idnits 2.17.1 draft-ietf-smime-rfc2633bis-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document is more than 15 pages and seems to lack a Table of Contents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 1541 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 69: '...sages, an S/MIME agent MUST follow the...' RFC 2119 keyword, line 149: '...hm was changed to a MUST implement key...' RFC 2119 keyword, line 153: '...lgorithm has been included as a SHOULD...' RFC 2119 keyword, line 156: '...was changed to a MUST implement signat...' RFC 2119 keyword, line 196: '...Sending and receiving agents MUST support SHA-1 [CMSALG]. Receiving...' (103 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- ** The document contains RFC2119-like boilerplate, but doesn't seem to mention RFC 2119. The boilerplate contains a reference [MUSTSHOULD], but that reference does not seem to mention RFC 2119 either. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 26, 2004) is 7276 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'MIME-SPEC' on line 1417 looks like a reference -- Missing reference section? 'CMS' on line 1396 looks like a reference -- Missing reference section? 'PKCS-7' on line 1431 looks like a reference -- Missing reference section? 'MIME-SECURE' on line 1423 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 1428 looks like a reference -- Missing reference section? 'CMSALG' on line 1401 looks like a reference -- Missing reference section? 'ESS' on line 1412 looks like a reference -- Missing reference section? 'CMSAES' on line 1398 looks like a reference -- Missing reference section? 'CHARSETS' on line 1393 looks like a reference -- Missing reference section? 'CONTDISP' on line 1406 looks like a reference -- Missing reference section? 'FIPS180-2' on line 1414 looks like a reference -- Missing reference section? 'CMSCOMPR' on line 1403 looks like a reference -- Missing reference section? 'SMIMEV2' on line 1435 looks like a reference -- Missing reference section? 'CERT31' on line 1390 looks like a reference -- Missing reference section? 'RANDOM' on line 1433 looks like a reference -- Missing reference section? 'MMA' on line 1426 looks like a reference -- Missing reference section? 'DHSUB' on line 1409 looks like a reference -- Missing reference section? '0' on line 1355 looks like a reference -- Missing reference section? '1' on line 1356 looks like a reference -- Missing reference section? '2' on line 1357 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 22 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Editor: Blake Ramsdell, 2 draft-ietf-smime-rfc2633bis-06.txt Brute Squad Labs 3 October 26, 2003 4 Expires April 26, 2004 6 S/MIME Version 3.1 Message Specification 8 Status of this memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other 15 groups may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference material 20 or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 1. Introduction 30 S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a 31 consistent way to send and receive secure MIME data. Based on the 32 popular Internet MIME standard, S/MIME provides the following 33 cryptographic security services for electronic messaging applications: 34 authentication, message integrity and non-repudiation of origin (using 35 digital signatures) and data confidentiality (using encryption). 37 S/MIME can be used by traditional mail user agents (MUAs) to add 38 cryptographic security services to mail that is sent, and to interpret 39 cryptographic security services in mail that is received. However, 40 S/MIME is not restricted to mail; it can be used with any transport 41 mechanism that transports MIME data, such as HTTP. As such, S/MIME 42 takes advantage of the object-based features of MIME and allows secure 43 messages to be exchanged in mixed-transport systems. 45 Further, S/MIME can be used in automated message transfer agents that 46 use cryptographic security services that do not require any human 47 intervention, such as the signing of software-generated documents and 48 the encryption of FAX messages sent over the Internet. 50 1.1 Specification Overview 52 This document describes a protocol for adding cryptographic signature 53 and encryption services to MIME data. The MIME standard [MIME-SPEC] 54 provides a general structure for the content type of Internet messages 55 and allows extensions for new content type applications. 57 This specification defines how to create a MIME body part that has 58 been cryptographically enhanced according to CMS [CMS], which is 59 derived from PKCS #7 [PKCS-7]. This specification also defines the 60 application/pkcs7-mime MIME type that can be used to transport those 61 body parts. 63 This specification also discusses how to use the multipart/signed MIME 64 type defined in [MIME-SECURE] to transport S/MIME signed messages. 65 multipart/signed is used in conjunction with the 66 application/pkcs7-signature MIME type, which is used to transport 67 a detached S/MIME signature. 69 In order to create S/MIME messages, an S/MIME agent MUST follow the 70 specifications in this document, as well as the specifications 71 listed in the Cryptographic Message Syntax [CMS]. 73 Throughout this specification, there are requirements and 74 recommendations made for how receiving agents handle incoming 75 messages. There are separate requirements and recommendations for how 76 sending agents create outgoing messages. In general, the best strategy 77 is to "be liberal in what you receive and conservative in what you 78 send". Most of the requirements are placed on the handling of incoming 79 messages while the recommendations are mostly on the creation of 80 outgoing messages. 82 The separation for requirements on receiving agents and sending agents 83 also derives from the likelihood that there will be S/MIME systems 84 that involve software other than traditional Internet mail clients. 85 S/MIME can be used with any system that transports MIME data. An 86 automated process that sends an encrypted message might not be able to 87 receive an encrypted message at all, for example. Thus, the 88 requirements and recommendations for the two types of agents are 89 listed separately when appropriate. 91 1.2 Terminology 93 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 94 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 95 document are to be interpreted as described in [MUSTSHOULD]. 97 1.3 Definitions 99 For the purposes of this specification, the following definitions 100 apply. 102 ASN.1: Abstract Syntax Notation One, as defined in CCITT X.208 103 [X.208-88]. 105 BER: Basic Encoding Rules for ASN.1, as defined in CCITT X.209 106 [X.209-88]. 108 Certificate: A type that binds an entity's distinguished name to a 109 public key with a digital signature. 111 DER: Distinguished Encoding Rules for ASN.1, as defined in CCITT 112 X.509 [X.509-88]. 114 7-bit data: Text data with lines less than 998 characters long, where 115 none of the characters have the 8th bit set, and there are no NULL 116 characters. and occur only as part of a end of line 117 delimiter. 119 8-bit data: Text data with lines less than 998 characters, and where 120 none of the characters are NULL characters. and occur only 121 as part of a end of line delimiter. 123 Binary data: Arbitrary data. 125 Transfer Encoding: A reversible transformation made on data so 8-bit 126 or binary data may be sent via a channel that only transmits 7-bit 127 data. 129 Receiving agent: software that interprets and processes S/MIME CMS 130 objects, MIME body parts that contain CMS content types, or both. 132 Sending agent: software that creates S/MIME CMS content types, MIME 133 body parts that contain CMS content types, or both. 135 S/MIME agent: user software that is a receiving agent, a sending 136 agent, or both. 138 1.4 Compatibility with Prior Practice of S/MIME 140 S/MIME version 3.1 agents should attempt to have the greatest 141 interoperability possible with agents for prior versions of S/MIME. 142 S/MIME version 2 is described in RFC 2311 through RFC 2315, inclusive 143 and S/MIME version 3 is described in RFC 2630 through RFC 2634 144 inclusive. RFC 2311 also has historical information about the 145 development of S/MIME. 147 1.5 Changes Since S/MIME v3.0 149 The RSA public key algorithm was changed to a MUST implement key 150 wrapping algorithm, and the Diffie-Hellman algorithm changed to a 151 SHOULD implement. 153 The AES symmetric encryption algorithm has been included as a SHOULD 154 implement. 