idnits 2.17.1 draft-ietf-smime-msg-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-19) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. ** The document is more than 15 pages and seems to lack a Table of Contents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 1387 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 88: '...draft, the terms MUST, MUST NOT, SHOUL...' RFC 2119 keyword, line 164: '...Sending and receiving agents MUST support SHA-1 [SHA1]. Receiving...' RFC 2119 keyword, line 165: '...agents SHOULD support MD5 [MD5] for the purpose of providing backward...' RFC 2119 keyword, line 170: '...Sending and receiving agents MUST support id-dsa defined in [DSS]....' RFC 2119 keyword, line 171: '...rithm parameters MUST be absent (not e...' (92 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 89 has weird spacing: '...s. This confo...' == Line 911 has weird spacing: '...gnature is "....' == Line 953 has weird spacing: '...y other unkn...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: Including a file name serves two purposes. It facilitates easier use of S/MIME objects as files on disk. It also can convey type information across gateways. When a MIME entity of type application/pkcs7-mime (for example) arrives at a gateway that has no special knowledge of S/MIME, it will default the entity's MIME type to application/octet-stream and treat it as a generic attachment, thus losing the type information. However, the suggested filename for an attachment is often carried across a gateway. This often allows the receiving systems to determine the appropriate application to hand the attachment off to, in this case a stand-alone S/MIME processing application. Note that this mechanism is provided as a convenience for implementations in certain environments. A proper S/MIME implementation MUST use the MIME types and MUST not rely on the file extensions. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 14, 1998) is 9258 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'MIME-SPEC' on line 1266 looks like a reference -- Missing reference section? 'CMS' on line 1248 looks like a reference -- Missing reference section? 'PKCS-7' on line 1280 looks like a reference -- Missing reference section? 'MIME-SECURE' on line 1272 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 1275 looks like a reference -- Missing reference section? 'SHA1' on line 1284 looks like a reference -- Missing reference section? 'MD5' on line 1264 looks like a reference -- Missing reference section? 'DSS' on line 1307 looks like a reference -- Missing reference section? 'PKCS-1' on line 1278 looks like a reference -- Missing reference section? 'DH' on line 1257 looks like a reference -- Missing reference section? 'ESS' on line 1261 looks like a reference -- Missing reference section? '3DES' on line 1303 looks like a reference -- Missing reference section? 'DES' on line 1254 looks like a reference -- Missing reference section? 'RC2' on line 1282 looks like a reference -- Missing reference section? 'CHARSETS' on line 1245 looks like a reference -- Missing reference section? 'CONTDISP' on line 1251 looks like a reference -- Missing reference section? 'SMIMEV2' on line 1292 looks like a reference -- Missing reference section? 'CERT3' on line 1242 looks like a reference -- Missing reference section? '0' on line 1161 looks like a reference -- Missing reference section? '1' on line 1162 looks like a reference -- Missing reference section? '2' on line 1163 looks like a reference Summary: 9 errors (**), 0 flaws (~~), 6 warnings (==), 23 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Editor: Blake Ramsdell, 2 draft-ietf-smime-msg-06.txt Worldtalk 3 December 14, 1998 4 Expires in six months 6 S/MIME Version 3 Message Specification 8 Status of this memo 10 This document is an Internet-Draft. Internet-Drafts are working 11 documents of the Internet Engineering Task Force (IETF), its areas, 12 and its working groups. Note that other groups may also distribute 13 working documents as Internet-Drafts. 15 Internet-Drafts are draft documents valid for a maximum of six months 16 and may be updated, replaced, or obsoleted by other documents at any 17 time. It is inappropriate to use Internet-Drafts as reference material 18 or to cite them other than as "work in progress." 20 To view the entire list of current Internet-Drafts, please check the 21 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 22 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), 23 ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), 24 ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). 26 1. Introduction 28 S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a 29 consistent way to send and receive secure MIME data. Based on the 30 popular Internet MIME standard, S/MIME provides the following 31 cryptographic security services for electronic messaging applications: 32 authentication, message integrity and non-repudiation of origin (using 33 digital signatures) and privacy and data security (using encryption). 35 S/MIME can be used by traditional mail user agents (MUAs) to add 36 cryptographic security services to mail that is sent, and to interpret 37 cryptographic security services in mail that is received. However, 38 S/MIME is not restricted to mail; it can be used with any transport 39 mechanism that transports MIME data, such as HTTP. As such, S/MIME 40 takes advantage of the object-based features of MIME and allows secure 41 messages to be exchanged in mixed-transport systems. 43 Further, S/MIME can be used in automated message transfer agents that 44 use cryptographic security services that do not require any human 45 intervention, such as the signing of software-generated documents and 46 the encryption of FAX messages sent over the Internet. 48 1.1 Specification Overview 50 This document describes a protocol for adding cryptographic signature 51 and encryption services to MIME data. The MIME standard [MIME-SPEC] 52 provides a general structure for the content type of Internet messages 53 and allows extensions for new content type applications. 55 This draft defines how to create a MIME body part that has been 56 cryptographically enhanced according to CMS [CMS], which is derived 57 from PKCS #7 [PKCS-7]. This draft also defines the application/pkcs7- 58 mime MIME type that can be used to transport those body parts. 60 This draft also discusses how to use the multipart/signed MIME type 61 defined in [MIME-SECURE] to transport S/MIME signed messages. This 62 draft also defines the application/pkcs7-signature MIME type, which is 63 also used to transport S/MIME signed messages. 65 In order to create S/MIME messages, an S/MIME agent has to follow 66 specifications in this draft, as well as the specifications listed in 67 the Cryptographic Message Syntax [CMS]. 69 Throughout this draft, there are requirements and recommendations made 70 for how receiving agents handle incoming messages. There are separate 71 requirements and recommendations for how sending agents create 72 outgoing messages. In general, the best strategy is to "be liberal in 73 what you receive and conservative in what you send". Most of the 74 requirements are placed on the handling of incoming messages while the 75 recommendations are mostly on the creation of outgoing messages. 77 The separation for requirements on receiving agents and sending agents 78 also derives from the likelihood that there will be S/MIME systems 79 that involve software other than traditional Internet mail clients. 80 S/MIME can be used with any system that transports MIME data. An 81 automated process that sends an encrypted message might not be able to 82 receive an encrypted message at all, for example. Thus, the 83 requirements and recommendations for the two types of agents are 84 listed separately when appropriate. 