idnits 2.17.1 draft-ietf-smime-x400wrap-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 533 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There is 1 instance of too long lines in the document, the longest one being 1 character in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 129: '...Sending and receiving agents MUST support SHA-1 [SHA1]....' RFC 2119 keyword, line 133: '...Sending and receiving agents MUST support id-dsa defined in [DSS]. The...' RFC 2119 keyword, line 134: '...rithm parameters MUST be absent (not e...' RFC 2119 keyword, line 136: '...Receiving agents MAY support rsaEncryption, defined in [PKCS-1]....' RFC 2119 keyword, line 138: '...Sending agents MAY support rsaEncrypti...' (43 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 22, 2001) is 8346 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'CMS' on line 464 looks like a reference -- Missing reference section? 'MSG' on line 475 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 478 looks like a reference -- Missing reference section? 'SHA1' on line 484 looks like a reference -- Missing reference section? 'DSS' on line 470 looks like a reference -- Missing reference section? 'PKCS-1' on line 481 looks like a reference -- Missing reference section? 'DH' on line 467 looks like a reference -- Missing reference section? 'ESS' on line 472 looks like a reference -- Missing reference section? 'CERT3' on line 461 looks like a reference Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 11 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Paul Hoffman, IMC 2 draft-ietf-smime-x400wrap-01.txt Chris Bonatti, IECA 3 November 22, 2000 Anders Eggen, FFI 4 Expires May 22, 2001 6 Securing X.400 Content with S/MIME 8 Status of this Memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other groups 15 may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference material 20 or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 Abstract 30 This document describes a protocol for adding cryptographic signature 31 and encryption services to X.400 content. 33 1. Introduction 35 The techniques described in the Cryptographic Message Syntax [CMS] 36 specification are general enough to support many different content 37 types. The [CMS] specification thus provides many options for providing 38 different security mechanisms. In order to ensure interoperability of 39 systems within the X.400 community, it is necessary to specify the use 40 of CMS features to protect X.400 content (called "CMS-X.400" in this 41 document). 43 1.1 Specification Overview 45 This document is intended to be similar to the S/MIME Version 3 Message 46 Specification [MSG] except that it is tailored to the requirements of 47 X.400 content rather than Multipurpose Internet Mail Extensions (MIME). 49 This document defines how to create an X.400 content type that has been 50 cryptographically enhanced according to [CMS]. In order to create S/MIME 51 messages carrying X.400 content, an S/MIME agent has to follow 52 specifications in this document, as well as the specifications listed in 53 [CMS]. This memo also defines new parameter values for the 54 application/pkcs7-mime MIME type that can be used to transport those 55 body parts. 57 Throughout this document, there are requirements and recommendations 58 made for how receiving agents handle incoming messages. There are 59 separate requirements and recommendations for how sending agents create 60 outgoing messages. In general, the best strategy is to "be liberal in 61 what you receive and conservative in what you send". Most of the 62 requirements are placed on the handling of incoming messages while the 63 recommendations are mostly on the creation of outgoing messages. 65 This document does not address transport of CMS-X.400 content. It is 66 assumed that CMS-X.400 content would be transported by Internet mail 67 systems, X.400, or other suitable transport. 69 1.2 Terminology 71 The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED", and 72 "MAY" in this document are to be interpreted as described in RFC 2119 73 [MUSTSHOULD]. 75 1.3 Definitions 77 For the purposes of this document, the following definitions apply. 79 ASN.1: Abstract Syntax Notation One, as defined in ISO/IEC 8824. 81 BER: Basic Encoding Rules for ASN.1, as defined in ISO/IEC 8825-1. 83 Certificate: A type that binds an entity's distinguished name to a 84 public key with a digital signature. 86 DER: Distinguished Encoding Rules for ASN.1, as defined in ISO/IEC 87 8825-1. 89 7-bit data: Text data with lines less than 998 characters long, where 90 none of the characters have the 8th bit set, and there are no NULL 91 characters. and occur only as part of a end of line 92 delimiter. 