idnits 2.17.1 draft-ietf-smime-x400wrap-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 542 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 129: '...Sending and receiving agents MUST support SHA-1 [SHA1]....' RFC 2119 keyword, line 133: '...Sending and receiving agents MUST support id-dsa defined in [DSS]. The...' RFC 2119 keyword, line 134: '...rithm parameters MUST be absent (not e...' RFC 2119 keyword, line 136: '...Receiving agents MAY support rsaEncryption, defined in [PKCS-1]....' RFC 2119 keyword, line 138: '...Sending agents MAY support rsaEncrypti...' (45 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'CMS' on line 477 looks like a reference -- Missing reference section? 'MSG' on line 488 looks like a reference -- Missing reference section? 'MUSTSHOULD' on line 491 looks like a reference -- Missing reference section? 'SHA1' on line 497 looks like a reference -- Missing reference section? 'DSS' on line 483 looks like a reference -- Missing reference section? 'PKCS-1' on line 494 looks like a reference -- Missing reference section? 'DH' on line 480 looks like a reference -- Missing reference section? 'ESS' on line 485 looks like a reference -- Missing reference section? 'SMTP' on line 501 looks like a reference -- Missing reference section? 'TRANSPORT' on line 504 looks like a reference -- Missing reference section? 'CERT3' on line 474 looks like a reference Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Draft Paul Hoffman, IMC 2 draft-ietf-smime-x400wrap-03.txt Chris Bonatti, IECA 3 July 19, 2001 Anders Eggen, FFI 4 Expires in six months 6 Securing X.400 Content with S/MIME 8 Status of this Memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other groups 15 may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference material 20 or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 Abstract 30 This document describes a protocol for adding cryptographic signature 31 and encryption services to X.400 content. 33 1. Introduction 35 The techniques described in the Cryptographic Message Syntax [CMS] 36 specification are general enough to support many different content 37 types. The [CMS] specification thus provides many options for providing 38 different security mechanisms. In order to ensure interoperability of 39 systems within the X.400 community, it is necessary to specify the use 40 of CMS features to protect X.400 content (called "CMS-X.400" in this 41 document). 43 1.1 Specification Overview 45 This document is intended to be similar to the S/MIME Version 3 Message 46 Specification [MSG] except that it is tailored to the requirements of 47 X.400 content rather than Multipurpose Internet Mail Extensions (MIME). 49 This document defines how to create an X.400 content type that has been 50 cryptographically enhanced according to [CMS]. In order to create S/MIME 51 messages carrying X.400 content, an S/MIME agent has to follow 52 specifications in this document, as well as the specifications listed in 53 [CMS]. This memo also defines new parameter values for the 54 application/pkcs7-mime MIME type that can be used to transport those 55 body parts. 57 Throughout this document, there are requirements and recommendations 58 made for how receiving agents handle incoming messages. There are 59 separate requirements and recommendations for how sending agents create 60 outgoing messages. In general, the best strategy is to "be liberal in 61 what you receive and conservative in what you send". Most of the 62 requirements are placed on the handling of incoming messages while the 63 recommendations are mostly on the creation of outgoing messages. 65 This document does not address transport of CMS-X.400 content. It is 66 assumed that CMS-X.400 content would be transported by Internet mail 67 systems, X.400, or other suitable transport. 69 1.2 Terminology 71 The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED", and 72 "MAY" in this document are to be interpreted as described in RFC 2119 73 [MUSTSHOULD]. 75 1.3 Definitions 77 For the purposes of this document, the following definitions apply. 79 ASN.1: Abstract Syntax Notation One, as defined in ISO/IEC 8824. 81 BER: Basic Encoding Rules for ASN.1, as defined in ISO/IEC 8825-1. 83 Certificate: A type that binds an entity's distinguished name to a 84 public key with a digital signature. 86 DER: Distinguished Encoding Rules for ASN.1, as defined in ISO/IEC 87 8825-1. 89 7-bit data: Text data with lines less than 998 characters long, where 90 none of the characters have the 8th bit set, and there are no NULL 91 characters. and occur only as part of a end of line 92 delimiter. 94 8-bit data: Text data with lines less than 998 characters, and where 95 none of the characters are NULL characters. and occur only as 96 part of a end of line delimiter. 