idnits 2.17.1 draft-ietf-smime-rfc2633bis-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document is more than 15 pages and seems to lack a Table of Contents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 1447 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 171: '...Sending and receiving agents MUST support SHA-1 [CMSALG]. Receiving...' RFC 2119 keyword, line 172: '...agents SHOULD support MD5 [CMSALG] for the purpose of providing...' RFC 2119 keyword, line 177: '...Receiving agents MUST support id-dsa defined in [CMSALG]. The...' RFC 2119 keyword, line 178: '...rithm parameters MUST be absent (not e...' RFC 2119 keyword, line 179: '...agents MUST support rsaEncryption, defined in [CMSALG]....' (96 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 1003 has weird spacing: '...y other unkn...' ** The document contains RFC2119-like boilerplate, but doesn't seem to mention RFC 2119. The boilerplate contains a reference [MUSTSHOULD], but that reference does not seem to mention RFC 2119 either. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 30, 2003) is 7660 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'MIME-SPEC' on line 1340 looks like a reference -- Missing reference section? 'CMS' on line 1328 looks like a reference -- Missing reference section? 'PKCS-7' on line 1352 looks like a reference -- Missing reference section? 'MIME-SECURE' on line 1346 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 1349 looks like a reference -- Missing reference section? 'TBD' on line 1243 looks like a reference -- Missing reference section? 'CMSALG' on line 1330 looks like a reference -- Missing reference section? 'ESS' on line 1338 looks like a reference -- Missing reference section? 'CHARSETS' on line 1325 looks like a reference -- Missing reference section? 'CONTDISP' on line 1335 looks like a reference -- Missing reference section? 'CMSCOMPR' on line 1332 looks like a reference -- Missing reference section? 'SMIMEV2' on line 1356 looks like a reference -- Missing reference section? 'CERT3' on line 1170 looks like a reference -- Missing reference section? 'RANDOM' on line 1354 looks like a reference -- Missing reference section? '0' on line 1287 looks like a reference -- Missing reference section? '1' on line 1288 looks like a reference -- Missing reference section? '2' on line 1289 looks like a reference -- Missing reference section? 'CERT31' on line 1322 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 20 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Editor: Blake Ramsdell, 2 draft-ietf-smime-rfc2633bis-02.txt Brute Squad Labs 3 October 30, 2002 4 Expires April 30, 2003 6 S/MIME Version 3.1 Message Specification 8 Status of this memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other 15 groups may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference material 20 or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 1. Introduction 30 S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a 31 consistent way to send and receive secure MIME data. Based on the 32 popular Internet MIME standard, S/MIME provides the following 33 cryptographic security services for electronic messaging applications: 34 authentication, message integrity and non-repudiation of origin (using 35 digital signatures) and data confidentiality (using encryption). 37 S/MIME can be used by traditional mail user agents (MUAs) to add 38 cryptographic security services to mail that is sent, and to interpret 39 cryptographic security services in mail that is received. However, 40 S/MIME is not restricted to mail; it can be used with any transport 41 mechanism that transports MIME data, such as HTTP. As such, S/MIME 42 takes advantage of the object-based features of MIME and allows secure 43 messages to be exchanged in mixed-transport systems. 45 Further, S/MIME can be used in automated message transfer agents that 46 use cryptographic security services that do not require any human 47 intervention, such as the signing of software-generated documents and 48 the encryption of FAX messages sent over the Internet. 50 1.1 Specification Overview 52 This document describes a protocol for adding cryptographic signature 53 and encryption services to MIME data. The MIME standard [MIME-SPEC] 54 provides a general structure for the content type of Internet messages 55 and allows extensions for new content type applications. 57 This specification defines how to create a MIME body part that has 58 been cryptographically enhanced according to CMS [CMS], which is 59 derived from PKCS #7 [PKCS-7]. This specification also defines the 60 application/pkcs7- mime MIME type that can be used to transport those 61 body parts. 63 This specification also discusses how to use the multipart/signed MIME 64 type defined in [MIME-SECURE] to transport S/MIME signed messages. 65 multipart/signed is used in conjunction with the 66 application/pkcs7-signature MIME type, which is used to transport 67 a detached S/MIME signature. 69 In order to create S/MIME messages, an S/MIME agent has to follow the 70 specifications in this document, as well as the specifications 71 listed in the Cryptographic Message Syntax [CMS]. 73 Throughout this specification, there are requirements and 74 recommendations made for how receiving agents handle incoming 75 messages. There are separate requirements and recommendations for how 76 sending agents create outgoing messages. In general, the best strategy 77 is to "be liberal in what you receive and conservative in what you 78 send". Most of the requirements are placed on the handling of incoming 79 messages while the recommendations are mostly on the creation of 80 outgoing messages. 82 The separation for requirements on receiving agents and sending agents 83 also derives from the likelihood that there will be S/MIME systems 84 that involve software other than traditional Internet mail clients. 85 S/MIME can be used with any system that transports MIME data. An 86 automated process that sends an encrypted message might not be able to 87 receive an encrypted message at all, for example. Thus, the 88 requirements and recommendations for the two types of agents are 89 listed separately when appropriate. 91 1.2 Terminology 93 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 94 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 95 document are to be interpreted as described in [MUSTSHOULD]. 97 1.3 Definitions 99 For the purposes of this specification, the following definitions 100 apply. 102 ASN.1: Abstract Syntax Notation One, as defined in CCITT X.208. 104 BER: Basic Encoding Rules for ASN.1, as defined in CCITT X.209. 106 Certificate: A type that binds an entity's distinguished name to a 107 public key with a digital signature. 109 DER: Distinguished Encoding Rules for ASN.1, as defined in CCITT 110 X.509. 112 7-bit data: Text data with lines less than 998 characters long, where 113 none of the characters have the 8th bit set, and there are no NULL 114 characters. and occur only as part of a end of line 115 delimiter. 117 8-bit data: Text data with lines less than 998 characters, and where 118 none of the characters are NULL characters. and occur only 119 as part of a end of line delimiter. 121 Binary data: Arbitrary data. 123 Transfer Encoding: A reversible transformation made on data so 8-bit 124 or binary data may be sent via a channel that only transmits 7-bit 125 data. 127 Receiving agent: software that interprets and processes S/MIME CMS 128 objects, MIME body parts that contain CMS objects, or both. 130 Sending agent: software that creates S/MIME CMS objects, MIME body 131 parts that contain CMS objects, or both. 133 S/MIME agent: user software that is a receiving agent, a sending 134 agent, or both. 136 1.4 Compatibility with Prior Practice of S/MIME 138 S/MIME version 3 agents should attempt to have the greatest 139 interoperability possible with S/MIME version 2 agents. S/MIME version 140 2 is described in RFC 2311 through RFC 2315, inclusive. RFC 2311 also 141 has historical information about the development of S/MIME. 143 1.5 Changes Since S/MIME v3.0 145 [TBD] 147 1.6 Discussion of This Specification 149 This specification is being discussed on the "ietf-smime" mailing 150 list. To subscribe, send a message to: 152 ietf-smime-request@imc.org 154 with the single word 156 subscribe 158 in the body of the message. There is a Web site for the mailing list 159 at . 