94 8-bit data: Text data with lines less than 998 characters, and where 95 none of the characters are NULL characters. and occur only as 96 part of a end of line delimiter. 98 Binary data: Arbitrary data. 100 Transfer Encoding: A reversible transformation made on data so 8-bit or 101 binary data may be sent via a channel that only transmits 7-bit data. 103 Receiving agent: software that interprets and processes S/MIME CMS 104 objects 106 Sending agent: software that creates S/MIME CMS objects. 108 S/MIME agent: user software that is a receiving agent, a sending agent, 109 or both. 111 1.4 Compatibility with Prior Practice of S/MIME 113 There are believed to be no existing X.400 implementations that support 114 S/MIME version 2. Further, signed interoperability between X.400 and 115 MIME systems that support S/MIME version 2 is not believed to be easily 116 achievable. Therefore backward compatibility with S/MIME version 2 is 117 not considered to be a requirement for this document. 119 2. CMS Options 121 CMS allows for a wide variety of options in content and algorithm 122 support. This section puts forth a number of support requirements and 123 recommendations in order to achieve a base level of interoperability 124 among all CMS-X.400 implementations. [CMS] provides additional details 125 regarding the use of the cryptographic algorithms. 127 2.1 DigestAlgorithmIdentifier 129 Sending and receiving agents MUST support SHA-1 [SHA1]. 131 2.2 SignatureAlgorithmIdentifier 133 Sending and receiving agents MUST support id-dsa defined in [DSS]. The 134 algorithm parameters MUST be absent (not encoded as NULL). 136 Receiving agents MAY support rsaEncryption, defined in [PKCS-1]. 138 Sending agents MAY support rsaEncryption. Outgoing messages are signed 139 with a user's private key. The size of the private key is determined 140 during key generation. 142 2.3 KeyEncryptionAlgorithmIdentifier 144 Sending and receiving agents MUST support Diffie-Hellman defined in 145 [DH]. 147 Receiving agents MAY support rsaEncryption. Incoming encrypted messages 148 contain symmetric keys which are to be decrypted with a user's private 149 key. The size of the private key is determined during key generation. 151 Sending agents MAY support rsaEncryption. 153 2.4 General Syntax 155 The general syntax of CMS objects consist of an instance of the 156 ContentInfo structure containing one of several defined CMS content 157 types. CMS defines multiple content types. Of these, only the SignedData 158 and EnvelopedData content types are used for CMS-X.400. 160 2.4.1 SignedData Content Type 162 Sending agents MUST use the signedData content type to apply a digital 163 signature to a message or, in a degenerate case where there is no 164 signature information, to convey certificates. 166 2.4.2 EnvelopedData Content Type 168 This content type is used to apply privacy protection to a message. A 169 sender needs to have access to a public key for each intended message 170 recipient to use this service. This content type does not provide 171 authentication. 173 2.5 Attribute SignerInfo Type 175 The SignerInfo type allows the inclusion of unsigned and signed 176 attributes to be included along with a signature. 178 Receiving agents MUST be able to handle zero or one instance of each of 179 the signed attributes listed here. Sending agents SHOULD generate one 180 instance of each of the following signed attributes in each CMS-X400 181 message: 182 - signingTime 183 - sMIMECapabilities 184 - sMIMEEncryptionKeyPreference 186 Requirements for processing of these attributes MUST be in accordance 187 with the S/MIME Message Specification [MSG]. Handling of the signingTime 188 attribute MUST comply with clause 2.5.1 of [MSG]. Handling of the 189 sMIMECapabilities attribute MUST comply with clause 2.5.2 of [MSG]. 190 Handling of the sMIMEEncryptionKeyPreference attribute MUST comply with 191 clause 2.5.3 of [MSG]. 193 Further, receiving agents SHOULD be able to handle zero or one instance 194 in the signed attributes of the signingCertificate attribute. 196 Sending agents SHOULD generate one instance of the signingCertificate 197 signed attribute in each CMS-X400 message. 199 Additional attributes and values for these attributes may be defined in 200 the future. Receiving agents SHOULD handle attributes or values that it 201 does not recognize in a graceful manner. 203 Sending agents that include signed attributes that are not listed here 204 SHOULD display those attributes to the user, so that the user is aware 205 of all of the data being signed. 