idnits 2.17.1 

draft-ietf-smime-cmskea-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 579 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 26 instances of too long lines in the document, the longest
     one being 4 characters in excess of 72.

  ** There are 3 instances of lines with control characters in the document.

  ** The abstract seems to contain references ([CMS]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 41: '...ument, the terms MUST, MUST NOT, SHOUL...'
     RFC 2119 keyword, line 47: '...es as indicated by the MUST, MUST NOT,...'
     RFC 2119 keyword, line 48: '...SHOULD and MAY terms.  The KEA and SKI...'
     RFC 2119 keyword, line 54: '...pes.  Compliant software MUST meet the...'
     RFC 2119 keyword, line 56: '...cryption process MUST be padded to a m...'
     (85 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (2 December 1999) is 8905 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'CMS' on line 485 looks like a reference

  -- Missing reference section? 'MUSTSHOULD' on line 492 looks like a
     reference

  -- Missing reference section? 'SJ-KEA' on line 495 looks like a reference

  -- Missing reference section? 'KEA' on line 487 looks like a reference

  -- Missing reference section? 'INFO' on line 490 looks like a reference

  -- Missing reference section? 'USSUP1' on line 498 looks like a reference


     Summary: 8 errors (**), 0 flaws (~~), 2 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT				     	John Pawling
2	draft-ietf-smime-cmskea-03.txt           	J.G. Van Dyke & Associates
3	2 December 1999
4	Expires:  2 June 2000

6	           	 	CMS KEA and SKIPJACK Conventions

8	Status of this Memo

10	This document is an Internet-Draft and is in full conformance with all
11	provisions of Section 10 of RFC2026.  Internet-Drafts are working
12	documents of the Internet Engineering Task Force (IETF), its areas, and
13	its working groups. Note that other groups may also distribute working
14	documents as Internet-Drafts.

16	Internet-Drafts are draft documents valid for a maximum of six months
17	and may be updated, replaced, or obsoleted by other documents at any
18	time.  It is inappropriate to use Internet-Drafts as reference material
19	or to cite them other than as "work in progress."

21	The list of current Internet-Drafts can be accessed at
22	http://www.ietf.org/ietf/1id-abstracts.txt

24	The list of Internet-Draft Shadow Directories can be accessed at
25	http://www.ietf.org/shadow.html.

27	Abstract

29	This document describes the conventions for using the Key Exchange
30	Algorithm (KEA) and SKIPJACK encryption algorithm in conjunction with the
31	Cryptographic Message Syntax [CMS] enveloped-data and encrypted-data
32	content types.

34	This draft is being discussed on the 'ietf-smime' mailing list.  To
35	subscribe, send a message to ietf-smime-request@imc.org with the single
36	word "subscribe" in the body of the message. There is a Web site for
37	the mailing list at <http://www.imc.org/ietf-smime/>.

39	1. Introduction

41	Throughout this document, the terms MUST, MUST NOT, SHOULD and MAY are
42	used in capital letters. This conforms to the definitions in
43	[MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to help
44	make the intent of standards track documents as clear as possible. The
45	same key words are used in this document to help implementers achieve
46	interoperability. Software that claims compliance with this document
47	MUST provide the capabilities as indicated by the MUST, MUST NOT,
48	SHOULD and MAY terms.  The KEA and SKIPJACK cryptographic algorithms are
49	described in [SJ-KEA].

51	2. Content Encryption Process

53	This section applies to the construction of both the enveloped-data and
54	encrypted-data content types.  Compliant software MUST meet the
55	requirements stated in [CMS] Section 6.3, "Content-encryption Process".
56	The input to the encryption process MUST be padded to a multiple of
57	eight octets using the padding rules described in [CMS] Section 6.3.
58	The content MUST be encrypted as a single string using the SKIPJACK
59	algorithm in 64-bit Cipher Block Chaining (CBC) mode using
60	randomly-generated 8-byte Initialization Vector (IV) and 80-bit
61	SKIPJACK content-encryption key (CEK) values.

63	3. Content Decryption Process

65	This section applies to the processing of both the enveloped-data and
66	encrypted-data content types.  The encryptedContent MUST be decrypted as
67	a single string using the SKIPJACK algorithm in 64-bit CBC mode.  The 80-
68	bit SKIPJACK CEK and the 8-byte IV MUST be used as inputs to the SKIPJACK
69	decryption process.  Following decryption, the padding MUST be removed
70	from the decrypted data.  The padding rules are described in [CMS]
71	Section 6.3, "Content-encryption Process".