86 1.2 Terminology 88 Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD 89 NOT are used in capital letters. This conforms to the definitions in 90 [MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to help 91 make the intent of standards track documents as clear as possible. The 92 same key words are used in this document to help implementors achieve 93 interoperability. 95 1.3 Definitions 97 For the purposes of this draft, the following definitions apply. 99 ASN.1: Abstract Syntax Notation One, as defined in CCITT X.208. 101 BER: Basic Encoding Rules for ASN.1, as defined in CCITT X.209. 103 Certificate: A type that binds an entity's distinguished name to a 104 public key with a digital signature. 106 DER: Distinguished Encoding Rules for ASN.1, as defined in CCITT 107 X.509. 109 7-bit data: Text data with lines less than 998 characters long, where 110 none of the characters have the 8th bit set, and there are no NULL 111 characters. and occur only as part of a end of line 112 delimiter. 114 8-bit data: Text data with lines less than 998 characters, and where 115 none of the characters are NULL characters. and occur only 116 as part of a end of line delimiter. 118 Binary data: Arbitrary data. 120 Transfer Encoding: A reversible transformation made on data so 8-bit 121 or binary data may be sent via a channel that only transmits 7-bit 122 data. 124 Receiving agent: software that interprets and processes S/MIME CMS 125 objects, MIME body parts that contain CMS objects, or both. 127 Sending agent: software that creates S/MIME CMS objects, MIME body 128 parts that contain CMS objects, or both. 130 S/MIME agent: user software that is a receiving agent, a sending 131 agent, or both. 133 1.4 Compatibility with Prior Practice of S/MIME 135 S/MIME version 3 agents should attempt to have the greatest 136 interoperability possible with S/MIME version 2 agents. S/MIME version 137 2 is described in RFC 2311 through RFC 2315, inclusive. RFC 2311 also 138 has historical information about the development of S/MIME. 140 1.5 Discussion of This Draft 142 This draft is being discussed on the "ietf-smime" mailing list. To 143 subscribe, send a message to: 145 ietf-smime-request@imc.org 147 with the single word 149 subscribe 151 in the body of the message. There is a Web site for the mailing list 152 at . 154 2. CMS Options 156 CMS allows for a wide variety of options in content and algorithm 157 support. This section puts forth a number of support requirements and 158 recommendations in order to achieve a base level of interoperability 159 among all S/MIME implementations. [CMS] provides additional details 160 regarding the use of the cryptographic algorithms. 162 2.1 DigestAlgorithmIdentifier 164 Sending and receiving agents MUST support SHA-1 [SHA1]. Receiving 165 agents SHOULD support MD5 [MD5] for the purpose of providing backward 166 compatibility with MD5-digested S/MIME v2 SignedData objects. 168 2.2 SignatureAlgorithmIdentifier 170 Sending and receiving agents MUST support id-dsa defined in [DSS]. 171 The algorithm parameters MUST be absent (not encoded as NULL). 173 Receiving agents SHOULD support rsaEncryption, defined in [PKCS-1]. 175 Sending agents SHOULD support rsaEncryption. Outgoing messages are 176 signed with a user's private key. The size of the private key is 177 determined during key generation. 179 2.3 KeyEncryptionAlgorithmIdentifier 181 Sending and receiving agents MUST support Diffie-Hellman defined in 182 [DH]. 184 Receiving agents SHOULD support rsaEncryption. Incoming encrypted 185 messages contain symmetric keys which are to be decrypted with a 186 user's private key. The size of the private key is determined during 187 key generation. 189 Sending agents SHOULD support rsaEncryption. 191 2.4 General Syntax 193 CMS defines multiple content types. Of these, only the Data, 194 SignedData, and EnvelopedData content types are currently used for 195 S/MIME. 197 2.4.1 Data Content Type 199 Sending agents MUST use the id-data content type identifier to 200 indicate the message content which has had security services applied 201 to it. For example, when applying a digital signature to MIME data, 202 the CMS signedData encapContentInfo eContentType MUST include the id- 203 data object identifier and the MIME content MUST be stored in the 204 SignedData encapContentInfo eContent OCTET STRING. As another 205 example, when applying encryption to MIME data, the CMS EnvelopedData 206 encryptedContentInfo ContentType MUST include the id-data object 207 identifier and the encrypted MIME content MUST be stored in the 208 envelopedData encryptedContentInfo encryptedContent OCTET STRING. 210 2.4.2 SignedData Content Type 212 Sending agents MUST use the signedData content type to apply a digital 213 signature to a message or, in a degenerate case where there is no 214 signature information, to convey certificates. 216 2.4.3 EnvelopedData Content Type 218 This content type is used to apply privacy protection to a message. A 219 sender needs to have access to a public key for each 220 intended message recipient to use this service. This content type does 221 not provide authentication. 223 2.5 Attribute SignerInfo Type 225 The SignerInfo type allows the inclusion of unsigned and signed 226 attributes to be included along with a signature. 228 Receiving agents MUST be able to handle zero or one instance of each 229 of the signed attributes listed here. Sending agents SHOULD generate 230 one instance of each of the following signed attributes in each S/MIME 231 message: 232 - signingTime (section 2.5.1 in this document) 233 - sMIMECapabilities (section 2.5.2 in this document) 234 - sMIMEEncryptionKeyPreference (section 2.5.3 in this document) 236 Further, receiving agents SHOULD be able to handle zero or one 237 instance of each of the signed attributes listed here. 238 - receiptRequest (section 2 in [ESS]) 239 - signingCertificate (section 5 in [ESS]) 241 Sending agents SHOULD generate one instance of the signingCertificate 242 signed attribute in each S/MIME message. 244 Additional attributes and values for these attributes may be defined 245 in the future. Receiving agents SHOULD handle attributes or values 246 that it does not recognize in a graceful manner. 248 Sending agents that include signed attributes that are not listed here 249 SHOULD display those attributes to the user, so that the user is aware 250 of all of the data being signed. 252 2.5.1 Signing-Time Attribute 254 The signing-time attribute is used to convey the time that a message 255 was signed. Until there are trusted timestamping services, the time of 256 signing will most likely be created by a message originator and 257 therefore is only as trustworthy as the originator. 259 Sending agents MUST encode signing time through the year 2049 as 260 UTCTime; signing times in 2050 or later MUST be encoded as 261 GeneralizedTime. When the UTCTime CHOICE is used, S/MIME agents MUST 262 interpret the year field (YY) as follows: 264 if YY is greater than or equal to 50, the year is interpreted as 19YY; 265 if YY is less than 50, the year is interpreted as 20YY. 267 2.5.2 SMIMECapabilities Attribute 269 The SMIMECapabilities attribute includes signature algorithms (such as 270 "sha1WithRSAEncryption"), symmetric algorithms (such as "DES-EDE3- 271 CBC"), and key encipherment algorithms (such as "rsaEncryption"). It 272 also includes a non-algorithm capability which is the preference for 273 signedData. The SMIMECapabilities were designed to be flexible and 274 extensible so that, in the future, a means of identifying other 275 capabilities and preferences such as certificates can be added in a 276 way that will not cause current clients to break. 