207 3. Creating S/MIME Messages 209 This section describes the S/MIME message formats and how they can be 210 used to secure X.400 contents. The S/MIME messages are then a 211 combination of X.400 contents and CMS objects (i.e., a ContentInfo 212 structure containing one of the CMS-defined content types). The X.400 213 content and other data, such as certificates and algorithm identifiers, 214 are given to CMS processing facilities which produces a CMS object. This 215 document also describes how nested, secured S/MIME messages should be 216 formatted when encapsulating an X.400 content, and provides an example 217 of how a triple-wrapped S/MIME message over X.400 content should be 218 created if backwards compatibility with S/MIME version 2 is of no 219 concern. 221 S/MIME provides one format for enveloped-only data, several formats for 222 signed-only data, and several formats for signed and enveloped data. 223 Several formats are required to accommodate several environments, in 224 particular for signed messages. Only one of these signed formats is 225 applicable to X.400. 227 Note that canonicalization is not required for X.400 content, and a 228 "detached signature" form is not possible. These dramatically simplify 229 the description of S/MIME productions. 231 The reader of this section is expected to understand X.400 as described 232 in [X.400] and S/MIME as described in [CMS] and [ESS]. 234 3.1 The X.400 Message Structure 236 This section reviews the X.400 message format. An X.400 message has two 237 parts, the envelope and the content, as described in X.402 [X.400]: 239 Envelope -- An information object whose composition varies from one 240 transmittal step to another and that variously identifies the message's 241 originator and potential recipients, documents its previous conveyance 242 and directs its subsequent conveyance by the Message Transfer System 243 (MTS), and characterizes its content. 245 Content -- The content is the piece of information that the originating 246 User Agent wants to be delivered to one or more recipients. The MTS 247 neither examines nor modifies the content, except for conversion, during 248 its conveyance of the message. 250 One piece of information borne by the envelope identifies the type of 251 the content. The content type is an identifier (an ASN.1 OID or Integer) 252 that denotes the syntax and semantics of the content overall. This 253 identifier enables the MTS to determine the message's deliverability to 254 particular users, and enables User Agents and Message Stores to 255 interpret and process the content. 257 Another piece of information borne by the envelope identifies the types 258 of encoded information represented in the content. An encoded 259 information type (EIT) is an identifier (an ASN.1 Object Identifier or 260 Integer) that denotes the medium and format (e.g., IA5 text or Group 3 261 facsimile) of individual portions of the content. It further enables the 262 MTS to determine the message's deliverability to particular users, and 263 to identify opportunities for it to make the message deliverable by 264 converting a portion of the content from one EIT to another. 266 This document describes how S/MIME CMS is used to secure the content 267 part of X.400 messages. 269 3.2 Creating a Signed-only Message with X.400 Content 271 The SignedData format as described in the Cryptographic Message Syntax 272 [CMS] MUST be used for signing of X.400 contents. 274 The protected X.400 content MUST then be placed in the SignedData 275 encapContentInfo eContent field. Note that this X.400 content SHOULD 276 maintain the encoding defined by the content type, but SHOULD NOT be 277 MIME wrapped. The object identifier for content type of the protected 278 X.400 content MUST be placed in the SignedData encapContentInfo 279 eContentType field. The resulting signedData object MAY optionally be 280 wrapped in a MIME encoding. 282 The signedData object is encapsulated by a ContentInfo SEQUENCE with 283 a contentType of id-signedData. 285 Note that if SMTP is used to transport the resulting signed-only message 286 then the optional MIME encoding SHOULD be used. If other 8-bit 287 transports (e.g., X.400) are used then the optional MIME encoding SHOULD 288 NOT be used. 290 3.2.1 MIME Wrapping to Dynamically Support 7-bit Transport 292 The signedData object MAY optionally be wrapped in MIME to dynamically 293 support 7-bit transport. In this case the application/pkcs7-mime type as 294 defined in S/MIME Version 3 Message Specification [MSG] SHOULD be used 295 with the following parameters: 297 Content-Type: application/pkcs7-mime; smime-type=signed-data 298 Content-Transfer-Encoding: base64 300 If the application/pkcs7-mime MIME type is used to support 7 bit 301 transport, the steps to create this format are: 303 Step 1. The X.400 content to be signed is ASN.1 encoded. 