draft-ietf-smime-certcapa-05.txt   rfc4262.txt 
S/MIME Working Group S. Santesson (Microsoft) Network Working Group S. Santesson
INTERNET-DRAFT Request for Comments: 4262 Microsoft
Expires November 2005 May 2005 Category: Standards Track December 2005
X.509 Certificate Extension for S/MIME Capabilities
<draft-ietf-smime-certcapa-05.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any X.509 Certificate Extension for
applicable patent or other IPR claims of which he or she is aware Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Status of This Memo
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months This document specifies an Internet standards track protocol for the
and may be updated, replaced, or obsoleted by other documents at any Internet community, and requests discussion and suggestions for
time. It is inappropriate to use Internet-Drafts as reference improvements. Please refer to the current edition of the "Internet
material or to cite them other than a "work in progress." Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
The list of current Internet-Drafts can be accessed at Copyright Notice
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at Copyright (C) The Internet Society (2005).
http://www.ietf.org/shadow.html
Abstract Abstract
This document defines a certificate extension for inclusion of S/MIME This document defines a certificate extension for inclusion of
capabilities in X.509 public key certificates, as defined by RFC Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities in
3280. X.509 public key certificates, as defined by RFC 3280. This
certificate extension provides an optional method to indicate the
This certificate extension provides an optional method to indicate cryptographic capabilities of an entity as a complement to the S/MIME
the cryptographic capabilities of an entity as a complement to the Capabilities signed attribute in S/MIME messages according to RFC
S/MIME Capabilities signed attribute in S/MIME messages according to 3851.
RFC 3851.
Table of Contents
1 Introduction ................................................ 2
1.1 Terminology ............................................... 3
2 S/MIME Capabilities Extension ............................... 3
3 Use in applications ......................................... 4
4 Security Considerations ..................................... 4
5 References .................................................. 5
Authors' Addresses ............................................. 5
Disclaimer ..................................................... 5
Copyright Statement ............................................ 5
1 Introduction 1. Introduction
This document defines a certificate extension for inclusion of S/MIME This document defines a certificate extension for inclusion of S/MIME
capabilities in X.509 public key certificates, as defined by RFC 3280 Capabilities in X.509 public key certificates, as defined by RFC 3280
[RFC 3280]. [RFC 3280].
The S/MIME Capabilities attribute, defined in RFC 3851, is defined to The S/MIME Capabilities attribute, defined in RFC 3851 [RFC3851], is
indicate cryptographic capabilities of the sender of a signed S/MIME defined to indicate cryptographic capabilities of the sender of a
message. This information can be used by the recipient in subsequent signed S/MIME message. This information can be used by the recipient
S/MIME secured exchanges to select appropriate cryptographic in subsequent S/MIME secured exchanges to select appropriate
properties. cryptographic properties.
S/MIME does however involve also the scenario where e.g. a sender of However, S/MIME does involve also the scenario where, for example, a
an encrypted message has no prior established knowledge of the sender of an encrypted message has no prior established knowledge of
recipient's cryptographic capabilities through recent S/MIME the recipient's cryptographic capabilities through recent S/MIME
exchanges. exchanges.
In such case the sender is forced to rely on out-of-band means or its In such a case, the sender is forced to rely on out-of-band means or
default configuration to select content encryption algorithm for its default configuration to select a content encryption algorithm
encrypted messages to recipients with unknown capabilities. Such for encrypted messages to recipients with unknown capabilities. Such
default configuration may however be incompatible with the default configuration may, however, be incompatible with the
recipient's capabilities and/or security policy. recipient's capabilities and/or security policy.
The solution defined in this specification leverages the fact that The solution defined in this specification leverages the fact that
S/MIME encryption requires possession of the recipient's public key S/MIME encryption requires possession of the recipient's public key
certificate. This certificate already contains information about the certificate. This certificate already contains information about the
recipient's public key and the cryptographic capabilities of this recipient's public key and the cryptographic capabilities of this
key. Through the extension mechanism defined in this specification key. Through the extension mechanism defined in this specification,
the certificate may also identify the subject's cryptographic S/MIME the certificate may also identify the subject's cryptographic S/MIME
capabilities. This may then be used as an optional information capabilities. This may then be used as an optional information
resource to select appropriate encryption settings for the resource to select appropriate encryption settings for the
communication. communication.
This document is limited to the "static" approach where asserted This document is limited to the "static" approach where asserted
cryptographic capabilities remain unchanged until the certificate cryptographic capabilities remain unchanged until the certificate
expires or is revoked. Other "dynamic" approaches which allow expires or is revoked. Other "dynamic" approaches, which allow
retrieval of certified dynamically updatable capabilities during the retrieval of certified dynamically updateable capabilities during the
lifetime of a certificate are out of scope of this document. lifetime of a certificate, are out of scope of this document.
1.1 Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [STDWORDS]. document are to be interpreted as described in RFC 2119 [STDWORDS].
2 S/MIME Capabilities Extension 2. S/MIME Capabilities Extension
This section defines the S/MIME Capabilities extension. This section defines the S/MIME Capabilities extension.
