idnits 2.17.1 

draft-ietf-smime-msg-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.

     Expected boilerplate is as follows today (2024-04-24) according to
     https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:
        This Internet-Draft is submitted in full conformance with the provisions
        of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:
        Copyright (c) 2024 IETF Trust and the persons identified as the document
        authors.  All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:
        This document is subject to BCP 78 and the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document.  Please review these documents
        carefully, as they describe your rights and restrictions with
        respect to this document.  Code Components extracted from this
        document must include Simplified BSD License text as described in
        Section 4.e of the Trust Legal Provisions and are provided
        without warranty as described in the Simplified BSD License.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 1514 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Abstract section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 88: '...draft, the terms MUST, MUST NOT, SHOUL...'
     RFC 2119 keyword, line 155: '...Sending and receiving agents MUST support SHA-1 [SHA1].  Receiving...'
     RFC 2119 keyword, line 156: '...agents SHOULD support MD5 [MD5] for the purpose of providing backward...'
     RFC 2119 keyword, line 161: '...Sending and receiving agents MUST support id-dsa defined in [DSS]....'
     RFC 2119 keyword, line 162: '...rithm parameters MUST be absent (not e...'
     (89 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 89 has weird spacing: '...s. This  confo...'

  == Line 840 has weird spacing: '...gnature  is "....'

  == Line 882 has weird spacing: '...y other   unkn...'

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'MUST not' in this paragraph:
     
     Including a file name serves two purposes. It facilitates easier
     use of S/MIME objects as files on disk. It also can convey type
     information across gateways. When a MIME entity of type
     application/pkcs7-mime (for example) arrives at a gateway that has no
     special knowledge of S/MIME, it will default the entity's MIME type to
     application/octet-stream and treat it as a generic attachment, thus
     losing the type information. However, the suggested filename for an
     attachment is often carried across a gateway. This often allows the
     receiving systems to determine the appropriate application to hand the
     attachment off to, in this case a stand-alone S/MIME processing
     application. Note that this mechanism is provided as a convenience for
     implementations in certain environments. A proper S/MIME implementation
     MUST use the MIME types and MUST not rely on the file extensions.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 4, 1998) is 9487 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'MIME-SPEC' on line 1195 looks like a
     reference

  -- Missing reference section? 'CMS' on line 1175 looks like a reference

  -- Missing reference section? 'PKCS-7' on line 1209 looks like a reference

  -- Missing reference section? 'MIME-SECURE' on line 1201 looks like a
     reference

  -- Missing reference section? 'MUSTSHOULD' on line 1204 looks like a
     reference

  -- Missing reference section? 'SHA1' on line 1213 looks like a reference

  -- Missing reference section? 'MD5' on line 1193 looks like a reference

  -- Missing reference section? 'DSS' on line 1186 looks like a reference

  -- Missing reference section? 'PKCS-1' on line 1207 looks like a reference

  -- Missing reference section? 'DH' on line 1184 looks like a reference

  -- Missing reference section? '3DES' on line 1163 looks like a reference

  -- Missing reference section? 'DES' on line 1181 looks like a reference

  -- Missing reference section? 'RC2' on line 1211 looks like a reference

  -- Missing reference section? 'ESS' on line 1190 looks like a reference

  -- Missing reference section? 'CHARSETS' on line 1172 looks like a reference

  -- Missing reference section? 'CONTDISP' on line 1178 looks like a reference

  -- Missing reference section? 'APP-MIME' on line 1336 looks like a reference

  -- Missing reference section? 'SMIMEV2' on line 1408 looks like a reference

  -- Missing reference section? 'CERT3' on line 1169 looks like a reference

  -- Missing reference section? '0' on line 1089 looks like a reference

  -- Missing reference section? '1' on line 1090 looks like a reference

  -- Missing reference section? '2' on line 1091 looks like a reference


     Summary: 9 errors (**), 0 flaws (~~), 7 warnings (==), 25 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Internet Draft                                 Editor:  Blake Ramsdell,
2	draft-ietf-smime-msg-04.txt                    Worldtalk
3	May 4, 1998
4	Expires in six months

6	                S/MIME Version 3 Message Specification

8	Status of this memo

10	This document is an Internet-Draft. Internet-Drafts are working
11	documents of the Internet Engineering Task Force (IETF), its areas,
12	and its working groups. Note that other groups may also distribute
13	working documents as Internet-Drafts.

15	Internet-Drafts are draft documents valid for a maximum of six months
16	and may be updated, replaced, or obsoleted by other documents at any
17	time. It is inappropriate to use Internet-Drafts as reference material
18	or to cite them other than as "work in progress."

20	To view the entire list of current Internet-Drafts, please check the
21	"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
22	Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
23	ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
24	ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

26	1. Introduction

28	S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a
29	consistent way to send and receive secure MIME data. Based on the
30	popular Internet MIME standard, S/MIME provides the following
31	cryptographic security services for electronic messaging applications:
32	authentication, message integrity and non-repudiation of origin (using
33	digital signatures) and privacy and data security (using encryption).

35	S/MIME can be used by traditional mail user agents (MUAs) to add
36	cryptographic security services to mail that is sent, and to interpret
37	cryptographic security services in mail that is received. However,
38	S/MIME is not restricted to mail; it can be used with any transport
39	mechanism that transports MIME data, such as HTTP. As such, S/MIME
40	takes advantage of the object-based features of MIME and allows secure
41	messages to be exchanged in mixed-transport systems.

43	Further, S/MIME can be used in automated message transfer agents that
44	use cryptographic security services that do not require any human
45	intervention, such as the signing of software-generated documents and
46	the encryption of FAX messages sent over the Internet.

48	1.1 Specification Overview

50	This document describes a protocol for adding cryptographic signature
51	and encryption services to MIME data. The MIME standard [MIME-SPEC]
52	provides a general structure for the content type of Internet messages
53	and allows extensions for new content type applications.

55	This draft defines how to create a MIME body part that has been
56	cryptographically enhanced according to CMS [CMS], which is derived
57	from PKCS #7 [PKCS-7]. This draft also defines the application/pkcs7-
58	mime MIME type that can be used to transport those body parts.

60	This draft also discusses how to use the multipart/signed MIME type
61	defined in [MIME-SECURE] to transport S/MIME signed messages. This
62	draft also defines the application/pkcs7-signature MIME type, which is
63	also used to transport S/MIME signed messages.

65	In order to create S/MIME messages, an agent has to follow
66	specifications in this draft, as well as the specifications listed in
67	the Cryptographic Message Syntax [CMS].

69	Throughout this draft, there are requirements and recommendations made
70	for how receiving agents handle incoming messages. There are separate
71	requirements and recommendations for how sending agents create
72	outgoing messages. In general, the best strategy is to "be liberal in
73	what you receive and conservative in what you send". Most of the
74	requirements are placed on the handling of incoming messages while the
75	recommendations are mostly on the creation of outgoing messages.

77	The separation for requirements on receiving agents and sending agents
78	also derives from the likelihood that there will be S/MIME systems
79	that involve software other than traditional Internet mail clients.
80	S/MIME can be used with any system that transports MIME data. An
81	automated process that sends an encrypted message might not be able to
82	receive an encrypted message at all, for example. Thus, the
83	requirements and recommendations for the two types of agents are
84	listed separately when appropriate.

86	1.2 Terminology

88	Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD
89	NOT are used in capital letters. This  conforms to the definitions in
90	[MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to help
91	make the intent of standards track documents as clear as possible. The
92	same key words are used in this document to help implementors achieve
93	interoperability.