73	4. Enveloped-data Conventions

75	The CMS enveloped-data content type consists of an encrypted content and
76	wrapped CEKs for one or more recipients.  Compliant software MUST
77	meet the requirements for constructing an enveloped-data content type
78	stated in [CMS] Section 6, "Enveloped-data Content Type".  [CMS] Section 6
79	should be studied before reading this section, because this section
80	does not repeat the [CMS] text.

82	An 8-byte IV and 80-bit CEK MUST be randomly generated for each instance
83	of an enveloped-data content type as inputs to the SKIPJACK algorithm for
84	use to encrypt the content.  The SKIPJACK CEK MUST only be used for
85	encrypting the content of a single instance of an enveloped-data content
86	type.

88	KEA and SKIPJACK can be used with the enveloped-data content type using
89	either of the following key management techniques defined in [CMS]
90	Section 6:

92	1) Key Agreement:  The SKIPJACK CEK is uniquely wrapped for each
93	recipient using a pairwise symmetric key-encryption key (KEK) generated
94	using KEA using the originator's private KEA key, recipient's public KEA
95	key and other values. Section 4.2 describes the use of KEA and SKIPJACK
96	to provide key agreement.

98	2) "Previously Distributed" Symmetric KEK:  The SKIPJACK CEK is wrapped
99	using a "previously distributed" symmetric KEK (such as a Mail List Key)
100	generated using KEA.  The methods by which KEA is used to generate the
101	symmetric KEK and by which the symmetric KEK is distributed are beyond
102	the scope of this document. Section 4.3 describes the use of KEA and
103	SKIPJACK to support "previously distributed" KEKs.

105	[CMS] Section 6 also defines the concept of the key transport key
106	management technique.  The key transport technique MUST NOT be used with
107	KEA.

109	4.1. EnvelopedData Fields

111	The enveloped-data content type is Abstract Syntax Notation.1 (ASN.1)
112	encoded using the EnvelopedData syntax.  The fields of the EnvelopedData
113	syntax must be populated as follows:

115	The EnvelopedData version MUST be 2.

117	If key agreement is being used, then the EnvelopedData originatorInfo
118	field SHOULD be present and SHOULD include the originator's KEA X.509 v3
119	certificate containing the KEA public key associated with the KEA private
120	key used to form each pairwise symmetric KEK used to wrap each copy of
121	the SKIPJACK CEK.  The issuers' X.509 v3 certificates required to form
122	the complete certification path for the originator's KEA X.509 v3
123	certificate MAY be included in the EnvelopedData originatorInfo field.
124	Self-signed certificates SHOULD NOT be included in the EnvelopedData
125	originatorInfo field.

127	The EnvelopedData RecipientInfo CHOICE is dependent on the key management
128	technique used.  Sections 4.2 and 4.3 provide more information.

130	The EnvelopedData encryptedContentInfo contentEncryptionAlgorithm
131	algorithm field MUST be the id-fortezzaConfidentialityAlgorithm
132	object identifier (OID).  The EnvelopedData encryptedContentInfo
133	contentEncryptionAlgorithm parameters field MUST include the random 8-
134	byte IV used as the input to the content encryption process.

136	The EnvelopedData unprotectedAttrs MAY be present.

138	4.2.  Key Agreement

140	This section describes the conventions for using KEA and SKIPJACK with
141	the CMS enveloped-data content type to support key agreement.  When key
142	agreement is used, then the RecipientInfo keyAgreeRecipientInfo CHOICE
143	MUST be used.

145	If the EnvelopedData originatorInfo field does not include the
146	originator's KEA X.509 v3 certificate, then each recipientInfos
147	KeyAgreementRecipientInfo originator field MUST include the
148	issuerAndSerialNumber CHOICE identifying the originator's KEA X.509 v3
149	certificate.  If the EnvelopedData originatorInfo field includes the
150	originator's KEA X.509 v3 certificate, then each recipientInfos
151	KeyAgreementRecipientInfo originator field MUST include either the
152	subjectKeyIdentifier CHOICE containing the value from the
153	subjectKeyIdentifier extension of the originator's KEA v3 X.509
154	certificate or the issuerAndSerialNumber CHOICE identifying the
155	originator's KEA X.509 v3 certificate.  To minimize the size of the
156	EnvelopedData, it is recommended that the subjectKeyIdentifier CHOICE be
157	used.

