draft-ietf-smime-certcapa-00.txt   draft-ietf-smime-certcapa-01.txt 
S/MIME Working Group S. Santesson (Microsoft) S/MIME Working Group S. Santesson (Microsoft)
INTERNET-DRAFT INTERNET-DRAFT
Expires April 2005 Expires May 2005
October 2004 November 2004
Certificate extension for S/MIME Capabilities Certificate extension for S/MIME Capabilities
<draft-ietf-smime-certcapa-00.txt> <draft-ietf-smime-certcapa-01.txt>
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668 disclosed, in accordance with RFC 3668
Status of this Memo Status of this Memo
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 2, line 12 skipping to change at page 2, line 12
to use of the S/MIME Capabilities signed attribute in S/MIME messages to use of the S/MIME Capabilities signed attribute in S/MIME messages
according to RFC 3851. according to RFC 3851.
Table of Contents Table of Contents
1 Introduction ................................................ 2 1 Introduction ................................................ 2
2 S/MIME Capabilities Extension ............................... 3 2 S/MIME Capabilities Extension ............................... 3
3 Use in applications ......................................... 3 3 Use in applications ......................................... 3
4 Security Considerations ..................................... 3 4 Security Considerations ..................................... 3
5 References .................................................. 4 5 References .................................................. 4
A ASN.1 definitions ........................................... 4
Authors' Addresses ............................................. 4 Authors' Addresses ............................................. 4
Disclaimer ..................................................... 5 Disclaimer ..................................................... 5
Copyright Statement ............................................ 5 Copyright Statement ............................................ 5
1. Introduction 1. Introduction
The purpose of this specification is to specify means to minimize the The purpose of this specification is to specify a simple approach to
need to revert to default cryptographic settings in encrypted S/MIME store cryptographic capabilities in public key certificates.
exchanges due to lack of knowledge about the opponents cryptographic
capabilities.
The S/MIME Capabilities attribute is defined in RFC 3851 to identify The S/MIME Capabilities attribute is defined in RFC 3851 to identify
the cryptographic capabilities of the sender of a signed S/MIME the cryptographic capabilities of the sender of a signed S/MIME
message. This information can be used by the recipient in subsequent message. This information can be used by the recipient in subsequent
S/MIME secured exchanges to select appropriate cryptographic S/MIME secured exchanges to select appropriate cryptographic
properties for future exchange with the opponent. properties for future exchange with the opponent.
The use of S/MIME does however introduce the scenario where a sender The use of S/MIME does however introduce the scenario where a sender
of an encrypted message has no prior established knowledge of the of an encrypted message has no prior established knowledge of the
recipient's cryptographic capabilities through recent S/MIME recipient's cryptographic capabilities through recent S/MIME
exchanges. exchanges.
In such case the sender is forced to rely on its default In such case the sender is forced to rely on its default
configuration for encrypted messages to recipients with unknown configuration for encrypted messages to recipients with unknown
capabilities. The problem is however that this default configuration capabilities. The problem is however that this default configuration
may not be compatible with the recipient's capabilities and/or may not be compatible with the recipient's capabilities and/or
security policy. security policy.
The solution defined in this specification leverage on the fact that The solution defined in this specification leverages on the fact that
S/MIME encryption requires possession of the recipient's public key S/MIME encryption requires possession of the recipient's public key
certificate. This certificate contains information about the certificate. This certificate contains information about the
recipient's public key and the cryptographic capabilities of this recipient's public key and the cryptographic capabilities of this
key. Through the extension mechanism defined in this specification key. Through the extension mechanism defined in this specification
the certificate will also have the capacity to identify the subject's the certificate will also have the capacity to identify the subject's
cryptographic capabilities for use with S/MIME, to be used as an cryptographic capabilities for use with S/MIME, to be used as an
optional additional information resource when knowledge about the optional additional information resource when knowledge about the
subject capabilities is considered insufficient. subject capabilities is considered insufficient.
This document is limited to the "static" approach where asserted
cryptographic capabilities remain unchanged until the certificate
expires or is revoked. Other "dynamic" approaches which allow
retrieval of certified dynamically updatable capabilities during the
lifetime of a certificate are out of scope of this document.
2. S/MIME Capabilities Extension 2. S/MIME Capabilities Extension
This section defines the S/MIME Capabilities extension. This section defines the S/MIME Capabilities extension.
The S/MIME capabilities extension data structure used in this The S/MIME capabilities extension data structure used in this
specification is identical to the data structure of the S/MIME specification is identical to the data structure of the S/MIME
capabilities attribute defined in RFC 3633. capabilities attribute defined in RFC 3851.
The S/MIME Capabilities extension MUST have the following definition: The S/MIME Capabilities extension MUST follow the definition defined
in RFC 3851. (The ASN.1 structure of smimeCapabilities is included
below for illustrative purposes only)
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) 15} pkcs-9(9) 15}
sMIMECapabilitiesExt EXTENSION ::= { sMIMECapabilitiesExt EXTENSION ::= {
SYNTAX SMIMECapabilities SYNTAX SMIMECapabilities
IDENTIFIED BY smimeCapabilities } IDENTIFIED BY smimeCapabilities }
SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapabilities ::= SEQUENCE OF SMIMECapability
SMIMECapability ::= SEQUENCE { SMIMECapability ::= SEQUENCE {
capabilityID OBJECT IDENTIFIER, capabilityID OBJECT IDENTIFIER,
parameters ANY DEFINED BY capabilityID OPTIONAL } parameters ANY DEFINED BY capabilityID OPTIONAL }
Algorithms should be ordered by preference Algorithms should be ordered by preference.
This extension MUST NOT be marked critical.
3. Use in applications 3. Use in applications
Applications using the S/MIME Capabilities extension SHOULD NOT use Applications using the S/MIME Capabilities extension SHOULD NOT use
information in the extension if more reliable and relevant information in the extension if more reliable and relevant
authenticated capabilities information are available to the authenticated capabilities information are available to the
application. application.
It is outside the scope of this specification to define what is, or It is outside the scope of this specification to define what is, or
is not, regarded as more reliable source of information by the is not, regarded as more reliable source of information by the
skipping to change at page 4, line 16 skipping to change at page 4, line 20
broken and/or considered too week to use for the adopted encryption broken and/or considered too week to use for the adopted encryption
policy. policy.
Implementers should take into account that the use of this extension Implementers should take into account that the use of this extension
does not change the fact that it is always the responsibility of the does not change the fact that it is always the responsibility of the
sender to choose sufficiently strong encryption for its information sender to choose sufficiently strong encryption for its information
disclosure. disclosure.
5 References 5 References
Normative references:
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 3280] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet [RFC
3280] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet
X.509 Public Key Infrastructure: Certificate and X.509 Public Key Infrastructure: Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280, Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002. April 2002.
[RFC 3851] B. Ramsdell, "Secure/Multipurpose Internet Mail [RFC 3851] B. Ramsdell, "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification", Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004 RFC 3851, July 2004
A. ASN.1 definitions
TBD
Authors' Addresses Authors' Addresses
Stefan Santesson Stefan Santesson
Microsoft Microsoft
Tuborg Boulevard 12 Tuborg Boulevard 12
2900 Hellerup 2900 Hellerup
Denmark Denmark
EMail: stefans@microsoft.com EMail: stefans@microsoft.com
skipping to change at page 5, line 21 skipping to change at page 5, line 21
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Expires April 2005 Expires May 2005
Attachment Converted: C:\Program Files\Qualcomm\Eudora\attachements\draft-ietf-smime-certcapa-011.nro
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/