161 2. CMS Options 163 CMS allows for a wide variety of options in content and algorithm 164 support. This section puts forth a number of support requirements and 165 recommendations in order to achieve a base level of interoperability 166 among all S/MIME implementations. [CMS] provides additional details 167 regarding the use of the cryptographic algorithms. 169 2.1 DigestAlgorithmIdentifier 171 Sending and receiving agents MUST support SHA-1 [CMSALG]. Receiving 172 agents SHOULD support MD5 [CMSALG] for the purpose of providing 173 backward compatibility with MD5-digested S/MIME v2 SignedData objects. 175 2.2 SignatureAlgorithmIdentifier 177 Receiving agents MUST support id-dsa defined in [CMSALG]. The 178 algorithm parameters MUST be absent (not encoded as NULL). Receiving 179 agents MUST support rsaEncryption, defined in [CMSALG]. 181 Sending agents MUST support either id-dsa or rsaEncryption. 183 Note that S/MIME v3 clients might only implement signing or signature 184 verification using id-dsa. Also note that S/MIME v2 clients are only 185 capable of verifying digital signatures using the rsaEncryption 186 algorithm. 188 2.3 KeyEncryptionAlgorithmIdentifier 190 Sending and receiving agents MUST support rsaEncryption, defined in 191 [CMSALG]. 193 Sending and receiving agents SHOULD support Diffie-Hellman defined in 194 [CMSALG]. 196 Note that S/MIME v3 clients might only implement key encryption and 197 decryption using the Diffie-Hellman algorithm. Also note that S/MIME 198 v2 clients are only capable of decrypting content-encryption keys 199 using the rsaEncryption algorithm. 201 2.4 General Syntax 203 CMS defines multiple content types. Of these, only the Data, 204 SignedData, and EnvelopedData content types are currently used for 205 S/MIME. 207 2.4.1 Data Content Type 209 Sending agents MUST use the id-data content type identifier to 210 identify the "inner" MIME message content. For example, when applying 211 a digital signature to MIME data, the CMS signedData encapContentInfo 212 eContentType MUST include the id-data object identifier and the MIME 213 content MUST be stored in the SignedData encapContentInfo eContent 214 OCTET STRING (unless the sending agent is using multipart/signed, in 215 which case the eContent is absent, per section 3.4.3 of this 216 document). As another example, when applying encryption to MIME data, 217 the CMS EnvelopedData encryptedContentInfo ContentType MUST include 218 the id-data object identifier and the encrypted MIME content MUST be 219 stored in the envelopedData encryptedContentInfo encryptedContent 220 OCTET STRING. 222 2.4.2 SignedData Content Type 224 Sending agents MUST use the signedData content type to apply a digital 225 signature to a message or, in a degenerate case where there is no 226 signature information, to convey certificates. 228 2.4.3 EnvelopedData Content Type 230 This content type is used to apply data confidentiality to a message. 231 A sender needs to have access to a public key for each intended 232 message recipient to use this service. This content type does not 233 provide authentication. 235 2.5 Attribute SignerInfo Type 237 The SignerInfo type allows the inclusion of unsigned and signed 238 attributes to be included along with a signature. 240 Receiving agents MUST be able to handle zero or one instance of each 241 of the signed attributes listed here. Sending agents SHOULD generate 242 one instance of each of the following signed attributes in each S/MIME 243 message: 245 - signingTime (section 2.5.1 in this document) 246 - sMIMECapabilities (section 2.5.2 in this document) 247 - sMIMEEncryptionKeyPreference (section 2.5.3 in this document) 249 Further, receiving agents SHOULD be able to handle zero or one 250 instance in the signed attributes of the signingCertificate attribute 251 (section 5 in [ESS]). 253 Sending agents SHOULD generate one instance of the signingCertificate 254 signed attribute in each S/MIME message. 256 Additional attributes and values for these attributes may be defined 257 in the future. Receiving agents SHOULD handle attributes or values 258 that it does not recognize in a graceful manner. 260 Sending agents that include signed attributes that are not listed here 261 SHOULD display those attributes to the user, so that the user is aware 262 of all of the data being signed. 264 2.5.1 Signing-Time Attribute 266 The signing-time attribute is used to convey the time that a message 267 was signed. The time of signing will most likely be created by a 268 message originator and therefore is only as trustworthy as the 269 originator. 271 Sending agents MUST encode signing time through the year 2049 as 272 UTCTime; signing times in 2050 or later MUST be encoded as 273 GeneralizedTime. When the UTCTime CHOICE is used, S/MIME agents MUST 274 interpret the year field (YY) as follows: 276 if YY is greater than or equal to 50, the year is interpreted as 19YY; 277 if YY is less than 50, the year is interpreted as 20YY. 279 2.5.2 SMIMECapabilities Attribute 281 The SMIMECapabilities attribute includes signature algorithms (such as 282 "sha1WithRSAEncryption"), symmetric algorithms (such as "DES-EDE3- 283 CBC"), and key encipherment algorithms (such as "rsaEncryption"). 284 There are also several identifiers which indicate support for other 285 optional features such as binary encoding and compression. The 286 SMIMECapabilities were designed to be flexible and extensible so that, 287 in the future, a means of identifying other capabilities and 288 preferences such as certificates can be added in a way that will not 289 cause current clients to break. 291 If present, the SMIMECapabilities attribute MUST be a SignedAttribute; 292 it MUST NOT be an UnsignedAttribute. CMS defines SignedAttributes as a 293 SET OF Attribute. The SignedAttributes in a signerInfo MUST NOT 294 include multiple instances of the SMIMECapabilities attribute. CMS 295 defines the ASN.1 syntax for Attribute to include attrValues SET OF 296 AttributeValue. A SMIMECapabilities attribute MUST only include a 297 single instance of AttributeValue. There MUST NOT be zero or multiple 298 instances of AttributeValue present in the attrValues SET OF 299 AttributeValue. 301 The semantics of the SMIMECapabilites attribute specify a partial list 302 as to what the client announcing the SMIMECapabilites can support. A 303 client does not have to list every capability it supports, and 304 probably should not list all its capabilities so that the capabilities 305 list doesn't get too long. In an SMIMECapabilities attribute, the OIDs 306 are listed in order of their preference, but SHOULD be logically 307 separated along the lines of their categories (signature algorithms, 308 symmetric algorithms, key encipherment algorithms, etc.) 310 The structure of the SMIMECapabilities attribute is to facilitate 311 simple table lookups and binary comparisons in order to determine 312 matches. For instance, the DER-encoding for the SMIMECapability for 313 DES EDE3 CBC MUST be identically encoded regardless of the 314 implementation. 316 In the case of symmetric algorithms, the associated parameters for the 317 OID MUST specify all of the parameters necessary to differentiate 318 between two instances of the same algorithm. For instance, the number 319 of rounds and block size for RC5 must be specified in addition to the 320 key length. 