idnits 2.17.1 draft-ietf-smime-msg-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document is more than 15 pages and seems to lack a Table of Contents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 1459 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 90: '...draft, the terms MUST, MUST NOT, SHOUL...' RFC 2119 keyword, line 166: '...Sending and receiving agents MUST support SHA-1 [SHA1]. Receiving...' RFC 2119 keyword, line 167: '...agents SHOULD support MD5 [MD5] for the purpose of providing backward...' RFC 2119 keyword, line 172: '...Sending and receiving agents MUST support id-dsa defined in [DSS]....' RFC 2119 keyword, line 173: '...rithm parameters MUST be absent (not e...' (96 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 91 has weird spacing: '...s. This confo...' == Line 925 has weird spacing: '...gnature is "....' == Line 967 has weird spacing: '...y other unkn...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 30, 1999) is 8976 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'MIME-SPEC' on line 1332 looks like a reference -- Missing reference section? 'CMS' on line 1313 looks like a reference -- Missing reference section? 'PKCS-7' on line 1346 looks like a reference -- Missing reference section? 'MIME-SECURE' on line 1338 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 1341 looks like a reference -- Missing reference section? 'SHA1' on line 1352 looks like a reference -- Missing reference section? 'MD5' on line 1330 looks like a reference -- Missing reference section? 'DSS' on line 1325 looks like a reference -- Missing reference section? 'PKCS-1' on line 1344 looks like a reference -- Missing reference section? 'DH' on line 1371 looks like a reference -- Missing reference section? 'ESS' on line 1327 looks like a reference -- Missing reference section? '3DES' on line 1304 looks like a reference -- Missing reference section? 'DES' on line 1319 looks like a reference -- Missing reference section? 'RC2' on line 1350 looks like a reference -- Missing reference section? 'CHARSETS' on line 1310 looks like a reference -- Missing reference section? 'CONTDISP' on line 1316 looks like a reference -- Missing reference section? 'SMIMEV2' on line 1356 looks like a reference -- Missing reference section? 'CERT3' on line 1307 looks like a reference -- Missing reference section? 'RANDOM' on line 1381 looks like a reference -- Missing reference section? '0' on line 1213 looks like a reference -- Missing reference section? '1' on line 1214 looks like a reference -- Missing reference section? '2' on line 1215 looks like a reference Summary: 7 errors (**), 0 flaws (~~), 5 warnings (==), 24 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Editor: Blake Ramsdell, 2 draft-ietf-smime-msg-07.txt Worldtalk 3 March 31, 1999 4 Expires September 30, 1999 6 S/MIME Version 3 Message Specification 8 Status of this memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other 15 groups may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference 20 material or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 1. Introduction 30 S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a 31 consistent way to send and receive secure MIME data. Based on the 32 popular Internet MIME standard, S/MIME provides the following 33 cryptographic security services for electronic messaging applications: 34 authentication, message integrity and non-repudiation of origin (using 35 digital signatures) and privacy and data security (using encryption). 37 S/MIME can be used by traditional mail user agents (MUAs) to add 38 cryptographic security services to mail that is sent, and to interpret 39 cryptographic security services in mail that is received. However, 40 S/MIME is not restricted to mail; it can be used with any transport 41 mechanism that transports MIME data, such as HTTP. As such, S/MIME 42 takes advantage of the object-based features of MIME and allows secure 43 messages to be exchanged in mixed-transport systems. 45 Further, S/MIME can be used in automated message transfer agents that 46 use cryptographic security services that do not require any human 47 intervention, such as the signing of software-generated documents and 48 the encryption of FAX messages sent over the Internet. 50 1.1 Specification Overview 52 This document describes a protocol for adding cryptographic signature 53 and encryption services to MIME data. The MIME standard [MIME-SPEC] 54 provides a general structure for the content type of Internet messages 55 and allows extensions for new content type applications. 57 This draft defines how to create a MIME body part that has been 58 cryptographically enhanced according to CMS [CMS], which is derived 59 from PKCS #7 [PKCS-7]. This draft also defines the application/pkcs7- 60 mime MIME type that can be used to transport those body parts. 62 This draft also discusses how to use the multipart/signed MIME type 63 defined in [MIME-SECURE] to transport S/MIME signed messages. This 64 draft also defines the application/pkcs7-signature MIME type, which is 65 also used to transport S/MIME signed messages. 67 In order to create S/MIME messages, an S/MIME agent has to follow 68 specifications in this draft, as well as the specifications listed in 69 the Cryptographic Message Syntax [CMS]. 71 Throughout this draft, there are requirements and recommendations made 72 for how receiving agents handle incoming messages. There are separate 73 requirements and recommendations for how sending agents create 74 outgoing messages. In general, the best strategy is to "be liberal in 75 what you receive and conservative in what you send". Most of the 76 requirements are placed on the handling of incoming messages while the 77 recommendations are mostly on the creation of outgoing messages. 79 The separation for requirements on receiving agents and sending agents 80 also derives from the likelihood that there will be S/MIME systems 81 that involve software other than traditional Internet mail clients. 82 S/MIME can be used with any system that transports MIME data. An 83 automated process that sends an encrypted message might not be able to 84 receive an encrypted message at all, for example. Thus, the 85 requirements and recommendations for the two types of agents are 86 listed separately when appropriate. 88 1.2 Terminology 90 Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD 91 NOT are used in capital letters. This conforms to the definitions in 92 [MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to help 93 make the intent of standards track documents as clear as possible. The 94 same key words are used in this document to help implementors achieve 95 interoperability. 97 1.3 Definitions 99 For the purposes of this draft, the following definitions apply. 101 ASN.1: Abstract Syntax Notation One, as defined in CCITT X.208. 103 BER: Basic Encoding Rules for ASN.1, as defined in CCITT X.209. 105 Certificate: A type that binds an entity's distinguished name to a 106 public key with a digital signature. 108 DER: Distinguished Encoding Rules for ASN.1, as defined in CCITT 109 X.509. 111 7-bit data: Text data with lines less than 998 characters long, where 112 none of the characters have the 8th bit set, and there are no NULL 113 characters. and occur only as part of a end of line 114 delimiter. 116 8-bit data: Text data with lines less than 998 characters, and where 117 none of the characters are NULL characters. and occur only 118 as part of a end of line delimiter. 