The S/MIME capabilities extension data structure used in this The S/MIME Capabilities extension data structure used in this
specification is identical to the data structure of the specification is identical to the data structure of the
SMIMECapabilities attribute defined in RFC 3851 [RFC 3851] (The ASN.1 SMIMECapabilities attribute defined in RFC 3851 [RFC3851]. (The
structure of smimeCapabilities is included below for illustrative ASN.1 structure of smimeCapabilities is included below for
purposes only). illustrative purposes only.)
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) 15} pkcs-9(9) 15}
SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapabilities ::= SEQUENCE OF SMIMECapability
SMIMECapability ::= SEQUENCE { SMIMECapability ::= SEQUENCE {
capabilityID OBJECT IDENTIFIER, capabilityID OBJECT IDENTIFIER,
parameters ANY DEFINED BY capabilityID OPTIONAL } parameters ANY DEFINED BY capabilityID OPTIONAL }
skipping to change at page 3, line 32 skipping to change at page 3, line 4
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) 15} pkcs-9(9) 15}
SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapabilities ::= SEQUENCE OF SMIMECapability
SMIMECapability ::= SEQUENCE { SMIMECapability ::= SEQUENCE {
capabilityID OBJECT IDENTIFIER, capabilityID OBJECT IDENTIFIER,
parameters ANY DEFINED BY capabilityID OPTIONAL } parameters ANY DEFINED BY capabilityID OPTIONAL }
All content requirements defined for the SMIMECapabilities attribute All content requirements defined for the SMIMECapabilities attribute
in RFC 3851 applies also to this extension. in RFC 3851 apply also to this extension.
There are numerous different types of S/MIME capabilities that have There are numerous different types of S/MIME Capabilities that have
been defined in various documents. While all of the different been defined in various documents. While all of the different
capabilities can be placed in this extension, the intended purpose of capabilities can be placed in this extension, the intended purpose of
this specification is mainly to support inclusion of S/MIME this specification is mainly to support inclusion of S/MIME
capabilities specifying content encryption algorithms. Capabilities specifying content encryption algorithms.
CAs SHOULD limit the type of included S/MIME capabilities in this Certification Authorities (CAs) SHOULD limit the type of included
extension to types that are considered relevant to the intended use S/MIME Capabilities in this extension to types that are considered
of the certificate. relevant to the intended use of the certificate.
Client applications processing this extensions MAY at its own Client applications processing this extension MAY at their own
discretion ignore any present S/MIME capabilities and SHOULD always discretion ignore any present S/MIME Capabilities and SHOULD always
gracefully ignore any present S/MIME capabilities that is not gracefully ignore any present S/MIME Capabilities that are not
consider relevant to its particular use of the certificate. considered relevant to the particular use of the certificate.
This extension MUST NOT be marked critical. This extension MUST NOT be marked critical.
3 Use in applications 3. Use in Applications
Applications using the S/MIME Capabilities extension SHOULD NOT use Applications using the S/MIME Capabilities extension SHOULD NOT use
information in the extension if more reliable and relevant information in the extension if more reliable and relevant
authenticated capabilities information are available to the authenticated capabilities information is available to the
application. application.
It is outside the scope of this specification to define what is, or It is outside the scope of this specification to define what is, or
is not, regarded as more reliable source of information by the is not, regarded as a more reliable source of information by the
certificate using application. application that is using the certificate.
4 Security Considerations 4. Security Considerations
The S/MIME capabilities extension contains a statement about the The S/MIME Capabilities extension contains a statement about the
subject's capabilities made at the time of certificate issuance. subject's capabilities made at the time of certificate issuance.
Implementers should therefore take into account any effect caused by Implementers should therefore take into account any effect caused by
the change of these capabilities during the lifetime of the the change of these capabilities during the lifetime of the
certificate. certificate.
Change in the subject's capabilities during the lifetime of a Change in the subject's capabilities during the lifetime of a
certificate may require revocation of the certificate. Revocation certificate may require revocation of the certificate. Revocation
should however only be motivated if a listed algorithm is considered should, however, only be motivated if a listed algorithm is
broken or considered too weak for the governing security policy. considered broken or considered too weak for the governing security
policy.
Implementers should take into account that the use of this extension Implementers should take into account that the use of this extension
does not change the fact that it is always the responsibility of the does not change the fact that it is always the responsibility of the
sender to choose sufficiently strong encryption for its information sender to choose sufficiently strong encryption for its information
disclosure. disclosure.
5 References 5. Normative References
Normative references:
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 3280] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure: Certificate and X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280, Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002. April 2002.
[RFC 3851] B. Ramsdell, "Secure/Multipurpose Internet Mail [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification", Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004 RFC 3851, July 2004.
Authors' Addresses Author's Address
Stefan Santesson Stefan Santesson
Microsoft Microsoft
Tuborg Boulevard 12 Tuborg Boulevard 12
2900 Hellerup 2900 Hellerup
Denmark Denmark
EMail: stefans@microsoft.com EMail: stefans@microsoft.com
Disclaimer Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Intellectual Property
Copyright (C) The Internet Society (2005). The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
This document is subject to the rights, licenses and restrictions Copies of IPR disclosures made to the IETF Secretariat and any
contained in BCP 78, and except as set forth therein, the authors assurances of licenses to be made available, or the result of an
retain all their rights. attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
Expires November 2005 The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 40 change blocks. 
101 lines changed or deleted 91 lines changed or added

This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/