278 If present, the SMIMECapabilities attribute MUST be a SignedAttribute; 279 it MUST NOT be an UnsignedAttribute. CMS defines SignedAttributes as a 280 SET OF Attribute. The SignedAttributes in a signerInfo MUST NOT 281 include multiple instances of the SMIMECapabilities attribute. CMS 282 defines the ASN.1 syntax for Attribute to include attrValues SET OF 283 AttributeValue. A SMIMECapabilities attribute MUST only include a 284 single instance of AttributeValue. There MUST NOT be zero or multiple 285 instances of AttributeValue present in the attrValues SET OF 286 AttributeValue. 288 The semantics of the SMIMECapabilites attribute specify a partial list 289 as to what the client announcing the SMIMECapabilites can support. A 290 client does not have to list every capability it supports, and 291 probably should not list all its capabilities so that the capabilities 292 list doesn't get too long. In an SMIMECapabilities attribute, the OIDs 293 are listed in order of their preference, but SHOULD be logically 294 separated along the lines of their categories (signature algorithms, 295 symmetric algorithms, key encipherment algorithms, etc.) 297 The structure of the SMIMECapabilities attribute is to facilitate 298 simple table lookups and binary comparisons in order to determine 299 matches. For instance, the DER-encoding for the SMIMECapability for 300 DES EDE3 CBC MUST be identically encoded regardless of the 301 implementation. 303 In the case of symmetric algorithms, the associated parameters for the 304 OID MUST specify all of the parameters necessary to differentiate 305 between two instances of the same algorithm. For instance, the number 306 of rounds and block size for RC5 must be specified in addition to the 307 key length. 309 There is a list of OIDs (OIDs Used with S/MIME) that is centrally 310 maintained and is separate from this draft. The list of OIDs is 311 maintained by the Internet Mail Consortium at . 314 The OIDs that correspond to algorithms SHOULD use the same OID as the 315 actual algorithm, except in the case where the algorithm usage is 316 ambiguous from the OID. For instance, in an earlier draft, 317 rsaEncryption was ambiguous because it could refer to either a 318 signature algorithm or a key encipherment algorithm. In the event that 319 an OID is ambiguous, it needs to be arbitrated by the maintainer of 320 the registered SMIMECapabilities list as to which type of algorithm 321 will use the OID, and a new OID MUST be allocated under the 322 smimeCapabilities OID to satisfy the other use of the OID. 324 The registered SMIMECapabilities list specifies the parameters for 325 OIDs that need them, most notably key lengths in the case of variable- 326 length symmetric ciphers. In the event that there are no 327 differentiating parameters for a particular OID, the parameters MUST 328 be omitted, and MUST NOT be encoded as NULL. 330 Additional values for the SMIMECapabilities attribute may be defined 331 in the future. Receiving agents MUST handle a SMIMECapabilities object 332 that has values that it does not recognize in a graceful manner. 334 2.5.3 Encryption Key Preference Attribute 336 The encryption key preference attribute allows the signer to 337 unambiguously describe which of the signer's certificates has the 338 signer's preferred encryption key. This attribute is designed to 339 enhance behavior for interoperating with those clients which use 340 separate keys for encryption and signing. This attribute is used to 341 convey to anyone viewing the attribute which of the listed 342 certificates should be used for encrypting a session key for future 343 encrypted messages. 345 If present, the SMIMEEncryptionKeyPreference attribute MUST be a 346 SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines 347 SignedAttributes as a SET OF Attribute. The SignedAttributes in a 348 signerInfo MUST NOT include multiple instances of the 349 SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax 350 for Attribute to include attrValues SET OF AttributeValue. A 351 SMIMEEncryptionKeyPreference attribute MUST only include a single 352 instance of AttributeValue. There MUST NOT be zero or multiple 353 instances of AttributeValue present in the attrValues SET OF 354 AttributeValue. 356 The sending agent SHOULD include the referenced certificate in the set 357 of certificates included in the signed message if this attribute is 358 used. The certificate may be omitted if it has been previously made 359 available to the receiving agent. Sending agents SHOULD use this 360 attribute if the commonly used or preferred encryption certificate is 361 not the same as the certificate used to sign the message. 363 Receiving agents SHOULD store the preference data if the signature on 364 the message is valid and the signing time is greater than the 365 currently stored value. (As with the SMIMECapabilities, the clock 366 skew should be checked and the data not used if the skew is too 367 great.) Receiving agents SHOULD respect the sender's encryption key 368 preference attribute if possible. This however represents only a 369 preference and the receiving agent may use any certificate in replying 370 to the sender that is valid. 372 2.5.3.1 Selection of Recipient Key Management Certificate 374 In order to determine the key management certificate to be used when 375 sending a future CMS envelopedData message for a particular recipient, 376 the following steps SHOULD be followed: 378 - If an SMIMEEncryptionKeyPreference attribute is found in a 379 signedData object received from the desired recipient, this identifies 380 the X.509 certificate that should be used as the X.509 key management 381 certificate for the recipient. 383 - If an SMIMEEncryptionKeyPreference attribute is not found in a 384 signedData object received from the desired recipient, the set of 385 X.509 certificates should be searched for a X.509 certificate with the 386 same subject name as the signing X.509 certificate which can be used 387 for key management. 389 - Or use some other method of determining the user's key management 390 key. If a X.509 key management certificate is not found, then 391 encryption cannot be done with the signer of the message. If multiple 392 X.509 key management certificates are found, the S/MIME agent can make 393 an arbitrary choice between them. 395 2.6 SignerIdentifier SignerInfo Type 397 S/MIME v3 requires the use of SignerInfo version 1, that is the 398 issuerAndSerialNumber CHOICE must be used for SignerIdentifier. 400 2.7 ContentEncryptionAlgorithmIdentifier 402 Sending and receiving agents MUST support encryption and decryption 403 with DES EDE3 CBC, hereinafter called "tripleDES" [3DES] [DES]. 404 Receiving agents SHOULD support encryption and decryption using the 405 RC2 [RC2] or a compatible algorithm at a key size of 40 bits, 406 hereinafter called "RC2/40". 408 2.7.1 Deciding Which Encryption Method To Use 410 When a sending agent creates an encrypted message, it has to decide 411 which type of encryption to use. The decision process involves using 412 information garnered from the capabilities lists included in messages 413 received from the recipient, as well as out-of-band information such 414 as private agreements, user preferences, legal restrictions, and so 415 on. 417 Section 2.5 defines a method by which a sending agent can optionally 418 announce, among other things, its decrypting capabilities in its order 419 of preference. The following method for processing and remembering the 420 encryption capabilities attribute in incoming signed messages SHOULD 421 be used. 423 - If the receiving agent has not yet created a list of capabilities 424 for the sender's public key, then, after verifying the signature 425 on the incoming message and checking the timestamp, the receiving 426 agent SHOULD create a new list containing at least the signing 427 time and the symmetric capabilities. 