159	In some environments, the KeyAgreementRecipientInfo originator field MAY
160	include the originatorKey CHOICE.  The originatorKey CHOICE SHOULD NOT be
161	used with KEA for e-mail transactions.  Within a controlled security
162	architecture, a module may produce KEA key pairs for use in conjunction
163	with internal/local storage of encrypted data.  In this case, there may
164	not be an X.509 certificate associated with a (possibly) short term or
165	one time use public KEA key.  When originatorKey is used, then the KEA
166	public key MUST be conveyed in the publicKey BIT STRING as specified in
167	[KEA] Section 3.1.2.  The originatorKey algorithm identifier MUST be the
168	id-keyExchangeAlgorithm OID.  The originatorKey algorithm parameters
169	field MUST contain the KEA "domain identifier" (ASN.1 encoded as an OCTET
170	STRING) identifying the KEA algorithm parameters (i.e., p/q/g values)
171	associated with the KEA public key.  [KEA] Section 3.1.1 describes the
172	method for computing the KEA domain identifier value.

174	4.2.1.  SKIPJACK CEK Wrap Process

176	The SKIPJACK CEK is uniquely wrapped for each recipient of the
177	EnvelopedData using a pairwise KEK generated using the KEA
178	material of the originator and the recipient along with the
179	originator's User Keying Material (UKM) (i.e. Ra).  The CMS
180	EnvelopedData syntax provides two options for wrapping the SKIPJACK
181	CEK for each recipient using a KEA-generated KEK.  The "shared
182	Originator UKM" option SHOULD be used when constructing EnvelopedData
183	objects.  The "unique originator UKM" option MAY be used when
184	constructing EnvelopedData objects.  Compliant software MUST be capable
185	of processing EnvelopedData objects constructed using either option or
186	both options.

188	1) Shared Originator UKM Option:  CMS provides the ability for a
189	single, shared originator's UKM to be used to generate each pairwise
190	KEK used to wrap the SKIPJACK CEK for each recipient.  When using
191	the shared originator UKM option, a single RecipientInfo
192	KeyAgreeRecipientInfo structure MUST be constructed to contain the
193	wrapped SKIPJACK CEKs for all of the KEA recipients sharing the same
194	KEA parameters.  The KeyAgreeRecipientInfo structure includes multiple
195	RecipientEncryptedKey fields that each contain the SKIPJACK CEK wrapped
196	for a specific recipient.

198	2) Unique Originator UKM Option:  CMS also provides the ability for a
199	unique originator UKM to be used to generate each pairwise KEK used to
200	wrap the SKIPJACK CEK for each recipient.  When using the unique
201	originator UKM option, a separate RecipientInfo KeyAgreeRecipientInfo
202	structure MUST be constructed for each recipient.  Each
203	KeyAgreeRecipientInfo structure includes a single RecipientEncryptedKey
204	field containing the SKIPJACK CEK wrapped for the recipient.  This
205	option requires more overhead than the shared UKM option because the
206	KeyAgreeRecipientInfo fields (i.e. version, originator, ukm,
207	keyEncryptionAlgorithm) must be repeated for each recipient.

209	The next two paragraphs apply to both options.

211	The KeyAgreeRecipientInfo keyEncryptionAlgorithm algorithm field MUST
212	include the id-kEAKeyEncryptionAlgorithm OID.  The KeyAgreeRecipientInfo
213	keyEncryptionAlgorithm parameters field MUST contain a KeyWrapAlgorithm
214	as specified in [CMS] Appendix A, "ASN.1 Module".  The algorithm field
215	of KeyWrapAlgorithm MUST be the id-fortezzaWrap80 OID indicating that
216	the FORTEZZA 80-bit wrap function is used to wrap the 80-bit SKIPJACK
217	CEK.  The parameters field of KeyWrapAlgorithm MUST be absent.