305 Step 2. The ASN.1 encoded X.400 content and other required data is 306 processed into a CMS object of type SignedData. 308 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 309 entity. 311 The smime-type parameter for messages using application/pkcs7-mime with 312 SignedData is "signed-x400". 314 3.3 Creating an Enveloped-only Message with X.400 Content 316 This section describes the format for enveloping an X.400 content 317 without signing it. It is important to note that sending enveloped but 318 not signed messages does not provide for data integrity. It is possible 319 to replace ciphertext in such a way that the processed message will 320 still be valid, but the meaning may be altered. 322 The EnvelopedData format as described in [CMS] may be used for privacy of 323 the X.400 contents. 325 The protected X.400 content MUST be placed in the EnvelopedData 326 encryptedContentInfo encryptedContent field. Note that this X.400 327 content SHOULD maintain the encoding defined by the content type, but 328 SHOULD NOT be MIME wrapped. The object identifier for content type of 329 the protected X.400 content MUST be placed in the EnvelopedData 330 encryptedContentInfo contentType field. The resulting envelopedData 331 object MAY optionally be wrapped in a MIME encoding. 333 The envelopedData object is encapsulated by a ContentInfo SEQUENCE 334 with a contentType of id-envelopedData. 336 Note that if SMTP is used to transport the resulting enveloped-only 337 message then the optional MIME encoding SHOULD be used. If other 8-bit 338 transport (e.g., X.400) is used then the optional MIME encoding SHOULD 339 NOT be used. 341 3.3.1 MIME Wrapping to Dynamically Support 7-bits Transport 343 The envelopedData object MAY optionally be wrapped in MIME to 344 dynamically support 7-bit transport. In this case the 345 application/pkcs7-mime type as defined in S/MIME Version 3 Message 346 Specification [MSG] SHOULD be used with the following parameters: 348 Content-Type: application/pkcs7-mime; smime-type=enveloped-data 349 Content-Transfer-Encoding: base64 351 If the application/pkcs7-mime MIME type is used to support 7 bit 352 transport, the steps to create this format are: 354 Step 1. The X.400 content to be enveloped is ASN.1 encoded. 356 Step 2. The ASN.1 encoded X.400 content and other required data is 357 processed into a CMS object of type EnvelopedData. In addition to 358 encrypting a copy of the content-encryption key for each recipient, a 359 copy of the content encryption key SHOULD be encrypted for the 360 originator and included in the envelopedData (see CMS Section 6). 362 Step 3. Optionally the CMS object may be inserted into an 363 application/pkcs7-mime MIME entity to allow for 7-bit transport. 365 If the application/pkcs7-mime MIME entity is used, the smime-type 366 parameter for enveloped-only messages is "enveloped-x400". 368 3.4 Nested CMS Structures 370 To achieve signing and enveloping, any of the signed-only and 371 encrypted-only CMS objects may be nested. 373 When nesting is used, backwards compatibility with S/MIME version 2 374 requires that each layer of the nested message are identified with the 375 OID id-data, and when id-data is used a MIME wrapper is required. This 376 can potentially lead to an enormous amount of overhead and should be 377 avoided. If S/MIME version 2 compatibility is of no concern, 378 implementations should use id-ct-contentInfo to circumvent the MIME 379 wrappers. 381 MIME wrapping to support 7-bit transport, is optional and need only be 382 used around the outermost CMS structure. In this case, the 383 application/pkcs7 content type MUST be used. 385 An S/MIME implementation MUST be able to receive and process arbitrarily 386 nested CMS structures within reasonable resource limits of the recipient 387 computer. 389 3.4.1 Creating a Triple Wrapped Message With an X.400 Content 391 The Enhanced Security Services for S/MIME [ESS] document provides 392 examples of how nested, secured S/MIME messages are formatted. ESS 393 provides an example of how a triple-wrapped S/MIME message is formatted 394 using application/pkcs7-mime for the signatures. 396 This section explains how an X.400 content may be conveyed within a 397 Triple Wrapped Message if S/MIME version 2 compatibility is of no 398 concern: 400 Step 1. Start with the X.400 content (called the "original content"). 