98 Binary data: Arbitrary data. 100 Transfer Encoding: A reversible transformation made on data so 8-bit or 101 binary data may be sent via a channel that only transmits 7-bit data. 103 Receiving agent: Software that interprets and processes S/MIME CMS 104 objects. 106 Sending agent: Software that creates S/MIME CMS objects. 108 S/MIME agent: User software that is a receiving agent, a sending agent, 109 or both. 111 1.4 Compatibility with Prior Practice of S/MIME 113 There are believed to be no existing X.400 implementations that support 114 S/MIME version 2. Further, signed interoperability between X.400 and 115 MIME systems that support S/MIME version 2 is not believed to be easily 116 achievable. Therefore backward compatibility with S/MIME version 2 is 117 not considered to be a requirement for this document. 119 2. CMS Options 121 CMS allows for a wide variety of options in content and algorithm 122 support. This section puts forth a number of support requirements and 123 recommendations in order to achieve a base level of interoperability 124 among all CMS-X.400 implementations. [CMS] provides additional details 125 regarding the use of the cryptographic algorithms. 127 2.1 DigestAlgorithmIdentifier 129 Sending and receiving agents MUST support SHA-1 [SHA1]. 131 2.2 SignatureAlgorithmIdentifier 133 Sending and receiving agents MUST support id-dsa defined in [DSS]. The 134 algorithm parameters MUST be absent (not encoded as NULL). 136 Receiving agents MAY support rsaEncryption, defined in [PKCS-1]. 138 Sending agents MAY support rsaEncryption. Outgoing messages are signed 139 with a user's private key. 141 2.3 KeyEncryptionAlgorithmIdentifier 143 Sending and receiving agents MUST support rsaEncryption. Incoming 144 encrypted messages contain symmetric keys which are to be decrypted with 145 a user's private key. 147 Sending and receiving agents MAY support Diffie-Hellman defined in [DH]. 149 2.4 General Syntax 151 The general syntax of CMS objects consist of an instance of the 152 ContentInfo structure containing one of several defined CMS content 153 types. CMS defines multiple content types. Of these, only the SignedData 154 and EnvelopedData content types are used for CMS-X.400. 156 2.4.1 SignedData Content Type 158 Sending agents MUST use the signedData content type to apply a digital 159 signature to a message or, in a degenerate case where there is no 160 signature information, to convey certificates. 162 2.4.2 EnvelopedData Content Type 164 Senders MUST use the envelopedData content type to apply privacy 165 protection to a message. A sender needs to have access to a public key 166 for each intended message recipient to use this service. This content 167 type does not provide authentication. 169 2.5 Attribute SignerInfo Type 171 The SignerInfo type allows the inclusion of unsigned and signed 172 attributes to be included along with a signature. 174 Receiving agents MUST be able to handle zero or one instance of each of 175 the signed attributes listed here. Sending agents SHOULD generate one 176 instance of each of the following signed attributes in each CMS-X400 177 message: 178 - signingTime 179 - sMIMECapabilities 180 - sMIMEEncryptionKeyPreference 182 Requirements for processing of these attributes MUST be in accordance 183 with the S/MIME Message Specification [MSG]. Handling of the signingTime 184 attribute MUST comply with clause 2.5.1 of [MSG]. Handling of the 185 sMIMECapabilities attribute MUST comply with clause 2.5.2 of [MSG]. 186 Handling of the sMIMEEncryptionKeyPreference attribute MUST comply with 187 clause 2.5.3 of [MSG]. 189 Further, receiving agents SHOULD be able to handle zero or one instance 190 in the signed attributes of the signingCertificate attribute [ESS]. 192 Sending agents SHOULD generate one instance of the signingCertificate 193 signed attribute in each CMS-X400 message. 195 Additional attributes and values for these attributes may be defined in 196 the future. Receiving agents SHOULD handle attributes or values that it 197 does not recognize in a graceful manner. 199 Sending agents that include signed attributes that are not listed here 200 SHOULD display those attributes to the user, so that the user is aware 201 of all of the data being signed. 203 3. Creating S/MIME Messages 205 This section describes the S/MIME message formats and how they can be 206 used to secure X.400 contents. The S/MIME messages are a combination of 207 X.400 contents and CMS objects (i.e., a ContentInfo structure containing 208 one of the CMS-defined content types). The X.400 content and other data, 209 such as certificates and algorithm identifiers, are given to CMS 210 processing facilities which produces a CMS object. This document also 211 describes how nested, secured S/MIME messages should be formatted when 212 encapsulating an X.400 content, and provides an example of how a 213 triple-wrapped S/MIME message over X.400 content should be created if 214 backwards compatibility with S/MIME version 2 is of no concern. 