a trust anchor. Certificates could be first been validated to a trust anchor. Certificates could be
manufactured by untrusted sources for the purpose of mounting denial manufactured by untrusted sources for the purpose of mounting denial
of service or other attacks. For example, keys selected to require of service or other attacks. For example, keys selected to require
excessive cryptographic processing, or extensive lists of CDP and/or excessive cryptographic processing, or extensive lists of CDP and/or
AIA addresses in the certificate, could be used to mount denial of AIA addresses in the certificate, could be used to mount denial of
service attacks. Similarly, originator-specified CDP and/or AIA service attacks. Similarly, attacker-specified CRL Distribution
addresses could be inserted into bogus certificates to allow the Point (CRLDP) and/or Authority Information Access (AIA) addresses
originator to detect receipt of the message even if signature could be included in fake certificates to allow the originator to
verification fails. detect receipt of the message even if signature verification fails.
In addition to the Security Considerations identified in [KEYM], The 4096-bit RSA key size requirement for certificate and CRL
caution should be taken when processing certificates which have not verification is larger than the 2048-bit RSA key sizes for message
first been validated to a trust anchor. Certificates could be signature generation/verification or message encryption/decryption in
manufactured by untrusted sources for the purpose of mounting denial [SMIME-MSG] because many Root CAs included in certificate stores have
of service or other attacks. For example, keys selected to require already issued Root certificates with 4096-bit key. The standard
excessive cryptographic processing, or extensive lists of CDP and/or that defines comparable key sizes for DSA is not yet available. In
AIA addresses in the certificate, could be used to mount denial of particular, [FIPS186-3] only defines DSA key sizes up to 1024 bits.
service attacks. Similarly, attacker-specified CRL distribution A revision to support larger key sizes is being developed, and once
point and/or authority information access addresses could be included it is available, implementors ought to support DSA key sizes
into fake certificates to allow the originator to detect receipt of comparable to the RSA key sizes recommended in this specification.
the message even if signature verification fails.
Today, 512-bit RSA and DSA keys are considered by many experts to be
cryptographically insecure.
7. References 7. References
7.1. Normative References 7.1. Normative References
[ACAUTH] Farrell, S. and R. Housley, "An Internet Attribute [ACAUTH] Farrell, S. and R. Housley, "An Internet Attribute
Certificate Profile for Authorization", RFC 3281, April Certificate Profile for Authorization", RFC 3281, April
2002. 2002.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004. 3852, July 2004.
Housley, R., "Cryptographic Message Syntax (CMS) Housley, R., "Cryptographic Message Syntax (CMS)
Multiple Signer Clarification", RFC 4852, April 2007. Multiple Signer Clarification", RFC 4852, April 2007.
[CMSALG] Housley, R., "Cryptographic Message Syntax (CMS) [CMSALG] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002. Algorithms", RFC 3370, August 2002.
[CMS-SHA2] Turner. S., "Using SHA2 Algorithms with Cryptographic [CMS-SHA2] Turner. S., "Using SHA2 Algorithms with Cryptographic
Message Syntax", work in progress. Message Syntax", draft-ietf-smime-sha2, work-in-
progress.
[FIPS186-3] National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS)", FIPS Publication
186-3, March 2006.
[KEYM] Cooper, D., Santesson, S., Farrell, S., Boeyen, S. [KEYM] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008. List (CRL) Profile", RFC 5280, May 2008.
[KEYMALG] Bassham, L., Polk, W., and R. Housley, "Algorithms and [KEYMALG] Bassham, L., Polk, W., and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 3279, April 2002. List (CRL) Profile", RFC 3279, April 2002.
skipping to change at page 16, line 50 skipping to change at page 17, line 38
November 2000. November 2000.
[IMF] Resnick, P., "Internet Message Format", work-in- [IMF] Resnick, P., "Internet Message Format", work-in-
progress. progress.
[RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in [RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in
Cryptographic Message Syntax (CMS)", RFC 4056, June Cryptographic Message Syntax (CMS)", RFC 4056, June
2005. 2005.
[SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2 [SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2
Message Specification", work in progress. Message Specification", draft-ietf-smime-3851bis, work-
in-progress.
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824- [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-
1:2002. Information Technology - Abstract Syntax 1:2002. Information Technology - Abstract Syntax
Notation One (ASN.1): Specification of basic notation. Notation One (ASN.1): Specification of basic notation.
7.2. Informative References 7.2. Informative References
[PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax [PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax
Standard", November 1993. Standard", November 1993.
skipping to change at page 17, line 33 skipping to change at page 18, line 24
"S/MIME Version 2 Certificate Handling", RFC 2312, "S/MIME Version 2 Certificate Handling", RFC 2312,
March 1998. March 1998.
Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC
2313, March 1998. 2313, March 1998.
Kaliski, B., "PKCS #10: Certificate Request Syntax Kaliski, B., "PKCS #10: Certificate Request Syntax
Version 1.5", RFC 2314, March 1998. Version 1.5", RFC 2314, March 1998.
Kaliski, B., "PKCS #7: Certificate Message Syntax Kaliski, B., "PKCS #7: Certificate Message Syntax
Version 1.5", RFC 2314, March 1998. Version 1.5", RFC 2315, March 1998.
[SMIMEv3] Housley, R., "Cryptographic Message Syntax", RFC 2630, [SMIMEv3] Housley, R., "Cryptographic Message Syntax", RFC 2630,
June 1999. June 1999.