120 Binary data: Arbitrary data. 122 Transfer Encoding: A reversible transformation made on data so 8-bit 123 or binary data may be sent via a channel that only transmits 7-bit 124 data. 126 Receiving agent: software that interprets and processes S/MIME CMS 127 objects, MIME body parts that contain CMS objects, or both. 129 Sending agent: software that creates S/MIME CMS objects, MIME body 130 parts that contain CMS objects, or both. 132 S/MIME agent: user software that is a receiving agent, a sending 133 agent, or both. 135 1.4 Compatibility with Prior Practice of S/MIME 137 S/MIME version 3 agents should attempt to have the greatest 138 interoperability possible with S/MIME version 2 agents. S/MIME version 139 2 is described in RFC 2311 through RFC 2315, inclusive. RFC 2311 also 140 has historical information about the development of S/MIME. 142 1.5 Discussion of This Draft 144 This draft is being discussed on the "ietf-smime" mailing list. To 145 subscribe, send a message to: 147 ietf-smime-request@imc.org 149 with the single word 151 subscribe 153 in the body of the message. There is a Web site for the mailing list 154 at . 156 2. CMS Options 158 CMS allows for a wide variety of options in content and algorithm 159 support. This section puts forth a number of support requirements and 160 recommendations in order to achieve a base level of interoperability 161 among all S/MIME implementations. [CMS] provides additional details 162 regarding the use of the cryptographic algorithms. 164 2.1 DigestAlgorithmIdentifier 166 Sending and receiving agents MUST support SHA-1 [SHA1]. Receiving 167 agents SHOULD support MD5 [MD5] for the purpose of providing backward 168 compatibility with MD5-digested S/MIME v2 SignedData objects. 170 2.2 SignatureAlgorithmIdentifier 172 Sending and receiving agents MUST support id-dsa defined in [DSS]. 173 The algorithm parameters MUST be absent (not encoded as NULL). 175 Receiving agents SHOULD support rsaEncryption, defined in [PKCS-1]. 177 Sending agents SHOULD support rsaEncryption. Outgoing messages are 178 signed with a user's private key. The size of the private key is 179 determined during key generation. 181 Note that S/MIME v2 clients are only capable of verifying digital 182 signatures using the rsaEncryption algorithm. 184 2.3 KeyEncryptionAlgorithmIdentifier 186 Sending and receiving agents MUST support Diffie-Hellman defined in 187 [DH]. 189 Receiving agents SHOULD support rsaEncryption. Incoming encrypted 190 messages contain symmetric keys which are to be decrypted with a 191 user's private key. The size of the private key is determined during 192 key generation. 194 Sending agents SHOULD support rsaEncryption. 196 Note that S/MIME v2 clients are only capable of decrypting content 197 encryption keys using the rsaEncryption algorithm. 199 2.4 General Syntax 201 CMS defines multiple content types. Of these, only the Data, 202 SignedData, and EnvelopedData content types are currently used for 203 S/MIME. 205 2.4.1 Data Content Type 207 Sending agents MUST use the id-data content type identifier to 208 indicate the message content which has had security services applied 209 to it. For example, when applying a digital signature to MIME data, 210 the CMS signedData encapContentInfo eContentType MUST include the id- 211 data object identifier and the MIME content MUST be stored in the 212 SignedData encapContentInfo eContent OCTET STRING (unless the sending 213 agent is using multipart/signed, in which case the eContent is absent, 214 per section 3.4.3 of this document). As another example, when 215 applying encryption to MIME data, the CMS EnvelopedData 216 encryptedContentInfo ContentType MUST include the id-data object 217 identifier and the encrypted MIME content MUST be stored in the 218 envelopedData encryptedContentInfo encryptedContent OCTET STRING. 220 2.4.2 SignedData Content Type 222 Sending agents MUST use the signedData content type to apply a digital 223 signature to a message or, in a degenerate case where there is no 224 signature information, to convey certificates. 226 2.4.3 EnvelopedData Content Type 228 This content type is used to apply privacy protection to a message. A 229 sender needs to have access to a public key for each 230 intended message recipient to use this service. This content type does 231 not provide authentication. 233 2.5 Attribute SignerInfo Type 235 The SignerInfo type allows the inclusion of unsigned and signed 236 attributes to be included along with a signature. 238 Receiving agents MUST be able to handle zero or one instance of each 239 of the signed attributes listed here. Sending agents SHOULD generate 240 one instance of each of the following signed attributes in each S/MIME 241 message: 242 - signingTime (section 2.5.1 in this document) 243 - sMIMECapabilities (section 2.5.2 in this document) 244 - sMIMEEncryptionKeyPreference (section 2.5.3 in this document) 246 Further, receiving agents SHOULD be able to handle zero or one 247 instance in the signed attributes of the signingCertificate attribute 248 (section 5 in [ESS]). 250 Sending agents SHOULD generate one instance of the signingCertificate 251 signed attribute in each S/MIME message. 253 Additional attributes and values for these attributes may be defined 254 in the future. Receiving agents SHOULD handle attributes or values 255 that it does not recognize in a graceful manner. 257 Sending agents that include signed attributes that are not listed here 258 SHOULD display those attributes to the user, so that the user is aware 259 of all of the data being signed. 261 2.5.1 Signing-Time Attribute 263 The signing-time attribute is used to convey the time that a message 264 was signed. Until there are trusted timestamping services, the time of 265 signing will most likely be created by a message originator and 266 therefore is only as trustworthy as the originator. 268 Sending agents MUST encode signing time through the year 2049 as 269 UTCTime; signing times in 2050 or later MUST be encoded as 270 GeneralizedTime. When the UTCTime CHOICE is used, S/MIME agents MUST 271 interpret the year field (YY) as follows: 273 if YY is greater than or equal to 50, the year is interpreted as 19YY; 274 if YY is less than 50, the year is interpreted as 20YY. 276 2.5.2 SMIMECapabilities Attribute 278 The SMIMECapabilities attribute includes signature algorithms (such as 279 "sha1WithRSAEncryption"), symmetric algorithms (such as "DES-EDE3- 280 CBC"), and key encipherment algorithms (such as "rsaEncryption"). It 281 also includes a non-algorithm capability which is the preference for 282 signedData. The SMIMECapabilities were designed to be flexible and 283 extensible so that, in the future, a means of identifying other 284 capabilities and preferences such as certificates can be added in a 285 way that will not cause current clients to break. 287 If present, the SMIMECapabilities attribute MUST be a SignedAttribute; 288 it MUST NOT be an UnsignedAttribute. CMS defines SignedAttributes as a 289 SET OF Attribute. The SignedAttributes in a signerInfo MUST NOT 290 include multiple instances of the SMIMECapabilities attribute. CMS 291 defines the ASN.1 syntax for Attribute to include attrValues SET OF 292 AttributeValue. A SMIMECapabilities attribute MUST only include a 293 single instance of AttributeValue. There MUST NOT be zero or multiple 294 instances of AttributeValue present in the attrValues SET OF 295 AttributeValue. 297 The semantics of the SMIMECapabilites attribute specify a partial list 298 as to what the client announcing the SMIMECapabilites can support. A 299 client does not have to list every capability it supports, and 300 probably should not list all its capabilities so that the capabilities 301 list doesn't get too long. In an SMIMECapabilities attribute, the OIDs 302 are listed in order of their preference, but SHOULD be logically 303 separated along the lines of their categories (signature algorithms, 304 symmetric algorithms, key encipherment algorithms, etc.) 306 The structure of the SMIMECapabilities attribute is to facilitate 307 simple table lookups and binary comparisons in order to determine 308 matches. For instance, the DER-encoding for the SMIMECapability for 309 DES EDE3 CBC MUST be identically encoded regardless of the 310 implementation. 