156 The RSA public key algorithm was changed to a MUST implement signature 157 algorithm. 159 Ambiguous language about the use of "empty" SignedData messages to 160 transmit certificates was clarified to reflect that transmission of 161 certificate revocation lists is also allowed. 163 The use of binary encoding for some MIME entities is now explicitly 164 discussed. 166 Header protection through the use of the message/rfc822 MIME type has 167 been added. 169 Use of the CompressedData CMS type is allowed, along with required 170 MIME type and file extension additions. 172 1.6 Discussion of This Specification 174 This specification is being discussed on the "ietf-smime" mailing 175 list. To subscribe, send a message to: 177 ietf-smime-request@imc.org 179 with the single word 181 subscribe 183 in the body of the message. There is a Web site for the mailing list 184 at . 186 2. CMS Options 188 CMS allows for a wide variety of options in content and algorithm 189 support. This section puts forth a number of support requirements and 190 recommendations in order to achieve a base level of interoperability 191 among all S/MIME implementations. [CMS] provides additional details 192 regarding the use of the cryptographic algorithms. 194 2.1 DigestAlgorithmIdentifier 196 Sending and receiving agents MUST support SHA-1 [CMSALG]. Receiving 197 agents SHOULD support MD5 [CMSALG] for the purpose of providing 198 backward compatibility with MD5-digested S/MIME v2 SignedData objects. 200 2.2 SignatureAlgorithmIdentifier 202 Receiving agents MUST support id-dsa-with-sha1 defined in [CMSALG]. 203 The algorithm parameters MUST be absent (not encoded as NULL). 204 Receiving agents MUST support rsaEncryption, defined in [CMSALG]. 206 Sending agents MUST support either id-dsa-with-sha1 or rsaEncryption. 208 If using rsaEncryption, sending and receiving agents MUST support the 209 algorithms in section 2.1 as specified. 211 Note that S/MIME v3 clients might only implement signing or signature 212 verification using id-dsa-with-sha1, and might also use id-dsa as an 213 AlgorithmIdentifier in this field. Receiving clients SHOULD recognize 214 id-dsa as equivalent to id-dsa-with-sha1, and sending clients MUST use 215 id-dsa-with-sha1 if using that algorithm. Also note that S/MIME v2 216 clients are only required to verify digital signatures using the 217 rsaEncryption algorithm with SHA-1 or MD5, and may not implement 218 id-dsa-with-sha1 at all. 220 2.3 KeyEncryptionAlgorithmIdentifier 222 Sending and receiving agents MUST support rsaEncryption, defined in 223 [CMSALG]. 225 Sending and receiving agents SHOULD support Diffie-Hellman defined in 226 [CMSALG], using the ephemeral-static mode. 228 Note that S/MIME v3 clients might only implement key encryption and 229 decryption using the Diffie-Hellman algorithm. Also note that S/MIME 230 v2 clients are only capable of decrypting content-encryption keys 231 using the rsaEncryption algorithm. 233 2.4 General Syntax 235 There are several CMS content types. Of these, only the Data, 236 SignedData, EnvelopedData and CompressedData content types are 237 currently used for S/MIME. 239 2.4.1 Data Content Type 241 Sending agents MUST use the id-data content type identifier to 242 identify the "inner" MIME message content. For example, when applying 243 a digital signature to MIME data, the CMS signedData encapContentInfo 244 eContentType MUST include the id-data object identifier and the MIME 245 content MUST be stored in the SignedData encapContentInfo eContent 246 OCTET STRING (unless the sending agent is using multipart/signed, in 247 which case the eContent is absent, per section 3.4.3 of this 248 document). As another example, when applying encryption to MIME data, 249 the CMS EnvelopedData encryptedContentInfo ContentType MUST include 250 the id-data object identifier and the encrypted MIME content MUST be 251 stored in the envelopedData encryptedContentInfo encryptedContent 252 OCTET STRING. 254 2.4.2 SignedData Content Type 256 Sending agents MUST use the signedData content type to apply a digital 257 signature to a message or, in a degenerate case where there is no 258 signature information, to convey certificates. 260 2.4.3 EnvelopedData Content Type 262 This content type is used to apply data confidentiality to a message. 263 A sender needs to have access to a public key for each intended 264 message recipient to use this service. This content type does not 265 provide authentication. 267 2.4.4 CompressedData Content Type 269 This content type is used to apply data compression to a message. This 270 content type does not provide authentication or privacy, and is only 271 used to reduce message size. 273 See section 3.6 for further guidance on the use of this type in 274 conjunction with other CMS types. 276 2.5 Attribute SignerInfo Type 278 The SignerInfo type allows the inclusion of unsigned and signed 279 attributes to be included along with a signature. 281 Receiving agents MUST be able to handle zero or one instance of each 282 of the signed attributes listed here. Sending agents SHOULD generate 283 one instance of each of the following signed attributes in each S/MIME 284 message: 286 - signingTime (section 2.5.1 in this document) 287 - sMIMECapabilities (section 2.5.2 in this document) 288 - sMIMEEncryptionKeyPreference (section 2.5.3 in this document) 289 - id-messageDigest (section 11.2 in [CMS]) 290 - id-contentType (section 11.1 in [CMS]) 292 Further, receiving agents SHOULD be able to handle zero or one 293 instance in the signingCertificate signed attribute, as defined in 294 section 5 of [ESS]. 296 Sending agents SHOULD generate one instance of the signingCertificate 297 signed attribute in each SignerInfo structure. 299 Additional attributes and values for these attributes may be defined 300 in the future. Receiving agents SHOULD handle attributes or values 301 that it does not recognize in a graceful manner. 303 Interactive sending agents that include signed attributes that are not 304 listed here SHOULD display those attributes to the user, so that the 305 user is aware of all of the data being signed. 307 2.5.1 Signing-Time Attribute 309 The signing-time attribute is used to convey the time that a message 310 was signed. The time of signing will most likely be created by a 311 message originator and therefore is only as trustworthy as the 312 originator. 314 Sending agents MUST encode signing time through the year 2049 as 315 UTCTime; signing times in 2050 or later MUST be encoded as 316 GeneralizedTime. When the UTCTime CHOICE is used, S/MIME agents MUST 317 interpret the year field (YY) as follows: 319 if YY is greater than or equal to 50, the year is interpreted as 19YY; 320 if YY is less than 50, the year is interpreted as 20YY. 322 2.5.2 SMIMECapabilities Attribute 324 The SMIMECapabilities attribute includes signature algorithms (such as 325 "sha1WithRSAEncryption"), symmetric algorithms (such as "DES-EDE3- 326 CBC"), and key encipherment algorithms (such as "rsaEncryption"). 327 There are also several identifiers which indicate support for other 328 optional features such as binary encoding and compression. The 329 SMIMECapabilities were designed to be flexible and extensible so that, 330 in the future, a means of identifying other capabilities and 331 preferences such as certificates can be added in a way that will not 332 cause current clients to break. 334 If present, the SMIMECapabilities attribute MUST be a SignedAttribute; 335 it MUST NOT be an UnsignedAttribute. CMS defines SignedAttributes as a 336 SET OF Attribute. The SignedAttributes in a signerInfo MUST NOT 337 include multiple instances of the SMIMECapabilities attribute. CMS 338 defines the ASN.1 syntax for Attribute to include attrValues SET OF 339 AttributeValue. A SMIMECapabilities attribute MUST only include a 340 single instance of AttributeValue. There MUST NOT be zero or multiple 341 instances of AttributeValue present in the attrValues SET OF 342 AttributeValue. 