322 There is a list of OIDs (OIDs Used with S/MIME) that is centrally 323 maintained and is separate from this specification. The list of OIDs 324 is maintained by the Internet Mail Consortium at 325 . Note that all OIDs 326 associated with the MUST and SHOULD implement algorithms are included 327 in section A of this document. 329 The OIDs that correspond to algorithms SHOULD use the same OID as the 330 actual algorithm, except in the case where the algorithm usage is 331 ambiguous from the OID. For instance, in an earlier specification, 332 rsaEncryption was ambiguous because it could refer to either a 333 signature algorithm or a key encipherment algorithm. In the event that 334 an OID is ambiguous, it needs to be arbitrated by the maintainer of 335 the registered SMIMECapabilities list as to which type of algorithm 336 will use the OID, and a new OID MUST be allocated under the 337 smimeCapabilities OID to satisfy the other use of the OID. 339 The registered SMIMECapabilities list specifies the parameters for 340 OIDs that need them, most notably key lengths in the case of variable- 341 length symmetric ciphers. In the event that there are no 342 differentiating parameters for a particular OID, the parameters MUST 343 be omitted, and MUST NOT be encoded as NULL. 345 Additional values for the SMIMECapabilities attribute may be defined 346 in the future. Receiving agents MUST handle a SMIMECapabilities object 347 that has values that it does not recognize in a graceful manner. 349 2.5.3 Encryption Key Preference Attribute 351 The encryption key preference attribute allows the signer to 352 unambiguously describe which of the signer's certificates has the 353 signer's preferred encryption key. This attribute is designed to 354 enhance behavior for interoperating with those clients which use 355 separate keys for encryption and signing. This attribute is used to 356 convey to anyone viewing the attribute which of the listed 357 certificates should be used for encrypting a session key for future 358 encrypted messages. 360 If present, the SMIMEEncryptionKeyPreference attribute MUST be a 361 SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines 362 SignedAttributes as a SET OF Attribute. The SignedAttributes in a 363 signerInfo MUST NOT include multiple instances of the 364 SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax 365 for Attribute to include attrValues SET OF AttributeValue. A 366 SMIMEEncryptionKeyPreference attribute MUST only include a single 367 instance of AttributeValue. There MUST NOT be zero or multiple 368 instances of AttributeValue present in the attrValues SET OF 369 AttributeValue. 371 The sending agent SHOULD include the referenced certificate in the set 372 of certificates included in the signed message if this attribute is 373 used. The certificate may be omitted if it has been previously made 374 available to the receiving agent. Sending agents SHOULD use this 375 attribute if the commonly used or preferred encryption certificate is 376 not the same as the certificate used to sign the message. 378 Receiving agents SHOULD store the preference data if the signature on 379 the message is valid and the signing time is greater than the 380 currently stored value. (As with the SMIMECapabilities, the clock skew 381 should be checked and the data not used if the skew is too great.) 382 Receiving agents SHOULD respect the sender's encryption key preference 383 attribute if possible. This however represents only a preference and 384 the receiving agent may use any certificate in replying to the sender 385 that is valid. 387 2.5.3.1 Selection of Recipient Key Management Certificate 389 In order to determine the key management certificate to be used when 390 sending a future CMS envelopedData message for a particular recipient, 391 the following steps SHOULD be followed: 393 - If an SMIMEEncryptionKeyPreference attribute is found in a 394 signedData object received from the desired recipient, this 395 identifies the X.509 certificate that should be used as the X.509 396 key management certificate for the recipient. 398 - If an SMIMEEncryptionKeyPreference attribute is not found in a 399 signedData object received from the desired recipient, the set of 400 X.509 certificates should be searched for a X.509 certificate with 401 the same subject name as the signing X.509 certificate which can be 402 used for key management. 404 - Or use some other method of determining the user's key management 405 key. If a X.509 key management certificate is not found, then 406 encryption cannot be done with the signer of the message. If 407 multiple X.509 key management certificates are found, the S/MIME 408 agent can make an arbitrary choice between them. 410 2.6 SignerIdentifier SignerInfo Type 412 S/MIME v3 requires the use of SignerInfo version 1, that is the 413 issuerAndSerialNumber CHOICE MUST be used for SignerIdentifier. 415 2.7 ContentEncryptionAlgorithmIdentifier 417 Sending and receiving agents MUST support encryption and decryption 418 with DES EDE3 CBC, hereinafter called "tripleDES" [CMSALG]. Receiving 419 agents SHOULD support encryption and decryption using the RC2 [CMSALG] 420 or a compatible algorithm at a key size of 40 bits, hereinafter called 421 "RC2/40". 423 2.7.1 Deciding Which Encryption Method To Use 425 When a sending agent creates an encrypted message, it has to decide 426 which type of encryption to use. The decision process involves using 427 information garnered from the capabilities lists included in messages 428 received from the recipient, as well as out-of-band information such 429 as private agreements, user preferences, legal restrictions, and so 430 on. 432 Section 2.5 defines a method by which a sending agent can optionally 433 announce, among other things, its decrypting capabilities in its order 434 of preference. The following method for processing and remembering the 435 encryption capabilities attribute in incoming signed messages SHOULD 436 be used. 438 - If the receiving agent has not yet created a list of capabilities 439 for the sender's public key, then, after verifying the signature on 440 the incoming message and checking the timestamp, the receiving agent 441 SHOULD create a new list containing at least the signing time and 442 the symmetric capabilities. 444 - If such a list already exists, the receiving agent SHOULD verify 445 that the signing time in the incoming message is greater than the 446 signing time stored in the list and that the signature is valid. If 447 so, the receiving agent SHOULD update both the signing time and 448 capabilities in the list. Values of the signing time that lie far in 449 the future (that is, a greater discrepancy than any reasonable clock 450 skew), or a capabilities list in messages whose signature could not 451 be verified, MUST NOT be accepted. 453 The list of capabilities SHOULD be stored for future use in creating 454 messages. 456 Before sending a message, the sending agent MUST decide whether it is 457 willing to use weak encryption for the particular data in the message. 458 If the sending agent decides that weak encryption is unacceptable for 459 this data, then the sending agent MUST NOT use a weak algorithm such 460 as RC2/40. The decision to use or not use weak encryption overrides 461 any other decision in this section about which encryption algorithm to 462 use. 464 Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending 465 agent SHOULD use in deciding which type of encryption should be 466 applied to a message. These rules are ordered, so the sending agent 467 SHOULD make its decision in the order given. 469 2.7.1.1 Rule 1: Known Capabilities 471 If the sending agent has received a set of capabilities from the 472 recipient for the message the agent is about to encrypt, then the 473 sending agent SHOULD use that information by selecting the first 474 capability in the list (that is, the capability most preferred by the 475 intended recipient) for which the sending agent knows how to encrypt. 476 The sending agent SHOULD use one of the capabilities in the list if 477 the agent reasonably expects the recipient to be able to decrypt the 478 message. 