219	If the originator is not already an explicit recipient, then a copy of
220	the SKIPJACK CEK SHOULD be wrapped for the originator and included in
221	the EnvelopedData.  This allows the originator to decrypt the contents
222	of the EnvelopedData.

224	4.2.1.1. SKIPJACK CEK Wrap Process Using A Shared Originator UKM Value

226	This section describes how a shared originator UKM value is used as an
227	input to KEA to generate each pairwise KEK used to wrap the SKIPJACK CEK
228	for each recipient.

230	When using the shared originator UKM option, a single RecipientInfo
231	KeyAgreeRecipientInfo structure MUST be constructed to contain the
232	wrapped SKIPJACK CEKs for all of the KEA recipients using the same
233	set of KEA parameters.  If all recipients' KEA public keys were
234	generated using the same set of KEA parameters, then there MUST only be
235	a single RecipientInfo KeyAgreeRecipientInfo structure for all of the
236	KEA recipients.  If the recipients' KEA public keys were generated
237	using different sets of KEA parameters, then multiple RecipientInfo
238	KeyAgreeRecipientInfo fields MUST be constructed because the
239	originatorIdentifierOrKey will be different for each distinct set of
240	recipients' KEA parameters.

242	A unique 128-byte originator's UKM MUST be generated for each distinct
243	set of recipients' KEA parameters.  The originator's UKM MUST be placed
244	in each KeyAgreeRecipientInfo ukm OCTET STRING.

246	The originator's and recipient's KEA parameters MUST be identical to use
247	KEA to successfully generate a pairwise KEK.  [KEA] describes how a KEA
248	public key is conveyed in an X.509 v3 certificate.  [KEA] states that the
249	KEA parameters are not included in KEA certificates; instead, a "domain
250	identifier" is supplied in the subjectPublicKeyInfo algorithm parameters
251	field of every KEA certificate. The values of the KEA domain identifiers
252	in the originator's and recipient's KEA X.509 v3 certificates can be
253	compared to determine if the originator's and recipient's KEA parameters
254	are identical.

256	The following steps MUST be repeated for each recipient:

258	1) KEA MUST be used to generate the pairwise KEK based on the
259	originator's UKM, originator's private KEA key, recipient's 128 byte
260	public KEA key (obtained from the recipient's KEA X.509 v3 certificate)
261	and the recipient's 128-byte public KEA key used as the Rb value.

263	2) The SKIPJACK CEK MUST be wrapped using the KEA-generated pairwise
264	KEK as input to the FORTEZZA 80-bit wrap function. The FORTEZZA 80-bit
265	wrap function takes the 80-bit SKIPJACK CEK along with a 16-bit check
266	value and produces a 96-bit result using the KEA-generated pairwise KEK.

268	3) A new RecipientEncryptedKey SEQUENCE MUST be constructed for the
269	recipient.

271	4) The value of the subjectKeyIdentifier extension from the recipient's
272	KEA X.509 v3 certificate MUST be placed in the recipient's
273	RecipientEncryptedKey rid rKeyId subjectKeyIdentifier field.  The
274	KeyAgreeRecipientIdentifier CHOICE MUST be rKeyId.  The date and other
275	fields MUST be absent from the recipientEncryptedKey rid rKeyId
276	SEQUENCE.

278	5) The wrapped SKIPJACK CEK MUST be placed in the recipient's
279	RecipientEncryptedKey encryptedKey OCTET STRING.

281	6) The recipient's RecipientEncryptedKey MUST be included in the
282	KeyAgreeRecipientInfo recipientEncryptedKeys SEQUENCE OF
283	RecipientEncryptedKey.

285	4.2.1.2. SKIPJACK CEK Wrap Process Using Unique Originator UKM Values

287	This section describes how a unique originator UKM value is generated
288	for each recipient to be used as an input to KEA to generate that
289	recipient's pairwise KEK.

291	The following steps MUST be repeated for each recipient:

293	1) A new RecipientInfo KeyAgreeRecipientInfo structure MUST be
294	constructed.

296	2) A unique 128-byte originator's UKM MUST be generated.  The
297	originator's UKM MUST be placed in the KeyAgreeRecipientInfo ukm OCTET
298	STRING.

300	3) KEA MUST be used to generate the pairwise KEK based on the
301	originator's UKM, originator's private KEA key, recipient's 128-byte
302	public KEA key and recipient's 128-byte public KEA key used as the Rb
303	value.