344 The semantics of the SMIMECapabilites attribute specify a partial list 345 as to what the client announcing the SMIMECapabilites can support. A 346 client does not have to list every capability it supports, and 347 probably should not list all its capabilities so that the capabilities 348 list doesn't get too long. In an SMIMECapabilities attribute, the 349 object identifiers (OIDs) are listed in order of their preference, but 350 SHOULD be logically separated along the lines of their categories 351 (signature algorithms, symmetric algorithms, key encipherment 352 algorithms, etc.) 354 The structure of the SMIMECapabilities attribute is to facilitate 355 simple table lookups and binary comparisons in order to determine 356 matches. For instance, the DER-encoding for the SMIMECapability for 357 DES EDE3 CBC MUST be identically encoded regardless of the 358 implementation. Because of the requirement for identical encoding, 359 individuals documenting algorithms to be used in the SMIMECapabilities 360 attribute should explicitly document the correct byte sequence for the 361 common cases. 363 For any capability, the associated parameters for the OID MUST specify 364 all of the parameters necessary to differentiate between two instances 365 of the same algorithm. For instance, the number of rounds and block 366 size for RC5 must be specified in addition to the key length. 368 The OIDs used with S/MIME are assigned in several different RFCs. Note 369 that all OIDs associated with the MUST and SHOULD implement algorithms 370 are included in section A of this document. 372 The OIDs that correspond to algorithms SHOULD use the same OID as the 373 actual algorithm, except in the case where the algorithm usage is 374 ambiguous from the OID. For instance, in an earlier specification, 375 rsaEncryption was ambiguous because it could refer to either a 376 signature algorithm or a key encipherment algorithm. In the event that 377 an OID is ambiguous, it needs to be arbitrated by the maintainer of 378 the registered SMIMECapabilities list as to which type of algorithm 379 will use the OID, and a new OID MUST be allocated under the 380 smimeCapabilities OID to satisfy the other use of the OID. 382 The registered SMIMECapabilities list specifies the parameters for 383 OIDs that need them, most notably key lengths in the case of variable- 384 length symmetric ciphers. In the event that there are no 385 differentiating parameters for a particular OID, the parameters MUST 386 be omitted, and MUST NOT be encoded as NULL. 388 Additional values for the SMIMECapabilities attribute may be defined 389 in the future. Receiving agents MUST handle a SMIMECapabilities object 390 that has values that it does not recognize in a graceful manner. 392 Section 2.7.1 explains a strategy for caching capabilities. 394 2.5.3 Encryption Key Preference Attribute 396 The encryption key preference attribute allows the signer to 397 unambiguously describe which of the signer's certificates has the 398 signer's preferred encryption key. This attribute is designed to 399 enhance behavior for interoperating with those clients which use 400 separate keys for encryption and signing. This attribute is used to 401 convey to anyone viewing the attribute which of the listed 402 certificates should be used for encrypting a session key for future 403 encrypted messages. 405 If present, the SMIMEEncryptionKeyPreference attribute MUST be a 406 SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines 407 SignedAttributes as a SET OF Attribute. The SignedAttributes in a 408 signerInfo MUST NOT include multiple instances of the 409 SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax 410 for Attribute to include attrValues SET OF AttributeValue. A 411 SMIMEEncryptionKeyPreference attribute MUST only include a single 412 instance of AttributeValue. There MUST NOT be zero or multiple 413 instances of AttributeValue present in the attrValues SET OF 414 AttributeValue. 416 The sending agent SHOULD include the referenced certificate in the set 417 of certificates included in the signed message if this attribute is 418 used. The certificate may be omitted if it has been previously made 419 available to the receiving agent. Sending agents SHOULD use this 420 attribute if the commonly used or preferred encryption certificate is 421 not the same as the certificate used to sign the message. 423 Receiving agents SHOULD store the preference data if the signature on 424 the message is valid and the signing time is greater than the 425 currently stored value. (As with the SMIMECapabilities, the clock skew 426 should be checked and the data not used if the skew is too great.) 427 Receiving agents SHOULD respect the sender's encryption key preference 428 attribute if possible. This however represents only a preference and 429 the receiving agent may use any certificate in replying to the sender 430 that is valid. 432 Section 2.7.1 explains a strategy for caching preference data. 434 2.5.3.1 Selection of Recipient Key Management Certificate 436 In order to determine the key management certificate to be used when 437 sending a future CMS envelopedData message for a particular recipient, 438 the following steps SHOULD be followed: 440 - If an SMIMEEncryptionKeyPreference attribute is found in a 441 signedData object received from the desired recipient, this 442 identifies the X.509 certificate that should be used as the X.509 443 key management certificate for the recipient. 445 - If an SMIMEEncryptionKeyPreference attribute is not found in a 446 signedData object received from the desired recipient, the set of 447 X.509 certificates should be searched for a X.509 certificate with 448 the same subject name as the signing X.509 certificate which can be 449 used for key management. 451 - Or use some other method of determining the user's key management 452 key. If a X.509 key management certificate is not found, then 453 encryption cannot be done with the signer of the message. If 454 multiple X.509 key management certificates are found, the S/MIME 455 agent can make an arbitrary choice between them. 457 2.6 SignerIdentifier SignerInfo Type 459 S/MIME v3.1 and S/MIME v3 requires the use of SignerInfo version 1, 460 that is the issuerAndSerialNumber CHOICE MUST be used for 461 SignerIdentifier. 463 S/MIME v3.1 implementations MUST allow for the use of the choice of 464 subjectKeyIdentifier in messages. Messages that use this choice cannot 465 be read by S/MIME v2 clients, and MUST be handled gracefully in S/MIME 466 v3.1 clients. 468 2.7 ContentEncryptionAlgorithmIdentifier 470 Sending and receiving agents MUST support encryption and decryption 471 with DES EDE3 CBC, hereinafter called "tripleDES" [CMSALG]. Receiving 472 agents SHOULD support encryption and decryption using the RC2 [CMSALG] 473 or a compatible algorithm at a key size of 40 bits, hereinafter called 474 "RC2/40". Sending and receiving agents SHOULD support encryption and 475 decryption with AES [CMSAES] at a key size of 128, 192 and 256 bits. 477 2.7.1 Deciding Which Encryption Method To Use 479 When a sending agent creates an encrypted message, it has to decide 480 which type of encryption to use. The decision process involves using 481 information garnered from the capabilities lists included in messages 482 received from the recipient, as well as out-of-band information such 483 as private agreements, user preferences, legal restrictions, and so 484 on. 486 Section 2.5.2 defines a method by which a sending agent can optionally 487 announce, among other things, its decrypting capabilities in its order 488 of preference. The following method for processing and remembering the 489 encryption capabilities attribute in incoming signed messages SHOULD 490 be used. 492 - If the receiving agent has not yet created a list of capabilities 493 for the sender's public key, then, after verifying the signature on 494 the incoming message and checking the timestamp, the receiving agent 495 SHOULD create a new list containing at least the signing time and 496 the symmetric capabilities. 498 - If such a list already exists, the receiving agent SHOULD verify 499 that the signing time in the incoming message is greater than the 500 signing time stored in the list and that the signature is valid. If 501 so, the receiving agent SHOULD update both the signing time and 502 capabilities in the list. Values of the signing time that lie far in 503 the future (that is, a greater discrepancy than any reasonable clock 504 skew), or a capabilities list in messages whose signature could not 505 be verified, MUST NOT be accepted. 507 The list of capabilities SHOULD be stored for future use in creating 508 messages. 510 Before sending a message, the sending agent MUST decide whether it is 511 willing to use weak encryption for the particular data in the message. 