401 The X.400 content MUST be ASN.1 encoded, but SHOULD NOT be MIME wrapped. 403 Step 2. Place the protected ASN.1 encoded X.400 content in the 404 SignedData encapContentInfo eContent field. Add any attributes to be 405 signed. 407 Step 3. Sign the result of step 2 (the original content). The SignedData 408 encapContentInfo eContentType MUST contain the object identifier of the 409 X.400 content. The SignedData structure is encapsulated by a ContentInfo 410 SEQUENCE with a contentType of id-signedData. 412 Step 4. Encrypt the result of step 3 as a single block. The 413 EnvelopedData encryptedContentInfo contentType MUST be set to 414 id-ct-contentInfo. This is called the "encrypted body". The 415 EnvelopedData structure is encapsulated by a ContentInfo SEQUENCE with a 416 contentType of id-envelopedData. 418 Step 5. Using the same logic as in step 2 and 3 above, sign the result 419 of step 5 (the encrypted body) as a single block. The SignedData 420 structure is encapsulated by a ContentInfo SEQUENCE with a contentType 421 of id-signedData. 423 Step 6. The resulting message is called the "outer signature", and is 424 also the triple wrapped message. 426 MIME wrapping to support 7 bit transport, is optional and MUST only be 427 used around the outermost CMS structure. In this case, the 428 application/pkcs7-mime content type MUST be used. 430 3.6 Certificate Enrollment 432 S/MIME v3 does not specify how to get a certificate from a certificate 433 authority, but instead mandates that every sending agent already has a 434 certificate. The PKIX Working Group of the IETF has, at the time of this 435 writing, produced two separate standards for certificate enrollment: 436 CMP (RFC 2510) and CMC(RFC 2792). 438 4. Certificate Processing 440 A receiving agent MUST provide some certificate retrieval mechanism in 441 order to gain access to certificates for recipients of digital 442 envelopes. This document does not cover how S/MIME agents handle 443 certificates, only what they do after a certificate has been validated 444 or rejected. S/MIME certification issues are covered in [CERT3]. 446 At a minimum, for initial S/MIME deployment, a user agent could 447 automatically generate a message to an intended recipient requesting 448 that recipient's certificate in a signed return message. Receiving and 449 sending agents SHOULD also provide a mechanism to allow a user to "store 450 and protect" certificates for correspondents in such a way so as to 451 guarantee their later retrieval. 453 5. Security Considerations 455 This entire document discusses security. Additional security issues are 456 identified in section 5 of [MSG], section 6 of [ESS] and the Security 457 Considerations section of [CMS]. 459 A. References 461 [CERT3] Ramsdell, B., Editor, "S/MIME Version 3 Certificate 462 Handling", RFC 2632, June 1999. 464 [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 465 1999. 467 [DH] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, 468 June 1999. 470 [DSS] NIST FIPS PUB 186, "Digital Signature Standard", 18 May 1994. 472 [ESS] Hoffman, P., Editor "Enhanced Security Services for S/MIME", 473 RFC 2634, June 1999. 475 [MSG] Ramsdell, B., Editor "S/MIME Version 3 Message Specification", 476 RFC 2633, June 1999. 478 [MUSTSHOULD] Bradner, S., "Key words for use in RFCs to Indicate 479 Requirement Levels", BCP14, RFC 2119, March 1997. 481 [PKCS-1] Kaliski, B., "PKCS #1: RSA Encryption Version 2.0", RFC 482 2437, October 1998. 484 [SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National 485 Institute of Standards and Technology, U.S. Department of Commerce, 31 486 May 1994. 488 [X.400] ITU-T X.400 Series of Recommendations, Information technology 489 - Message Handling Systems (MHS). X.400: System and Service Overview; 490 X.402: Overall Architecture; X.411: Message Transfer System: Abstract 491 Service Definition and Procedures; X.420: Interpersonal Messaging 492 System; 1996. 494 B. Differences between version -00 and -01 496 Many small corrections from Bill Ottaway. 498 3.2 and 3.3: Clarified, based on the mailing list discussion with Graeme 499 Lunt. The new sentence reads: "Note that this X.400 content SHOULD 500 maintain the encoding defined by the content type, but SHOULD NOT be 501 MIME wrapped." Also made many small corrections to these sections to 502 make the ASN.1 objects and fields clearer. 504 C. Editor's Address 506 Paul Hoffman 507 Internet Mail Consortium 508 127 Segre Place 509 Santa Cruz, CA 95060 USA 510 phoffman@imc.org 512 Chris Bonatti 513 IECA, Inc. 514 bonattic@ieca.com 516 Anders Eggen 517 Forsvarets Forskningsinstitutt 518 Postboks 25 519 2027 Kjeller, Norway 520 anders.eggen@ffi.no