312 In the case of symmetric algorithms, the associated parameters for the 313 OID MUST specify all of the parameters necessary to differentiate 314 between two instances of the same algorithm. For instance, the number 315 of rounds and block size for RC5 must be specified in addition to the 316 key length. 318 There is a list of OIDs (OIDs Used with S/MIME) that is centrally 319 maintained and is separate from this draft. The list of OIDs is 320 maintained by the Internet Mail Consortium at . Note that all OIDs associated with the MUST and 322 SHOULD implement algorithms are included in section A of this 323 document. 325 The OIDs that correspond to algorithms SHOULD use the same OID as the 326 actual algorithm, except in the case where the algorithm usage is 327 ambiguous from the OID. For instance, in an earlier draft, 328 rsaEncryption was ambiguous because it could refer to either a 329 signature algorithm or a key encipherment algorithm. In the event that 330 an OID is ambiguous, it needs to be arbitrated by the maintainer of 331 the registered SMIMECapabilities list as to which type of algorithm 332 will use the OID, and a new OID MUST be allocated under the 333 smimeCapabilities OID to satisfy the other use of the OID. 335 The registered SMIMECapabilities list specifies the parameters for 336 OIDs that need them, most notably key lengths in the case of variable- 337 length symmetric ciphers. In the event that there are no 338 differentiating parameters for a particular OID, the parameters MUST 339 be omitted, and MUST NOT be encoded as NULL. 341 Additional values for the SMIMECapabilities attribute may be defined 342 in the future. Receiving agents MUST handle a SMIMECapabilities object 343 that has values that it does not recognize in a graceful manner. 345 2.5.3 Encryption Key Preference Attribute 347 The encryption key preference attribute allows the signer to 348 unambiguously describe which of the signer's certificates has the 349 signer's preferred encryption key. This attribute is designed to 350 enhance behavior for interoperating with those clients which use 351 separate keys for encryption and signing. This attribute is used to 352 convey to anyone viewing the attribute which of the listed 353 certificates should be used for encrypting a session key for future 354 encrypted messages. 356 If present, the SMIMEEncryptionKeyPreference attribute MUST be a 357 SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines 358 SignedAttributes as a SET OF Attribute. The SignedAttributes in a 359 signerInfo MUST NOT include multiple instances of the 360 SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax 361 for Attribute to include attrValues SET OF AttributeValue. A 362 SMIMEEncryptionKeyPreference attribute MUST only include a single 363 instance of AttributeValue. There MUST NOT be zero or multiple 364 instances of AttributeValue present in the attrValues SET OF 365 AttributeValue. 367 The sending agent SHOULD include the referenced certificate in the set 368 of certificates included in the signed message if this attribute is 369 used. The certificate may be omitted if it has been previously made 370 available to the receiving agent. Sending agents SHOULD use this 371 attribute if the commonly used or preferred encryption certificate is 372 not the same as the certificate used to sign the message. 374 Receiving agents SHOULD store the preference data if the signature on 375 the message is valid and the signing time is greater than the 376 currently stored value. (As with the SMIMECapabilities, the clock 377 skew should be checked and the data not used if the skew is too 378 great.) Receiving agents SHOULD respect the sender's encryption key 379 preference attribute if possible. This however represents only a 380 preference and the receiving agent may use any certificate in replying 381 to the sender that is valid. 383 2.5.3.1 Selection of Recipient Key Management Certificate 385 In order to determine the key management certificate to be used when 386 sending a future CMS envelopedData message for a particular recipient, 387 the following steps SHOULD be followed: 389 - If an SMIMEEncryptionKeyPreference attribute is found in a 390 signedData object received from the desired recipient, this identifies 391 the X.509 certificate that should be used as the X.509 key management 392 certificate for the recipient. 394 - If an SMIMEEncryptionKeyPreference attribute is not found in a 395 signedData object received from the desired recipient, the set of 396 X.509 certificates should be searched for a X.509 certificate with the 397 same subject name as the signing X.509 certificate which can be used 398 for key management. 400 - Or use some other method of determining the user's key management 401 key. If a X.509 key management certificate is not found, then 402 encryption cannot be done with the signer of the message. If multiple 403 X.509 key management certificates are found, the S/MIME agent can make 404 an arbitrary choice between them. 406 2.6 SignerIdentifier SignerInfo Type 408 S/MIME v3 requires the use of SignerInfo version 1, that is the 409 issuerAndSerialNumber CHOICE MUST be used for SignerIdentifier. 411 2.7 ContentEncryptionAlgorithmIdentifier 413 Sending and receiving agents MUST support encryption and decryption 414 with DES EDE3 CBC, hereinafter called "tripleDES" [3DES] [DES]. 415 Receiving agents SHOULD support encryption and decryption using the 416 RC2 [RC2] or a compatible algorithm at a key size of 40 bits, 417 hereinafter called "RC2/40". 419 2.7.1 Deciding Which Encryption Method To Use 421 When a sending agent creates an encrypted message, it has to decide 422 which type of encryption to use. The decision process involves using 423 information garnered from the capabilities lists included in messages 424 received from the recipient, as well as out-of-band information such 425 as private agreements, user preferences, legal restrictions, and so 426 on. 428 Section 2.5 defines a method by which a sending agent can optionally 429 announce, among other things, its decrypting capabilities in its order 430 of preference. The following method for processing and remembering the 431 encryption capabilities attribute in incoming signed messages SHOULD 432 be used. 434 - If the receiving agent has not yet created a list of capabilities 435 for the sender's public key, then, after verifying the signature 436 on the incoming message and checking the timestamp, the receiving 437 agent SHOULD create a new list containing at least the signing 438 time and the symmetric capabilities. 439 - If such a list already exists, the receiving agent SHOULD verify 440 that the signing time in the incoming message is greater than 441 the signing time stored in the list and that the signature is 442 valid. If so, the receiving agent SHOULD update both the signing 443 time and capabilities in the list. Values of the signing time that 444 lie far in the future (that is, a greater discrepancy than any 445 reasonable clock skew), or a capabilities list in messages whose 446 signature could not be verified, MUST NOT be accepted. 448 The list of capabilities SHOULD be stored for future use in creating 449 messages. 451 Before sending a message, the sending agent MUST decide whether it is 452 willing to use weak encryption for the particular data in the message. 453 If the sending agent decides that weak encryption is unacceptable for 454 this data, then the sending agent MUST NOT use a weak algorithm such 455 as RC2/40. The decision to use or not use weak encryption overrides 456 any other decision in this section about which encryption algorithm to 457 use. 459 Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending 460 agent SHOULD use in deciding which type of encryption should be 461 applied to a message. These rules are ordered, so the sending agent 462 SHOULD make its decision in the order given. 