428 - If such a list already exists, the receiving agent SHOULD verify 429 that the signing time in the incoming message is greater than 430 the signing time stored in the list and that the signature is 431 valid. If so, the receiving agent SHOULD update both the signing 432 time and capabilities in the list. Values of the signing time that 433 lie far in the future (that is, a greater discrepancy than any 434 reasonable clock skew), or a capabilities list in messages whose 435 signature could not be verified, MUST NOT be accepted. 437 The list of capabilities SHOULD be stored for future use in creating 438 messages. 440 Before sending a message, the sending agent MUST decide whether it is 441 willing to use weak encryption for the particular data in the message. 442 If the sending agent decides that weak encryption is unacceptable for 443 this data, then the sending agent MUST NOT use a weak algorithm such 444 as RC2/40. The decision to use or not use weak encryption overrides 445 any other decision in this section about which encryption algorithm to 446 use. 448 Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending 449 agent SHOULD use in deciding which type of encryption should be 450 applied to a message. These rules are ordered, so the sending agent 451 SHOULD make its decision in the order given. 453 2.7.1.1 Rule 1: Known Capabilities 455 If the sending agent has received a set of capabilities from the 456 recipient for the message the agent is about to encrypt, then the 457 sending agent SHOULD use that information by selecting the first 458 capability in the list (that is, the capability most preferred by the 459 intended recipient) for which the sending agent knows how to encrypt. 460 The sending agent SHOULD use one of the capabilities in the list if 461 the agent reasonably expects the recipient to be able to decrypt the 462 message. 464 2.7.1.2 Rule 2: Unknown Capabilities, Known Use of Encryption 466 If: 467 - the sending agent has no knowledge of the encryption capabilities 468 of the recipient, 469 - and the sending agent has received at least one message from the 470 recipient, 471 - and the last encrypted message received from the recipient had a 472 trusted signature on it, 473 then the outgoing message SHOULD use the same encryption algorithm as 474 was used on the last signed and encrypted message received from the 475 recipient. 477 2.7.1.3 Rule 3: Unknown Capabilities, Unknown Version of S/MIME 479 If: 480 - the sending agent has no knowledge of the encryption capabilities 481 of the recipient, 482 - and the sending agent has no knowledge of the version of S/MIME 483 of the recipient, 484 then the sending agent SHOULD use tripleDES because it is a stronger 485 algorithm and is required by S/MIME v3. If the sending agent chooses 486 not to use tripleDES in this step, it SHOULD use RC2/40. 488 2.7.2 Choosing Weak Encryption 490 Like all algorithms that use 40 bit keys, RC2/40 is considered by many 491 to be weak encryption. A sending agent that is controlled by a human 492 SHOULD allow a human sender to determine the risks of sending data 493 using RC2/40 or a similarly weak encryption algorithm before sending 494 the data, and possibly allow the human to use a stronger encryption 495 method such as tripleDES. 497 2.7.3 Multiple Recipients 499 If a sending agent is composing an encrypted message to a group of 500 recipients where the encryption capabilities of some of the recipients 501 do not overlap, the sending agent is forced to send more than one 502 message. It should be noted that if the sending agent chooses to send 503 a message encrypted with a strong algorithm, and then send the same 504 message encrypted with a weak algorithm, someone watching the 505 communications channel can decipher the contents of the strongly- 506 encrypted message simply by decrypting the weakly-encrypted message. 508 3. Creating S/MIME Messages 510 This section describes the S/MIME message formats and how they are 511 created. S/MIME messages are a combination of MIME bodies and CMS 512 objects. Several MIME types as well as several CMS objects are used. 513 The data to be secured is always a canonical MIME entity. The MIME 514 entity and other data, such as certificates and algorithm identifiers, 515 are given to CMS processing facilities which produces a CMS object. 516 The CMS object is then finally wrapped in MIME. The Enhanced Security 517 Services for S/MIME [ESS] document provides examples of how nested, 518 secured S/MIME messages are formatted. ESS provides an example of how 519 a triple-wrapped S/MIME message is formatted using multipart/signed 520 and application/pkcs7-mime for the signatures. 522 S/MIME provides one format for enveloped-only data, several formats 523 for signed-only data, and several formats for signed and enveloped 524 data. Several formats are required to accommodate several 525 environments, in particular for signed messages. The criteria for 526 choosing among these formats are also described. 528 The reader of this section is expected to understand MIME as described 529 in [MIME-SPEC] and [MIME-SECURE]. 531 3.1 Preparing the MIME Entity for Signing or Enveloping 533 S/MIME is used to secure MIME entities. A MIME entity may be a sub- 534 part, sub-parts of a message, or the whole message with all its sub- 535 parts. A MIME entity that is the whole message includes only the MIME 536 headers and MIME body, and does not include the RFC-822 headers. Note 537 that S/MIME can also be used to secure MIME entities used in 538 applications other than Internet mail. 540 The MIME entity that is secured and described in this section can be 541 thought of as the "inside" MIME entity. That is, it is the "innermost" 542 object in what is possibly a larger MIME message. Processing "outside" 543 MIME entities into CMS objects is described in Section 3.2, 3.4 and 544 elsewhere. 546 The procedure for preparing a MIME entity is given in [MIME-SPEC]. The 547 same procedure is used here with some additional restrictions when 548 signing. Description of the procedures from [MIME-SPEC] are repeated 549 here, but the reader should refer to that document for the exact 550 procedure. This section also describes additional requirements. 552 A single procedure is used for creating MIME entities that are to be 553 signed, enveloped, or both signed and enveloped. Some additional steps 554 are recommended to defend against known corruptions that can occur 555 during mail transport that are of particular importance for clear- 556 signing using the multipart/signed format. It is recommended that 557 these additional steps be performed on enveloped messages, or signed 558 and enveloped messages in order that the message can be forwarded to 559 any environment without modification. 561 These steps are descriptive rather than prescriptive. The implementor 562 is free to use any procedure as long as the result is the same. 564 Step 1. The MIME entity is prepared according to the local conventions 566 Step 2. The leaf parts of the MIME entity are converted to canonical 567 form 569 Step 3. Appropriate transfer encoding is applied to the leaves of the 570 MIME entity 572 When an S/MIME message is received, the security services on the 573 message are processed, and the result is the MIME entity. That MIME 574 entity is typically passed to a MIME-capable user agent where, it is 575 further decoded and presented to the user or receiving application. 577 3.1.1 Canonicalization 579 Each MIME entity MUST be converted to a canonical form that is 580 uniquely and unambiguously representable in the environment where the 581 signature is created and the environment where the signature will be 582 verified. MIME entities MUST be canonicalized for enveloping as well 583 as signing. 