216 S/MIME provides one format for enveloped-only data, several formats for 217 signed-only data, and several formats for signed and enveloped data. The 218 different formats are required to accommodate several environments, in 219 particular for signed messages. Only one of these signed formats is 220 applicable to X.400. 222 Note that canonicalization is not required for X.400 content because it 223 is a binary rather than text encoding, and only the "embedded" content 224 version is used. These dramatically simplify the description of S/MIME 225 productions. 227 The reader of this section is expected to understand X.400 as described 228 in [X.400] and S/MIME as described in [CMS] and [ESS]. 230 3.1 The X.400 Message Structure 232 This section reviews the X.400 message format. An X.400 message has two 233 parts, the envelope and the content, as described in X.402 [X.400]: 235 Envelope -- An information object whose composition varies from one 236 transmittal step to another and that variously identifies the message's 237 originator and potential recipients, documents its previous conveyance 238 and directs its subsequent conveyance by the Message Transfer System 239 (MTS), and characterizes its content. 241 Content -- The content is the piece of information that the originating 242 User Agent wants to be delivered to one or more recipients. The MTS 243 neither examines nor modifies the content, except for conversion, during 244 its conveyance of the message. MTS conversion is not applicable to the 245 scenario of this draft because such conversion is incompatible with CMS 246 protection mechanisms. 248 One piece of information borne by the envelope identifies the type of 249 the content. The content type is an identifier (an ASN.1 OID or Integer) 250 that denotes the syntax and semantics of the content overall. This 251 identifier enables the MTS to determine the message's deliverability to 252 particular users, and enables User Agents and Message Stores to 253 interpret and process the content. 255 Another piece of information borne by the envelope identifies the types 256 of encoded information represented in the content. An encoded 257 information type (EIT) is an identifier (an ASN.1 Object Identifier or 258 Integer) that denotes the medium and format (e.g., IA5 text or Group 3 259 facsimile) of individual portions of the content. It further enables the 260 MTS to determine the message's deliverability to particular users, and 261 to identify opportunities for it to make the message deliverable by 262 converting a portion of the content from one EIT to another. 264 This document describes how S/MIME CMS is used to secure the content 265 part of X.400 messages. 267 3.2 Creating a Signed-only Message with X.400 Content 269 The SignedData format as described in the Cryptographic Message Syntax 270 [CMS] MUST be used for signing of X.400 contents. 272 The protected X.400 content MUST be placed in the SignedData 273 encapContentInfo eContent field. The eContent field MUST either (a) 274 contain the contentType OID and MUST NOT be MIME-wrapped or (b) contain 275 the id-data OID and a MIME-wrapped content. The object identifier for 276 content type of the protected X.400 content MUST be placed in the 277 SignedData encapContentInfo eContentType field. 279 The signedData object is encapsulated by a ContentInfo SEQUENCE with a 280 contentType of id-signedData. The resulting CMS object MAY optionally be 281 wrapped in a MIME encoding. 283 Note that if SMTP [SMTP] used to transport the resulting signed-only 284 message then the optional MIME encoding SHOULD be used. If binary 285 transports such as X.400 are used then the optional MIME encoding SHOULD 286 NOT be used. 288 3.2.1 MIME Wrapping to Dynamically Support 7-bit Transport 290 The signedData object MAY optionally be wrapped in MIME to dynamically 291 support 7-bit transport. In this case the application/pkcs7-mime type as 292 defined in S/MIME Version 3 Message Specification [MSG] SHOULD be used 293 with the following parameters: 295 Content-Type: application/pkcs7-mime; smime-type=signed-data 296 Content-Transfer-Encoding: base64 298 If the application/pkcs7-mime MIME type is used to support 7-bit 299 transport, the steps to create this format are: 301 Step 1. The X.400 content to be signed is ASN.1 encoded. 303 Step 2. The ASN.1 encoded X.400 content and other required data is 304 processed into a CMS object of type SignedData. The SignedData structure 305 is encapsulated by a ContentInfo SEQUENCE with a contentType of 306 id-signedData. 