464 2.7.1.1 Rule 1: Known Capabilities 466 If the sending agent has received a set of capabilities from the 467 recipient for the message the agent is about to encrypt, then the 468 sending agent SHOULD use that information by selecting the first 469 capability in the list (that is, the capability most preferred by the 470 intended recipient) for which the sending agent knows how to encrypt. 471 The sending agent SHOULD use one of the capabilities in the list if 472 the agent reasonably expects the recipient to be able to decrypt the 473 message. 475 2.7.1.2 Rule 2: Unknown Capabilities, Known Use of Encryption 477 If: 478 - the sending agent has no knowledge of the encryption capabilities 479 of the recipient, 480 - and the sending agent has received at least one message from the 481 recipient, 482 - and the last encrypted message received from the recipient had a 483 trusted signature on it, 484 then the outgoing message SHOULD use the same encryption algorithm as 485 was used on the last signed and encrypted message received from the 486 recipient. 488 2.7.1.3 Rule 3: Unknown Capabilities, Unknown Version of S/MIME 490 If: 491 - the sending agent has no knowledge of the encryption capabilities 492 of the recipient, 493 - and the sending agent has no knowledge of the version of S/MIME 494 of the recipient, 495 then the sending agent SHOULD use tripleDES because it is a stronger 496 algorithm and is required by S/MIME v3. If the sending agent chooses 497 not to use tripleDES in this step, it SHOULD use RC2/40. 499 2.7.2 Choosing Weak Encryption 501 Like all algorithms that use 40 bit keys, RC2/40 is considered by many 502 to be weak encryption. A sending agent that is controlled by a human 503 SHOULD allow a human sender to determine the risks of sending data 504 using RC2/40 or a similarly weak encryption algorithm before sending 505 the data, and possibly allow the human to use a stronger encryption 506 method such as tripleDES. 508 2.7.3 Multiple Recipients 510 If a sending agent is composing an encrypted message to a group of 511 recipients where the encryption capabilities of some of the recipients 512 do not overlap, the sending agent is forced to send more than one 513 message. It should be noted that if the sending agent chooses to send 514 a message encrypted with a strong algorithm, and then send the same 515 message encrypted with a weak algorithm, someone watching the 516 communications channel may be able to learn the contents of the 517 strongly-encrypted message simply by decrypting the weakly-encrypted 518 message. 520 3. Creating S/MIME Messages 522 This section describes the S/MIME message formats and how they are 523 created. S/MIME messages are a combination of MIME bodies and CMS 524 objects. Several MIME types as well as several CMS objects are used. 525 The data to be secured is always a canonical MIME entity. The MIME 526 entity and other data, such as certificates and algorithm identifiers, 527 are given to CMS processing facilities which produces a CMS object. 528 The CMS object is then finally wrapped in MIME. The Enhanced Security 529 Services for S/MIME [ESS] document provides examples of how nested, 530 secured S/MIME messages are formatted. ESS provides an example of how 531 a triple-wrapped S/MIME message is formatted using multipart/signed 532 and application/pkcs7-mime for the signatures. 534 S/MIME provides one format for enveloped-only data, several formats 535 for signed-only data, and several formats for signed and enveloped 536 data. Several formats are required to accommodate several 537 environments, in particular for signed messages. The criteria for 538 choosing among these formats are also described. 540 The reader of this section is expected to understand MIME as described 541 in [MIME-SPEC] and [MIME-SECURE]. 543 3.1 Preparing the MIME Entity for Signing or Enveloping 545 S/MIME is used to secure MIME entities. A MIME entity may be a sub- 546 part, sub-parts of a message, or the whole message with all its sub- 547 parts. A MIME entity that is the whole message includes only the MIME 548 headers and MIME body, and does not include the RFC-822 headers. Note 549 that S/MIME can also be used to secure MIME entities used in 550 applications other than Internet mail. 552 The MIME entity that is secured and described in this section can be 553 thought of as the "inside" MIME entity. That is, it is the "innermost" 554 object in what is possibly a larger MIME message. Processing "outside" 555 MIME entities into CMS objects is described in Section 3.2, 3.4 and 556 elsewhere. 558 The procedure for preparing a MIME entity is given in [MIME-SPEC]. The 559 same procedure is used here with some additional restrictions when 560 signing. Description of the procedures from [MIME-SPEC] are repeated 561 here, but the reader should refer to that document for the exact 562 procedure. This section also describes additional requirements. 564 A single procedure is used for creating MIME entities that are to be 565 signed, enveloped, or both signed and enveloped. Some additional steps 566 are recommended to defend against known corruptions that can occur 567 during mail transport that are of particular importance for clear- 568 signing using the multipart/signed format. It is recommended that 569 these additional steps be performed on enveloped messages, or signed 570 and enveloped messages in order that the message can be forwarded to 571 any environment without modification. 573 These steps are descriptive rather than prescriptive. The implementor 574 is free to use any procedure as long as the result is the same. 576 Step 1. The MIME entity is prepared according to the local conventions 578 Step 2. The leaf parts of the MIME entity are converted to canonical 579 form 581 Step 3. Appropriate transfer encoding is applied to the leaves of the 582 MIME entity 584 When an S/MIME message is received, the security services on the 585 message are processed, and the result is the MIME entity. That MIME 586 entity is typically passed to a MIME-capable user agent where, it is 587 further decoded and presented to the user or receiving application. 589 3.1.1 Canonicalization 591 Each MIME entity MUST be converted to a canonical form that is 592 uniquely and unambiguously representable in the environment where the 593 signature is created and the environment where the signature will be 594 verified. MIME entities MUST be canonicalized for enveloping as well 595 as signing. 597 The exact details of canonicalization depend on the actual MIME type 598 and subtype of an entity, and are not described here. Instead, the 599 standard for the particular MIME type should be consulted. For 600 example, canonicalization of type text/plain is different from 601 canonicalization of audio/basic. Other than text types, most types 602 have only one representation regardless of computing platform or 603 environment which can be considered their canonical representation. In 604 general, canonicalization will be performed by the non-security part 605 of the sending agent rather than the S/MIME implementation. 607 The most common and important canonicalization is for text, which is 608 often represented differently in different environments. MIME entities 609 of major type "text" must have both their line endings and character 610 set canonicalized. The line ending must be the pair of characters 611 , and the charset should be a registered charset [CHARSETS]. 