480 2.7.1.2 Rule 2: Unknown Capabilities, Known Use of Encryption 482 If: 483 - the sending agent has no knowledge of the encryption capabilities 484 of the recipient, 485 - and the sending agent has received at least one message from the 486 recipient, 487 - and the last encrypted message received from the recipient had a 488 trusted signature on it, 489 then the outgoing message SHOULD use the same encryption algorithm as 490 was used on the last signed and encrypted message received from the 491 recipient. 493 2.7.1.3 Rule 3: Unknown Capabilities, Unknown Version of S/MIME 495 If: 496 - the sending agent has no knowledge of the encryption capabilities 497 of the recipient, 498 - and the sending agent has no knowledge of the version of S/MIME 499 of the recipient, 500 then the sending agent SHOULD use tripleDES because it is a stronger 501 algorithm and is required by S/MIME v3. If the sending agent chooses 502 not to use tripleDES in this step, it SHOULD use RC2/40. 504 2.7.2 Choosing Weak Encryption 506 Like all algorithms that use 40 bit keys, RC2/40 is considered by many 507 to be weak encryption. A sending agent that is controlled by a human 508 SHOULD allow a human sender to determine the risks of sending data 509 using RC2/40 or a similarly weak encryption algorithm before sending 510 the data, and possibly allow the human to use a stronger encryption 511 method such as tripleDES. 513 2.7.3 Multiple Recipients 515 If a sending agent is composing an encrypted message to a group of 516 recipients where the encryption capabilities of some of the recipients 517 do not overlap, the sending agent is forced to send more than one 518 message. It should be noted that if the sending agent chooses to send 519 a message encrypted with a strong algorithm, and then send the same 520 message encrypted with a weak algorithm, someone watching the 521 communications channel may be able to learn the contents of the 522 strongly-encrypted message simply by decrypting the weakly-encrypted 523 message. 525 3. Creating S/MIME Messages 527 This section describes the S/MIME message formats and how they are 528 created. S/MIME messages are a combination of MIME bodies and CMS 529 objects. Several MIME types as well as several CMS objects are used. 530 The data to be secured is always a canonical MIME entity. The MIME 531 entity and other data, such as certificates and algorithm identifiers, 532 are given to CMS processing facilities which produces a CMS object. 533 The CMS object is then finally wrapped in MIME. The Enhanced Security 534 Services for S/MIME [ESS] document provides examples of how nested, 535 secured S/MIME messages are formatted. ESS provides an example of how 536 a triple-wrapped S/MIME message is formatted using multipart/signed 537 and application/pkcs7-mime for the signatures. 539 S/MIME provides one format for enveloped-only data, several formats 540 for signed-only data, and several formats for signed and enveloped 541 data. Several formats are required to accommodate several 542 environments, in particular for signed messages. The criteria for 543 choosing among these formats are also described. 545 The reader of this section is expected to understand MIME as described 546 in [MIME-SPEC] and [MIME-SECURE]. 548 3.1 Preparing the MIME Entity for Signing or Enveloping 550 S/MIME is used to secure MIME entities. A MIME entity may be a sub- 551 part, sub-parts of a message, or the whole message with all its sub- 552 parts. A MIME entity that is the whole message includes only the MIME 553 headers and MIME body, and does not include the RFC-822 headers. Note 554 that S/MIME can also be used to secure MIME entities used in 555 applications other than Internet mail. 557 The MIME entity that is secured and described in this section can be 558 thought of as the "inside" MIME entity. That is, it is the "innermost" 559 object in what is possibly a larger MIME message. Processing "outside" 560 MIME entities into CMS objects is described in Section 3.2, 3.4 and 561 elsewhere. 563 The procedure for preparing a MIME entity is given in [MIME-SPEC]. The 564 same procedure is used here with some additional restrictions when 565 signing. Description of the procedures from [MIME-SPEC] are repeated 566 here, but the reader should refer to that document for the exact 567 procedure. This section also describes additional requirements. 569 A single procedure is used for creating MIME entities that are to be 570 signed, enveloped, or both signed and enveloped. Some additional steps 571 are recommended to defend against known corruptions that can occur 572 during mail transport that are of particular importance for clear- 573 signing using the multipart/signed format. It is recommended that 574 these additional steps be performed on enveloped messages, or signed 575 and enveloped messages in order that the message can be forwarded to 576 any environment without modification. 578 These steps are descriptive rather than prescriptive. The implementor 579 is free to use any procedure as long as the result is the same. 581 Step 1. The MIME entity is prepared according to the local conventions 583 Step 2. The leaf parts of the MIME entity are converted to canonical 584 form 586 Step 3. Appropriate transfer encoding is applied to the leaves of the 587 MIME entity 589 When an S/MIME message is received, the security services on the 590 message are processed, and the result is the MIME entity. That MIME 591 entity is typically passed to a MIME-capable user agent where, it is 592 further decoded and presented to the user or receiving application. 594 In order to protect outer, non-content related message headers (for 595 instance, the "Subject", "To", "From" and "CC" fields), the sending 596 client MAY wrap a full MIME message in a message/rfc822 wrapper in 597 order to apply S/MIME security services to these headers. It is up to 598 the receiving client to decide how to present these "inner" headers 599 along with the unprotected "outer" headers. 601 3.1.1 Canonicalization 603 Each MIME entity MUST be converted to a canonical form that is 604 uniquely and unambiguously representable in the environment where the 605 signature is created and the environment where the signature will be 606 verified. MIME entities MUST be canonicalized for enveloping as well 607 as signing. 609 The exact details of canonicalization depend on the actual MIME type 610 and subtype of an entity, and are not described here. Instead, the 611 standard for the particular MIME type should be consulted. For 612 example, canonicalization of type text/plain is different from 613 canonicalization of audio/basic. Other than text types, most types 614 have only one representation regardless of computing platform or 615 environment which can be considered their canonical representation. In 616 general, canonicalization will be performed by the non-security part 617 of the sending agent rather than the S/MIME implementation. 619 The most common and important canonicalization is for text, which is 620 often represented differently in different environments. MIME entities 621 of major type "text" must have both their line endings and character 622 set canonicalized. The line ending must be the pair of characters 623 , and the charset should be a registered charset [CHARSETS]. 