512 If the sending agent decides that weak encryption is unacceptable for 513 this data, then the sending agent MUST NOT use a weak algorithm such 514 as RC2/40. The decision to use or not use weak encryption overrides 515 any other decision in this section about which encryption algorithm to 516 use. 518 Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending 519 agent SHOULD use in deciding which type of encryption should be 520 applied to a message. These rules are ordered, so the sending agent 521 SHOULD make its decision in the order given. 523 2.7.1.1 Rule 1: Known Capabilities 525 If the sending agent has received a set of capabilities from the 526 recipient for the message the agent is about to encrypt, then the 527 sending agent SHOULD use that information by selecting the first 528 capability in the list (that is, the capability most preferred by the 529 intended recipient) for which the sending agent knows how to encrypt. 530 The sending agent SHOULD use one of the capabilities in the list if 531 the agent reasonably expects the recipient to be able to decrypt the 532 message. 534 2.7.1.2 Rule 2: Unknown Capabilities, Unknown Version of S/MIME 536 If the following two conditions are met: 537 - the sending agent has no knowledge of the encryption capabilities 538 of the recipient, 539 - and the sending agent has no knowledge of the version of S/MIME 540 of the recipient, 541 then the sending agent SHOULD use tripleDES because it is a stronger 542 algorithm and is required by S/MIME v3. If the sending agent chooses 543 not to use tripleDES in this step, it SHOULD use RC2/40. 545 2.7.2 Choosing Weak Encryption 547 Like all algorithms that use 40 bit keys, RC2/40 is considered by many 548 to be weak encryption. A sending agent that is controlled by a human 549 SHOULD allow a human sender to determine the risks of sending data 550 using RC2/40 or a similarly weak encryption algorithm before sending 551 the data, and possibly allow the human to use a stronger encryption 552 method such as tripleDES. 554 2.7.3 Multiple Recipients 556 If a sending agent is composing an encrypted message to a group of 557 recipients where the encryption capabilities of some of the recipients 558 do not overlap, the sending agent is forced to send more than one 559 message. It should be noted that if the sending agent chooses to send 560 a message encrypted with a strong algorithm, and then send the same 561 message encrypted with a weak algorithm, someone watching the 562 communications channel may be able to learn the contents of the 563 strongly-encrypted message simply by decrypting the weakly-encrypted 564 message. 566 3. Creating S/MIME Messages 568 This section describes the S/MIME message formats and how they are 569 created. S/MIME messages are a combination of MIME bodies and CMS 570 content types. Several MIME types as well as several CMS content types 571 are used. The data to be secured is always a canonical MIME entity. 572 The MIME entity and other data, such as certificates and algorithm 573 identifiers, are given to CMS processing facilities which produces a 574 CMS object. The CMS object is then finally wrapped in MIME. The 575 Enhanced Security Services for S/MIME [ESS] document provides examples 576 of how nested, secured S/MIME messages are formatted. ESS provides an 577 example of how a triple-wrapped S/MIME message is formatted using 578 multipart/signed and application/pkcs7-mime for the signatures. 580 S/MIME provides one format for enveloped-only data, several formats 581 for signed-only data, and several formats for signed and enveloped 582 data. Several formats are required to accommodate several 583 environments, in particular for signed messages. The criteria for 584 choosing among these formats are also described. 586 The reader of this section is expected to understand MIME as described 587 in [MIME-SPEC] and [MIME-SECURE]. 589 3.1 Preparing the MIME Entity for Signing or Enveloping 591 S/MIME is used to secure MIME entities. A MIME entity may be a sub- 592 part, sub-parts of a message, or the whole message with all its sub- 593 parts. A MIME entity that is the whole message includes only the MIME 594 headers and MIME body, and does not include the RFC-822 headers. Note 595 that S/MIME can also be used to secure MIME entities used in 596 applications other than Internet mail. If protection of the RFC-822 597 headers is required, the use of the message/rfc822 MIME type is 598 explained later in this section. 600 The MIME entity that is secured and described in this section can be 601 thought of as the "inside" MIME entity. That is, it is the "innermost" 602 object in what is possibly a larger MIME message. Processing "outside" 603 MIME entities into CMS content types is described in Section 3.2, 3.4 604 and elsewhere. 606 The procedure for preparing a MIME entity is given in [MIME-SPEC]. The 607 same procedure is used here with some additional restrictions when 608 signing. Description of the procedures from [MIME-SPEC] are repeated 609 here, but the reader should refer to that document for the exact 610 procedure. This section also describes additional requirements. 612 A single procedure is used for creating MIME entities that are to be 613 signed, enveloped, or both signed and enveloped. Some additional steps 614 are recommended to defend against known corruptions that can occur 615 during mail transport that are of particular importance for clear- 616 signing using the multipart/signed format. It is recommended that 617 these additional steps be performed on enveloped messages, or signed 618 and enveloped messages in order that the message can be forwarded to 619 any environment without modification. 621 These steps are descriptive rather than prescriptive. The implementor 622 is free to use any procedure as long as the result is the same. 624 Step 1. The MIME entity is prepared according to the local conventions 626 Step 2. The leaf parts of the MIME entity are converted to canonical 627 form 629 Step 3. Appropriate transfer encoding is applied to the leaves of the 630 MIME entity 632 When an S/MIME message is received, the security services on the 633 message are processed, and the result is the MIME entity. That MIME 634 entity is typically passed to a MIME-capable user agent where, it is 635 further decoded and presented to the user or receiving application. 637 In order to protect outer, non-content related message headers (for 638 instance, the "Subject", "To", "From" and "CC" fields), the sending 639 client MAY wrap a full MIME message in a message/rfc822 wrapper in 640 order to apply S/MIME security services to these headers. It is up to 641 the receiving client to decide how to present these "inner" headers 642 along with the unprotected "outer" headers. 644 When an S/MIME message is received, if the top-level protected MIME 645 entity has a Content-Type of message/rfc822, it can be assumed that 646 the intent was to provide header protection. This entity should be 647 presented as the top-level message, taking into account header merging 648 issues as previously discussed. 650 3.1.1 Canonicalization 652 Each MIME entity MUST be converted to a canonical form that is 653 uniquely and unambiguously representable in the environment where the 654 signature is created and the environment where the signature will be 655 verified. MIME entities MUST be canonicalized for enveloping and 656 compressing as well as signing. 658 The exact details of canonicalization depend on the actual MIME type 659 and subtype of an entity, and are not described here. Instead, the 660 standard for the particular MIME type should be consulted. For 661 example, canonicalization of type text/plain is different from 662 canonicalization of audio/basic. Other than text types, most types 663 have only one representation regardless of computing platform or 664 environment which can be considered their canonical representation. In 665 general, canonicalization will be performed by the non-security part 666 of the sending agent rather than the S/MIME implementation. 668 The most common and important canonicalization is for text, which is 669 often represented differently in different environments. MIME entities 670 of major type "text" must have both their line endings and character 671 set canonicalized. The line ending must be the pair of characters 672 , and the charset should be a registered charset [CHARSETS]. 