305	4) The SKIPJACK CEK MUST be wrapped using the KEA-generated pairwise
306	KEK as input to the FORTEZZA 80-bit wrap function.  The FORTEZZA 80-bit
307	wrap function takes the 80-bit SKIPJACK CEK along with a 16-bit check
308	value and produces a 96-bit result using the KEA-generated pairwise KEK.

310	5) A new RecipientEncryptedKey SEQUENCE MUST be constructed.

312	6) The value of the subjectKeyIdentifier extension from the recipient's
313	KEA X.509 v3 certificate MUST be placed in the RecipientEncryptedKey
314	rid rKeyId subjectKeyIdentifier field.  The KeyAgreeRecipientIdentifier
315	CHOICE MUST be rKeyId.  The date and other fields MUST be absent from
316	the RecipientEncryptedKey rid rKeyId SEQUENCE.

318	7) The wrapped SKIPJACK CEK MUST be placed in the RecipientEncryptedKey
319	encryptedKey OCTET STRING.

321	8) The recipient's RecipientEncryptedKey MUST be the only
322	RecipientEncryptedKey present in the KeyAgreeRecipientInfo
323	recipientEncryptedKeys SEQUENCE OF RecipientEncryptedKey.

325	9) The RecipientInfo containing the recipient's KeyAgreeRecipientInfo
326	MUST be included in the EnvelopedData RecipientInfos SET OF
327	RecipientInfo.

329	4.2.2.  SKIPJACK CEK Unwrap Process

331	1) Compliant software MUST be capable of processing EnvelopedData
332	objects constructed using the shared and/or unique originator UKM
333	options.  To support the shared UKM option, the receiving software MUST
334	be capable of searching for the recipient's RecipientEncryptedKey in a
335	KeyAgreeRecipientInfo recipientEncryptedKeys SEQUENCE OF
336	RecipientEncryptedKey.  To support the unique UKM option, the receiving
337	software MUST be capable of searching for the recipient's
338	RecipientEncryptedKey in the EnvelopedData recipientInfos SET OF
339	RecipientInfo, with each RecipientInfo containing exactly one
340	RecipientEncryptedKey.  For each RecipientEncryptedKey, if the rid
341	rkeyId CHOICE is present, then the receiving software MUST attempt to
342	match the value of the subjectKeyIdentifier extension from the
343	recipient's KEA X.509 v3 certificate with the RecipientEncryptedKey rid
344	rKeyId subjectKeyIdentifier field.  If the rid issuerAndSerialNumber
345	CHOICE is present, then the receiving software MUST attempt to match
346	the values of the issuer name and serial number from the recipient's
347	KEA X.509 v3 certificate with the RecipientEncryptedKey rid
348	issuerAndSerialNumber field.

350	2) The receiving software MUST extract the originator's UKM from the
351	ukm OCTET STRING contained in the same KeyAgreeRecipientInfo that
352	includes the recipient's RecipientEncryptedKey.

354	3) The receiving software MUST locate the originator's KEA X.509 v3
355	certificate identified by the originator field contained in the same
356	KeyAgreeRecipientInfo that includes the recipient's
357	RecipientEncryptedKey.

359	4) KEA MUST be used to generate the pairwise KEK based on the
360	originator's UKM, originator's 128-byte public KEA key (extracted from
361	originator's KEA X.509 v3 certificate), recipient's private KEA key
362	(associated with recipient's KEA X.509 v3 certificate identified by the
363	RecipientEncryptedKey rid field) and the originator's 128-byte public KEA
364	key used as the Rb value.

366	5) The SKIPJACK CEK MUST be unwrapped using the KEA-generated pairwise
367	KEK as input to the FORTEZZA 80-bit unwrap function.

369	6) The unwrapped 80-bit SKIPJACK CEK resulting from the SKIPJACK CEK
370	unwrap process and the 8-byte IV obtained from the EnvelopedData
371	encryptedContentInfo contentEncryptionAlgorithm parameters field are
372	used as inputs to the SKIPJACK content decryption process to decrypt the
373	EnvelopedData encryptedContent.