624 The details of the canonicalization are specified in [MIME-SPEC]. The 625 chosen charset SHOULD be named in the charset parameter so that the 626 receiving agent can unambiguously determine the charset used. 628 Note that some charsets such as ISO-2022 have multiple representations 629 for the same characters. When preparing such text for signing, the 630 canonical representation specified for the charset MUST be used. 632 3.1.2 Transfer Encoding 634 When generating any of the secured MIME entities below, except the 635 signing using the multipart/signed format, no transfer encoding at all 636 is required. S/MIME implementations MUST be able to deal with binary 637 MIME objects. If no Content-Transfer-Encoding header is present, the 638 transfer encoding should be considered 7BIT. 640 S/MIME implementations SHOULD however use transfer encoding described 641 in section 3.1.3 for all MIME entities they secure. The reason for 642 securing only 7-bit MIME entities, even for enveloped data that are 643 not exposed to the transport, is that it allows the MIME entity to be 644 handled in any environment without changing it. For example, a trusted 645 gateway might remove the envelope, but not the signature, of a 646 message, and then forward the signed message on to the end recipient 647 so that they can verify the signatures directly. If the transport 648 internal to the site is not 8-bit clean, such as on a wide-area 649 network with a single mail gateway, verifying the signature will not 650 be possible unless the original MIME entity was only 7-bit data. 652 S/MIME implementations which "know" that all intended recipient(s) are 653 capable of handling inner (all but the outermost) binary MIME objects 654 SHOULD NOT use 7-bit transfer encoding for the inner entities since 655 this would unnecessarily expand the message size. Implementations MAY 656 "know" that recipient implementations are capable of handling inner 657 binary MIME entities either by interpreting the 658 id-cap-preferBinaryInside sMIMECapabilities attribute, by prior 659 agreement, or by other means. 661 If one or more intended recipients are unable to handle inner binary 662 MIME objects, or if this capability in unknown for any of the intended 663 recipients, S/MIME implementations SHOULD use transfer encoding 664 described in section 3.1.3 for all MIME entities they secure. 666 3.1.3 Transfer Encoding for Signing Using multipart/signed 668 If a multipart/signed entity is EVER to be transmitted over the 669 standard Internet SMTP infrastructure or other transport that is 670 constrained to 7-bit text, it MUST have transfer encoding applied so 671 that it is represented as 7-bit text. MIME entities that are 7-bit 672 data already need no transfer encoding. Entities such as 8-bit text 673 and binary data can be encoded with quoted-printable or base-64 674 transfer encoding. 676 The primary reason for the 7-bit requirement is that the Internet mail 677 transport infrastructure cannot guarantee transport of 8-bit or binary 678 data. Even though many segments of the transport infrastructure now 679 handle 8-bit and even binary data, it is sometimes not possible to 680 know whether the transport path is 8-bit clear. If a mail message with 681 8-bit data were to encounter a message transfer agent that can not 682 transmit 8-bit or binary data, the agent has three options, none of 683 which are acceptable for a clear-signed message: 685 - The agent could change the transfer encoding; this would invalidate 686 the signature. 687 - The agent could transmit the data anyway, which would most likely 688 result in the 8th bit being corrupted; this too would invalidate the 689 signature. 690 - The agent could return the message to the sender. 692 [MIME-SECURE] prohibits an agent from changing the transfer encoding 693 of the first part of a multipart/signed message. If a compliant agent 694 that can not transmit 8-bit or binary data encounters a 695 multipart/signed message with 8-bit or binary data in the first part, 696 it would have to return the message to the sender as undeliverable. 698 3.1.4 Sample Canonical MIME Entity 700 This example shows a multipart/mixed message with full transfer 701 encoding. This message contains a text part and an attachment. The 702 sample message text includes characters that are not US-ASCII and thus 703 must be transfer encoded. Though not shown here, the end of each line 704 is . The line ending of the MIME headers, the text, and 705 transfer encoded parts, all must be . 707 Note that this example is not of an S/MIME message. 709 Content-Type: multipart/mixed; boundary=bar 711 --bar 712 Content-Type: text/plain; charset=iso-8859-1 713 Content-Transfer-Encoding: quoted-printable 715 =A1Hola Michael! 717 How do you like the new S/MIME specification? 719 It's generally a good idea to encode lines that begin with 720 From=20because some mail transport agents will insert a greater- 721 than (>) sign, thus invalidating the signature. 723 Also, in some cases it might be desirable to encode any =20 724 trailing whitespace that occurs on lines in order to ensure =20 725 that the message signature is not invalidated when passing =20 726 a gateway that modifies such whitespace (like BITNET). =20 728 --bar 729 Content-Type: image/jpeg 730 Content-Transfer-Encoding: base64 732 iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC// 733 jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq 734 uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn 735 HOxEa44b+EI= 737 --bar-- 739 3.2 The application/pkcs7-mime Type 741 The application/pkcs7-mime type is used to carry CMS objects of 742 several types including envelopedData and signedData. The details of 743 constructing these entities is described in subsequent sections. This 744 section describes the general characteristics of the 745 application/pkcs7- mime type. 747 The carried CMS object always contains a MIME entity that is prepared 748 as described in section 3.1 if the eContentType is id-data. Other 749 contents may be carried when the eContentType contains different 750 values. See [ESS] for an example of this with signed receipts. 752 Since CMS objects are binary data, in most cases base-64 transfer 753 encoding is appropriate, in particular when used with SMTP transport. 754 The transfer encoding used depends on the transport through which the 755 object is to be sent, and is not a characteristic of the MIME type. 757 Note that this discussion refers to the transfer encoding of the CMS 758 object or "outside" MIME entity. It is completely distinct from, and 759 unrelated to, the transfer encoding of the MIME entity secured by the 760 CMS object, the "inside" object, which is described in section 3.1. 762 Because there are several types of application/pkcs7-mime objects, a 763 sending agent SHOULD do as much as possible to help a receiving agent 764 know about the contents of the object without forcing the receiving 765 agent to decode the ASN.1 for the object. The MIME headers of all 766 application/pkcs7-mime objects SHOULD include the optional "smime- 767 type" parameter, as described in the following sections. 769 3.2.1 The name and filename Parameters 771 For the application/pkcs7-mime, sending agents SHOULD emit the 772 optional "name" parameter to the Content-Type field for compatibility 773 with older systems. Sending agents SHOULD also emit the optional 774 Content-Disposition field [CONTDISP] with the "filename" parameter. If 775 a sending agent emits the above parameters, the value of the 776 parameters SHOULD be a file name with the appropriate extension: 778 MIME Type File Extension 780 Application/pkcs7-mime (signedData, envelopedData) .p7m 782 Application/pkcs7-mime (degenerate signedData .p7c 783 certificate management message) 785 Application/pkcs7-mime (compressedData) .p7z 787 Application/pkcs7-signature .p7s 789 In addition, the file name SHOULD be limited to eight characters 790 followed by a three letter extension. The eight character filename 791 base can be any distinct name; the use of the filename base "smime" 792 SHOULD be used to indicate that the MIME entity is associated with 793 S/MIME. 795 Including a file name serves two purposes. It facilitates easier use 796 of S/MIME objects as files on disk. It also can convey type 797 information across gateways. When a MIME entity of type 798 application/pkcs7-mime (for example) arrives at a gateway that has no 799 special knowledge of S/MIME, it will default the entity's MIME type to 800 application/octet-stream and treat it as a generic attachment, thus 801 losing the type information. However, the suggested filename for an 802 attachment is often carried across a gateway. This often allows the 803 receiving systems to determine the appropriate application to hand the 804 attachment off to, in this case a stand-alone S/MIME processing 805 application. Note that this mechanism is provided as a convenience for 806 implementations in certain environments. A proper S/MIME 807 implementation MUST use the MIME types and MUST NOT rely on the file 808 extensions. 