673 The details of the canonicalization are specified in [MIME-SPEC]. The 674 chosen charset SHOULD be named in the charset parameter so that the 675 receiving agent can unambiguously determine the charset used. 677 Note that some charsets such as ISO-2022 have multiple representations 678 for the same characters. When preparing such text for signing, the 679 canonical representation specified for the charset MUST be used. 681 3.1.2 Transfer Encoding 683 When generating any of the secured MIME entities below, except the 684 signing using the multipart/signed format, no transfer encoding at all 685 is required. S/MIME implementations MUST be able to deal with binary 686 MIME objects. If no Content-Transfer-Encoding header is present, the 687 transfer encoding should be considered 7BIT. 689 S/MIME implementations SHOULD however use transfer encoding described 690 in section 3.1.3 for all MIME entities they secure. The reason for 691 securing only 7-bit MIME entities, even for enveloped data that are 692 not exposed to the transport, is that it allows the MIME entity to be 693 handled in any environment without changing it. For example, a trusted 694 gateway might remove the envelope, but not the signature, of a 695 message, and then forward the signed message on to the end recipient 696 so that they can verify the signatures directly. If the transport 697 internal to the site is not 8-bit clean, such as on a wide-area 698 network with a single mail gateway, verifying the signature will not 699 be possible unless the original MIME entity was only 7-bit data. 701 S/MIME implementations which "know" that all intended recipient(s) are 702 capable of handling inner (all but the outermost) binary MIME objects 703 SHOULD use binary encoding as opposed to a 7-bit-safe transfer 704 encoding for the inner entities. The use of a 7-bit-safe encoding 705 (such as base64) would unnecessarily expand the message size. 706 Implementations MAY "know" that recipient implementations are capable 707 of handling inner binary MIME entities either by interpreting the 708 id-cap-preferBinaryInside sMIMECapabilities attribute, by prior 709 agreement, or by other means. 711 If one or more intended recipients are unable to handle inner binary 712 MIME objects, or if this capability in unknown for any of the intended 713 recipients, S/MIME implementations SHOULD use transfer encoding 714 described in section 3.1.3 for all MIME entities they secure. 716 3.1.3 Transfer Encoding for Signing Using multipart/signed 718 If a multipart/signed entity is ever to be transmitted over the 719 standard Internet SMTP infrastructure or other transport that is 720 constrained to 7-bit text, it MUST have transfer encoding applied so 721 that it is represented as 7-bit text. MIME entities that are 7-bit 722 data already need no transfer encoding. Entities such as 8-bit text 723 and binary data can be encoded with quoted-printable or base-64 724 transfer encoding. 726 The primary reason for the 7-bit requirement is that the Internet mail 727 transport infrastructure cannot guarantee transport of 8-bit or binary 728 data. Even though many segments of the transport infrastructure now 729 handle 8-bit and even binary data, it is sometimes not possible to 730 know whether the transport path is 8-bit clear. If a mail message with 731 8-bit data were to encounter a message transfer agent that can not 732 transmit 8-bit or binary data, the agent has three options, none of 733 which are acceptable for a clear-signed message: 735 - The agent could change the transfer encoding; this would invalidate 736 the signature. 737 - The agent could transmit the data anyway, which would most likely 738 result in the 8th bit being corrupted; this too would invalidate the 739 signature. 740 - The agent could return the message to the sender. 742 [MIME-SECURE] prohibits an agent from changing the transfer encoding 743 of the first part of a multipart/signed message. If a compliant agent 744 that can not transmit 8-bit or binary data encounters a 745 multipart/signed message with 8-bit or binary data in the first part, 746 it would have to return the message to the sender as undeliverable. 748 3.1.4 Sample Canonical MIME Entity 750 This example shows a multipart/mixed message with full transfer 751 encoding. This message contains a text part and an attachment. The 752 sample message text includes characters that are not US-ASCII and thus 753 must be transfer encoded. Though not shown here, the end of each line 754 is . The line ending of the MIME headers, the text, and 755 transfer encoded parts, all must be . 757 Note that this example is not of an S/MIME message. 759 Content-Type: multipart/mixed; boundary=bar 761 --bar 762 Content-Type: text/plain; charset=iso-8859-1 763 Content-Transfer-Encoding: quoted-printable 765 =A1Hola Michael! 767 How do you like the new S/MIME specification? 769 It's generally a good idea to encode lines that begin with 770 From=20because some mail transport agents will insert a greater- 771 than (>) sign, thus invalidating the signature. 773 Also, in some cases it might be desirable to encode any =20 774 trailing whitespace that occurs on lines in order to ensure =20 775 that the message signature is not invalidated when passing =20 776 a gateway that modifies such whitespace (like BITNET). =20 778 --bar 779 Content-Type: image/jpeg 780 Content-Transfer-Encoding: base64 782 iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC// 783 jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq 784 uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn 785 HOxEa44b+EI= 787 --bar-- 789 3.2 The application/pkcs7-mime Type 791 The application/pkcs7-mime type is used to carry CMS content types 792 including envelopedData, signedData and compressedData. The details of 793 constructing these entities is described in subsequent sections. This 794 section describes the general characteristics of the 795 application/pkcs7-mime type. 797 The carried CMS object always contains a MIME entity that is prepared 798 as described in section 3.1 if the eContentType is id-data. Other 799 contents may be carried when the eContentType contains different 800 values. See [ESS] for an example of this with signed receipts. 802 Since CMS content types are binary data, in most cases base-64 803 transfer encoding is appropriate, in particular when used with SMTP 804 transport. The transfer encoding used depends on the transport through 805 which the object is to be sent, and is not a characteristic of the 806 MIME type. 808 Note that this discussion refers to the transfer encoding of the CMS 809 object or "outside" MIME entity. It is completely distinct from, and 810 unrelated to, the transfer encoding of the MIME entity secured by the 811 CMS object, the "inside" object, which is described in section 3.1. 813 Because there are several types of application/pkcs7-mime objects, a 814 sending agent SHOULD do as much as possible to help a receiving agent 815 know about the contents of the object without forcing the receiving 816 agent to decode the ASN.1 for the object. The MIME headers of all 817 application/pkcs7-mime objects SHOULD include the optional "smime- 818 type" parameter, as described in the following sections. 820 3.2.1 The name and filename Parameters 822 For the application/pkcs7-mime, sending agents SHOULD emit the 823 optional "name" parameter to the Content-Type field for compatibility 824 with older systems. Sending agents SHOULD also emit the optional 825 Content-Disposition field [CONTDISP] with the "filename" parameter. If 826 a sending agent emits the above parameters, the value of the 827 parameters SHOULD be a file name with the appropriate extension: 829 MIME Type File Extension 831 Application/pkcs7-mime (signedData, envelopedData) .p7m 833 Application/pkcs7-mime (degenerate signedData .p7c 834 certificate management message) 836 Application/pkcs7-mime (compressedData) .p7z 838 Application/pkcs7-signature .p7s 840 In addition, the file name SHOULD be limited to eight characters 841 followed by a three letter extension. The eight character filename 842 base can be any distinct name; the use of the filename base "smime" 843 SHOULD be used to indicate that the MIME entity is associated with 844 S/MIME. 846 Including a file name serves two purposes. It facilitates easier use 847 of S/MIME objects as files on disk. It also can convey type 848 information across gateways. When a MIME entity of type 849 application/pkcs7-mime (for example) arrives at a gateway that has no 850 special knowledge of S/MIME, it will default the entity's MIME type to 851 application/octet-stream and treat it as a generic attachment, thus 852 losing the type information. However, the suggested filename for an 853 attachment is often carried across a gateway. This often allows the 854 receiving systems to determine the appropriate application to hand the 855 attachment off to, in this case a stand-alone S/MIME processing 856 application. Note that this mechanism is provided as a convenience for 857 implementations in certain environments. A proper S/MIME 858 implementation MUST use the MIME types and MUST NOT rely on the file 859 extensions. 