95	1.3 Definitions

97	For the purposes of this draft, the following definitions apply.

99	ASN.1: Abstract Syntax Notation One, as defined in CCITT X.208.

101	BER: Basic Encoding Rules for ASN.1, as defined in CCITT X.209.

103	Certificate: A type that binds an entity's distinguished name to a
104	public key with a digital signature.

106	DER: Distinguished Encoding Rules for ASN.1, as defined in CCITT
107	X.509.

109	7-bit data: Text data with lines less than 998 characters long, where
110	none of the characters have the 8th bit set, and there are no NULL
111	characters. <CR> and <LF> occur only as part of a <CR><LF> end of line
112	delimiter.

114	8-bit data: Text data with lines less than 998 characters, and where
115	none of the characters are NULL characters. <CR> and <LF> occur only
116	as part of a <CR><LF> end of line delimiter.

118	Binary data: Arbitrary data.

120	Transfer Encoding: A reversible transformation made on data so 8-bit
121	or binary data may be sent via a channel that only transmits 7-bit
122	data.

124	1.4 Compatibility with Prior Practice of S/MIME

126	S/MIME version 3 agents should attempt to have the greatest
127	interoperability possible with S/MIME version 2 agents. S/MIME version
128	2 is described in RFC 2311 through RFC 2315, inclusive. RFC 2311 also
129	has historical information about the development of S/MIME.

131	1.5 Discussion of This Draft

133	This draft is being discussed on the "ietf-smime" mailing list.  To
134	subscribe, send a message to:

136	ietf-smime-request@imc.org

138	with the single word

140	     subscribe

142	in the body of the message. There is a Web site for the mailing list
143	at <http://www.imc.org/ietf-smime/>.

145	2. CMS Options

147	CMS allows for a wide variety of options in content and algorithm
148	support. This section puts forth a number of support requirements and
149	recommendations in order to achieve a base level of interoperability
150	among all S/MIME implementations. [CMS] provides additional details
151	regarding the use of the cryptographic algorithms.

153	2.1 DigestAlgorithmIdentifier

155	Sending and receiving agents MUST support SHA-1 [SHA1].  Receiving
156	agents SHOULD support MD5 [MD5] for the purpose of providing backward
157	compatibility with MD5-digested S/MIME v2 SignedData objects.

159	2.2 SignatureAlgorithmIdentifier

161	Sending and receiving agents MUST support id-dsa defined in [DSS].
162	The algorithm parameters MUST be absent (not encoded as NULL).

164	Receiving agents SHOULD support rsaEncryption, defined in [PKCS-1].
165	Receiving agents SHOULD support verification of signatures using RSA
166	public key sizes from 512 bits to 1024 bits.

168	Sending agents SHOULD support rsaEncryption. Outgoing messages are
169	signed with a user's private key. The size of the private key is
170	determined during key generation.

172	2.3 KeyEncryptionAlgorithmIdentifier

174	Sending and receiving agents MUST support Diffie-Hellman defined in
175	[DH].

177	Receiving agents SHOULD support rsaEncryption. Incoming encrypted
178	messages contain symmetric keys which are to be decrypted with a
179	user's private key. The size of the private key is determined during
180	key generation.

182	Sending agents SHOULD support rsaEncryption. If an agent supports
183	rsaEncryption, then it MUST support encryption of symmetric keys with
184	RSA public keys at key sizes from 512 bits to 1024 bits.

186	2.4 General Syntax

188	CMS defines multiple content types.  Of these, only the Data,
189	SignedData, and EnvelopedData content types are currently used for
190	S/MIME.

192	2.4.1 Data Content Type

194	Sending agents MUST use the id-data content type identifier to
195	indicate the message content which has had security services applied
196	to it. For example, when applying a digital signature to MIME data,
197	the CMS signedData encapContentInfo eContentType MUST include the id-
198	data object identifier and the MIME content MUST be stored in the
199	SignedData encapContentInfo eContent OCTET STRING.  As another
200	example, when applying encryption to MIME data, the CMS EnvelopedData
201	encryptedContentInfo ContentType MUST include the id-data object
202	identifier and the encrypted MIME content MUST be stored in the
203	envelopedData encryptedContentInfo encryptedContent OCTET STRING.

205	2.4.2 SignedData Content Type

207	Sending agents MUST use the signedData content type to apply a digital
208	signature to a message or, in a degenerate case where there is no
209	signature information, to convey certificates.

211	2.4.3 EnvelopedData Content Type

213	This content type is used to apply privacy protection to a message. A
214	sender needs to have access to a public key for each
215	intended message recipient to use this service. This content type does
216	not provide authentication.

218	2.5 Attribute SignerInfo Type

220	The SignerInfo type allows the inclusion of unauthenticated and
221	authenticated attributes to be included along with a signature.

223	Receiving agents MUST be able to handle zero or one instance of each
224	of the signed attributes described in this section.

226	Sending agents SHOULD be able to generate one instance of each of the
227	signed attributes described in this section, and SHOULD include the
228	signing time and SMIMECapabilities attribute in each signed message
229	sent.

231	Additional attributes and values for these attributes may be defined
232	in the future. Receiving agents SHOULD handle attributes or values
233	that it does not recognize in a graceful manner.

235	Sending agents that include attributes that are not listed here SHOULD
236	display those attributes to the user, so that the user is aware of all
237	of the data being signed.

239	2.5.1 Signing-Time Attribute

241	The signing-time attribute is used to convey the time that a message
242	was signed. Until there are trusted timestamping services, the time of
243	signing will most likely be created by a message originator and
244	therefore is only as trustworthy as the originator.

246	Sending agents MUST encode signing time through the year 2049 as
247	UTCTime; signing times in 2050 or later MUST be encoded as
248	GeneralizedTime. When the UTCTime CHOICE is used, agents MUST
249	interpret the year field (YY) as follows:

251	if YY is greater than or equal to 50, the year is interpreted as 19YY;
252	if YY is less than 50, the year is interpreted as 20YY.

254	2.5.2 SMIMECapabilities Attribute

256	The SMIMECapabilities attribute includes signature algorithms (such as
257	"md5WithRSAEncryption"), symmetric algorithms (such as "DES-CBC"), and
258	key encipherment algorithms (such as "rsaEncryption"). It also
259	includes a non-algorithm capability which is the preference for
260	signedData. The SMIMECapabilities were designed to be flexible and
261	extensible so that, in the future, a means of identifying other
262	capabilities and preferences such as certificates can be added in a
263	way that will not cause current clients to break.

265	The semantics of the SMIMECapabilites attribute specify a partial list
266	as to what the client announcing the SMIMECapabilites can support. A
267	client does not have to list every capability it supports, and
268	probably should not list all its capabilities so that the capabilities
269	list doesn't get too long. In an SMIMECapabilities attribute, the OIDs
270	are listed in order of their preference, but SHOULD be logically
271	separated along the lines of their categories (signature algorithms,
272	symmetric algorithms, key encipherment algorithms, etc.)

274	The structure of the SMIMECapabilities attribute is to facilitate
275	simple table lookups and binary comparisons in order to determine
276	matches. For instance, the DER-encoding for the SMIMECapability for
277	DES EDE3 CBC MUST be identically encoded regardless of the
278	implementation.

280	In the case of symmetric algorithms, the associated parameters for the
281	OID MUST specify all of the parameters necessary to differentiate
282	between two instances of the same algorithm. For instance, the number
283	of rounds and block size for RC5 must be specified in addition to the
284	key length.

286	There is a list of OIDs (the registered SMIMECapabilities list) that
287	is centrally maintained and is separate from this draft. The list of
288	OIDs is maintained by the Internet Mail Consortium at
289	<http://www.imc.org/ietf-smime/oids.html>.

291	The OIDs that correspond to algorithms SHOULD use the same OID as the
292	actual algorithm, except in the case where the algorithm usage is
293	ambiguous from the OID. For instance, in an earlier draft,
294	rsaEncryption was ambiguous because it could refer to either a
295	signature algorithm or a key encipherment algorithm. In the event that
296	an OID is ambiguous, it needs to be arbitrated by the maintainer of
297	the registered SMIMECapabilities list as to which type of algorithm
298	will use the OID, and a new OID MUST be allocated under the
299	smimeCapabilities OID to satisfy the other use of the OID.