Rescorla, E., "Diffie-Hellman Key Agreement Method", Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, June 1999. RFC 2631, June 1999.
Ramsdell, B., "S/MIME Version 3 Certificate Handling", Ramsdell, B., "S/MIME Version 3 Certificate Handling",
RFC 2632, June 1999. RFC 2632, June 1999.
Ramsdell, B., "S/MIME Version 3 Message Specification", Ramsdell, B., "S/MIME Version 3 Message Specification",
RFC 2633, June 1999. RFC 2633, June 1999.
Hoffman, P., "Enhanced Security Services for S/MIME", Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999. RFC 2634, June 1999.
Schaad, J., "ESS Update: Adding CertID Algorithm
Agility", RFC 5035, August 2007.
[SMIMEv3.1] Housley, R., "Cryptographic Message Syntax", RFC 3852, [SMIMEv3.1] Housley, R., "Cryptographic Message Syntax", RFC 3852,
July 2004. July 2004.
Housley, R., "Cryptographic Message Syntax (CMS)
Multiple Signer Clarification", RFC 4853, April 2007.
Ramsdell, B., "S/MIME Version 3.1 Certificate Ramsdell, B., "S/MIME Version 3.1 Certificate
Handling", RFC 3850, July 2004. Handling", RFC 3850, July 2004.
Ramsdell, B., "S/MIME Version 3.1 Message Ramsdell, B., "S/MIME Version 3.1 Message
Specification", RFC 3851, July 2004. Specification", RFC 3851, July 2004.
Hoffman, P., "Enhanced Security Services for S/MIME", Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999. RFC 2634, June 1999.
Schaad, J., "ESS Update: Adding CertID Algorithm
Agility", RFC 5035, August 2007.
[X.500] ITU-T Recommendation X.500 (1997) | ISO/IEC 9594- [X.500] ITU-T Recommendation X.500 (1997) | ISO/IEC 9594-
1:1997, Information technology - Open Systems 1:1997, Information technology - Open Systems
Interconnection - The Directory: Overview of concepts, Interconnection - The Directory: Overview of concepts,
models and services. models and services.
[X.501] ITU-T Recommendation X.501 (1997) | ISO/IEC 9594-
2:1997, Information technology - Open Systems
Interconnection - The Directory: Models.
[X.509] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-
8:1997, Information technology - Open Systems
Interconnection - The Directory: Authentication
Framework.
[X.520] ITU-T Recommendation X.520 (1997) | ISO/IEC 9594-
6:1997, Information technology - Open Systems
Interconnection - The Directory: Selected Attribute
Types.
Appendix A. Moving S/MIME v2 Certificate Handling to Historic Status Appendix A. Moving S/MIME v2 Certificate Handling to Historic Status
The S/MIME v3 [SMIMEv3], v3.1 [SMIMEv3.1], and v3.2 (this document) The S/MIME v3 [SMIMEv3], v3.1 [SMIMEv3.1], and v3.2 (this document)
Certificate Handling documents are backwards S/MIME v2 Message are backwards compatible with the S/MIME v2 Certificate Handling
Specification RFC 2312 [SMIMEv2], with the exception of the Specification [SMIMEv2], with the exception of the algorithms
algorithms (dropped RC2/40 requirement and added DSA and RSA-PSS (dropped RC2/40 requirement and added DSA and RSA-PSS requirements).
requirements). Therefore, it is recommended that RFC 2312 [SMIMEv2] Therefore, it is recommended that RFC 2312 [SMIMEv2] be moved to
be moved to Historic status. Historic status.
Appendix B. Acknowledgements Appendix B. Acknowledgements
Many thanks go out to the other authors of the S/MIME v2 RFC: Steve Many thanks go out to the other authors of the S/MIME v2 RFC: Steve
Dusse, Paul Hoffman and Jeff Weinstein. Without v2, there wouldn't Dusse, Paul Hoffman and Jeff Weinstein. Without v2, there wouldn't
be a v3, v3.1 or v3.2. be a v3, v3.1 or v3.2.
A number of the members of the S/MIME Working Group have also worked A number of the members of the S/MIME Working Group have also worked
very hard and contributed to this document. Any list of people is very hard and contributed to this document. Any list of people is
doomed to omission and for that I apologize. In alphabetical order, doomed to omission and for that I apologize. In alphabetical order,
the following people stand out in my mind due to the fact that they the following people stand out in my mind due to the fact that they
made direct contributions to this document. made direct contributions to this document.
Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Alfred Hoenes, Paul Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Alfred Hoenes, Paul
Hoffman, Russ Housley, David P. Kemp, Michael Myers, John Pawling, Hoffman, Russ Housley, David P. Kemp, Michael Myers, John Pawling,
Denis Pinkas, and Jim Schaad. Denis Pinkas, and Jim Schaad.
Author's Addresses Author's Addresses
Blake Ramsdell Blake Ramsdell
SendMail Brute Squad Labs, Inc.
Email: blake@sendmail.com Email: blaker@gmail.com
Sean Turner Sean Turner
IECA, Inc. IECA, Inc.
3057 Nutley Street, Suite 106 3057 Nutley Street, Suite 106
Fairfax, VA 22031 Fairfax, VA 22031
USA USA
Email: turners@ieca.com Email: turners@ieca.com
 End of changes. 33 change blocks. 
95 lines changed or deleted 124 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/