861 3.2.2 The smime-type parameter 863 The application/pkcs7-mime content type defines the optional "smime- 864 type" parameter. The intent of this parameter is to convey details 865 about the security applied (signed or enveloped) along with 866 information about the contained content. This specification defines 867 the following smime-types. 869 Name CMS type Inner Content 871 enveloped-data EnvelopedData id-data 873 signed-data SignedData id-data 875 certs-only SignedData none 877 compressed-data CompressedData id-data 879 In order that consistency can be obtained with future, the following 880 guidelines should be followed when assigning a new smime-type 881 parameter. 883 1. If both signing and encryption can be applied to the content, then 884 two values for smime-type SHOULD be assigned "signed-*" and 885 "encrypted-*". If one operation can be assigned then this may be 886 omitted. Thus since "certs-only" can only be signed, "signed-" is 887 omitted. 889 2. A common string for a content oid should be assigned. We use "data" 890 for the id-data content OID when MIME is the inner content. 892 3. If no common string is assigned. Then the common string of 893 "OID." is recommended (for example, "OID.1.3.6.1.5.5.7.6.1" would 894 be DES40). 896 3.3 Creating an Enveloped-only Message 898 This section describes the format for enveloping a MIME entity without 899 signing it. It is important to note that sending enveloped but not 900 signed messages does not provide for data integrity. It is possible to 901 replace ciphertext in such a way that the processed message will still 902 be valid, but the meaning may be altered. 904 Step 1. The MIME entity to be enveloped is prepared according to 905 section 3.1. 907 Step 2. The MIME entity and other required data is processed into a 908 CMS object of type envelopedData. In addition to encrypting a copy of 909 the content-encryption key for each recipient, a copy of the content- 910 encryption key SHOULD be encrypted for the originator and included in 911 the envelopedData (see CMS Section 6). 913 Step 3. The envelopedData object is wrapped in a CMS ContentInfo 914 object. 916 Step 4. The ContentInfo object is inserted into an 917 application/pkcs7-mime MIME entity. 919 The smime-type parameter for enveloped-only messages is "enveloped- 920 data". The file extension for this type of message is ".p7m". 922 A sample message would be: 924 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; 925 name=smime.p7m 926 Content-Transfer-Encoding: base64 927 Content-Disposition: attachment; filename=smime.p7m 929 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 930 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 931 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 932 0GhIGfHfQbnj756YT64V 934 3.4 Creating a Signed-only Message 936 There are two formats for signed messages defined for S/MIME: 937 application/pkcs7-mime with SignedData, and multipart/signed. In 938 general, the multipart/signed form is preferred for sending, and 939 receiving agents SHOULD be able to handle both. 941 3.4.1 Choosing a Format for Signed-only Messages 943 There are no hard-and-fast rules when a particular signed-only format 944 should be chosen because it depends on the capabilities of all the 945 receivers and the relative importance of receivers with S/MIME 946 facilities being able to verify the signature versus the importance of 947 receivers without S/MIME software being able to view the message. 949 Messages signed using the multipart/signed format can always be viewed 950 by the receiver whether they have S/MIME software or not. They can 951 also be viewed whether they are using a MIME-native user agent or they 952 have messages translated by a gateway. In this context, "be viewed" 953 means the ability to process the message essentially as if it were not 954 a signed message, including any other MIME structure the message might 955 have. 957 Messages signed using the signedData format cannot be viewed by a 958 recipient unless they have S/MIME facilities. However, the signedData 959 format protects the message content from being changed by benign 960 intermediate agents. Such agents might do line wrapping or 961 content-transfer encoding changes which would break the signature. 963 3.4.2 Signing Using application/pkcs7-mime with SignedData 965 This signing format uses the application/pkcs7-mime MIME type. The 966 steps to create this format are: 968 Step 1. The MIME entity is prepared according to section 3.1 970 Step 2. The MIME entity and other required data is processed into a 971 CMS object of type signedData 973 Step 3. The signedData object is wrapped in a CMS ContentInfo 974 object. 976 Step 4. The ContentInfo object is inserted into an 977 application/pkcs7-mime MIME entity. 979 The smime-type parameter for messages using application/pkcs7-mime 980 with SignedData is "signed-data". The file extension for this type of 981 message is ".p7m". 983 A sample message would be: 985 Content-Type: application/pkcs7-mime; smime-type=signed-data; 986 name=smime.p7m 987 Content-Transfer-Encoding: base64 988 Content-Disposition: attachment; filename=smime.p7m 990 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 991 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH 992 HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 993 6YT64V0GhIGfHfQbnj75 995 3.4.3 Signing Using the multipart/signed Format 997 This format is a clear-signing format. Recipients without any S/MIME 998 or CMS processing facilities are able to view the message. It makes 999 use of the multipart/signed MIME type described in [MIME-SECURE]. The 1000 multipart/signed MIME type has two parts. The first part contains the 1001 MIME entity that is signed; the second part contains the "detached 1002 signature" CMS SignedData object in which the encapContentInfo 1003 eContent field is absent. 1005 3.4.3.1 The application/pkcs7-signature MIME Type 1007 This MIME type always contains a CMS ContentInfo containing a single 1008 CMS object of type signedData. The signedData encapContentInfo 1009 eContent field MUST be absent. The signerInfos field contains the 1010 signatures for the MIME entity. 1012 The file extension for signed-only messages using application/pkcs7- 1013 signature is ".p7s". 1015 3.4.3.2 Creating a multipart/signed Message 1017 Step 1. The MIME entity to be signed is prepared according to section 1018 3.1, taking special care for clear-signing. 1020 Step 2. The MIME entity is presented to CMS processing in order to 1021 obtain an object of type signedData in which the encapContentInfo 1022 eContent field is absent. 1024 Step 3. The MIME entity is inserted into the first part of a 1025 multipart/signed message with no processing other than that described 1026 in section 3.1. 1028 Step 4. Transfer encoding is applied to the "detached signature" CMS 1029 SignedData object and it is inserted into a MIME entity of type 1030 application/pkcs7-signature. 1032 Step 5. The MIME entity of the application/pkcs7-signature is inserted 1033 into the second part of the multipart/signed entity. 1035 The multipart/signed Content type has two required parameters: the 1036 protocol parameter and the micalg parameter. 1038 The protocol parameter MUST be "application/pkcs7-signature". Note 1039 that quotation marks are required around the protocol parameter 1040 because MIME requires that the "/" character in the parameter value 1041 MUST be quoted. 1043 The micalg parameter allows for one-pass processing when the signature 1044 is being verified. The value of the micalg parameter is dependent on 1045 the message digest algorithm(s) used in the calculation of the Message 1046 Integrity Check. If multiple message digest algorithms are used they 1047 MUST be separated by commas per [MIME-SECURE]. The values to be placed 1048 in the micalg parameter SHOULD be from the following: 1050 Algorithm Value 1051 used 1053 MD5 md5 1054 SHA-1 sha1 1055 SHA-256 sha256 1056 SHA-384 sha384 1057 SHA-512 sha512 1058 Any other (defined separately in algorithm profile or "unknown" 1059 if not defined) 1061 (Historical note: some early implementations of S/MIME emitted and 1062 expected "rsa-md5" and "rsa-sha1" for the micalg parameter.) Receiving 1063 agents SHOULD be able to recover gracefully from a micalg parameter 1064 value that they do not recognize. 