308 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 309 entity. 311 The smime-type parameter for messages using application/pkcs7-mime with 312 SignedData is "signed-x400" as defined in [TRANSPORT]. 314 3.3 Creating an Enveloped-only Message with X.400 Content 316 This section describes the format for enveloping an X.400 content 317 without signing it. It is important to note that sending enveloped but 318 not signed messages does not provide for data integrity. It is possible 319 to replace ciphertext in such a way that the processed message will 320 still be valid, but the meaning is altered. 322 The EnvelopedData format as described in [CMS] is used for 323 confidentiality of the X.400 contents. 325 The protected X.400 content MUST be placed in the EnvelopedData 326 encryptedContentInfo encryptedContent field. Note that this X.400 327 content SHOULD maintain the encoding defined by the content type, but 328 SHOULD NOT be MIME wrapped. The object identifier for content type of 329 the protected X.400 content MUST be placed in the EnvelopedData 330 encryptedContentInfo contentType field. 332 The envelopedData object is encapsulated by a ContentInfo SEQUENCE with 333 a contentType of id-envelopedData. The resulting CMS object MAY 334 optionally be wrapped in a MIME encoding. 336 Note that if SMTP is used to transport the resulting enveloped-only 337 message then the optional MIME encoding SHOULD be used. If other binary 338 transport (e.g., X.400) is used then the optional MIME encoding SHOULD 339 NOT be used. 341 3.3.1 MIME Wrapping to Dynamically Support 7-bits Transport 343 The envelopedData object MAY optionally be wrapped in MIME to 344 dynamically support 7-bit transport. In this case, the 345 application/pkcs7-mime type as defined in S/MIME Version 3 Message 346 Specification [MSG] SHOULD be used with the following parameters: 348 Content-Type: application/pkcs7-mime; smime-type=enveloped-x400 349 Content-Transfer-Encoding: base64 351 If the application/pkcs7-mime MIME type is used to support 7-bit 352 transport, the steps to create this format are: 354 Step 1. The X.400 content to be enveloped is ASN.1 encoded. 356 Step 2. The ASN.1 encoded X.400 content and other required data is 357 processed into a CMS object of type EnvelopedData. In addition to 358 encrypting a copy of the content-encryption key for each recipient, a 359 copy of the content encryption key SHOULD be encrypted for the 360 originator and included in the EnvelopedData (see CMS Section 6). The 361 EnvelopedData structure is encapsulated by a ContentInfo SEQUENCE with a 362 contentType of id-envelopedData. 364 Step 3. The CMS object is inserted into an application/pkcs7-mime MIME 365 entity to allow for 7-bit transport. 367 If the application/pkcs7-mime MIME entity is used, the smime-type 368 parameter for enveloped-only messages is "enveloped-x400" as defined in 369 [TRANSPORT]. 371 3.4 Nested CMS Structures 373 To achieve signing and enveloping, any of the signed-only and 374 encrypted-only CMS objects may be nested. 376 When nesting is used, backwards compatibility with S/MIME version 2 377 requires that each layer of the nested message are identified with the 378 OID id-data, and when id-data is used a MIME wrapper is required. This 379 can potentially lead to an enormous amount of overhead and should be 380 avoided. Because S/MIME version 2 compatibility is of no concern, 381 implementations SHOULD directly encode the encapsulated object as the 382 eContent of the current structure. 384 MIME wrapping to support 7-bit transport, is optional and need only be 385 used around the outermost CMS structure. In this case, the 386 application/pkcs7 content type MUST be used. 388 An S/MIME implementation MUST be able to receive and process arbitrarily 389 nested CMS structures within reasonable resource limits of the recipient 390 computer. 392 3.4.1 Creating a Triple Wrapped Message With an X.400 Content 394 The Enhanced Security Services for S/MIME [ESS] document provides 395 examples of how nested, secured S/MIME messages are formatted. ESS 396 provides an example of how a triple-wrapped S/MIME message is formatted 397 using application/pkcs7-mime for the signatures. 399 This section explains how an X.400 content may be conveyed within a 400 Triple Wrapped Message because S/MIME version 2 compatibility is of no 401 concern: 403 Step 1. Start with the X.400 content (called the "original content"). 404 The X.400 content MUST be ASN.1 encoded, but SHOULD NOT be MIME wrapped. 406 Step 2. Place the protected ASN.1 encoded X.400 content in the 407 SignedData encapContentInfo eContent field. Add any attributes 408 that are to be signed. 