301	The registered SMIMECapabilities list specifies the parameters for
302	OIDs that need them, most notably key lengths in the case of variable-
303	length symmetric ciphers. In the event that there are no
304	differentiating parameters for a particular OID, the parameters MUST
305	be omitted, and MUST NOT be encoded as NULL.

307	Additional values for the SMIMECapabilities attribute may be defined
308	in the future. Receiving agents MUST handle a SMIMECapabilities object
309	that has values that it does not recognize in a graceful manner.

311	2.5.3 Encryption Key Preference Attribute

313	The encryption key preference attribute allows for the signer to
314	unambiguously describe which of the certificates issued to the signer
315	should be used when sending encrypted content.  This attribute allows
316	for the signer to state a preference, but not a requirement, as to the
317	certificate to be used.  This attribute is designed to enhance
318	behavior for interoperating with those clients which use separate keys
319	for encryption and signing.  This attribute is used to convey to the
320	receiver which of the certificates should be used for encrypting the
321	session key.

323	The sending agent SHOULD include the referenced certificate in the set
324	of certificates included in the signed message if this attribute is
325	used.  The certificate may be omitted if it has been previously made
326	available to the receiving agent.  Sending agents SHOULD use this
327	attribute if the commonly used or preferred encryption certificate is
328	not the same as the certificate used to sign the message.

330	Receiving agents SHOULD store the preference data if the signature on
331	the message is valid and the signing time is greater than the
332	currently stored value.  (As with the SMIMECapabilities, the clock
333	skew should be checked and the data not used if the skew is to great.)
334	Receiving agents SHOULD respect the senders encryption key preference
335	attribute if possible.  This however represents only a preference and
336	the receiving agent may use any certificate in replying to the sender
337	that is valid.

339	2.5.3.1 Selection of Recipient Key Management Certificate

341	In order to determine the key management certificate to be used when
342	sending a CMS envelopedData message for a particular recipient, the
343	following steps SHOULD be followed:

345	- If an SMIMEEncryptionKeyPreference attribute is found in a
346	signedData object received from the desired recipient, this identifies
347	the X.509 certificate that should be used as the X.509 key management
348	certificate for the recipient.

350	- If an SMIMEEncryptionKeyPreference attribute is not found in a
351	signedData object received from the desired recipient, the set of
352	X.509 certificates should be searched for a X.509 certificate with the
353	same subject name as the signing X.509 certificate which can be used
354	for key management.

356	- Or use some other method of determining the user's key management
357	key. If a X.509 key management certificate is not found, then
358	encryption cannot be done with the signer of the message. If multiple
359	X.509 key management certificates are found, the S/MIME agent can make
360	an arbitrary choice between them.

362	2.6 ContentEncryptionAlgorithmIdentifier

364	Sending and receiving agents MUST support encryption and decryption
365	with DES EDE3 CBC, hereinafter called "tripleDES" [3DES] [DES].
366	Receiving agents SHOULD support encryption and decryption using the
367	RC2 [RC2] or a compatible algorithm at a key size of 40 bits,
368	hereinafter called "RC2/40".

370	2.6.1 Deciding Which Encryption Method To Use

372	When a sending agent creates an encrypted message, it has to decide
373	which type of encryption to use. The decision process involves using
374	information garnered from the capabilities lists included in messages
375	received from the recipient, as well as out-of-band information such
376	as private agreements, user preferences, legal restrictions, and so
377	on.

379	Section 2.5 defines a method by which a sending agent can optionally
380	announce, among other things, its decrypting capabilities in its order
381	of preference. The following method for processing and remembering the
382	encryption capabilities attribute in incoming signed messages SHOULD
383	be used.

385	- If the receiving agent has not yet created a list of capabilities
386	   for the sender's public key, then, after verifying the signature
387	   on the incoming message and checking the timestamp, the receiving
388	   agent SHOULD create a new list containing at least the signing
389	   time and the symmetric capabilities.
390	 - If such a list already exists, the receiving agent SHOULD verify
391	   that the signing time in the incoming message is greater than
392	   the signing time stored in the list and that the signature is
393	   valid. If so, the receiving agent SHOULD update both the signing
394	   time and capabilities in the list. Values of the signing time that
395	   lie far in the future (that is, a greater discrepancy than any
396	   reasonable clock skew), or a capabilities list in messages whose
397	   signature could not be verified, MUST NOT be accepted.

399	The list of capabilities SHOULD be stored for future use in creating
400	messages.

402	Before sending a message, the sending agent MUST decide whether it is
403	willing to use weak encryption for the particular data in the message.
404	If the sending agent decides that weak encryption is unacceptable for
405	this data, then the sending agent MUST NOT use a weak algorithm such
406	as RC2/40.  The decision to use or not use weak encryption overrides
407	any other decision in this section about which encryption algorithm to
408	use.

410	Sections 2.6.2.1 through 2.6.2.4 describe the decisions a sending
411	agent SHOULD use in deciding which type of encryption should be
412	applied to a message.  These rules are ordered, so the sending agent
413	SHOULD make its decision in the order given.

415	2.6.1.1 Rule 1: Known Capabilities

417	If the sending agent has received a set of capabilities from the
418	recipient for the message the agent is about to encrypt, then the
419	sending agent SHOULD use that information by selecting the first
420	capability in the list (that is, the capability most preferred by the
421	intended recipient) for which the sending agent knows how to encrypt.
422	The sending agent SHOULD use one of the capabilities in the list if
423	the agent reasonably expects the recipient to be able to decrypt the
424	message.

426	2.6.1.2 Rule 2: Unknown Capabilities, Known Use of Encryption

428	If:
429	 - the sending agent has no knowledge of the encryption capabilities
430	   of the recipient,
431	 - and the sending agent has received at least one message from the
432	recipient,
433	 - and the last encrypted message received from the recipient had a
434	   trusted signature on it,
435	then the outgoing message SHOULD use the same encryption algorithm as
436	was used on the last signed and encrypted message received from the
437	recipient.

439	2.6.1.3 Rule 3: Unknown Capabilities, Unknown Version of S/MIME

441	If:
442	 - the sending agent has no knowledge of the encryption capabilities
443	   of the recipient,
444	 - and the sending agent has no knowledge of the version of S/MIME
445	   of the recipient,
446	then the sending agent SHOULD use tripleDES because it is a stronger
447	algorithm and is required by S/MIME v3. If the sending agent chooses
448	not to use tripleDES in this step, it SHOULD use RC2/40.

450	2.6.2 Choosing Weak Encryption

452	Like all algorithms that use 40 bit keys, RC2/40 is considered by many
453	to be weak encryption. A sending agent that is controlled by a human
454	SHOULD allow a human sender to determine the risks of sending data
455	using RC2/40 or a similarly weak encryption algorithm before sending
456	the data, and possibly allow the human to use a stronger encryption
457	method such as tripleDES.

459	2.6.3 Multiple Recipients

461	If a sending agent is composing an encrypted message to a group of
462	recipients where the encryption capabilities of some of the recipients
463	do not overlap, the sending agent is forced to send more than one
464	message. It should be noted that if the sending agent chooses to send
465	a message encrypted with a strong algorithm, and then send the same
466	message encrypted with a weak algorithm, someone watching the
467	communications channel can decipher the contents of the strongly-
468	encrypted message simply by decrypting the weakly-encrypted message.

470	3. Creating S/MIME Messages

472	This section describes the S/MIME message formats and how they are
473	created. S/MIME messages are a combination of MIME bodies and CMS
474	objects. Several MIME types as well as several CMS objects are used.
475	The data to be secured is always a canonical MIME entity. The MIME
476	entity and other data, such as certificates and algorithm identifiers,
477	are given to CMS processing facilities which produces a CMS object.
478	The CMS object is then finally wrapped in MIME. The Enhanced Security
479	Services for S/MIME [ESS] document provides examples of how nested,
480	secured S/MIME messages are formatted.  ESS provides an example of how
481	a triple-wrapped S/MIME message is formatted using multipart/signed
482	and application/pkcs7-mime for the signatures.