1066 The SHA-256, SHA-384 and SHA-512 algorithms [FIPS180-2] are not 1067 currently supported in S/MIME, and are included here for completeness. 1069 3.4.3.3 Sample multipart/signed Message 1071 Content-Type: multipart/signed; 1072 protocol="application/pkcs7-signature"; 1073 micalg=sha1; boundary=boundary42 1075 --boundary42 1076 Content-Type: text/plain 1078 This is a clear-signed message. 1080 --boundary42 1081 Content-Type: application/pkcs7-signature; name=smime.p7s 1082 Content-Transfer-Encoding: base64 1083 Content-Disposition: attachment; filename=smime.p7s 1085 ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 1086 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj 1087 n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 1088 7GhIGfHfYT64VQbnj756 1090 --boundary42-- 1092 The content that is digested (the first part of the multipart/signed) 1093 are the bytes: 1095 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 1096 6e 0d 0a 0d 0a 54 68 69 73 20 69 73 20 61 20 63 6c 65 61 72 2d 73 69 1097 67 6e 65 64 20 6d 65 73 73 61 67 65 2e 0d 0a 1099 3.5 Creating an Compressed-only Message 1101 This section describes the format for compressing a MIME entity. 1102 Please note that versions of S/MIME prior to 3.1 did not specify any 1103 use of compressedData, and will not recognize it. The use of a 1104 capability to indicate the ability to receive compressedData is 1105 described in [CMSCOMPR] and is the preferred method for compatibility. 1107 Step 1. The MIME entity to be enveloped is prepared according to 1108 section 3.1. 1110 Step 2. The MIME entity and other required data is processed into a 1111 CMS object of type compressedData. 1113 Step 3. The compressedData object is wrapped in a CMS ContentInfo 1114 object. 1116 Step 4. The ContentInfo object is inserted into an 1117 application/pkcs7-mime MIME entity. 1119 The smime-type parameter for compressed-only messages is "compressed- 1120 data". The file extension for this type of message is ".p7z". 1122 A sample message would be: 1124 Content-Type: application/pkcs7-mime; smime-type=compressed-data; 1125 name=smime.p7z 1126 Content-Transfer-Encoding: base64 1127 Content-Disposition: attachment; filename=smime.p7z 1129 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 1130 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 1131 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 1132 0GhIGfHfQbnj756YT64V 1134 3.6 Multiple Operations 1136 The signed-only, encrypted-only, and compressed-only MIME formats can 1137 be nested. This works because these formats are all MIME entities that 1138 encapsulate other MIME entities. 1140 An S/MIME implementation MUST be able to receive and process 1141 arbitrarily nested S/MIME within reasonable resource limits of the 1142 recipient computer. 1144 It is possible to apply any of the signing, encrypting and compressing 1145 operations in any order. It is up to the implementor and the user to 1146 choose. When signing first, the signatories are then securely obscured 1147 by the enveloping. When enveloping first the signatories are exposed, 1148 but it is possible to verify signatures without removing the 1149 enveloping. This may be useful in an environment were automatic 1150 signature verification is desired, as no private key material is 1151 required to verify a signature. 1153 There are security ramifications to choosing whether to sign first or 1154 encrypt first. A recipient of a message that is encrypted and then 1155 signed can validate that the encrypted block was unaltered, but cannot 1156 determine any relationship between the signer and the unencrypted 1157 contents of the message. A recipient of a message that is signed-then- 1158 encrypted can assume that the signed message itself has not been 1159 altered, but that a careful attacker may have changed the 1160 unauthenticated portions of the encrypted message. 1162 When using compression, keep the following guidelines in mind: 1164 - Compression of binary encoded encrypted data is discouraged, since 1165 it will not yield significant compression. Base64 encrypted data 1166 could very well benefit, however. 1167 - If a lossy compression algorithm is used with signing, you will need 1168 to compress first, then sign. 1170 3.7 Creating a Certificate Management Message 1172 The certificate management message or MIME entity is used to transport 1173 certificates and/or certificate revocation lists, such as in response 1174 to a registration request. 1176 Step 1. The certificates and/or certificate revocation lists are made 1177 available to the CMS generating process which creates a CMS object of 1178 type signedData. The signedData encapContentInfo eContent field MUST 1179 be absent and signerInfos field MUST be empty. 1181 Step 2. The signedData object is wrapped in a CMS ContentInfo 1182 object. 1184 Step 3. The ContentInfo object is enclosed in an application/pkcs7- 1185 mime MIME entity 1187 The smime-type parameter for a certificate management message is 1188 "certs-only". The file extension for this type of message is ".p7c". 1190 3.8 Registration Requests 1192 A sending agent that signs messages MUST have a certificate for the 1193 signature so that a receiving agent can verify the signature. There 1194 are many ways of getting certificates, such as through an exchange 1195 with a certificate authority, through a hardware token or diskette, 1196 and so on. 1198 S/MIME v2 [SMIMEV2] specified a method for "registering" public keys 1199 with certificate authorities using an application/pkcs10 body part. 1200 Since that time, the IETF PKIX Working Group has developed other 1201 methods for requesting certificates. However, S/MIME v3.1 does not 1202 require a particular certificate request mechanism. 1204 3.9 Identifying an S/MIME Message 1206 Because S/MIME takes into account interoperation in non-MIME 1207 environments, several different mechanisms are employed to carry the 1208 type information, and it becomes a bit difficult to identify S/MIME 1209 messages. The following table lists criteria for determining whether 1210 or not a message is an S/MIME message. A message is considered an 1211 S/MIME message if it matches any of the criteria listed below. 1213 The file suffix in the table below comes from the "name" parameter in 1214 the content-type header, or the "filename" parameter on the content- 1215 disposition header. These parameters that give the file suffix are not 1216 listed below as part of the parameter section. 1218 MIME type: application/pkcs7-mime 1219 parameters: any 1220 file suffix: any 1222 MIME type: multipart/signed 1223 parameters: protocol="application/pkcs7-signature" 1224 file suffix: any 1226 MIME type: application/octet-stream 1227 parameters: any 1228 file suffix: p7m, p7s, p7c, p7z 1230 4. Certificate Processing 1232 A receiving agent MUST provide some certificate retrieval mechanism in 1233 order to gain access to certificates for recipients of digital 1234 envelopes. This specification does not cover how S/MIME agents handle 1235 certificates, only what they do after a certificate has been validated 1236 or rejected. S/MIME certification issues are covered in [CERT31]. 1238 At a minimum, for initial S/MIME deployment, a user agent could 1239 automatically generate a message to an intended recipient requesting 1240 that recipient's certificate in a signed return message. Receiving and 1241 sending agents SHOULD also provide a mechanism to allow a user to 1242 "store and protect" certificates for correspondents in such a way so 1243 as to guarantee their later retrieval. 1245 4.1 Key Pair Generation 1247 All generated key pairs MUST be generated from a good source of non- 1248 deterministic random input [RANDOM] and the private key MUST be 1249 protected in a secure fashion. 