612 The details of the canonicalization are specified in [MIME-SPEC]. The 613 chosen charset SHOULD be named in the charset parameter so that 614 the receiving agent can unambiguously determine the charset used. 616 Note that some charsets such as ISO-2022 have multiple representations 617 for the same characters. When preparing such text for signing, the 618 canonical representation specified for the charset MUST be used. 620 3.1.2 Transfer Encoding 622 When generating any of the secured MIME entities below, except the 623 signing using the multipart/signed format, no transfer encoding at all 624 is required. S/MIME implementations MUST be able to deal with binary 625 MIME objects. If no Content-Transfer-Encoding header is present, the 626 transfer encoding should be considered 7BIT. 628 S/MIME implementations SHOULD however use transfer encoding described 629 in section 3.1.3 for all MIME entities they secure. The reason for 630 securing only 7-bit MIME entities, even for enveloped data that are 631 not exposed to the transport, is that it allows the MIME entity to be 632 handled in any environment without changing it. For example, a trusted 633 gateway might remove the envelope, but not the signature, of a 634 message, and then forward the signed message on to the end recipient 635 so that they can verify the signatures directly. If the transport 636 internal to the site is not 8-bit clean, such as on a wide-area 637 network with a single mail gateway, verifying the signature will not 638 be possible unless the original MIME entity was only 7-bit data. 640 3.1.3 Transfer Encoding for Signing Using multipart/signed 642 If a multipart/signed entity is EVER to be transmitted over the 643 standard Internet SMTP infrastructure or other transport that is 644 constrained to 7-bit text, it MUST have transfer encoding applied so 645 that it is represented as 7-bit text. MIME entities that are 7-bit 646 data already need no transfer encoding. Entities such as 8-bit text 647 and binary data can be encoded with quoted-printable or base-64 648 transfer encoding. 650 The primary reason for the 7-bit requirement is that the Internet mail 651 transport infrastructure cannot guarantee transport of 8-bit or binary 652 data. Even though many segments of the transport infrastructure now 653 handle 8-bit and even binary data, it is sometimes not possible to 654 know whether the transport path is 8-bit clear. If a mail message with 655 8-bit data were to encounter a message transfer agent that can not 656 transmit 8-bit or binary data, the agent has three options, none of 657 which are acceptable for a clear-signed message: 659 - The agent could change the transfer encoding; this would invalidate 660 the signature. 661 - The agent could transmit the data anyway, which would most likely 662 result in the 8th bit being corrupted; this too would invalidate the 663 signature. 664 - The agent could return the message to the sender. 666 [MIME-SECURE] prohibits an agent from changing the transfer encoding 667 of the first part of a multipart/signed message. If a compliant agent 668 that can not transmit 8-bit or binary data encounters a 669 multipart/signed message with 8-bit or binary data in the first part, 670 it would have to return the message to the sender as undeliverable. 672 3.1.4 Sample Canonical MIME Entity 674 This example shows a multipart/mixed message with full transfer 675 encoding. This message contains a text part and an attachment. The 676 sample message text includes characters that are not US-ASCII and thus 677 must be transfer encoded. Though not shown here, the end of each line 678 is . The line ending of the MIME headers, the text, and 679 transfer encoded parts, all must be . 681 Note that this example is not of an S/MIME message. 683 Content-Type: multipart/mixed; boundary=bar 685 --bar 686 Content-Type: text/plain; charset=iso-8859-1 687 Content-Transfer-Encoding: quoted-printable 689 =A1Hola Michael! 691 How do you like the new S/MIME specification? 693 I agree. It's generally a good idea to encode lines that begin 694 with 695 From=20because some mail transport agents will insert a greater- 696 than (>) sign, thus invalidating the signature. 698 Also, in some cases it might be desirable to encode any =20 699 trailing whitespace that occurs on lines in order to ensure =20 700 that the message signature is not invalidated when passing =20 701 a gateway that modifies such whitespace (like BITNET). =20 703 --bar 704 Content-Type: image/jpeg 705 Content-Transfer-Encoding: base64 707 iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC// 708 jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq 709 uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn 710 HOxEa44b+EI= 712 --bar-- 714 3.2 The application/pkcs7-mime Type 716 The application/pkcs7-mime type is used to carry CMS objects of 717 several types including envelopedData and signedData. The details of 718 constructing these entities is described in subsequent sections. This 719 section describes the general characteristics of the application/pkcs7- 720 mime type. 722 The carried CMS object always contains a MIME entity that is prepared 723 as described in section 3.1 if the eContentType is id-data. Other 724 contents may be carried when the eContentType contains different 725 values. See [ESS] for an example of this with signed receipts. 727 Since CMS objects are binary data, in most cases base-64 transfer 728 encoding is appropriate, in particular when used with SMTP transport. 729 The transfer encoding used depends on the transport through which the 730 object is to be sent, and is not a characteristic of the MIME type. 732 Note that this discussion refers to the transfer encoding of the CMS 733 object or "outside" MIME entity. It is completely distinct from, and 734 unrelated to, the transfer encoding of the MIME entity secured by the 735 CMS object, the "inside" object, which is described in section 3.1. 737 Because there are several types of application/pkcs7-mime objects, a 738 sending agent SHOULD do as much as possible to help a receiving agent 739 know about the contents of the object without forcing the receiving 740 agent to decode the ASN.1 for the object. The MIME headers of all 741 application/pkcs7-mime objects SHOULD include the optional "smime- 742 type" parameter, as described in the following sections. 744 3.2.1 The name and filename Parameters 746 For the application/pkcs7-mime, sending agents SHOULD emit the 747 optional "name" parameter to the Content-Type field for compatibility 748 with older systems. Sending agents SHOULD also emit the optional 749 Content-Disposition field [CONTDISP] with the "filename" parameter. If 750 a sending agent emits the above parameters, the value of the 751 parameters SHOULD be a file name with the appropriate extension: 753 MIME Type File Extension 755 Application/pkcs7-mime (signedData, .p7m 756 envelopedData) 758 Application/pkcs7-mime (degenerate .p7c 759 signedData "certs-only" message) 761 Application/pkcs7-signature .p7s 763 In addition, the file name SHOULD be limited to eight characters 764 followed by a three letter extension. The eight character filename 765 base can be any distinct name; the use of the filename base "smime" 766 SHOULD be used to indicate that the MIME entity is associated with 767 S/MIME. 769 Including a file name serves two purposes. It facilitates easier use 770 of S/MIME objects as files on disk. It also can convey type 771 information across gateways. When a MIME entity of type 772 application/pkcs7-mime (for example) arrives at a gateway that has no 773 special knowledge of S/MIME, it will default the entity's MIME type to 774 application/octet-stream and treat it as a generic attachment, thus 775 losing the type information. However, the suggested filename for an 776 attachment is often carried across a gateway. This often allows the 777 receiving systems to determine the appropriate application to hand the 778 attachment off to, in this case a stand-alone S/MIME processing 779 application. Note that this mechanism is provided as a convenience for 780 implementations in certain environments. A proper S/MIME 781 implementation MUST use the MIME types and MUST NOT rely on the file 782 extensions. 784 3.2.2 The smime-type parameter 786 The application/pkcs7-mime content type defines the optional "smime- 787 type" parameter. The intent of this parameter is to convey details 788 about the security applied (signed or enveloped) along with infomation 789 about the contained content. This draft defines the following smime- 790 types. 