810 3.2.2 The smime-type parameter 812 The application/pkcs7-mime content type defines the optional "smime- 813 type" parameter. The intent of this parameter is to convey details 814 about the security applied (signed or enveloped) along with infomation 815 about the contained content. This specification defines the following 816 smime- types. 818 Name CMS type Inner Content 820 enveloped-data EnvelopedData id-data 822 signed-data SignedData id-data 824 certs-only SignedData none 826 compressed-data CompressedData id-data 828 In order that consistency can be obtained with future, the following 829 guidelines should be followed when assigning a new smime-type 830 parameter. 832 1. If both signing and encryption can be applied to the content, then 833 two values for smime-type SHOULD be assigned "signed-*" and 834 "encrypted- *". If one operation can be assigned then this may be 835 omitted. Thus since "certs-only" can only be signed, "signed-" is 836 omitted. 838 2. A common string for a content oid should be assigned. We use "data" 839 for the id-data content OID when MIME is the inner content. 841 3. If no common string is assigned. Then the common string of 842 "OID." is recommended (for example, "OID.1.3.6.1.5.5.7.6.1" would 843 be DES40). 845 3.3 Creating an Enveloped-only Message 847 This section describes the format for enveloping a MIME entity without 848 signing it. It is important to note that sending enveloped but not 849 signed messages does not provide for data integrity. It is possible to 850 replace ciphertext in such a way that the processed message will still 851 be valid, but the meaning may be altered. 853 Step 1. The MIME entity to be enveloped is prepared according to 854 section 3.1. 856 Step 2. The MIME entity and other required data is processed into a 857 CMS object of type envelopedData. In addition to encrypting a copy of 858 the content-encryption key for each recipient, a copy of the content- 859 encryption key SHOULD be encrypted for the originator and included in 860 the envelopedData (see CMS Section 6). 862 Step 3. The envelopedData object is wrapped in a CMS ContentInfo 863 object. 865 Step 4. The ContentInfo object is inserted into an 866 application/pkcs7-mime MIME entity. 868 The smime-type parameter for enveloped-only messages is "enveloped- 869 data". The file extension for this type of message is ".p7m". 871 A sample message would be: 873 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; 874 name=smime.p7m 875 Content-Transfer-Encoding: base64 876 Content-Disposition: attachment; filename=smime.p7m 878 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 879 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 880 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 881 0GhIGfHfQbnj756YT64V 883 3.4 Creating a Signed-only Message 885 There are two formats for signed messages defined for S/MIME: 886 application/pkcs7-mime with SignedData, and multipart/signed. In 887 general, the multipart/signed form is preferred for sending, and 888 receiving agents SHOULD be able to handle both. 890 3.4.1 Choosing a Format for Signed-only Messages 892 There are no hard-and-fast rules when a particular signed-only format 893 should be chosen because it depends on the capabilities of all the 894 receivers and the relative importance of receivers with S/MIME 895 facilities being able to verify the signature versus the importance of 896 receivers without S/MIME software being able to view the message. 898 Messages signed using the multipart/signed format can always be viewed 899 by the receiver whether they have S/MIME software or not. They can 900 also be viewed whether they are using a MIME-native user agent or they 901 have messages translated by a gateway. In this context, "be viewed" 902 means the ability to process the message essentially as if it were not 903 a signed message, including any other MIME structure the message might 904 have. 906 Messages signed using the signedData format cannot be viewed by a 907 recipient unless they have S/MIME facilities. However, if they have 908 S/MIME facilities, these messages can always be verified if they were 909 not changed in transit. 911 3.4.2 Signing Using application/pkcs7-mime with SignedData 913 This signing format uses the application/pkcs7-mime MIME type. The 914 steps to create this format are: 916 Step 1. The MIME entity is prepared according to section 3.1 918 Step 2. The MIME entity and other required data is processed into a 919 CMS object of type signedData 921 Step 3. The signedData object is wrapped in a CMS ContentInfo 922 object. 924 Step 4. The ContentInfo object is inserted into an 925 application/pkcs7-mime MIME entity. 927 The smime-type parameter for messages using application/pkcs7-mime 928 with SignedData is "signed-data". The file extension for this type of 929 message is ".p7m". 931 A sample message would be: 933 Content-Type: application/pkcs7-mime; smime-type=signed-data; 934 name=smime.p7m 935 Content-Transfer-Encoding: base64 936 Content-Disposition: attachment; filename=smime.p7m 938 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 939 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH 940 HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 941 6YT64V0GhIGfHfQbnj75 943 3.4.3 Signing Using the multipart/signed Format 945 This format is a clear-signing format. Recipients without any S/MIME 946 or CMS processing facilities are able to view the message. It makes 947 use of the multipart/signed MIME type described in [MIME-SECURE]. The 948 multipart/signed MIME type has two parts. The first part contains the 949 MIME entity that is signed; the second part contains the "detached 950 signature" CMS SignedData object in which the encapContentInfo 951 eContent field is absent. 953 3.4.3.1 The application/pkcs7-signature MIME Type 955 This MIME type always contains a CMS ContentInfo containing a single 956 CMS object of type signedData. The signedData encapContentInfo 957 eContent field MUST be absent. The signerInfos field contains the 958 signatures for the MIME entity. 960 The file extension for signed-only messages using application/pkcs7- 961 signature is ".p7s". 963 3.4.3.2 Creating a multipart/signed Message 965 Step 1. The MIME entity to be signed is prepared according to section 966 3.1, taking special care for clear-signing. 968 Step 2. The MIME entity is presented to CMS processing in order to 969 obtain an object of type signedData in which the encapContentInfo 970 eContent field is absent. 972 Step 3. The MIME entity is inserted into the first part of a 973 multipart/signed message with no processing other than that described 974 in section 3.1. 976 Step 4. Transfer encoding is applied to the "detached signature" CMS 977 SignedData object and it is inserted into a MIME entity of type 978 application/pkcs7-signature. 980 Step 5. The MIME entity of the application/pkcs7-signature is inserted 981 into the second part of the multipart/signed entity. 983 The multipart/signed Content type has two required parameters: the 984 protocol parameter and the micalg parameter. 986 The protocol parameter MUST be "application/pkcs7-signature". Note 987 that quotation marks are required around the protocol parameter 988 because MIME requires that the "/" character in the parameter value 989 MUST be quoted. 