1251 If an S/MIME agent needs to generate an RSA key pair, then the S/MIME 1252 agent or some related administrative utility or function SHOULD 1253 generate RSA key pairs using the following guidelines. A user agent 1254 SHOULD generate RSA key pairs at a minimum key size of 768 bits. A 1255 user agent MUST NOT generate RSA key pairs less than 512 bits long. 1256 Creating keys longer than 1024 bits may cause some older S/MIME 1257 receiving agents to not be able to verify signatures, but gives better 1258 security and is therefore valuable. A receiving agent SHOULD be able 1259 to verify signatures with keys of any size over 512 bits. Some agents 1260 created in the United States have chosen to create 512 bit keys in 1261 order to get more advantageous export licenses. However, 512 bit keys 1262 are considered by many to be cryptographically insecure. Implementors 1263 should be aware that multiple (active) key pairs may be associated 1264 with a single individual. For example, one key pair may be used to 1265 support confidentiality, while a different key pair may be used for 1266 authentication. 1268 5. Security 1270 40-bit encryption is considered weak by most cryptographers. Using 1271 weak cryptography in S/MIME offers little actual security over sending 1272 plaintext. However, other features of S/MIME, such as the 1273 specification of tripleDES and the ability to announce stronger 1274 cryptographic capabilities to parties with whom you communicate, allow 1275 senders to create messages that use strong encryption. Using weak 1276 cryptography is never recommended unless the only alternative is no 1277 cryptography. When feasible, sending and receiving agents should 1278 inform senders and recipients the relative cryptographic strength of 1279 messages. 1281 It is impossible for most software or people to estimate the value of 1282 a message. Further, it is impossible for most software or people to 1283 estimate the actual cost of decrypting a message that is encrypted 1284 with a key of a particular size. Further, it is quite difficult to 1285 determine the cost of a failed decryption if a recipient cannot decode 1286 a message. Thus, choosing between different key sizes (or choosing 1287 whether to just use plaintext) is also impossible. However, decisions 1288 based on these criteria are made all the time, and therefore this 1289 specification gives a framework for using those estimates in choosing 1290 algorithms. 1292 If a sending agent is sending the same message using different 1293 strengths of cryptography, an attacker watching the communications 1294 channel may be able to determine the contents of the strongly- 1295 encrypted message by decrypting the weakly-encrypted version. In other 1296 words, a sender should not send a copy of a message using weaker 1297 cryptography than they would use for the original of the message. 1299 Modification of the ciphertext can go undetected if authentication is 1300 not also used, which is the case when sending EnvelopedData without 1301 wrapping it in SignedData or enclosing SignedData within it. 1303 See RFC 3218 [MMA] for more information about thwarting the adaptive 1304 chosen ciphertext vulnerability in PKCS #1 Version 1.5 1305 implementations. 1307 In some circumstances the use of the Diffie-Hellman key agreement 1308 scheme in a prime order subgroup of a large prime p is vulnerable to 1309 certain attacks known as "small-subgroup" attacks. Methods exist, 1310 however, to prevent these attacks. These methods are described in RFC 1311 2785 [DHSUB]. 1313 A. ASN.1 Module 1315 SecureMimeMessageV3dot1 1316 { iso(1) member-body(2) us(840) rsadsi(113549) 1317 pkcs(1) pkcs-9(9) smime(16) modules(0) msg-v3dot1(21) } 1319 DEFINITIONS IMPLICIT TAGS ::= 1320 BEGIN 1322 IMPORTS 1323 -- Cryptographic Message Syntax 1324 SubjectKeyIdentifier, IssuerAndSerialNumber, 1325 RecipientKeyIdentifier 1326 FROM CryptographicMessageSyntax 1327 { iso(1) member-body(2) us(840) rsadsi(113549) 1328 pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) }; 1330 -- id-aa is the arc with all new authenticated and unauthenticated 1331 -- attributes produced the by S/MIME Working Group 1333 id-aa OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840) 1334 rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2)} 1336 -- S/MIME Capabilities provides a method of broadcasting the symetric 1337 -- capabilities understood. Algorithms should be ordered by 1338 -- preference and grouped by type 1340 smimeCapabilities OBJECT IDENTIFIER ::= 1341 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} 1343 SMIMECapability ::= SEQUENCE { 1344 capabilityID OBJECT IDENTIFIER, 1345 parameters ANY DEFINED BY capabilityID OPTIONAL } 1347 SMIMECapabilities ::= SEQUENCE OF SMIMECapability 1349 -- Encryption Key Preference provides a method of broadcasting the 1350 -- prefered encryption certificate. 1352 id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} 1354 SMIMEEncryptionKeyPreference ::= CHOICE { 1355 issuerAndSerialNumber [0] IssuerAndSerialNumber, 1356 receipentKeyId [1] RecipientKeyIdentifier, 1357 subjectAltKeyIdentifier [2] SubjectKeyIdentifier 1358 } 1360 id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1361 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } 1363 id-cap OBJECT IDENTIFIER ::= { id-smime 11 } 1365 -- The preferBinaryInside indicates an ability to receive messages 1366 -- with binary encoding inside the CMS wrapper 1368 id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } 1370 -- The following list the OIDs to be used with S/MIME V3 1372 -- Signature Algorithms Not Found in [CMSALG] 1373 -- 1374 -- md2WithRSAEncryption OBJECT IDENTIFIER ::= 1375 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1376 -- 2} 1377 -- 1378 -- Other Signed Attributes 1379 -- 1380 -- signingTime OBJECT IDENTIFIER ::= 1381 -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1382 -- 5} 1383 -- See [CMS] for a description of how to encode the attribute 1384 -- value. 1386 END 1388 B. References 1390 [CERT31] "S/MIME Version 3.1 Certificate Handling", Internet Draft 1391 draft-ietf-smime-rfc2632bis 1393 [CHARSETS] Character sets assigned by IANA. See . 1396 [CMS] "Cryptographic Message Syntax", RFC 3369 1398 [CMSAES] "Use of the AES Encryption Algorithm in CMS", 1399 draft-ietf-smime-aes-alg-07 1401 [CMSALG] "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370 1403 [CMSCOMPR] "Compressed Data Content Type for Cryptographic Message 1404 Syntax (CMS)", RFC 3274 1406 [CONTDISP] "Communicating Presentation Information in Internet 1407 Messages: The Content-Disposition Header Field", RFC 2183 1409 [DHSUB] "Methods for Avoiding the "Small-Subgroup" Attacks on the 1410 Diffie-Hellman Key Agreement Method for S/MIME", RFC 2785 1412 [ESS] "Enhanced Security Services for S/MIME", RFC 2634 1414 [FIPS180-2] "Secure Hash Signature Standard (SHS)", National Institute 1415 of Standards and Technology (NIST). FIPS Publication 180-2 1417 [MIME-SPEC] The primary definition of MIME. "MIME Part 1: Format of 1418 Internet Message Bodies", RFC 2045; "MIME Part 2: Media Types", RFC 1419 2046; "MIME Part 3: Message Header Extensions for Non-ASCII Text", RFC 1420 2047; "MIME Part 4: Registration Procedures", RFC 2048; "MIME Part 5: 1421 Conformance Criteria and Examples", RFC 2049 1423 [MIME-SECURE] "Security Multiparts for MIME: Multipart/Signed and 1424 Multipart/Encrypted", RFC 1847 1426 [MMA] "Preventing the Million Message Attack on CMS", RFC 3218 1428 [MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement 1429 Levels", RFC 2119 1431 [PKCS-7] "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315 1433 [RANDOM] "Randomness Recommendations for Security", RFC 1750 1435 [SMIMEV2] "S/MIME Version 2 Message Specification", RFC 2311 1437 [X.208-88] CCITT. Recommendation X.208: Specification of Abstract 1438 Syntax Notation One (ASN.1). 1988. 1440 [X.209-88] CCITT. Recommendation X.209: Specification of Basic 1441 Encoding Rules for Abstract Syntax Notation One (ASN.1). 1988. 1443 [X.509-88] CCITT. Recommendation X.509: The Directory - Authentication 1444 Framework. 1988. 1446 C. Acknowledgements 1448 Many thanks go out to the other authors of the S/MIME Version 2 1449 Message Specification RFC: Steve Dusse, Paul Hoffman, Laurence 1450 Lundblade and Lisa Repka. 1452 A number of the members of the S/MIME Working Group have also worked 1453 very hard and contributed to this document. Any list of people is 1454 doomed to omission, and for that I apologize. In alphabetical order, 1455 the following people stand out in my mind due to the fact that they 1456 made direct contributions to this document. 1458 Tony Capel 1459 Piers Chivers 1460 Dave Crocker 1461 Bill Flanigan 1462 Paul Hoffman 1463 Russ Housley 1464 William Ottaway 1465 John Pawling 1466 Jim Schaad 1468 D. Editor's address 1470 Blake Ramsdell 1471 Brute Squad Labs 1472 Suite 407-C 1473 16451 Redmond Way 1474 Redmond, WA 98052-4482 1476 blake@brutesquadlabs.com 1478 E. Changes from last draft 1480 Numerous changes (Jim Schaad)