792 Name Security Inner Content 794 enveloped-data EnvelopedData id-data 796 signed-data SignedData id-data 798 certs-only SignedData none 800 In order that consistency can be obtained with future, the following 801 guidelines should be followed when assigning a new smime-type 802 parameter. 804 1. If both signing and encryption can be applied to the content, then 805 two values for smime-type SHOULD be assigned "signed-*" and "encrypted- 806 *". If one operation can be assigned then this may be omitted. Thus 807 since "certs-only" can only be signed, "signed-" is omitted. 809 2. A common string for a content oid should be assigned. We use "data" 810 for the id-data content OID when MIME is the inner content. 812 3. If no common string is assigned. Then the common string of 813 "OID." is recommended (for example, "OID.1.3.6.1.5.5.7.6.1" would 814 be DES40). 816 3.3 Creating an Enveloped-only Message 818 This section describes the format for enveloping a MIME entity without 819 signing it. It is important to note that sending enveloped but not 820 signed messages does not provide for data integrity. It is possible to 821 replace ciphertext in such a way that the processed message will still 822 be valid, but the meaning may be altered. 824 Step 1. The MIME entity to be enveloped is prepared according to 825 section 3.1. 827 Step 2. The MIME entity and other required data is processed into a 828 CMS object of type envelopedData. In addition to encrypting a copy of 829 the content-encryption key for each recipient, a copy of the content 830 encryption key SHOULD be encrypted for the originator and included in 831 the envelopedData (see CMS Section 6). 833 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 834 entity. 836 The smime-type parameter for enveloped-only messages is "enveloped- 837 data". The file extension for this type of message is ".p7m". 839 A sample message would be: 841 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; 842 name=smime.p7m 843 Content-Transfer-Encoding: base64 844 Content-Disposition: attachment; filename=smime.p7m 846 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 847 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 848 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 849 0GhIGfHfQbnj756YT64V 851 3.4 Creating a Signed-only Message 853 There are two formats for signed messages defined for S/MIME: 854 application/pkcs7-mime with SignedData, and multipart/signed. In 855 general, the multipart/signed form is preferred for sending, and 856 receiving agents SHOULD be able to handle both. 858 3.4.1 Choosing a Format for Signed-only Messages 860 There are no hard-and-fast rules when a particular signed-only format 861 should be chosen because it depends on the capabilities of all the 862 receivers and the relative importance of receivers with S/MIME 863 facilities being able to verify the signature versus the importance of 864 receivers without S/MIME software being able to view the message. 866 Messages signed using the multipart/signed format can always be viewed 867 by the receiver whether they have S/MIME software or not. They can 868 also be viewed whether they are using a MIME-native user agent or they 869 have messages translated by a gateway. In this context, "be viewed" 870 means the ability to process the message essentially as if it were not 871 a signed message, including any other MIME structure the message might 872 have. 874 Messages signed using the signedData format cannot be viewed by a 875 recipient unless they have S/MIME facilities. However, if they have 876 S/MIME facilities, these messages can always be verified if they were 877 not changed in transit. 879 3.4.2 Signing Using application/pkcs7-mime with SignedData 881 This signing format uses the application/pkcs7-mime MIME type. The 882 steps to create this format are: 884 Step 1. The MIME entity is prepared according to section 3.1 886 Step 2. The MIME entity and other required data is processed into a 887 CMS object of type signedData 889 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 890 entity 892 The smime-type parameter for messages using application/pkcs7-mime 893 with SignedData is "signed-data". The file extension for this type of 894 message is ".p7m". 896 A sample message would be: 898 Content-Type: application/pkcs7-mime; smime-type=signed-data; 899 name=smime.p7m 900 Content-Transfer-Encoding: base64 901 Content-Disposition: attachment; filename=smime.p7m 903 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 904 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH 905 HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 906 6YT64V0GhIGfHfQbnj75 908 3.4.3 Signing Using the multipart/signed Format 910 This format is a clear-signing format. Recipients without any S/MIME 911 or CMS processing facilities are able to view the message. It makes 912 use of the multipart/signed MIME type described in [MIME-SECURE]. The 913 multipart/signed MIME type has two parts. The first part contains the 914 MIME entity that is signed; the second part contains the "detached 915 signature" CMS SignedData object in which the encapContentInfo 916 eContent field is absent. 918 3.4.3.1 The application/pkcs7-signature MIME Type 920 This MIME type always contains a single CMS object of type signedData. 921 The signedData encapContentInfo eContent field MUST be absent. The 922 signerInfos field contains the signatures for the MIME entity. 924 The file extension for signed-only messages using application/pkcs7- 925 signature is ".p7s". 927 3.4.3.2 Creating a multipart/signed Message 929 Step 1. The MIME entity to be signed is prepared according to section 930 3.1, taking special care for clear-signing. 932 Step 2. The MIME entity is presented to CMS processing in order to 933 obtain an object of type signedData in which the encapContentInfo 934 eContent field is absent. 936 Step 3. The MIME entity is inserted into the first part of a 937 multipart/signed message with no processing other than that described 938 in section 3.1. 940 Step 4. Transfer encoding is applied to the "detached signature" CMS 941 SignedData object and it is inserted into a MIME entity of type 942 application/pkcs7-signature. 944 Step 5. The MIME entity of the application/pkcs7-signature is inserted 945 into the second part of the multipart/signed entity. 947 The multipart/signed Content type has two required parameters: the 948 protocol parameter and the micalg parameter. 950 The protocol parameter MUST be "application/pkcs7-signature". Note 951 that quotation marks are required around the protocol parameter 952 because MIME requires that the "/" character in the parameter value 953 MUST be quoted. 955 The micalg parameter allows for one-pass processing when the signature 956 is being verified. The value of the micalg parameter is dependent on 957 the message digest algorithm(s) used in the calculation of the Message 958 Integrity Check. If multiple message digest algorithms are used they 959 MUST be separated by commas per [MIME-SECURE]. The values to be placed 960 in the micalg parameter SHOULD be from the following: 962 Algorithm Value 963 used 965 MD5 md5 966 SHA-1 sha1 967 Any other unknown 969 (Historical note: some early implementations of S/MIME emitted and 970 expected "rsa-md5" and "rsa-sha1" for the micalg parameter.) Receiving 971 agents SHOULD be able to recover gracefully from a micalg parameter 972 value that they do not recognize. 974 3.4.3.3 Sample multipart/signed Message 976 Content-Type: multipart/signed; 977 protocol="application/pkcs7-signature"; 978 micalg=sha1; boundary=boundary42 980 --boundary42 981 Content-Type: text/plain 983 This is a clear-signed message. 