991 The micalg parameter allows for one-pass processing when the signature 992 is being verified. The value of the micalg parameter is dependent on 993 the message digest algorithm(s) used in the calculation of the Message 994 Integrity Check. If multiple message digest algorithms are used they 995 MUST be separated by commas per [MIME-SECURE]. The values to be placed 996 in the micalg parameter SHOULD be from the following: 998 Algorithm Value 999 used 1001 MD5 md5 1002 SHA-1 sha1 1003 Any other unknown 1005 (Historical note: some early implementations of S/MIME emitted and 1006 expected "rsa-md5" and "rsa-sha1" for the micalg parameter.) Receiving 1007 agents SHOULD be able to recover gracefully from a micalg parameter 1008 value that they do not recognize. 1010 3.4.3.3 Sample multipart/signed Message 1012 Content-Type: multipart/signed; 1013 protocol="application/pkcs7-signature"; 1014 micalg=sha1; boundary=boundary42 1016 --boundary42 1017 Content-Type: text/plain 1019 This is a clear-signed message. 1021 --boundary42 1022 Content-Type: application/pkcs7-signature; name=smime.p7s 1023 Content-Transfer-Encoding: base64 1024 Content-Disposition: attachment; filename=smime.p7s 1026 ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 1027 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj 1028 n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 1029 7GhIGfHfYT64VQbnj756 1031 --boundary42-- 1033 3.5 Creating an Compressed-only Message 1035 This section describes the format for compressing a MIME entity. 1036 Please note that versions of S/MIME prior to 3.1 did not specify any 1037 use of compressedData, and will not recognize it. The use of a 1038 capability to indicate the ability to receive compressedData is 1039 described in [CMSCOMPR] and is the preferred method for compatibility. 1041 Step 1. The MIME entity to be enveloped is prepared according to 1042 section 3.1. 1044 Step 2. The MIME entity and other required data is processed into a 1045 CMS object of type compressedData. 1047 Step 3. The compressedData object is wrapped in a CMS ContentInfo 1048 object. 1050 Step 4. The ContentInfo object is inserted into an 1051 application/pkcs7-mime MIME entity. 1053 The smime-type parameter for compressed-only messages is "compressed- 1054 data". The file extension for this type of message is ".p7z". 1056 A sample message would be: 1058 Content-Type: application/pkcs7-mime; smime-type=compressed-data; 1059 name=smime.p7z 1060 Content-Transfer-Encoding: base64 1061 Content-Disposition: attachment; filename=smime.p7z 1063 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 1064 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 1065 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 1066 0GhIGfHfQbnj756YT64V 1068 3.6 Multiple Operations 1070 Any of the signed-only, compressed-only and encrypted-only MIME 1071 formats listed above may be nested. This is allowed because the above 1072 formats are all MIME entities, and because they all secure MIME 1073 entities. 1075 An S/MIME implementation MUST be able to receive and process 1076 arbitrarily nested S/MIME within reasonable resource limits of the 1077 recipient computer. 1079 It is possible to apply any of the signing, encrypting and compressing 1080 operations in any order. It is up to the implementor and the user to 1081 choose. When signing first, the signatories are then securely obscured 1082 by the enveloping. When enveloping first the signatories are exposed, 1083 but it is possible to verify signatures without removing the 1084 enveloping. This may be useful in an environment were automatic 1085 signature verification is desired, as no private key material is 1086 required to verify a signature. 1088 There are security ramifications to choosing whether to sign first or 1089 encrypt first. A recipient of a message that is encrypted and then 1090 signed can validate that the encrypted block was unaltered, but cannot 1091 determine any relationship between the signer and the unencrypted 1092 contents of the message. A recipient of a message that is signed-then- 1093 encrypted can assume that the signed message itself has not been 1094 altered, but that a careful attacker may have changed the 1095 unauthenticated portions of the encrypted message. 1097 When using compression, the only guidance we will give here is to not 1098 compress encrypted data, since this will not yield significant 1099 compression. 1101 3.7 Creating a Certificate Management Message 1103 The certificate management message or MIME entity is used to transport 1104 certificates and/or certificate revocation lists, such as in response 1105 to a registration request. 1107 Step 1. The certificates and/or certificate revocation lists are made 1108 available to the CMS generating process which creates a CMS object of 1109 type signedData. The signedData encapContentInfo eContent field MUST 1110 be absent and signerInfos field MUST be empty. 1112 Step 2. The signedData object is wrapped in a CMS ContentInfo 1113 object. 1115 Step 3. The ContentInfo object is enclosed in an application/pkcs7- 1116 mime MIME entity 1118 The smime-type parameter for a certificate management message is 1119 "certs-only". The file extension for this type of message is ".p7c". 1121 3.8 Registration Requests 1123 A sending agent that signs messages MUST have a certificate for the 1124 signature so that a receiving agent can verify the signature. There 1125 are many ways of getting certificates, such as through an exchange 1126 with a certificate authority, through a hardware token or diskette, 1127 and so on. 1129 S/MIME v2 [SMIMEV2] specified a method for "registering" public keys 1130 with certificate authorities using an application/pkcs10 body part. 1131 The IETF's PKIX Working Group is preparing another method for 1132 requesting certificates; however, that work was not finished at the 1133 time of this specification. S/MIME v3 does not specify how to request 1134 a certificate, but instead mandates that every sending agent already 1135 has a certificate. Standardization of certificate management is being 1136 pursued separately in the IETF. 1138 3.9 Identifying an S/MIME Message 1140 Because S/MIME takes into account interoperation in non-MIME 1141 environments, several different mechanisms are employed to carry the 1142 type information, and it becomes a bit difficult to identify S/MIME 1143 messages. The following table lists criteria for determining whether 1144 or not a message is an S/MIME message. A message is considered an 1145 S/MIME message if it matches any below. 1147 The file suffix in the table below comes from the "name" parameter in 1148 the content-type header, or the "filename" parameter on the content- 1149 disposition header. These parameters that give the file suffix are not 1150 listed below as part of the parameter section. 1152 MIME type: application/pkcs7-mime 1153 parameters: any 1154 file suffix: any 1156 MIME type: multipart/signed 1157 parameters: protocol="application/pkcs7-signature" 1158 file suffix: any 1160 MIME type: application/octet-stream 1161 parameters: any 1162 file suffix: p7m, p7s, p7c, p7z 1164 4. Certificate Processing 1166 A receiving agent MUST provide some certificate retrieval mechanism in 1167 order to gain access to certificates for recipients of digital 1168 envelopes. This specification does not cover how S/MIME agents handle 1169 certificates, only what they do after a certificate has been validated 1170 or rejected. S/MIME certification issues are covered in [CERT3]. 1172 At a minimum, for initial S/MIME deployment, a user agent could 1173 automatically generate a message to an intended recipient requesting 1174 that recipient's certificate in a signed return message. Receiving and 1175 sending agents SHOULD also provide a mechanism to allow a user to 1176 "store and protect" certificates for correspondents in such a way so 1177 as to guarantee their later retrieval. 