585 The exact details of canonicalization depend on the actual MIME type 586 and subtype of an entity, and are not described here. Instead, the 587 standard for the particular MIME type should be consulted. For 588 example, canonicalization of type text/plain is different from 589 canonicalization of audio/basic. Other than text types, most types 590 have only one representation regardless of computing platform or 591 environment which can be considered their canonical representation. In 592 general, canonicalization will be performed by the non-security part 593 of the sending agent rather than the S/MIME implementation. 595 The most common and important canonicalization is for text, which is 596 often represented differently in different environments. MIME entities 597 of major type "text" must have both their line endings and character 598 set canonicalized. The line ending must be the pair of characters 599 , and the charset should be a registered charset [CHARSETS]. 600 The details of the canonicalization are specified in [MIME-SPEC]. The 601 chosen charset SHOULD be named in the charset parameter so that 602 the receiving agent can unambiguously determine the charset used. 604 Note that some charsets such as ISO-2022 have multiple representations 605 for the same characters. When preparing such text for signing, the 606 canonical representation specified for the charset MUST be used. 608 3.1.2 Transfer Encoding 610 When generating any of the secured MIME entities below, except the 611 signing using the multipart/signed format, no transfer encoding at all 612 is required. S/MIME implementations MUST be able to deal with binary 613 MIME objects. If no Content-Transfer-Encoding header is present, the 614 transfer encoding should be considered 7BIT. 616 S/MIME implementations SHOULD however use transfer encoding described 617 in section 3.1.3 for all MIME entities they secure. The reason for 618 securing only 7-bit MIME entities, even for enveloped data that are 619 not exposed to the transport, is that it allows the MIME entity to be 620 handled in any environment without changing it. For example, a trusted 621 gateway might remove the envelope, but not the signature, of a 622 message, and then forward the signed message on to the end recipient 623 so that they can verify the signatures directly. If the transport 624 internal to the site is not 8-bit clean, such as on a wide-area 625 network with a single mail gateway, verifying the signature will not 626 be possible unless the original MIME entity was only 7-bit data. 628 3.1.3 Transfer Encoding for Signing Using multipart/signed 630 If a multipart/signed entity is EVER to be transmitted over the 631 standard Internet SMTP infrastructure or other transport that is 632 constrained to 7-bit text, it MUST have transfer encoding applied so 633 that it is represented as 7-bit text. MIME entities that are 7-bit 634 data already need no transfer encoding. Entities such as 8-bit text 635 and binary data can be encoded with quoted-printable or base-64 636 transfer encoding. 638 The primary reason for the 7-bit requirement is that the Internet mail 639 transport infrastructure cannot guarantee transport of 8-bit or binary 640 data. Even though many segments of the transport infrastructure now 641 handle 8-bit and even binary data, it is sometimes not possible to 642 know whether the transport path is 8-bit clear. If a mail message with 643 8-bit data were to encounter a message transfer agent that can not 644 transmit 8-bit or binary data, the agent has three options, none of 645 which are acceptable for a clear-signed message: 647 - The agent could change the transfer encoding; this would invalidate 648 the signature. 649 - The agent could transmit the data anyway, which would most likely 650 result in the 8th bit being corrupted; this too would invalidate the 651 signature. 652 - The agent could return the message to the sender. 654 [MIME-SECURE] prohibits an agent from changing the transfer encoding 655 of the first part of a multipart/signed message. If a compliant agent 656 that can not transmit 8-bit or binary data encounters a 657 multipart/signed message with 8-bit or binary data in the first part, 658 it would have to return the message to the sender as undeliverable. 660 3.1.4 Sample Canonical MIME Entity 662 This example shows a multipart/mixed message with full transfer 663 encoding. This message contains a text part and an attachment. The 664 sample message text includes characters that are not US-ASCII and thus 665 must be transfer encoded. Though not shown here, the end of each line 666 is . The line ending of the MIME headers, the text, and 667 transfer encoded parts, all must be . 669 Note that this example is not of an S/MIME message. 671 Content-Type: multipart/mixed; boundary=bar 673 --bar 674 Content-Type: text/plain; charset=iso-8859-1 675 Content-Transfer-Encoding: quoted-printable 677 =A1Hola Michael! 679 How do you like the new S/MIME specification? 681 I agree. It's generally a good idea to encode lines that begin with 682 From=20because some mail transport agents will insert a greater- 683 than (>) sign, thus invalidating the signature. 685 Also, in some cases it might be desirable to encode any =20 686 trailing whitespace that occurs on lines in order to ensure =20 687 that the message signature is not invalidated when passing =20 688 a gateway that modifies such whitespace (like BITNET). =20 690 --bar 691 Content-Type: image/jpeg 692 Content-Transfer-Encoding: base64 694 iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC// 695 jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq 696 uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn 697 HOxEa44b+EI= 699 --bar-- 701 3.2 The application/pkcs7-mime Type 703 The application/pkcs7-mime type is used to carry CMS objects of 704 several types including envelopedData and signedData. The details of 705 constructing these entities is described in subsequent sections. This 706 section describes the general characteristics of the application/pkcs7- 707 mime type. 709 The carried CMS object always contains a MIME entity that is prepared 710 as described in section 3.1 if the eContentType is id-data. Other 711 contents may be carried when the eContentType contains different 712 values. See [ESS] for an example of this with signed receipts. 714 Since CMS objects are binary data, in most cases base-64 transfer 715 encoding is appropriate, in particular when used with SMTP transport. 716 The transfer encoding used depends on the transport through which the 717 object is to be sent, and is not a characteristic of the MIME type. 719 Note that this discussion refers to the transfer encoding of the CMS 720 object or "outside" MIME entity. It is completely distinct from, and 721 unrelated to, the transfer encoding of the MIME entity secured by the 722 CMS object, the "inside" object, which is described in section 3.1. 724 Because there are several types of application/pkcs7-mime objects, a 725 sending agent SHOULD do as much as possible to help a receiving agent 726 know about the contents of the object without forcing the receiving 727 agent to decode the ASN.1 for the object. The MIME headers of all 728 application/pkcs7-mime objects SHOULD include the optional "smime- 729 type" parameter, as described in the following sections. 