375	4.3. "Previously Distributed" Symmetric KEK

377	This section describes the conventions for using KEA and SKIPJACK with
378	the CMS enveloped-data content type to support "previously distributed"
379	symmetric KEKs.  When a "previously distributed" symmetric KEK is used to
380	wrap the SKIPJACK CEK, then the RecipientInfo KEKRecipientInfo CHOICE
381	MUST be used. The methods by which KEA is used to generate the symmetric
382	KEK and by which the symmetric KEK is distributed are beyond the scope of
383	this document.

385	The KEKRecipientInfo fields MUST be populated as specified in [CMS] Section
386	6.2.3, "KEKRecipientInfo Type". The KEKRecipientInfo keyEncryptionAlgorithm
387	algorithm field MUST be the id-fortezzaWrap80 OID indicating that the
388	FORTEZZA 80-bit wrap function is used to wrap the 80-bit SKIPJACK CEK.
389	The KEKRecipientInfo keyEncryptionAlgorithm parameters field MUST be absent.
390	The KEKRecipientInfo encryptedKey field MUST include the SKIPJACK CEK
391	wrapped using the "previously distributed" symmetric KEK as input to the
392	FORTEZZA 80-bit wrap function.

394	5. Encrypted-data Conventions

396	The CMS encrypted-data content type consists of an encrypted content,
397	but no recipient information.  The method for conveying the SKIPJACK CEK
398	required to decrypt the encrypted-data encrypted content is beyond the
399	scope of this document.  Compliant software MUST meet the requirements
400	for constructing an encrypted-data content type stated [CMS] Section 8,
401	"Encrypted-data Content Type".  [CMS] Section 8 should be studied before
402	reading this section, because this section does not repeat the [CMS]
403	text.

405	The encrypted-data content type is ASN.1 encoded using the EncryptedData
406	syntax.  The fields of the EncryptedData syntax must be populated as
407	follows:

409	The EncryptedData version MUST be set according to [CMS] Section 8.

411	The EncryptedData encryptedContentInfo contentEncryptionAlgorithm
412	algorithm field MUST be the id-fortezzaConfidentialityAlgorithm
413	OID.  The EncryptedData encryptedContentInfo contentEncryptionAlgorithm
414	parameters field MUST include the random 8-byte IV used as the input to
415	the content encryption process.

417	The EncryptedData unprotectedAttrs MAY be present.

419	6. FORTEZZA 80-bit Wrap Function

421	The United States Government has not published the description of the
422	FORTEZZA 80-bit wrap function.

424	7.   SMIMECapabilities Attribute Conventions

426	RFC 2633, Section 2.5.2 defines the SMIMECapabilities signed attribute
427	(defined as a SEQUENCE of SMIMECapability SEQUNCEs) to be used to specify a
428	partial list of algorithms that the software announcing the
429	SMIMECapabilities can support.  When constructing a signedData object,
430	compliant software MAY include the SMIMECapabilities signed attribute
431	announcing that it supports the KEA and SKIPJACK algorithms.

433	The SMIMECapability SEQUENCE representing KEA MUST include the
434	id-kEAKeyEncryptionAlgorithm OID in the capabilityID field and MUST include
435	a KeyWrapAlgorithm SEQUENCE in the parameters field.  The algorithm field of
436	KeyWrapAlgorithm MUST be the id-fortezzaWrap80 OID.  The parameters field of
437	KeyWrapAlgorithm MUST be absent. The SMIMECapability SEQUENCE for KEA SHOULD
438	be included in the key management algorithms portion of the
439	SMIMECapabilities list.  The SMIMECapability SEQUENCE representing KEA MUST
440	be DER-encoded as follows: 3018 0609 6086 4801 6502 0101 1830 0b06 0960 8648
441	0165 0201 0117.

443	The SMIMECapability SEQUENCE representing SKIPJACK MUST include the
444	id-fortezzaConfidentialityAlgorithm OID in the capabilityID field and the
445	parameters field MUST be absent.  The SMIMECapability SEQUENCE for SKIPJACK
446	SHOULD be included in the symmetric encryption algorithms portion of the
447	SMIMECapabilities list.  The SMIMECapability SEQUENCE representing SKIPJACK
448	MUST be DER-encoded as follows: 300b 0609 6086 4801 6502 0101 0400.