484	S/MIME provides one format for enveloped-only data, several formats
485	for signed-only data, and several formats for signed and enveloped
486	data. Several formats are required to accommodate several
487	environments, in particular for signed messages. The criteria for
488	choosing among these formats are also described.

490	The reader of this section is expected to understand MIME as described
491	in [MIME-SPEC] and [MIME-SECURE].

493	3.1 Preparing the MIME Entity for Signing or Enveloping

495	S/MIME is used to secure MIME entities. A MIME entity may be a sub-
496	part, sub-parts of a message, or the whole message with all its sub-
497	parts. A MIME entity that is the whole message includes only the MIME
498	headers and MIME body, and does not include the RFC-822 headers.  Note
499	that S/MIME can also be used to secure MIME entities used in
500	applications other than Internet mail.

502	The MIME entity that is secured and described in this section can be
503	thought of as the "inside" MIME entity. That is, it is the "innermost"
504	object in what is possibly a larger MIME message. Processing "outside"
505	MIME entities into CMS objects is described in Section 3.2, 3.4 and
506	elsewhere.

508	The procedure for preparing a MIME entity is given in [MIME-SPEC]. The
509	same procedure is used here with some additional restrictions when
510	signing. Description of the procedures from [MIME-SPEC] are repeated
511	here, but the reader should refer to that document for the exact
512	procedure. This section also describes additional requirements.

514	A single procedure is used for creating MIME entities that are to be
515	signed, enveloped, or both signed and enveloped. Some additional steps
516	are recommended to defend against known corruptions that can occur
517	during mail transport that are of particular importance for clear-
518	signing using the multipart/signed format. It is recommended that
519	these additional steps be performed on enveloped messages, or signed
520	and enveloped messages in order that the message can be forwarded to
521	any environment without modification.

523	These steps are descriptive rather than prescriptive. The implementor
524	is free to use any procedure as long as the result is the same.

526	Step 1. The MIME entity is prepared according to the local conventions

528	Step 2. The leaf parts of the MIME entity are converted to canonical
529	form

531	Step 3. Appropriate transfer encoding is applied to the leaves of the
532	MIME entity

534	When an S/MIME message is received, the security services on the
535	message are removed, and the result is the MIME entity. That MIME
536	entity is typically passed to a MIME-capable user agent where, it is
537	further decoded and presented to the user or receiving application.

539	3.1.1 Canonicalization

541	Each MIME entity MUST be converted to a canonical form that is
542	uniquely and unambiguously representable in the environment where the
543	signature is created and the environment where the signature will be
544	verified.  MIME entities MUST be canonicalized for enveloping as well
545	as signing.

547	The exact details of canonicalization depend on the actual MIME type
548	and subtype of an entity, and are not described here. Instead, the
549	standard for the particular MIME type should be consulted. For
550	example, canonicalization of type text/plain is different from
551	canonicalization of audio/basic. Other than text types, most types
552	have only one representation regardless of computing platform or
553	environment which can be considered their canonical representation. In
554	general, canonicalization will be performed by the sending agent
555	rather than the S/MIME implementation.

557	The most common and important canonicalization is for text, which is
558	often represented differently in different environments. MIME entities
559	of major type "text" must have both their line endings and character
560	set canonicalized. The line ending must be the pair of characters
561	<CR><LF>, and the charset should be a registered charset [CHARSETS].
562	The details of the canonicalization are specified in [MIME-SPEC]. The
563	chosen charset SHOULD be named in the charset parameter so that
564	the receiving agent can unambiguously determine the charset used.

566	Note that some charsets such as ISO-2022 have multiple representations
567	for the same characters. When preparing such text for signing, the
568	canonical representation specified for the charset MUST be used.

570	3.1.2 Transfer Encoding

572	When generating any of the secured MIME entities below, except the
573	signing using the multipart/signed format, no transfer encoding at all
574	is required.  S/MIME implementations MUST be able to deal with binary
575	MIME objects. If no Content-Transfer-Encoding header is present, the
576	transfer encoding should be considered 7BIT.

578	S/MIME implementations SHOULD however use transfer encoding described
579	in section 3.1.3 for all MIME entities they secure. The reason for
580	securing only 7-bit MIME entities, even for enveloped data that are
581	not exposed to the transport, is that it allows the MIME entity to be
582	handled in any environment without changing it. For example, a trusted
583	gateway might remove the envelope, but not the signature, of a
584	message, and then forward the signed message on to the end recipient
585	so that they can verify the signatures directly. If the transport
586	internal to the site is not 8-bit clean, such as on a wide-area
587	network with a single mail gateway, verifying the signature will not
588	be possible unless the original MIME entity was only 7-bit data.

590	3.1.3 Transfer Encoding for Signing Using multipart/signed

592	If a multipart/signed entity is EVER to be transmitted over the
593	standard Internet SMTP infrastructure or other transport that is
594	constrained to 7-bit text, it MUST have transfer encoding applied so
595	that it is represented as 7-bit text. MIME entities that are 7-bit
596	data already need no transfer encoding. Entities such as 8-bit text
597	and binary data can be encoded with quoted-printable or base-64
598	transfer encoding.

600	The primary reason for the 7-bit requirement is that the Internet mail
601	transport infrastructure cannot guarantee transport of 8-bit or binary
602	data. Even though many segments of the transport infrastructure now
603	handle 8-bit and even binary data, it is sometimes not possible to
604	know whether the transport path is 8-bit clear. If a mail message with
605	8-bit data were to encounter a message transfer agent that can not
606	transmit 8-bit or binary data, the agent has three options, none of
607	which are acceptable for a clear-signed message:

609	- The agent could change the transfer encoding; this would invalidate
610	the signature.
611	- The agent could transmit the data anyway, which would most likely
612	result in the 8th bit being corrupted; this too would invalidate the
613	signature.
614	- The agent could return the message to the sender.

616	[MIME-SECURE] prohibits an agent from changing the transfer encoding
617	of the first part of a multipart/signed message. If a compliant agent
618	that can not transmit 8-bit or binary data encounters a
619	multipart/signed message with 8-bit or binary data in the first part,
620	it would have to return the message to the sender as undeliverable.

622	3.1.4 Sample Canonical MIME Entity

624	This example shows a multipart/mixed message with full transfer
625	encoding. This message contains a text part and an attachment. The
626	sample message text includes characters that are not US-ASCII and thus
627	must be transfer encoded. Though not shown here, the end of each line
628	is <CR><LF>. The line ending of the MIME headers, the text, and
629	transfer encoded parts, all must be <CR><LF>.

631	Note that this example is not of an S/MIME message.

633	    Content-Type: multipart/mixed; boundary=bar

635	    --bar
636	    Content-Type: text/plain; charset=iso-8859-1
637	    Content-Transfer-Encoding: quoted-printable

639	    =A1Hola Michael!

641	    How do you like the new S/MIME specification?

643	    I agree. It's generally a good idea to encode lines that begin with
644	    From=20because some mail transport agents will insert a greater-
645	    than (>) sign, thus invalidating the signature.

647	    Also, in some cases it might be desirable to encode any   =20
648	    trailing whitespace that occurs on lines in order to ensure  =20
649	    that the message signature is not invalidated when passing =20
650	    a gateway that modifies such whitespace (like BITNET). =20

652	    --bar
653	    Content-Type: image/jpeg
654	    Content-Transfer-Encoding: base64

656	    iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
657	    jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
658	    uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
659	    HOxEa44b+EI=

661	    --bar--

663	3.2 The application/pkcs7-mime Type

665	The application/pkcs7-mime type is used to carry CMS objects of
666	several types including envelopedData and signedData. The details of
667	constructing these entities is described in subsequent sections. This
668	section describes the general characteristics of the application/pkcs7-
669	mime type.