985 --boundary42 986 Content-Type: application/pkcs7-signature; name=smime.p7s 987 Content-Transfer-Encoding: base64 988 Content-Disposition: attachment; filename=smime.p7s 990 ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 991 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj 992 n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 993 7GhIGfHfYT64VQbnj756 995 --boundary42-- 997 3.5 Signing and Encrypting 999 To achieve signing and enveloping, any of the signed-only and 1000 encrypted-only formats may be nested. This is allowed because the 1001 above formats are all MIME entities, and because they all secure MIME 1002 entities. 1004 An S/MIME implementation MUST be able to receive and process 1005 arbitrarily nested S/MIME within reasonable resource limits of the 1006 recipient computer. 1008 It is possible to either sign a message first, or to envelope the 1009 message first. It is up to the implementor and the user to choose. 1010 When signing first, the signatories are then securely obscured by the 1011 enveloping. When enveloping first the signatories are exposed, but it 1012 is possible to verify signatures without removing the enveloping. This 1013 may be useful in an environment were automatic signature verification 1014 is desired, as no private key material is required to verify a 1015 signature. 1017 There are security ramifications to choosing whether to sign first or 1018 encrypt first. A recipient of a message that is encrypted and then 1019 signed can validate that the encrypted block was unaltered, but cannot 1020 determine any relationship between the signer and the unencrypted 1021 contents of the message. A recipient of a message that is signed-then- 1022 encrypted can assume that the signed message itself has not been 1023 altered, but that a careful attacker may have changed the 1024 unauthenticated portions of the encrypted message. 1026 3.6 Creating a Certificates-only Message 1028 The certificates only message or MIME entity is used to transport 1029 certificates, such as in response to a registration request. This 1030 format can also be used to convey CRLs. 1032 Step 1. The certificates are made available to the CMS generating 1033 process which creates a CMS object of type signedData. The signedData 1034 encapContentInfo eContent field MUST be absent and signerInfos field 1035 MUST be empty. 1037 Step 2. The CMS signedData object is enclosed in an application/pkcs7- 1038 mime MIME entity 1040 The smime-type parameter for a certs-only message is "certs-only". 1041 The file extension for this type of message is ".p7c". 1043 3.7 Registration Requests 1045 A sending agent that signs messages MUST have a certificate for the 1046 signature so that a receiving agent can verify the signature. There 1047 are many ways of getting certificates, such as through an exchange 1048 with a certificate authority, through a hardware token or diskette, 1049 and so on. 1051 S/MIME v2 [SMIMEV2] specified a method for "registering" public keys 1052 with certificate authorities using an application/pkcs10 body part. 1053 The IETF's PKIX Working Group is preparing another method for 1054 requesting certificates; however, that work was not finished at the 1055 time of this draft. S/MIME v3 does not specify how to request a 1056 certificate, but instead mandates that every sending agent already has 1057 a certificate. Standardization of certificate management is being 1058 pursued separately in the IETF. 1060 3.8 Identifying an S/MIME Message 1062 Because S/MIME takes into account interoperation in non-MIME 1063 environments, several different mechanisms are employed to carry the 1064 type information, and it becomes a bit difficult to identify S/MIME 1065 messages. The following table lists criteria for determining whether 1066 or not a message is an S/MIME message. A message is considered an 1067 S/MIME message if it matches any below. 1069 The file suffix in the table below comes from the "name" parameter in 1070 the content-type header, or the "filename" parameter on the content- 1071 disposition header. These parameters that give the file suffix are not 1072 listed below as part of the parameter section. 1074 MIME type: application/pkcs7-mime 1075 parameters: any 1076 file suffix: any 1078 MIME type: multipart/signed 1079 parameters: protocol="application/pkcs7-signature" 1080 file suffix: any 1082 MIME type: application/octet-stream 1083 parameters: any 1084 file suffix: p7m, p7s, p7c 1086 4. Certificate Processing 1088 A receiving agent MUST provide some certificate retrieval mechanism in 1089 order to gain access to certificates for recipients of digital 1090 envelopes. This draft does not cover how S/MIME agents handle 1091 certificates, only what they do after a certificate has been validated 1092 or rejected. S/MIME certification issues are covered in [CERT3]. 1094 At a minimum, for initial S/MIME deployment, a user agent could 1095 automatically generate a message to an intended recipient requesting 1096 that recipient's certificate in a signed return message. Receiving and 1097 sending agents SHOULD also provide a mechanism to allow a user to 1098 "store and protect" certificates for correspondents in such a way so 1099 as to guarantee their later retrieval. 1101 4.1 Key Pair Generation 1103 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1104 or some related administrative utility or function MUST be capable of 1105 generating separate DH and DSS public/private key pairs on behalf of 1106 the user. Each key pair MUST be generated from a good source of non- 1107 deterministic random input [RANDOM] and the private key MUST be 1108 protected in a secure fashion. 1110 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1111 or some related administrative utility or function SHOULD generate RSA 1112 key pairs. 1114 A user agent SHOULD generate RSA key pairs at a minimum key size of 1115 768 bits. A user agent MUST NOT generate RSA key pairs less than 512 1116 bits long. Creating keys longer than 1024 bits may cause some older 1117 S/MIME receiving agents to not be able to verify signatures, but gives 1118 better security and is therefore valuable. A receiving agent SHOULD be 1119 able to verify signatures with keys of any size over 512 bits. Some 1120 agents created in the United States have chosen to create 512 bit keys 1121 in order to get more advantageous export licenses. However, 512 bit 1122 keys are considered by many to be cryptographically insecure. 1123 Implementors should be aware that multiple (active) key pairs may be 1124 associated with a single individual. For example, one key pair may be 1125 used to support confidentiality, while a different key pair may be 1126 used for authentication. 1128 5. Security 1130 This entire draft discusses security. Security issues not covered in 1131 other parts of the draft include: 1133 40-bit encryption is considered weak by most cryptographers. Using 1134 weak cryptography in S/MIME offers little actual security over sending 1135 plaintext. However, other features of S/MIME, such as the 1136 specification of tripleDES and the ability to announce stronger 1137 cryptographic capabilities to parties with whom you communicate, allow 1138 senders to create messages that use strong encryption. Using weak 1139 cryptography is never recommended unless the only alternative is no 1140 cryptography. When feasible, sending and receiving agents should 1141 inform senders and recipients the relative cryptographic strength of 1142 messages. 1144 It is impossible for most software or people to estimate the value of 1145 a message. Further, it is impossible for most software or people to 1146 estimate the actual cost of decrypting a message that is encrypted 1147 with a key of a particular size. Further, it is quite difficult to 1148 determine the cost of a failed decryption if a recipient cannot decode 1149 a message. Thus, choosing between different key sizes (or choosing 1150 whether to just use plaintext) is also impossible. However, decisions 1151 based on these criteria are made all the time, and therefore this 1152 draft gives a framework for using those estimates in choosing 1153 algorithms. 