1179 4.1 Key Pair Generation 1181 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1182 or some related administrative utility or function MUST be capable of 1183 generating separate DH and DSS public/private key pairs on behalf of 1184 the user. Each key pair MUST be generated from a good source of non- 1185 deterministic random input [RANDOM] and the private key MUST be 1186 protected in a secure fashion. 1188 If an S/MIME agent needs to generate a key pair, then the S/MIME agent 1189 or some related administrative utility or function SHOULD generate RSA 1190 key pairs. 1192 A user agent SHOULD generate RSA key pairs at a minimum key size of 1193 768 bits. A user agent MUST NOT generate RSA key pairs less than 512 1194 bits long. Creating keys longer than 1024 bits may cause some older 1195 S/MIME receiving agents to not be able to verify signatures, but gives 1196 better security and is therefore valuable. A receiving agent SHOULD be 1197 able to verify signatures with keys of any size over 512 bits. Some 1198 agents created in the United States have chosen to create 512 bit keys 1199 in order to get more advantageous export licenses. However, 512 bit 1200 keys are considered by many to be cryptographically insecure. 1201 Implementors should be aware that multiple (active) key pairs may be 1202 associated with a single individual. For example, one key pair may be 1203 used to support confidentiality, while a different key pair may be 1204 used for authentication. 1206 5. Security 1208 40-bit encryption is considered weak by most cryptographers. Using 1209 weak cryptography in S/MIME offers little actual security over sending 1210 plaintext. However, other features of S/MIME, such as the 1211 specification of tripleDES and the ability to announce stronger 1212 cryptographic capabilities to parties with whom you communicate, allow 1213 senders to create messages that use strong encryption. Using weak 1214 cryptography is never recommended unless the only alternative is no 1215 cryptography. When feasible, sending and receiving agents should 1216 inform senders and recipients the relative cryptographic strength of 1217 messages. 1219 It is impossible for most software or people to estimate the value of 1220 a message. Further, it is impossible for most software or people to 1221 estimate the actual cost of decrypting a message that is encrypted 1222 with a key of a particular size. Further, it is quite difficult to 1223 determine the cost of a failed decryption if a recipient cannot decode 1224 a message. Thus, choosing between different key sizes (or choosing 1225 whether to just use plaintext) is also impossible. However, decisions 1226 based on these criteria are made all the time, and therefore this 1227 specification gives a framework for using those estimates in choosing 1228 algorithms. 1230 If a sending agent is sending the same message using different 1231 strengths of cryptography, an attacker watching the communications 1232 channel may be able to determine the contents of the strongly- 1233 encrypted message by decrypting the weakly-encrypted version. In other 1234 words, a sender should not send a copy of a message using weaker 1235 cryptography than they would use for the original of the message. 1237 Modification of the ciphertext can go undetected if authentication is 1238 not also used, which is the case when sending EnvelopedData without 1239 wrapping it in SignedData or enclosing SignedData within it. 1241 [TBD] -- PKCS #1 v1.5 warnings (RFC 3218) 1243 [TBD] -- Small subgroup Diffie-Hellman (RFC 2785) 1245 A. ASN.1 Module 1247 SecureMimeMessageV3 1248 { iso(1) member-body(2) us(840) rsadsi(113549) 1249 pkcs(1) pkcs-9(9) smime(16) modules(0) smime(4) } 1251 DEFINITIONS IMPLICIT TAGS ::= 1252 BEGIN 1254 IMPORTS 1255 -- Cryptographic Message Syntax 1256 SubjectKeyIdentifier, IssuerAndSerialNumber, 1257 RecipientKeyIdentifier 1258 FROM CryptographicMessageSyntax 1259 { iso(1) member-body(2) us(840) rsadsi(113549) 1260 pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) }; 1262 -- id-aa is the arc with all new authenticated and unauthenticated 1263 -- attributes produced the by S/MIME Working Group 1265 id-aa OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840) 1266 rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2)} 1268 -- S/MIME Capabilities provides a method of broadcasting the symetric 1269 -- capabilities understood. Algorithms should be ordered by 1270 -- preference and grouped by type 1272 smimeCapabilities OBJECT IDENTIFIER ::= 1273 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} 1275 SMIMECapability ::= SEQUENCE { 1276 capabilityID OBJECT IDENTIFIER, 1277 parameters ANY DEFINED BY capabilityID OPTIONAL } 1279 SMIMECapabilities ::= SEQUENCE OF SMIMECapability 1281 -- Encryption Key Preference provides a method of broadcasting the 1282 -- prefered encryption certificate. 1284 id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} 1286 SMIMEEncryptionKeyPreference ::= CHOICE { 1287 issuerAndSerialNumber [0] IssuerAndSerialNumber, 1288 receipentKeyId [1] RecipientKeyIdentifier, 1289 subjectAltKeyIdentifier [2] SubjectKeyIdentifier 1290 } 1292 id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1293 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } 1295 id-cap OBJECT IDENTIFIER ::= { id-smime 11 } 1297 -- The preferBinaryInside indicates an ability to receive messages 1298 -- with binary encoding inside the CMS wrapper 1300 id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } 1302 -- The following list the OIDs to be used with S/MIME V3 1304 -- Signature Algorithms Not Found in [CMSALG] 1305 -- 1306 -- md2WithRSAEncryption OBJECT IDENTIFIER ::= 1307 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1308 -- 2} 1309 -- 1310 -- Other Signed Attributes 1311 -- 1312 -- signingTime OBJECT IDENTIFIER ::= 1313 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1314 -- 5} 1315 -- See [CMS] for a description of how to encode the attribute 1316 -- value. 1318 END 1320 B. References 1322 [CERT31] "S/MIME Version 3.1 Certificate Handling", Internet Draft 1323 draft-ietf-smime-rfc2632bis 1325 [CHARSETS] Character sets assigned by IANA. See . 1328 [CMS] "Cryptographic Message Syntax", RFC 3369 1330 [CMSALG] "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370 1332 [CMSCOMPR] "Compressed Data Content Type for Cryptographic Message 1333 Syntax (CMS)", RFC 3274 1335 [CONTDISP] "Communicating Presentation Information in Internet 1336 Messages: The Content-Disposition Header Field", RFC 2183 1338 [ESS] "Enhanced Security Services for S/MIME", RFC 2634 1340 [MIME-SPEC] The primary definition of MIME. "MIME Part 1: Format of 1341 Internet Message Bodies", RFC 2045; "MIME Part 2: Media Types", RFC 1342 2046; "MIME Part 3: Message Header Extensions for Non-ASCII Text", RFC 1343 2047; "MIME Part 4: Registration Procedures", RFC 2048; "MIME Part 5: 1344 Conformance Criteria and Examples", RFC 2049 1346 [MIME-SECURE] "Security Multiparts for MIME: Multipart/Signed and 1347 Multipart/Encrypted", RFC 1847 1349 [MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement 1350 Levels", RFC 2119 1352 [PKCS-7] "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315 1354 [RANDOM] "Randomness Recommendations for Security", RFC 1750 1356 [SMIMEV2] "S/MIME Version 2 Message Specification", RFC 2311 1358 C. Acknowledgements 1360 [tbd] 1362 D. Editor's address 1364 Blake Ramsdell 1365 Brute Squad Labs 1366 Suite 217-C 1367 16451 Redmond Way 1368 Redmond, WA 98052-4482 1370 blake@brutesquadlabs.com 1372 E. Changes from last draft 1374 Reverted cert-management to certs-only for the MIME type, and removed 1375 related backward compatibility statements (Jim Schaad, Russ Housley) 1377 Binary encoding changes (Tony Capel) 1379 Updated references to CMS, CMSALG and ESS to point to RFCs (Blake 1380 Ramsdell) 1382 Added message/rfc822 language to section 3.1 (Blake Ramsdell) 1384 Added compressed data language (new section 3.5, modifications to 1385 section 3.6, new smime-type and file extension) (Blake Ramsdell)