671	The carried CMS object always contains a MIME entity that is prepared
672	as described in section 3.1 if the eContentType is id-data. Other
673	contents may be carried when the eContentType contains different
674	values. See [ESS] for an example of this with signed receipts.

676	Since CMS objects are binary data, in most cases base-64 transfer
677	encoding is appropriate, in particular when used with SMTP transport.
678	The transfer encoding used depends on the transport through which the
679	object is to be sent, and is not a characteristic of the MIME type.

681	Note that this discussion refers to the transfer encoding of the CMS
682	object or "outside" MIME entity. It is completely distinct from, and
683	unrelated to, the transfer encoding of the MIME entity secured by the
684	CMS object, the "inside" object, which is described in section 3.1.

686	Because there are several types of application/pkcs7-mime objects, a
687	sending agent SHOULD do as much as possible to help a receiving agent
688	know about the contents of the object without forcing the receiving
689	agent to decode the ASN.1 for the object. The MIME headers of all
690	application/pkcs7-mime objects SHOULD include the optional "smime-
691	type" parameter, as described in the following sections.

693	3.2.1 The name and filename Parameters

695	For the application/pkcs7-mime, sending agents SHOULD emit the
696	optional "name" parameter to the Content-Type field for compatibility
697	with older systems. Sending agents SHOULD also emit the optional
698	Content-Disposition field [CONTDISP] with the "filename" parameter. If
699	a sending agent emits the above parameters, the value of the
700	parameters SHOULD be a file name with the appropriate extension:

702	MIME Type                                File Extension

704	application/pkcs7-mime (signedData,      .p7m
705	envelopedData)

707	application/pkcs7-mime (degenerate       .p7c
708	signedData "certs-only" message)

710	application/pkcs7-signature              .p7s

712	In addition, the file name SHOULD be limited to eight characters
713	followed by a three letter extension. The eight character filename
714	base can be any distinct name; the use of the filename base "smime"
715	SHOULD be used to indicate that the MIME entity is associated with
716	S/MIME.

718	Including a file name serves two purposes. It facilitates easier use
719	of S/MIME objects as files on disk. It also can convey type
720	information across gateways. When a MIME entity of type
721	application/pkcs7-mime (for example) arrives at a gateway that has no
722	special knowledge of S/MIME, it will default the entity's MIME type to
723	application/octet-stream and treat it as a generic attachment, thus
724	losing the type information. However, the suggested filename for an
725	attachment is often carried across a gateway. This often allows the
726	receiving systems to determine the appropriate application to hand the
727	attachment off to, in this case a stand-alone S/MIME processing
728	application. Note that this mechanism is provided as a convenience for
729	implementations in certain environments. A proper S/MIME
730	implementation MUST use the MIME types and MUST not rely on the file
731	extensions.

733	3.3 Creating an Enveloped-only Message

735	This section describes the format for enveloping a MIME entity without
736	signing it.

738	Step 1. The MIME entity to be enveloped is prepared according to
739	section 3.1.

741	Step 2. The MIME entity and other required data is processed into a
742	CMS object of type envelopedData. In addition to encrypting a copy of
743	the content-encryption key for each recipient, a copy of the content
744	encryption key SHOULD be encrypted for the originator and included in
745	the envelopedData (see CMS Section 6).

747	Step 3. The CMS object is inserted into an application/pkcs7-mime MIME
748	entity.

750	The smime-type parameter for enveloped-only messages is "enveloped-
751	data". The file extension for this type of message is ".p7m".

753	A sample message would be:

755	    Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
756	         name=smime.p7m
757	    Content-Transfer-Encoding: base64
758	    Content-Disposition: attachment; filename=smime.p7m

760	    rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
761	    7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H
762	    f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
763	    0GhIGfHfQbnj756YT64V

765	3.4 Creating a Signed-only Message

767	There are two formats for signed messages defined for S/MIME:
768	application/pkcs7-mime with SignedData, and multipart/signed. In
769	general, the multipart/signed form is preferred for sending, and
770	receiving agents SHOULD be able to handle both.

772	3.4.1 Choosing a Format for Signed-only Messages

774	There are no hard-and-fast rules when a particular signed-only format
775	should be chosen because it depends on the capabilities of all the
776	receivers and the relative importance of receivers with S/MIME
777	facilities being able to verify the signature versus the importance of
778	receivers without S/MIME software being able to view the message.

780	Messages signed using the multipart/signed format can always be viewed
781	by the receiver whether they have S/MIME software or not. They can
782	also be viewed whether they are using a MIME-native user agent or they
783	have messages translated by a gateway. In this context, "be viewed"
784	means the ability to process the message essentially as if it were not
785	a signed message, including any other MIME structure the message might
786	have.

788	Messages signed using the signedData format cannot be viewed by a
789	recipient unless they have S/MIME facilities. However, if they have
790	S/MIME facilities, these messages can always be verified if they were
791	not changed in transit.

793	3.4.2 Signing Using application/pkcs7-mime with SignedData

795	This signing format uses the application/pkcs7-mime MIME type. The
796	steps to create this format are:

798	Step 1. The MIME entity is prepared according to section 3.1

800	Step 2. The MIME entity and other required data is processed into a
801	CMS object of type signedData

803	Step 3. The CMS object is inserted into an application/pkcs7-mime MIME
804	entity

806	The smime-type parameter for messages using application/pkcs7-mime
807	with SignedData is "signed-data". The file extension for this type of
808	message is ".p7m".

810	A sample message would be:

812	    Content-Type: application/pkcs7-mime; smime-type=signed-data;
813	         name=smime.p7m
814	    Content-Transfer-Encoding: base64
815	    Content-Disposition: attachment; filename=smime.p7m

817	    567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7
818	    77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH
819	    HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh
820	    6YT64V0GhIGfHfQbnj75

822	3.4.3 Signing Using the multipart/signed Format

824	This format is a clear-signing format. Recipients without any S/MIME
825	or CMS processing facilities are able to view the message. It makes
826	use of the multipart/signed MIME type described in [MIME-SECURE]. The
827	multipart/signed MIME type has two parts. The first part contains the
828	MIME entity that is signed; the second part contains the "detached
829	signature" CMS SignedData object in which the encapContentInfo
830	eContent field is absent.

832	3.4.3.1 The application/pkcs7-signature MIME Type

834	This MIME type always contains a single CMS object of type signedData.
835	The signedData encapContentInfo eContent field MUST be absent. The
836	signerInfos field contains the signatures for the MIME entity. The
837	details of the registered type are given in Appendix E.

839	The file extension for signed-only messages using application/pkcs7-
840	signature  is ".p7s".

842	3.4.3.2 Creating a multipart/signed Message

844	Step 1. The MIME entity to be signed is prepared according to section
845	3.1, taking special care for clear-signing.

847	Step 2. The MIME entity is presented to CMS processing in order to
848	obtain an object of type signedData in which the encapContentInfo
849	eContent field is absent.

851	Step 3. The MIME entity is inserted into the first part of a
852	multipart/signed message with no processing other than that described
853	in section 3.1.

855	Step 4. Transfer encoding is applied to the "detached signature" CMS
856	SignedData object and it is inserted into a MIME entity of type
857	application/pkcs7-signature.

859	Step 5. The MIME entity of the application/pkcs7-signature is inserted
860	into the second part of the multipart/signed entity.

862	The multipart/signed Content type has two required parameters: the
863	protocol parameter and the micalg parameter.

865	The protocol parameter MUST be "application/pkcs7-signature". Note
866	that quotation marks are required around the protocol parameter
867	because MIME requires that the "/" character in the parameter value
868	MUST be quoted.