1155 If a sending agent is sending the same message using different 1156 strengths of cryptography, an attacker watching the communications 1157 channel may be able to determine the contents of the strongly- 1158 encrypted message by decrypting the weakly-encrypted version. In other 1159 words, a sender should not send a copy of a message using weaker 1160 cryptography than they would use for the original of the message. 1162 Modification of the ciphertext can go undetected if authentication is 1163 not also used, which is the case when sending EnvelopedData without 1164 wrapping it in SignedData or enclosing SignedData within it. 1166 A. ASN.1 Module 1168 SecureMimeMessageV3 1169 { iso(1) member-body(2) us(840) rsadsi(113549) 1170 pkcs(1) pkcs-9(9) smime(16) modules(0) smime(4) } 1172 DEFINITIONS IMPLICIT TAGS ::= 1173 BEGIN 1175 IMPORTS 1176 -- Cryptographic Message Syntax 1177 SubjectKeyIdentifier, IssuerAndSerialNumber, 1178 RecipientKeyIdentifier 1179 FROM CryptographicMessageSyntax 1180 { iso(1) member-body(2) us(840) rsadsi(113549) 1181 pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) }; 1183 -- id-aa is the arc with all new authenticated and unauthenticated 1184 attributes 1185 -- produced the by S/MIME Working Group 1187 id-aa OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840) 1188 rsadsi(113549) 1189 pkcs(1) pkcs-9(9) smime(16) attributes(2)} 1191 -- S/MIME Capabilities provides a method of broadcasting the symetric 1192 capabilities 1193 -- understood. Algorithms should be ordered by preference and 1194 grouped 1195 by type 1197 smimeCapabilities OBJECT IDENTIFIER ::= 1198 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} 1200 SMIMECapability ::= SEQUENCE { 1201 capabilityID OBJECT IDENTIFIER, 1202 parameters ANY DEFINED BY capabilityID OPTIONAL } 1204 SMIMECapabilities ::= SEQUENCE OF SMIMECapability 1206 -- Encryption Key Preference provides a method of broadcasting the 1207 prefered 1208 -- encryption certificate. 1210 id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} 1212 SMIMEEncryptionKeyPreference ::= CHOICE { 1213 issuerAndSerialNumber [0] IssuerAndSerialNumber, 1214 receipentKeyId [1] RecipientKeyIdentifier, 1215 subjectAltKeyIdentifier [2] SubjectKeyIdentifier 1216 } 1218 -- The Content Encryption Algorithms defined for SMIME are: 1220 -- Triple-DES is the manditory algorithm with CBCParameter being the 1221 parameters 1223 dES-EDE3-CBC OBJECT IDENTIFIER ::= 1224 {iso(1) member-body(2) us(840) rsadsi(113549) 1225 encryptionAlgorithm(3) 7} 1227 CBCParameter ::= IV 1229 IV ::= OCTET STRING (SIZE (8..8)) 1231 -- RC2 (or compatable) is an optional algorithm w/ RC2-CBC-paramter 1232 as the 1233 parameter 1235 rC2-CBC OBJECT IDENTIFIER ::= 1236 {iso(1) member-body(2) us(840) rsadsi(113549) 1237 encryptionAlgorithm(3) 2} 1239 -- For the effective-key-bits (key size) greater than 32 and less than 1240 -- 256, the RC2-CBC algorithm parameters are encoded as: 1242 RC2-CBC-parameter ::= SEQUENCE { 1243 rc2ParameterVersion INTEGER, 1244 iv IV} 1246 -- For the effective-key-bits of 40, 64, and 128, the 1247 rc2ParameterVersion 1248 -- values are 160, 120, 58 respectively. 1250 -- The following list the OIDs to be used with S/MIME V3 1252 -- Digest Algorithms: 1254 -- md5 OBJECT IDENTIFIER ::= 1255 -- {iso(1) member-body(2) us(840) rsadsi(113549) 1256 digestAlgorithm(2) 5} 1258 -- sha-1 OBJECT IDENTIFIER ::= 1259 --- {iso(1) identified-organization(3) oiw(14) secsig(3) 1260 algorithm(2) 1261 -- 26} 1263 -- Asymmetric Encryption Algorithms 1264 -- 1265 -- rsaEncryption OBJECT IDENTIFIER ::= 1266 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1267 1} 1268 -- 1269 -- rsa OBJECT IDENTIFIER ::= 1270 -- {joint-iso-ccitt(2) ds(5) algorithm(8) encryptionAlgorithm(1) 1} 1271 -- 1272 -- id-dsa OBJECT IDENTIFIER ::= 1273 -- {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } 1275 -- Signature Algorithms 1276 -- 1277 -- md2WithRSAEncryption OBJECT IDENTIFIER ::= 1278 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1279 2} 1280 -- 1281 -- md5WithRSAEncryption OBJECT IDENTIFIER ::= 1282 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1283 4} 1284 -- 1285 -- sha-1WithRSAEncryption OBJECT IDENTIFIER ::= 1286 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1287 5} 1288 -- 1289 -- id-dsa-with-sha1 OBJECT IDENTIFIER ::= 1290 -- {iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3} 1292 -- Other Signed Attributes 1293 -- 1294 -- signingTime OBJECT IDENTIFIER ::= 1295 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1296 5} 1297 -- See [CMS] for a description of how to encode the attribute 1298 value. 1300 END 1302 B. References 1304 [3DES] ANSI X9.52-1998, "Triple Data Encryption Algorithm Modes of 1305 Operation", American National Standards Institute, 1998. 1307 [CERT3] "S/MIME Version 3 Certificate Handling", Internet Draft draft- 1308 ietf-smime-cert-*.txt. 1310 [CHARSETS] Character sets assigned by IANA. See . 1313 [CMS] "Cryptographic Message Syntax", Internet Draft draft-ietf-smime- 1314 cms-*.txt. 1316 [CONTDISP] "Communicating Presentation Information in Internet 1317 Messages: The Content-Disposition Header Field", RFC 2183 1319 [DES] ANSI X3.106, "American National Standard for Information Systems- 1320 Data Link Encryption," American National Standards Institute, 1983. 1322 [DH] "Diffie-Hellman Key Agreement Method", Internet Draft draft-ietf- 1323 smime-x942-*.txt 1325 [DSS] NIST FIPS PUB 186, "Digital Signature Standard", 18 May 1994. 1327 [ESS] "Enhanced Security Services for S/MIME", Internet draft, draft- 1328 ietf-smime-ess-*.txt. 1330 [MD5] "The MD5 Message Digest Algorithm", RFC 1321 1332 [MIME-SPEC] The primary definition of MIME. "MIME Part 1: Format of 1333 Internet Message Bodies", RFC 2045; "MIME Part 2: Media Types", RFC 1334 2046; "MIME Part 3: Message Header Extensions for Non-ASCII Text", RFC 1335 2047; "MIME Part 4: Registration Procedures", RFC 2048; "MIME Part 5: 1336 Conformance Criteria and Examples", RFC 2049 1338 [MIME-SECURE] "Security Multiparts for MIME: Multipart/Signed and 1339 Multipart/Encrypted", RFC 1847 1341 [MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement 1342 Levels", RFC 2119 1344 [PKCS-1] "PKCS #1: RSA Encryption Version 1.5", RFC 2313 1346 [PKCS-7] "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315 1348 [RANDOM] "Randomness Recommendations for Security", RFC 1750 1350 [RC2] "A Description of the RC2 (r) Encryption Algorithm", RFC 2268 1352 [SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National Institute 1353 of Standards and Technology, U.S. Department of Commerce, DRAFT, 31May 1354 1994. 1356 [SMIMEV2] "S/MIME Version 2 Message Specification", RFC 2311 1358 C. Acknowledgements 1360 1362 D. Changes from last draft 1364 Clarified section 2.4.1 in the case of multipart/signed (eContent is 1365 absent in that case) (Jim Schaad) 1366 Removed receipt request attribute from section 2.5 (Jim Schaad) 1367 Capitalized MUST for use of the issuerAndSerialNumber CHOICE in 1368 section 2.6 (Jim Schaad) 1369 Capitalized NOT in section 3.2.1 regarding reliance on file extensions 1370 (Jim Schaad) 1371 Changed [DH] reference to refer to draft-ietf-smime-x942-*.txt (Jim 1372 Schaad) 1373 Replaced section A with ASN.1 module (Jim Schaad) 1374 Rewording of 2.7.3 to explain that the content of the strongly- 1375 encrypted message can be learned by decrypting the weaker message 1376 (Russ Housley) 1377 Provided example OID. string for new smime-type values in section 1378 3.2.2 (Russ Housley) 1379 Rewording of section 5 regarding sending two messages with different 1380 levels of encryption (Russ Housley) 1381 Added [RANDOM] reference in section 4.1 and to section B (Russ 1382 Housley) 1383 Explained in section 2.5.2 that section A contains all of the MUST and 1384 SHOULD OIDs (Russ Housley) 1385 Added language to 2.2 and 2.3 about S/MIME v2 clients only have 1386 rsaEncryption (Paul Hoffman) 1388 F. Edito's address 1390 Blake Ramsdell 1391 Worldtalk 1392 13122 NE 20th St., Suite C 1393 Bellevue, WA 98005 1394 (425) 882-8861 1395 blaker@deming.com