450	8. Object Identifier Definitions

452	The following OIDs are specified in [INFO], but are repeated here for
453	the reader's convenience:

455	id-fortezzaConfidentialityAlgorithm OBJECT IDENTIFIER ::= {joint-iso-
456	ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1)
457	algorithms(1) fortezzaConfidentialityAlgorithm (4)}

459	As specified in [USSUP1], when the id-fortezzaConfidentialityAlgorithm
460	OID is present in the AlgorithmIdentifier algorithm field, then the
461	AlgorithmIdentifier parameters field MUST be present and MUST include
462	the SKIPJACK IV ASN.1 encoded using the following syntax:

464	Skipjack-Parm ::= SEQUENCE { initialization-vector   OCTET STRING }

466	Note: [CMS] Section 2, "General Overview" describes the ASN.1 encoding
467	conventions for the CMS content types including the enveloped-data and
468	encrypted-data content types in which the
469	id-fortezzaConfidentialityAlgorithm OID and parameters will be present.

471	id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {joint-iso-ccitt(2)
472	country(16) us(840) organization(1) gov(101) dod(2) infosec(1)
473	algorithms(1) keyExchangeAlgorithm (22)}

475	id-fortezzaWrap80 OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16)
476	us(840) organization(1) gov(101) dod(2) infosec(1) algorithms(1)
477	fortezzaWrap80Algorithm (23)}

479	id-kEAKeyEncryptionAlgorithm OBJECT IDENTIFIER ::= {joint-iso-ccitt(2)
480	country(16) us(840) organization(1) gov(101) dod(2) infosec(1)
481	algorithms(1) kEAKeyEncryptionAlgorithm (24)}

483	A. References

485	[CMS] RFC 2630, Cryptographic Message Syntax, June 1999.

487	[KEA] RFC 2528, Representation of Key Exchange Algorithm (KEA) Keys in
488	Internet X.509 Public Key Infrastructure Certificates, March 1999.

490	[INFO] Registry of INFOSEC Technical Objects, 22 July 1999.

492	[MUSTSHOULD] RFC 2119, Key Words for Use in RFCs to Indicate
493	Requirement Levels.

495	[SJ-KEA] SKIPJACK and KEA Algorithm Specifications, Version 2.0,
496	http://csrc.nist.gov/encryption/skipjack-kea.htm.

498	[USSUP1] Allied Communication Publication 120 (ACP120) Common
499	Security Protocol (CSP) United States (US) Supplement No. 1, June 1998;
500	http://www.armadillo.huntsville.al.us/Fortezza_docs/missi2.html#specs.

502	B. Acknowledgments

504	The following people have made significant contributions to this draft:
505	David Dalkowski, Phillip Griffin, Russ Housley, Pierce Leonberger,
506	Rich Nicholas, Bob Relyea and Jim Schaad.

508	C. Changes between CMSKEA-02 and CMSKEA-03:

510	1) Changed all section references to CMS to include section numbers
511	rather than just section titles.

513	2) Added Section 7, SMIMECapabilities Attribute Conventions.

515	D. Author's Address

517	John Pawling
518	J.G. Van Dyke & Associates, Inc., a Wang Government Services Company
519	141 National Business Pkwy, Suite 210
520	Annapolis Junction, MD  20701
521	jsp@jgvandyke.com
522	(301) 939-2739
523	(410) 880-6095

525	E. Full Copyright Statement

527	   Copyright (C) The Internet Society (date).  All Rights Reserved.
528	   This document and translations of it may be copied and furnished to
529	   others, and derivative works that comment on or otherwise explain it
530	   or assist in its implementation may be prepared, copied, published
531	   and distributed, in whole or in part, without restriction of any
532	   kind, provided that the above copyright notice and this paragraph
533	   are included on all such copies and derivative works.  However, this
534	   document itself may not be modified in any way, such as by removing
535	   the copyright notice or references to the Internet Society or other
536	   Internet organizations, except as needed for the purpose of
537	   developing Internet standards in which case the procedures for
538	   copyrights defined in the Internet Standards process shall be
539	   followed, or as required to translate it into languages other than
540	   English.

542	   The limited permissions granted above are perpetual and will not be
543	   revoked by the Internet Society or its successors or assigns.  This
544	   document and the information contained herein is provided on an "AS
545	   IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
546	   FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
547	   NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
548	   WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
549	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.