870	The micalg parameter allows for one-pass processing when the signature
871	is being verified. The value of the micalg parameter is dependent on
872	the message digest algorithm(s) used in the calculation of the Message
873	Integrity Check. If multiple message digest algorithms are used they
874	MUST be separated by commas per [MIME-SECURE]. The values to be placed
875	in the micalg parameter SHOULD be from the following:

877	Algorithm   Value
878	used

880	MD5         md5
881	SHA-1       sha1
882	Any other   unknown

884	(Historical note: some early implementations of S/MIME emitted and
885	expected "rsa-md5" and "rsa-sha1" for the micalg parameter.) Receiving
886	agents SHOULD be able to recover gracefully from a micalg parameter
887	value that they do not recognize.

889	3.4.3.3 Sample multipart/signed Message

891	    Content-Type: multipart/signed;
892	       protocol="application/pkcs7-signature";
893	       micalg=sha1; boundary=boundary42

895	    --boundary42
896	    Content-Type: text/plain

898	    This is a clear-signed message.

900	    --boundary42
901	    Content-Type: application/pkcs7-signature; name=smime.p7s
902	    Content-Transfer-Encoding: base64
903	    Content-Disposition: attachment; filename=smime.p7s

905	    ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
906	    4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
907	    n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
908	    7GhIGfHfYT64VQbnj756

910	    --boundary42--

912	3.4.3.4 Encapsulating multipart/signed Messages

914	Some mail gateways will split or alter a multipart/signed message in
915	ways that might invalidate the signature. Sending agents that create
916	multipart/signed messages may encapsulate those messages using the
917	application/mime construct [APP-MIME], as described in Appendix F.

919	3.5 Signing and Encrypting

921	To achieve signing and enveloping, any of the signed-only and
922	encrypted-only formats may be nested. This is allowed because the
923	above formats are all MIME entities, and because they all secure MIME
924	entities.

926	An S/MIME implementation MUST be able to receive and process
927	arbitrarily nested S/MIME within reasonable resource limits of the
928	recipient computer.

930	It is possible to either sign a message first, or to envelope the
931	message first. It is up to the implementor and the user to choose.
932	When signing first, the signatories are then securely obscured by the
933	enveloping. When enveloping first the signatories are exposed, but it
934	is possible to verify signatures without removing the enveloping. This
935	may be useful in an environment were automatic signature verification
936	is desired, as no private key material is required to verify a
937	signature.

939	3.6 Creating a Certificates-only Message

941	The certificates only message or MIME entity is used to transport
942	certificates, such as in response to a registration request. This
943	format can also be used to convey CRLs.

945	Step 1. The certificates are made available to the CMS generating
946	process which creates a CMS object of type signedData. The signedData
947	encapContentInfo eContent field MUST be absent and signerInfos field
948	MUST be empty.

950	Step 2. The CMS signedData object is enclosed in an application/pkcs7-
951	mime MIME entity

953	The smime-type parameter for a certs-only message is "certs-only".
954	The file extension for this type of message is ".p7c".

956	3.7 Registration Requests

958	A sending agent that signs messages MUST have a certificate for the
959	signature so that a receiving agent can verify the signature. There
960	are many ways of getting certificates, such as through an exchange
961	with a certificate authority, through a hardware token or diskette,
962	and so on.

964	S/MIME v2 [SMIMEV2] specified a method for "registering" public keys
965	with certificate authorities using an application/pkcs10 body part.
966	The IETF's PKIX Working Group is preparing another method for
967	requesting certificates; however, that work was not finished at the
968	time of this draft. S/MIME v3 does not specify how to request a
969	certificate, but instead mandates that every sending agent already has
970	a certificate. Standardization of certificate management is being
971	pursued separately in the IETF.

973	3.8 Identifying an S/MIME Message

975	Because S/MIME takes into account interoperation in non-MIME
976	environments, several different mechanisms are employed to carry the
977	type information, and it becomes a bit difficult to identify S/MIME
978	messages. The following table lists criteria for determining whether
979	or not a message is an S/MIME message. A message is considered an
980	S/MIME message if it matches any below.

982	The file suffix in the table below comes from the "name" parameter in
983	the content-type header, or the "filename" parameter on the content-
984	disposition header. These parameters that give the file suffix are not
985	listed below as part of the parameter section.

987	MIME type:   application/pkcs7-mime
988	parameters:  any
989	file suffix: any

991	MIME type:   multipart/signed
992	parameters:  protocol="application/pkcs7-signature"
993	file suffix: any

995	MIME type:   application/mime
996	parameters:  content-type="multipart/signed";
997	                protocol="application/pkcs7-signature"
998	file suffix: any

1000	MIME type:   application/octet-stream
1001	parameters:  any
1002	file suffix: p7m, p7s, aps, p7c

1004	4. Certificate Processing

1006	A receiving agent MUST provide some certificate retrieval mechanism in
1007	order to gain access to certificates for recipients of digital
1008	envelopes. This draft does not cover how S/MIME agents handle
1009	certificates, only what they do after a certificate has been validated
1010	or rejected. S/MIME certification issues are covered in [CERT3].

1012	At a minimum, for initial S/MIME deployment, a user agent could
1013	automatically generate a message to an intended recipient requesting
1014	that recipient's certificate in a signed return message. Receiving and
1015	sending agents SHOULD also provide a mechanism to allow a user to
1016	"store and protect" certificates for correspondents in such a way so
1017	as to guarantee their later retrieval.

1019	4.1 Key Pair Generation

1021	If an S/MIME agent needs to generate a key pair, then the S/MIME agent
1022	or some related administrative utility or function MUST be capable of
1023	generating separate DH and DSS public/private key pairs on behalf of
1024	the user. Each key pair MUST be generated from a good source of non-
1025	deterministic random input and the private key MUST be protected in a
1026	secure fashion.

1028	If an S/MIME agent needs to generate a key pair, then the S/MIME agent
1029	or some related administrative utility or function SHOULD generate RSA
1030	key pairs.

1032	A user agent SHOULD generate RSA key pairs at a minimum key size of
1033	768 bits. A user agent MUST NOT generate RSA key pairs less than 512
1034	bits long. Creating keys longer than 1024 bits may cause some older
1035	S/MIME receiving agents to not be able to verify signatures, but gives
1036	better security and is therefore valuable. A receiving agent SHOULD be
1037	able to verify signatures with keys of any size over 512 bits. Some
1038	agents created in the United States have chosen to create 512 bit keys
1039	in order to get more advantageous export licenses. However, 512 bit
1040	keys are considered by many to be cryptographically insecure.
1041	Implementors should be aware that multiple (active) key pairs may be
1042	associated with a single individual. For example, one key pair may be
1043	used to support confidentiality, while a different key pair may be
1044	used for authentication.

1046	5. Security

1048	This entire draft discusses security. Security issues not covered in
1049	other parts of the draft include:

1051	40-bit encryption is considered weak by most cryptographers. Using
1052	weak cryptography in S/MIME offers little actual security over sending
1053	plaintext. However, other features of S/MIME, such as the
1054	specification of tripleDES and the ability to announce stronger
1055	cryptographic capabilities to parties with whom you communicate, allow
1056	senders to create messages that use strong encryption. Using weak
1057	cryptography is never recommended unless the only alternative is no
1058	cryptography. When feasible, sending and receiving agents should
1059	inform senders and recipients the relative cryptographic strength of
1060	messages.

1062	It is impossible for most software or people to estimate the value of
1063	a message. Further, it is impossible for most software or people to
1064	estimate the actual cost of decrypting a message that is encrypted
1065	with a key of a particular size. Further, it is quite difficult to
1066	determine the cost of a failed decryption if a recipient cannot decode
1067	a message. Thus, choosing between different key sizes (or choosing
1068	whether to just use plaintext) is also impossible. However, decisions
1069	based on these criteria are made all the time, and therefore this
1070	draft gives a framework for using those estimates in choosing
1071	algorithms.