410 Step 3. Sign the result of step 2 (the original content). The SignedData 411 encapContentInfo eContentType MUST contain the object identifier of the 412 X.400 content. 414 Step 4. Encrypt the result of step 3 as a single block. The 415 EnvelopedData encryptedContentInfo contentType MUST be set to 416 id-signedData. This is called the "encrypted body". 418 Step 5. Using the same logic as in step 2 and 3 above, sign the result 419 of step 4 (the encrypted body) as a single block. The SignedData 420 encapContentInfo eContentType MUST be set to id-envelopedData. The outer 421 SignedData structure is encapsulated by a ContentInfo SEQUENCE with a 422 contentType of id-signedData. 424 Step 6. The resulting message is called the "outer signature", and is 425 also the triple wrapped message. 427 MIME wrapping to support 7-bit transport, is optional and MUST only be 428 used around the outermost CMS structure. In this case, the 429 application/pkcs7-mime content type MUST be used. The smime-type 430 in the case of adding a MIME wrapper MUST be consistent with 431 that appropriate to the innermost protection layer. 433 In some instances, an smime-type will be created that only reflects one 434 security service (such as certs-only, which is only for signed). 435 However, as new layers are wrapped, this smime-type SHOULD be propagated 436 upwards. Thus if a certs-only message were to be encrypted, or wrapped 437 in a new SignedData structure, the smime-type of certs-only should be 438 propagated up to the next MIME wrapper. In other words, the innermost 439 type is reflected outwards. 441 4. Use of Certificates 443 4.1 Certificate Enrollment 445 S/MIME v3 does not specify how to get a certificate from a certificate 446 authority, but instead mandates that every sending agent already has a 447 certificate. The PKIX Working Group has, at the time of this writing, 448 produced two separate standards for certificate enrollment: CMP (RFC 449 2510) and CMC (RFC 2792). 451 4.2 Certificate Processing 453 A receiving agent MUST provide some certificate retrieval mechanism in 454 order to gain access to certificates for recipients of digital 455 envelopes. This document does not cover how S/MIME agents handle 456 certificates, only what they do after a certificate has been validated 457 or rejected. S/MIME certification issues are covered in [CERT3]. 459 At a minimum, for initial S/MIME deployment, a user agent could 460 automatically generate a message to an intended recipient requesting 461 that recipient's certificate in a signed return message. Receiving and 462 sending agents SHOULD also provide a mechanism to allow a user to "store 463 and protect" certificates for correspondents in such a way so as to 464 guarantee their later retrieval. 466 5. Security Considerations 468 This entire document discusses security. Additional security issues are 469 identified in section 5 of [MSG], section 6 of [ESS] and the Security 470 Considerations section of [CMS]. 472 A. References 474 [CERT3] Ramsdell, B., Editor, "S/MIME Version 3 Certificate 475 Handling", RFC 2632, June 1999. 477 [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 478 1999. 480 [DH] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, 481 June 1999. 483 [DSS] NIST FIPS PUB 186, "Digital Signature Standard", 18 May 1994. 485 [ESS] Hoffman, P., Editor "Enhanced Security Services for S/MIME", 486 RFC 2634, June 1999. 488 [MSG] Ramsdell, B., Editor "S/MIME Version 3 Message Specification", 489 RFC 2633, June 1999. 491 [MUSTSHOULD] Bradner, S., "Key words for use in RFCs to Indicate 492 Requirement Levels", BCP14, RFC 2119, March 1997. 494 [PKCS-1] Kaliski, B., "PKCS #1: RSA Encryption Version 2.0", RFC 495 2437, October 1998. 497 [SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National 498 Institute of Standards and Technology, U.S. Department of Commerce, 31 499 May 1994. 501 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, 502 April, 2001. 504 [TRANSPORT] Hoffman, P. and Bonatti, C., "Transporting S/MIME Objects in 505 X.400", work in progress (will progress with this document). 507 [X.400] ITU-T X.400 Series of Recommendations, Information technology 508 - Message Handling Systems (MHS). X.400: System and Service Overview; 509 X.402: Overall Architecture; X.411: Message Transfer System: Abstract 510 Service Definition and Procedures; X.420: Interpersonal Messaging 511 System; 1996. 513 B. Editor's Address 515 Paul Hoffman 516 Internet Mail Consortium 517 127 Segre Place 518 Santa Cruz, CA 95060 USA 519 phoffman@imc.org 521 Chris Bonatti 522 IECA, Inc. 523 15309 Turkey Foot Road 524 Darnestown, MD 20878-3640 USA 525 bonattic@ieca.com 527 Anders Eggen 528 Forsvarets Forskningsinstitutt 529 Postboks 25 530 2027 Kjeller, Norway 531 anders.eggen@ffi.no