731 3.2.1 The name and filename Parameters 733 For the application/pkcs7-mime, sending agents SHOULD emit the 734 optional "name" parameter to the Content-Type field for compatibility 735 with older systems. Sending agents SHOULD also emit the optional 736 Content-Disposition field [CONTDISP] with the "filename" parameter. If 737 a sending agent emits the above parameters, the value of the 738 parameters SHOULD be a file name with the appropriate extension: 740 MIME Type File Extension 742 Application/pkcs7-mime (signedData, .p7m 743 envelopedData) 745 Application/pkcs7-mime (degenerate .p7c 746 signedData "certs-only" message) 748 Application/pkcs7-signature .p7s 750 In addition, the file name SHOULD be limited to eight characters 751 followed by a three letter extension. The eight character filename 752 base can be any distinct name; the use of the filename base "smime" 753 SHOULD be used to indicate that the MIME entity is associated with 754 S/MIME. 756 Including a file name serves two purposes. It facilitates easier use 757 of S/MIME objects as files on disk. It also can convey type 758 information across gateways. When a MIME entity of type 759 application/pkcs7-mime (for example) arrives at a gateway that has no 760 special knowledge of S/MIME, it will default the entity's MIME type to 761 application/octet-stream and treat it as a generic attachment, thus 762 losing the type information. However, the suggested filename for an 763 attachment is often carried across a gateway. This often allows the 764 receiving systems to determine the appropriate application to hand the 765 attachment off to, in this case a stand-alone S/MIME processing 766 application. Note that this mechanism is provided as a convenience for 767 implementations in certain environments. A proper S/MIME 768 implementation MUST use the MIME types and MUST not rely on the file 769 extensions. 771 3.2.2 The smime-type parameter 773 The application/pkcs7-mime content type defines the optional "smime- 774 type" parameter. The intent of this parameter is to convey details 775 about the security applied (signed or enveloped) along with infomation 776 about the contained content. This draft defines the following smime- 777 types. 779 Name Security Inner Content 781 enveloped-data EnvelopedData id-data 783 signed-data SignedData id-data 785 certs-only SignedData none 787 In order that consistency can be obtained with future, the following 788 guidelines should be followed when assigning a new smime-type 789 parameter. 791 1. If both signing and encryption can be applied to the content, then 792 two values for smime-type SHOULD be assigned "signed-*" and "encrypted- 793 *". If one operation can be assigned then this may be omitted. Thus 794 since "certs-only" can only be signed, "signed-" is omitted. 796 2. A common string for a content oid should be assigned. We use "data" 797 for the id-data content OID when MIME is the inner content. 799 3. If no common string is assigned. Then the common string of 800 "OID." is recommended. 802 3.3 Creating an Enveloped-only Message 804 This section describes the format for enveloping a MIME entity without 805 signing it. It is important to note that sending enveloped but not 806 signed messages does not provide for data integrity. It is possible to 807 replace ciphertext in such a way that the processed message will still 808 be valid, but the meaning may be altered. 810 Step 1. The MIME entity to be enveloped is prepared according to 811 section 3.1. 813 Step 2. The MIME entity and other required data is processed into a 814 CMS object of type envelopedData. In addition to encrypting a copy of 815 the content-encryption key for each recipient, a copy of the content 816 encryption key SHOULD be encrypted for the originator and included in 817 the envelopedData (see CMS Section 6). 819 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 820 entity. 822 The smime-type parameter for enveloped-only messages is "enveloped- 823 data". The file extension for this type of message is ".p7m". 825 A sample message would be: 827 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; 828 name=smime.p7m 829 Content-Transfer-Encoding: base64 830 Content-Disposition: attachment; filename=smime.p7m 832 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 833 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 834 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 835 0GhIGfHfQbnj756YT64V 837 3.4 Creating a Signed-only Message 839 There are two formats for signed messages defined for S/MIME: 840 application/pkcs7-mime with SignedData, and multipart/signed. In 841 general, the multipart/signed form is preferred for sending, and 842 receiving agents SHOULD be able to handle both. 844 3.4.1 Choosing a Format for Signed-only Messages 846 There are no hard-and-fast rules when a particular signed-only format 847 should be chosen because it depends on the capabilities of all the 848 receivers and the relative importance of receivers with S/MIME 849 facilities being able to verify the signature versus the importance of 850 receivers without S/MIME software being able to view the message. 852 Messages signed using the multipart/signed format can always be viewed 853 by the receiver whether they have S/MIME software or not. They can 854 also be viewed whether they are using a MIME-native user agent or they 855 have messages translated by a gateway. In this context, "be viewed" 856 means the ability to process the message essentially as if it were not 857 a signed message, including any other MIME structure the message might 858 have. 860 Messages signed using the signedData format cannot be viewed by a 861 recipient unless they have S/MIME facilities. However, if they have 862 S/MIME facilities, these messages can always be verified if they were 863 not changed in transit. 865 3.4.2 Signing Using application/pkcs7-mime with SignedData 867 This signing format uses the application/pkcs7-mime MIME type. The 868 steps to create this format are: 870 Step 1. The MIME entity is prepared according to section 3.1 872 Step 2. The MIME entity and other required data is processed into a 873 CMS object of type signedData 875 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 876 entity 878 The smime-type parameter for messages using application/pkcs7-mime 879 with SignedData is "signed-data". The file extension for this type of 880 message is ".p7m". 882 A sample message would be: 884 Content-Type: application/pkcs7-mime; smime-type=signed-data; 885 name=smime.p7m 886 Content-Transfer-Encoding: base64 887 Content-Disposition: attachment; filename=smime.p7m 889 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 890 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH 891 HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 892 6YT64V0GhIGfHfQbnj75 894 3.4.3 Signing Using the multipart/signed Format 896 This format is a clear-signing format. Recipients without any S/MIME 897 or CMS processing facilities are able to view the message. It makes 898 use of the multipart/signed MIME type described in [MIME-SECURE]. The 899 multipart/signed MIME type has two parts. The first part contains the 900 MIME entity that is signed; the second part contains the "detached 901 signature" CMS SignedData object in which the encapContentInfo 902 eContent field is absent. 904 3.4.3.1 The application/pkcs7-signature MIME Type 906 This MIME type always contains a single CMS object of type signedData. 907 The signedData encapContentInfo eContent field MUST be absent. The 908 signerInfos field contains the signatures for the MIME entity. 910 The file extension for signed-only messages using application/pkcs7- 911 signature is ".p7s". 913 3.4.3.2 Creating a multipart/signed Message 915 Step 1. The MIME entity to be signed is prepared according to section 916 3.1, taking special care for clear-signing. 918 Step 2. The MIME entity is presented to CMS processing in order to 919 obtain an object of type signedData in which the encapContentInfo 920 eContent field is absent. 922 Step 3. The MIME entity is inserted into the first part of a 923 multipart/signed message with no processing other than that described 924 in section 3.1. 926 Step 4. Transfer encoding is applied to the "detached signature" CMS 927 SignedData object and it is inserted into a MIME entity of type 928 application/pkcs7-signature. 