1073	If a sending agent is sending the same message using different
1074	strengths of cryptography, an attacker watching the communications
1075	channel can determine the contents of the strongly-encrypted message
1076	by decrypting the weakly-encrypted version. In other words, a sender
1077	should not send a copy of a message using weaker cryptography than
1078	they would use for the original of the message.

1080	A. Object Identifiers and Syntax

1082	SMIMECapability ::= SEQUENCE {
1083	   capabilityID OBJECT IDENTIFIER,
1084	   parameters ANY DEFINED BY capabilityID OPTIONAL }

1086	SMIMECapabilities ::= SEQUENCE OF SMIMECapability

1088	SMIMEEncryptionKeyPreference ::= CHOICE {
1089	   issuerAndSerialNumber   [0] IssuerAndSerialNumber,
1090	   receipentKeyId          [1] RecipientKeyIdentifier,
1091	   subjectAltKeyIdentifier [2] KeyIdentifier
1092	}

1094	A.1 Content Encryption Algorithms

1096	RC2-CBC OBJECT IDENTIFIER ::=
1097	   {iso(1) member-body(2) us(840) rsadsi(113549) encryptionAlgorithm(3)
1098	2}

1100	For the effective-key-bits (key size) greater than 32 and less than
1101	256, the RC2-CBC algorithm parameters are encoded as:

1103	RC2-CBC parameter ::=  SEQUENCE {
1104	   rc2ParameterVersion  INTEGER,
1105	   iv                   OCTET STRING (8)}

1107	For the effective-key-bits of 40, 64, and 128, the rc2ParameterVersion
1108	values are 160, 120, 58 respectively.

1110	DES-EDE3-CBC OBJECT IDENTIFIER ::=
1111	   {iso(1) member-body(2) us(840) rsadsi(113549) encryptionAlgorithm(3)
1112	7}

1114	For DES-CBC and DES-EDE3-CBC, the parameter should be encoded as:

1116	CBCParameter :: IV

1118	where IV ::= OCTET STRING -- 8 octets.

1120	A.2 Digest Algorithms

1122	md5 OBJECT IDENTIFIER ::=
1123	   {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5}

1125	sha-1 OBJECT IDENTIFIER ::=
1126	   {iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 26}

1128	A.3 Asymmetric Encryption Algorithms

1130	rsaEncryption OBJECT IDENTIFIER ::=
1131	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1}

1133	rsa OBJECT IDENTIFIER ::=
1134	   {joint-iso-ccitt(2) ds(5) algorithm(8) encryptionAlgorithm(1) 1}

1136	id-dsa OBJECT IDENTIFIER ::=
1137	   {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 }

1139	A.4 Signature Algorithms

1141	md2WithRSAEncryption OBJECT IDENTIFIER ::=
1142	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2}

1144	md5WithRSAEncryption OBJECT IDENTIFIER ::=
1145	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4}

1147	sha-1WithRSAEncryption OBJECT IDENTIFIER ::=
1148	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5}

1150	id-dsa-with-sha1 OBJECT IDENTIFIER ::=
1151	   {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3}

1153	A.5 Signed Attributes

1155	signingTime OBJECT IDENTIFIER ::=
1156	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 5}

1158	smimeCapabilities OBJECT IDENTIFIER ::=
1159	   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15}

1161	B. References

1163	[3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES,"
1164	IEEE Spectrum, v. 16, n. 7, July 1979, pp40-41.

1166	[APP-MIME] "Wrapping MIME Objects:  Application/MIME", Internet Draft
1167	draft-crocker-wrap-*.txt.

1169	[CERT3] "S/MIME Version 3 Certificate Handling", Internet Draft draft-
1170	ietf-smime-cert-*.txt.

1172	[CHARSETS] Character sets assigned by IANA. See <ftp://ftp.isi.edu/in-
1173	notes/iana/assignments/character-sets>.

1175	[CMS] "Cryptographic Message Syntax", Internet Draft draft-ietf-smime-
1176	cms-*.txt.

1178	[CONTDISP] "Communicating Presentation Information in Internet
1179	Messages: The Content-Disposition Header Field", RFC 2183

1181	[DES] ANSI X3.106, "American National Standard for Information Systems-
1182	Data Link Encryption," American National Standards Institute, 1983.

1184	[DH] ANSI X9.42 TBD

1186	[DSS] ANSI X9.57-199x, "Public Key Cryptography For The Financial
1187	Services Industry: Certificate Management" (Working Draft), 21 June,
1188	1996.

1190	[ESS] "Enhanced Security Services for S/MIME", Internet draft, draft-
1191	ietf-smime-ess-*.txt.

1193	[MD5] "The MD5 Message Digest Algorithm", RFC 1321

1195	[MIME-SPEC] The primary definition of MIME. "MIME Part 1: Format of
1196	Internet Message Bodies", RFC 2045; "MIME Part 2: Media Types", RFC
1197	2046; "MIME Part 3: Message Header Extensions for Non-ASCII Text", RFC
1198	2047; "MIME Part 4: Registration Procedures", RFC 2048; "MIME Part 5:
1199	Conformance Criteria and Examples", RFC 2049

1201	[MIME-SECURE] "Security Multiparts for MIME: Multipart/Signed and
1202	Multipart/Encrypted", RFC 1847

1204	[MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement
1205	Levels", RFC 2119

1207	[PKCS-1] "PKCS #1: RSA Encryption Version 1.5", RFC 2313

1209	[PKCS-7] "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315

1211	[RC2] "A Description of the RC2 (r) Encryption Algorithm", RFC 2268

1213	[SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National Institute
1214	of Standards and Technology, U.S. Department of Commerce, DRAFT, 31May
1215	1994.

1217	[SMIMEV2] "S/MIME Version 2 Message Specification", RFC 2311

1219	C. Encapsulating Signed Messages for Internet Transport

1221	The rationale behind the multiple formats for signing has to do with
1222	the MIME subtype defaulting rules of the application and multipart top-
1223	level types, and the behavior of currently deployed gateways and mail
1224	user agents.

1226	Ideally, the multipart/signed format would be the only format used
1227	because it provides a truly backwards compatible way to sign MIME
1228	entities. In a pure MIME environment with very capable user agents,
1229	this would be possible. The world, however, is more complex than this.
1230	One problem with the multipart/signed format occurs with gateways to
1231	non-MIME environments. In these environments, the gateway will
1232	generally not be S/MIME aware, will not recognize the multipart/signed
1233	type, and will default its treatment to multipart/mixed as is
1234	prescribed by the MIME standard. The real problem occurs when the
1235	gateway also applies conversions to the MIME structure of the original
1236	message that is being signed and is contained in the first part of the
1237	multipart/signed structure, such as the gateway converting text and
1238	attachments to the local format. Because the signature is over the
1239	MIME structure of the original message, but the original message is
1240	now decomposed and transformed, the signature cannot be verified.
1241	Because MIME encoding of a particular set of body parts can be done in
1242	many different ways, there is no way to reconstruct the original MIME
1243	entity over which the signature was computed.

1245	A similar problem occurs when an attempt is made to combine an
1246	existing user agent with a stand-alone S/MIME facility. Typical user
1247	agents do not have the ability to make a multipart sub-entity
1248	available to a stand-alone application in the same way they make leaf
1249	MIME entities available to "viewer" applications. This user agent
1250	behavior is not required by the MIME standard and thus not widely
1251	implemented. The result is that it is impossible for most user agents
1252	to hand off the entire multipart/signed entity to a stand-alone
1253	application.

1255	C.1 Solutions to the Problem

1257	To work around these two problems, the application/pkcs7-mime type can
1258	be used. When going through a gateway, it will be defaulted to the
1259	MIME type of application/octet-stream and treated as a single opaque
1260	entity. That is, the message will be treated as an attachment of
1261	unknown type, converted into the local representation for an
1262	attachment and thus can be made available to an S/MIME facility
1263	completely intact. A similar result is achieved when a user agent
1264	similarly treats the application/pkcs7-mime MIME entity as a simple
1265	leaf node of the MIME structure and makes it available to viewer
1266	applications.

1268	Another way to work around these problems is to encapsulate the
1269	multipart/signed MIME entity in a MIME entity of type
1270	application/mime. The result is similar to that obtained using
1271	application/pkcs7-mime. When the application/mime entity arrives at a
1272	gateway that does not recognize it, its type will be defaulted to
1273	application/octet-stream and it will be treated as a single opaque
1274	entity. A similar situation will happen with a receiving client that
1275	does not recognize the entity. It will usually be treated as a file
1276	attachment. It can then be made available to the S/MIME facility.

1278	The major difference between the two alternatives (application/pkcs7-
1279	mime or multipart/signed wrapped with application/mime ) is when the
1280	S/MIME facility opens the attachment. In the latter case, the S/MIME
1281	agent will find a multipart/signed entity rather than a BER encoded
1282	CMS object. Considering the two representations abstractly, the only
1283	difference is syntax.

1285	Application/mime is a general mechanism for encapsulating MIME, and in
1286	particular delaying its interpretation until it can be done in the
1287	appropriate environment or at the request of the user. The
1288	application/mime specification does not permit a user agent to
1289	automatically interpret the encapsulated MIME unless it can be
1290	processed entirely and properly. The parameters to the
1291	application/mime entity give the type of the encapsulated entity so it
1292	can be determined whether or not the entity can be processed before it
1293	is expanded.

1295	Application/mime is a general encapsulation mechanism that can be
1296	built into a gateway or user agent, allowing expansion of the
1297	encapsulated entity under user control. Because it is a general
1298	mechanism, it is in many cases more likely to be available than an
1299	S/MIME facility. Thus, it enables users to expand or to verify signed
1300	messages based on their local facilities and choices. It provides
1301	exactly the same advantages that the application/pkcs7-mime with
1302	signedData does. It also has the added benefit of allowing expansion
1303	in non-S/MIME environments and expansion under the recipient's
1304	control.

1306	C.2 Encapsulation Using application/mime

1308	In some cases, multipart/signed entities are automatically decomposed
1309	in such a way as to make computing the hash of the first part, the
1310	signed part, impossible; in such a situation, the signature becomes
1311	unverifiable. In order to prevent such decomposition until the MIME
1312	entity can be processed in a proper S/MIME environment, a
1313	multipart/signed entity may be encapsulated in an application/mime
1314	entity.

1316	All S/MIME implementations SHOULD be able to generate and receive
1317	application/mime encapsulations of multipart/signed entities which
1318	have their signature of type application/pkcs7-mime. In particular, on
1319	receipt of a MIME entity of type application/mime with the type
1320	parameter "multipart/signed" and the protocol parameter
1321	"application/pkcs7-mime", a receiving agent SHOULD be able to process
1322	the entity correctly. This is required even if the local environment
1323	has facilities for processing application/mime because
1324	application/mime requires that the encapsulated entity only be
1325	processed on request of the user, or if processing software can
1326	process the entity completely and correctly. In this case, an S/MIME
1327	facility can always process the entity completely and SHOULD do so.

1329	The steps to create an application/mime encapsulation of a
1330	multipart/signed entity are:

1332	Step 1. Prepare a multipart/signed message as described in section
1333	3.4.3.2

1335	Step 2. Insert the multipart/signed entity into an application/mime
1336	according to [APP-MIME]. This requires that the parameters of the
1337	multipart/signed entity be included as parameters on the
1338	application/mime entity.

1340	Note that messages using application/mime are subject to the same
1341	encoding rules as message/* and multipart/* types. The encoding of the
1342	application/mime part MUST NOT be binary.

1344	In addition, the application/mime entity SHOULD have a name parameter
1345	giving a file name ending with ".aps". It SHOULD also have a content-
1346	disposition parameter with the same filename. The ".aps" extension
1347	SHOULD be used exclusively for application/mime encapsulated
1348	multipart/signed entities containing a signature of type
1349	application/pkcs7-signature. This is necessary so that the receiving
1350	agent can correctly dispatch to software that verifies S/MIME
1351	signatures in environments where the MIME type and parameters have
1352	been lost or can't be used for such dispatch. Basically, the file
1353	extension becomes the sole carrier of type information.

1355	A sample application/mime encapsulation of a signed message might be:

1357	    Content-type: application/mime; content-type="multipart/signed";
1358	         protocol="application/pkcs7-signature";
1359	         micalg=sha1; name=smime.aps
1360	    Content-disposition: attachment; filename=smime.aps

1362	    Content-Type: multipart/signed;
1363	       protocol="application/pkcs7-signature";
1364	       micalg=sha1; boundary=boundary42

1366	    --boundary42
1367	    Content-Type: text/plain

1369	    This is a very short clear-signed message. However, at least you
1370	    can read it!

1372	    --boundary42
1373	    Content-Type: application/pkcs7-signature; name=smime.p7s
1374	    Content-Transfer-Encoding: base64
1375	    Content-Disposition: attachment; filename=smime.p7s

1377	    ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
1378	    4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
1379	    n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
1380	    7GhIGfHfYT64VQbnj756

1382	    --boundary42--

1384	C.3 Encapsulation in an Non-MIME Environment

1386	While this document primarily addresses the Internet, it is useful to
1387	compose and receive S/MIME secured messages in non-MIME environments.
1388	This is particularly the case when it is desired that security be
1389	implemented end-to-end. Other discussion here addresses the receipt of
1390	S/MIME messages in non-MIME environments. Here the composition of
1391	multipart/signed entities is addressed.

1393	When a message is to be sent in such an environment, the
1394	multipart/signed entity is created as described above. That entity is
1395	then treated as an opaque stream of bits and added to the message as
1396	an attachment. It must have a file name that ends with ".aps", as this
1397	is the sole mechanism for recognizing it as an S/MIME message by the
1398	receiving agent.

1400	When this message arrives in a MIME environment, it is likely to have
1401	a MIME type of application/octet-stream, with MIME parameters giving
1402	the filename for the attachment. If the intervening gateway has
1403	carried the file type, it will end in ".aps" and be recognized as an
1404	S/MIME message.

1406	D. Acknowledgements

1408	This document is largely derived from [SMIMEV2] written by Steve
1409	Dusse, Paul Hoffman, Blake Ramsdell, Laurence Lundblade, and Lisa
1410	Repka.

1412	Significant comments and additions were made by John Pawling and Jim
1413	Schaad.

1415	E. Needed changes

1417	4.1 keylengths for RSA need to move to CMS
1418	Should SMIMEEncryptionKeyPreference move to CMS?
1419	2.5.3.1 to determine the "same subject name" should this be a check
1420	against the subject DN, or both the DN and the subjectAltName
1421	extension?
1422	Should most of appendix A be in CMS?

1424	F. Changes from last draft

1426	Changed "Status of this memo" paragraph to reflect new IETF text (Paul
1427	Hoffman)
1428	Removed PKCS #1 from 1.1 (this will be covered in CMS)
1429	Removed 2.6.1.4 and changed 2.6.1.3 (Jim Schaad and Paul Hoffman)
1430	Added 2.5.3.1 (Selection of Recipient Key Management Certificate) (Jim
1431	Schaad)
1432	Yanked appendix C (MIME type registration) (Paul Hoffman)
1433	Fixed duplicate sentence in 3.7 (Jim Schaad)
1434	Added language to 2.5 to explain that other attributes should be
1435	displayed to the user (Paul Hoffman)

1437	G. Editor's address

1439	Blake Ramsdell
1440	Worldtalk
1441	13122 NE 20th St., Suite C
1442	Bellevue, WA 98005
1443	(425) 882-8861
1444	blaker@deming.com