930 Step 5. The MIME entity of the application/pkcs7-signature is inserted 931 into the second part of the multipart/signed entity. 933 The multipart/signed Content type has two required parameters: the 934 protocol parameter and the micalg parameter. 936 The protocol parameter MUST be "application/pkcs7-signature". Note 937 that quotation marks are required around the protocol parameter 938 because MIME requires that the "/" character in the parameter value 939 MUST be quoted. 941 The micalg parameter allows for one-pass processing when the signature 942 is being verified. The value of the micalg parameter is dependent on 943 the message digest algorithm(s) used in the calculation of the Message 944 Integrity Check. If multiple message digest algorithms are used they 945 MUST be separated by commas per [MIME-SECURE]. The values to be placed 946 in the micalg parameter SHOULD be from the following: 948 Algorithm Value 949 used 951 MD5 md5 952 SHA-1 sha1 953 Any other unknown 955 (Historical note: some early implementations of S/MIME emitted and 956 expected "rsa-md5" and "rsa-sha1" for the micalg parameter.) Receiving 957 agents SHOULD be able to recover gracefully from a micalg parameter 958 value that they do not recognize. 960 3.4.3.3 Sample multipart/signed Message 962 Content-Type: multipart/signed; 963 protocol="application/pkcs7-signature"; 964 micalg=sha1; boundary=boundary42 966 --boundary42 967 Content-Type: text/plain 969 This is a clear-signed message. 971 --boundary42 972 Content-Type: application/pkcs7-signature; name=smime.p7s 973 Content-Transfer-Encoding: base64 974 Content-Disposition: attachment; filename=smime.p7s 976 ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 977 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj 978 n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 979 7GhIGfHfYT64VQbnj756 981 --boundary42-- 983 3.5 Signing and Encrypting 985 To achieve signing and enveloping, any of the signed-only and 986 encrypted-only formats may be nested. This is allowed because the 987 above formats are all MIME entities, and because they all secure MIME 988 entities. 990 An S/MIME implementation MUST be able to receive and process 991 arbitrarily nested S/MIME within reasonable resource limits of the 992 recipient computer. 994 It is possible to either sign a message first, or to envelope the 995 message first. It is up to the implementor and the user to choose. 996 When signing first, the signatories are then securely obscured by the 997 enveloping. When enveloping first the signatories are exposed, but it 998 is possible to verify signatures without removing the enveloping. This 999 may be useful in an environment were automatic signature verification 1000 is desired, as no private key material is required to verify a 1001 signature. 1003 There are security ramifications to choosing whether to sign first or 1004 encrypt first. A recipient of a message that is encrypted and then 1005 signed can validate that the encrypted block was unaltered, but cannot 1006 determine any relationship between the signer and the unencrypted 1007 contents of the message. A recipient of a message that is signed-then- 1008 encrypted can assume that the signed message itself has not been 1009 altered, but that a careful attacker may have changed the 1010 unauthenticated portions of the encrypted message. 1012 3.6 Creating a Certificates-only Message 1014 The certificates only message or MIME entity is used to transport 1015 certificates, such as in response to a registration request. This 1016 format can also be used to convey CRLs. 1018 Step 1. The certificates are made available to the CMS generating 1019 process which creates a CMS object of type signedData. The signedData 1020 encapContentInfo eContent field MUST be absent and signerInfos field 1021 MUST be empty. 1023 Step 2. The CMS signedData object is enclosed in an application/pkcs7- 1024 mime MIME entity 1026 The smime-type parameter for a certs-only message is "certs-only". 1027 The file extension for this type of message is ".p7c". 1029 3.7 Registration Requests 1031 A sending agent that signs messages MUST have a certificate for the 1032 signature so that a receiving agent can verify the signature. There 1033 are many ways of getting certificates, such as through an exchange 1034 with a certificate authority, through a hardware token or diskette, 1035 and so on. 1037 S/MIME v2 [SMIMEV2] specified a method for "registering" public keys 1038 with certificate authorities using an application/pkcs10 body part. 1039 The IETF's PKIX Working Group is preparing another method for 1040 requesting certificates; however, that work was not finished at the 1041 time of this draft. S/MIME v3 does not specify how to request a 1042 certificate, but instead mandates that every sending agent already has 1043 a certificate. Standardization of certificate management is being 1044 pursued separately in the IETF. 1046 3.8 Identifying an S/MIME Message 1048 Because S/MIME takes into account interoperation in non-MIME 1049 environments, several different mechanisms are employed to carry the 1050 type information, and it becomes a bit difficult to identify S/MIME 1051 messages. The following table lists criteria for determining whether 1052 or not a message is an S/MIME message. A message is considered an 1053 S/MIME message if it matches any below. 1055 The file suffix in the table below comes from the "name" parameter in 1056 the content-type header, or the "filename" parameter on the content- 1057 disposition header. These parameters that give the file suffix are not 1058 listed below as part of the parameter section. 1060 MIME type: application/pkcs7-mime 1061 parameters: any 1062 file suffix: any 1064 MIME type: multipart/signed 1065 parameters: protocol="application/pkcs7-signature" 1066 file suffix: any 1068 MIME type: application/octet-stream 1069 parameters: any 1070 file suffix: p7m, p7s, p7c 1072 4. Certificate Processing 1074 A receiving agent MUST provide some certificate retrieval mechanism in 1075 order to gain access to certificates for recipients of digital 1076 envelopes. This draft does not cover how S/MIME agents handle 1077 certificates, only what they do after a certificate has been validated 1078 or rejected. S/MIME certification issues are covered in [CERT3]. 1080 At a minimum, for initial S/MIME deployment, a user agent could 1081 automatically generate a message to an intended recipient requesting 1082 that recipient's certificate in a signed return message. Receiving and 1083 sending agents SHOULD also provide a mechanism to allow a user to 1084 "store and protect" certificates for correspondents in such a way so 1085 as to guarantee their later retrieval. 1087 4.1 Key Pair Generation 1089 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1090 or some related administrative utility or function MUST be capable of 1091 generating separate DH and DSS public/private key pairs on behalf of 1092 the user. Each key pair MUST be generated from a good source of non- 1093 deterministic random input and the private key MUST be protected in a 1094 secure fashion. 1096 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1097 or some related administrative utility or function SHOULD generate RSA 1098 key pairs. 1100 A user agent SHOULD generate RSA key pairs at a minimum key size of 1101 768 bits. A user agent MUST NOT generate RSA key pairs less than 512 1102 bits long. Creating keys longer than 1024 bits may cause some older 1103 S/MIME receiving agents to not be able to verify signatures, but gives 1104 better security and is therefore valuable. A receiving agent SHOULD be 1105 able to verify signatures with keys of any size over 512 bits. Some 1106 agents created in the United States have chosen to create 512 bit keys 1107 in order to get more advantageous export licenses. However, 512 bit 1108 keys are considered by many to be cryptographically insecure. 1109 Implementors should be aware that multiple (active) key pairs may be 1110 associated with a single individual. For example, one key pair may be 1111 used to support confidentiality, while a different key pair may be 1112 used for authentication. 1114 5. Security 1116 This entire draft discusses security. Security issues not covered in 1117 other parts of the draft include: 1119 40-bit encryption is considered weak by most cryptographers. Using 1120 weak cryptography in S/MIME offers little actual security over sending 1121 plaintext. However, other features of S/MIME, such as the 1122 specification of tripleDES and the ability to announce stronger 1123 cryptographic capabilities to parties with whom you communicate, allow 1124 senders to create messages that use strong encryption. Using weak 1125 cryptography is never recommended unless the only alternative is no 1126 cryptography. When feasible, sending and receiving agents should 1127 inform senders and recipients the relative cryptographic strength of 1128 messages. 1130 It is impossible for most software or people to estimate the value of 1131 a message. Further, it is impossible for most software or people to 1132 estimate the actual cost of decrypting a message that is encrypted 1133 with a key of a particular size. Further, it is quite difficult to 1134 determine the cost of a failed decryption if a recipient cannot decode 1135 a message. Thus, choosing between different key sizes (or choosing 1136 whether to just use plaintext) is also impossible. However, decisions 1137 based on these criteria are made all the time, and therefore this 1138 draft gives a framework for using those estimates in choosing 1139 algorithms. 1141 If a sending agent is sending the same message using different 1142 strengths of cryptography, an attacker watching the communications 1143 channel can determine the contents of the strongly-encrypted message 1144 by decrypting the weakly-encrypted version. In other words, a sender 1145 should not send a copy of a message using weaker cryptography than 1146 they would use for the original of the message. 1148 Modification of the ciphertext can go undetected if authentication is 1149 not also used, which is the case when sending EnvelopedData without 1150 wrapping it in SignedData or enclosing SignedData within it. 1152 A. Object Identifiers and Syntax 1154 SMIMECapability ::= SEQUENCE { 1155 capabilityID OBJECT IDENTIFIER, 1156 parameters ANY DEFINED BY capabilityID OPTIONAL } 1158 SMIMECapabilities ::= SEQUENCE OF SMIMECapability 1160 SMIMEEncryptionKeyPreference ::= CHOICE { 1161 issuerAndSerialNumber [0] IssuerAndSerialNumber, 1162 receipentKeyId [1] RecipientKeyIdentifier, 1163 subjectAltKeyIdentifier [2] KeyIdentifier 1164 } 1166 A.1 Content Encryption Algorithms 1168 RC2-CBC OBJECT IDENTIFIER ::= 1169 {iso(1) member-body(2) us(840) rsadsi(113549) 1170 encryptionAlgorithm(3) 2} 1172 For the effective-key-bits (key size) greater than 32 and less than 1173 256, the RC2-CBC algorithm parameters are encoded as: 1175 RC2-CBC parameter ::= SEQUENCE { 1176 rc2ParameterVersion INTEGER, 1177 iv OCTET STRING (8)} 1179 For the effective-key-bits of 40, 64, and 128, the rc2ParameterVersion 1180 values are 160, 120, 58 respectively. 1182 DES-EDE3-CBC OBJECT IDENTIFIER ::= 1183 {iso(1) member-body(2) us(840) rsadsi(113549) 1184 encryptionAlgorithm(3) 7} 1186 For DES-CBC and DES-EDE3-CBC, the parameter should be encoded as: 1188 CBCParameter ::= IV 1190 where IV ::= OCTET STRING -- 8 octets. 1192 A.2 Digest Algorithms 1194 md5 OBJECT IDENTIFIER ::= 1195 {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5} 1197 sha-1 OBJECT IDENTIFIER ::= 1198 {iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 1199 26} 1201 A.3 Asymmetric Encryption Algorithms 1203 rsaEncryption OBJECT IDENTIFIER ::= 1204 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} 1206 rsa OBJECT IDENTIFIER ::= 1207 {joint-iso-ccitt(2) ds(5) algorithm(8) encryptionAlgorithm(1) 1} 1209 id-dsa OBJECT IDENTIFIER ::= 1210 {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } 1212 A.4 Signature Algorithms 1214 md2WithRSAEncryption OBJECT IDENTIFIER ::= 1215 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2} 1217 md5WithRSAEncryption OBJECT IDENTIFIER ::= 1218 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4} 1220 sha-1WithRSAEncryption OBJECT IDENTIFIER ::= 1221 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5} 1223 id-dsa-with-sha1 OBJECT IDENTIFIER ::= 1224 {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3} 1226 A.5 Signed Attributes 1228 signingTime OBJECT IDENTIFIER ::= 1229 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 5} 1231 smimeCapabilities OBJECT IDENTIFIER ::= 1232 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} 1234 id-aa-encrypKeyPref OBJECT IDENTIFIER ::= 1235 {id-aa 11} 1237 B. References 1239 [3DES] ANSI X9.52-1998, "Triple Data Encryption Algorithm Modes of 1240 Operation", American National Standards Institute, 1998. 1242 [CERT3] "S/MIME Version 3 Certificate Handling", Internet Draft draft- 1243 ietf-smime-cert-*.txt. 1245 [CHARSETS] Character sets assigned by IANA. See . 1248 [CMS] "Cryptographic Message Syntax", Internet Draft draft-ietf-smime- 1249 cms-*.txt. 1251 [CONTDISP] "Communicating Presentation Information in Internet 1252 Messages: The Content-Disposition Header Field", RFC 2183 1254 [DES] ANSI X3.106, "American National Standard for Information Systems- 1255 Data Link Encryption," American National Standards Institute, 1983. 1257 [DH] ANSI X9.42 TBD 1259 [DSS] NIST FIPS PUB 186, "Digital Signature Standard", 18 May 1994. 1261 [ESS] "Enhanced Security Services for S/MIME", Internet draft, draft- 1262 ietf-smime-ess-*.txt. 1264 [MD5] "The MD5 Message Digest Algorithm", RFC 1321 1266 [MIME-SPEC] The primary definition of MIME. "MIME Part 1: Format of 1267 Internet Message Bodies", RFC 2045; "MIME Part 2: Media Types", RFC 1268 2046; "MIME Part 3: Message Header Extensions for Non-ASCII Text", RFC 1269 2047; "MIME Part 4: Registration Procedures", RFC 2048; "MIME Part 5: 1270 Conformance Criteria and Examples", RFC 2049 1272 [MIME-SECURE] "Security Multiparts for MIME: Multipart/Signed and 1273 Multipart/Encrypted", RFC 1847 1275 [MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement 1276 Levels", RFC 2119 1278 [PKCS-1] "PKCS #1: RSA Encryption Version 1.5", RFC 2313 1280 [PKCS-7] "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315 1282 [RC2] "A Description of the RC2 (r) Encryption Algorithm", RFC 2268 1284 [SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National Institute 1285 of Standards and Technology, U.S. Department of Commerce, DRAFT, 31May 1286 1994. 1288 [SMIMEV2] "S/MIME Version 2 Message Specification", RFC 2311 1290 C. Acknowledgements 1292 This document is largely derived from [SMIMEV2] written by Steve 1293 Dusse, Paul Hoffman, Blake Ramsdell, Laurence Lundblade, and Lisa 1294 Repka. 1296 Significant comments and additions were made by John Pawling and Jim 1297 Schaad. 1299 D. Changes from last draft 1301 Changed section 2.5 to clarify signed attributes handling (Paul 1302 Hoffman) 1303 Changed [3DES] reference (Russ Housley) 1304 Clarified 3.1.1 regarding canonicalization by the sending agent vs. 1305 the S/MIME part (Bill Flanigan, Paul Hoffman) 1306 Various small language changes (Bill Flanigan, Paul Hoffman) 1307 Changed [DSS] reference to FIPS 186 (Bill Flanigan) 1308 Added section 3.2.2 for smime-type clarification (Jim Schaad) 1309 Added definitions for "agents" (Bill Flanigan, Paul Hoffman) 1310 Inserted section 2.6 for SignerIdentifier (WG consensus) 1312 F. Editor's address 1314 Blake Ramsdell 1315 Worldtalk 1316 13122 NE 20th St., Suite C 1317 Bellevue, WA 98005 1318 (425) 882-8861 1319 blaker@deming.com