draft-ietf-smime-certdist-03.txt   draft-ietf-smime-certdist-04.txt 
Internet Draft Jim Schaad Internet Draft Jim Schaad
draft-ietf-smime-certdist-03.txt Microsoft October 20, 1999 Microsoft
February 25, 1999
Expires in six months Expires in six months
Certificate Distribution Specification Certificate Distribution Specification
draft-ietf-smime-certdist-04.txt
Status of this memo Status of this memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with
provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six
and may be updated, replaced, or obsoleted by other documents at any months and may be updated, replaced, or obsoleted by other documents
time. It is inappropriate to use Internet-Drafts as reference material at any time. It is inappropriate to use Internet-Drafts as reference
or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast). ftp.isi.edu (US West Coast).
Abstract Abstract
Current methods of publishing certificates in directory services are Current methods of publishing certificates in directory services are
restricted to just certificates. This document provides a method of restricted to just certificates. This document provides a method of
publishing certificates with secondary support information such as the publishing certificates with secondary support information such as
SMimeCapabilities attribute (containing bulk algorithm support) in a the SMimeCapabilities attribute (containing bulk algorithm support)
way that is both authenticated and bound to a given certificate. in a way that is both authenticated and bound to a given
certificate.
This draft is being discussed on the "ietf-smime" mailing list. To This draft is being discussed on the "ietf-smime" mailing list. To
join the list, send a message to <ietf-smime-request@imc.org> with the join the list, send a message to <ietf-smime-request@imc.org> with
single word "subscribe" in the body of the message. Also, there is a the single word "subscribe" in the body of the message. Also, there
Web site for the mailing list at <http://www.imc.org/ietf-smime>. is a Web site for the mailing list at <http://www.imc.org/ietf-
smime>.
1. Introduction 1. Introduction
This document discusses a new method of publishing certificates in a This document discusses a new method of publishing certificates in a
directory to provide authenticated attributes as part of the directory to provide authenticated attributes as part of the
certificate publishing process. This allows for the addition of certificate publishing process. This allows for the addition of
information such as the SMimeCapabilities attribute from [SMIME] which information such as the SMimeCapabilities attribute from [SMIME]
contains information about the bulk encryption algorithms supported by which contains information about the bulk encryption algorithms
the End-Entity's cryptography module. supported by the End-Entity's cryptography module.
Section 2 discusses the current set of publishing methods available Section 2 discusses the current set of publishing methods available
for use, along with the benefits and restrictions of each method. for use, along with the benefits and restrictions of each method.
Schaad 1
CertDist October 1999
Section 3 covers the definition and properties of a Section 3 covers the definition and properties of a
SMimeCertificatePublish object. SMimeCertificatePublish object.
Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD
NOT are used in capital letters. This conforms to the definitions in NOT are used in capital letters. This conforms to the definitions in
[MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to help [MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to
make the intent of standards track documents as clear as possible. The help make the intent of standards track documents as clear as
same key words are used in this document to help implementers achieve possible. The same key words are used in this document to help
interoperability. implementers achieve interoperability.
2. Current Publishing Methods 2. Current Publishing Methods
There are several different ways to publish certificate information. There are several different ways to publish certificate information.
These methods include the userCertificate property in LDAP These methods include the userCertificate property in LDAP
directories, sending signed objects between users, and transport of directories, sending signed objects between users, and transport of
certificate files (either bare or as CMS degenerate signed objects). certificate files (either bare or as CMS degenerate signed objects).
Each of these methods has benefits and drawbacks. Each of these Each of these methods has benefits and drawbacks. Each of these
methods will now be briefly discussed. methods will now be briefly discussed.
A public directory may be used to distribute certificates. LDAP A public directory may be used to distribute certificates. LDAP
currently has the userCertificate property defined just for that currently has the userCertificate property defined just for that
purpose. The benefits of using a public directory are that a sender purpose. The benefits of using a public directory are that a sender
may create an encrypted object for a recipient without first receiving may create an encrypted object for a recipient without first
information (such as a signed message) from the recipient. Most public receiving information (such as a signed message) from the recipient.
directories currently only contain leaf certificates for individuals Most public directories currently only contain leaf certificates for
in the directory entry for the individual. While some directories, individuals in the directory entry for the individual. While some
such as X.500 directories, provide for a directory entry to contain directories, such as X.500 directories, provide for a directory
the CA certificate, this is not the case for all directories. Outside entry to contain the CA certificate, this is not the case for all
of the structure of an X.500 directory the problems associated with directories. Outside of the structure of an X.500 directory the
chaining from the individual's certificate to the CA's directory entry problems associated with chaining from the individual's certificate
in order to obtain it's certificate is difficult to impossible. This to the CA's directory entry in order to obtain it's certificate is
leads to two drawbacks: First, the set of bulk algorithms supported by difficult to impossible. This leads to two drawbacks: First, the
the recipient is unknown. Second, no additional certificates may be set of bulk algorithms supported by the recipient is unknown.
carried which would help in validating the recipient's certificates. Second, no additional certificates may be carried which would help
in validating the recipient's certificates.
Using certificate files for certificate distribution has the benefit Using certificate files for certificate distribution has the benefit
of already being in wide spread use. (They are commonly used for of already being in wide spread use. (They are commonly used for
certificate distribution from Certificate Authorities either as part certificate distribution from Certificate Authorities either as part
of the enrollment protocol or from web based repositories.) The of the enrollment protocol or from web based repositories.) The
degenerate CMS signed object form, certificate files may carry a set degenerate CMS signed object form, certificate files may carry a set
of certificates to allow a sender to validate the recipients of certificates to allow a sender to validate the recipients
certificates. However, they suffer from two drawbacks. First, as certificates. However, they suffer from two drawbacks. First, as
with the public directory, the additional information is not available with the public directory, the additional information is not
as part of the certificate file. Second, the certificate is obtained available as part of the certificate file. Second, the certificate
from either the recipient one is encrypting for or a third party (not is obtained from either the recipient one is encrypting for or a
a directory). third party (not a directory).
Using signed objects for certificate distribution has the benefit of Using signed objects for certificate distribution has the benefit of
allowing additional information such as the SMimeCapabilities allowing additional information such as the SMimeCapabilities
attribute to be carried as part of the package. It also allows for attribute to be carried as part of the package. It also allows for
the inclusion of additional certificates to be used in verifying the the inclusion of additional certificates to be used in verifying the
encryption certificate used to build an encrypted object. However, it encryption certificate used to build an encrypted object. However,
has the drawback that the initialization process is done via a one-on-
one process. Schaad 2
CertDist October 1999
it has the drawback that the initialization process is done via a
one-on-one process.
3. SMimeEncryptCerts 3. SMimeEncryptCerts
When publishing one's own encryption certificates, it is often When publishing one's own encryption certificates, it is often
advisable to publish a wide selection of certificates to insure advisable to publish a wide selection of certificates to insure
maximum interoperability. This section describes an attribute that maximum interoperability. This section describes an attribute that
may be used to both identify the set of encryption certificates and is used both to identify the set of encryption certificates and to
establish the set of bulk encryption algorithms supported by each of establish the set of bulk encryption algorithms supported by each of
the certificates. the certificates.
The SMimeEncryptCerts attribute is used to identify one's own The SMimeEncryptCerts attribute is used to identify one's own
encryption certificates to the other party. This attribute is a encryption certificates to the other party. This attribute is a
sequence so that more than one encryption certificate can be sequence so that more than one encryption certificate can be
identified in a single SignerInfo object. Each certificate is then identified in a single SignerInfo object. Each certificate is then
given a set of capabilities so senders can identify the correct given a set of capabilities so senders can identify the correct
certificate to use for specific capabilities. certificate to use for specific capabilities.
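Review bot: The roadmap sentence in Section 1 still reads "Section 3 covers the definition and properties of a SMimeCertificatePublish object", but Section 3 in this revision is headed "3. SMimeEncryptCerts" and the SMimeCertificatePublish object is defined under Section 4. Update the roadmap to describe Section 3 as the SMimeEncryptCerts attribute and add a sentence for Section 4, so a reader looking for the publish object's signing and validation rules is sent to the right section.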
skipping to change at line 139 skipping to change at line 155
SMimeEncryptCert ::= SEQUENCE { SMimeEncryptCert ::= SEQUENCE {
hash Hash, hash Hash,
capabilities SMIMECapabilities capabilities SMIMECapabilities
} }
SMimeEncryptCerts ::= SEQUENCE OF SmimeEncryptCert SMimeEncryptCerts ::= SEQUENCE OF SmimeEncryptCert
Hash ::= OCTET STRING - SHA1 hash of the certificate Hash ::= OCTET STRING - SHA1 hash of the certificate
When a certificate appears in an SMimeEncryptCerts attribute, the When a certificate appears in an SMimeEncryptCerts attribute, the
certificate MUST be included SignedData object. The order of certificate MUST be available to the verifier in a well known
certificates in the SMimeEncryptCerts attribute is the preferred order location. For plain SignedData objects, this is the certificate bag
of use by the sender. It is expected that the preferred certificate in the object. (Section 4.5 defines another location for LDAP
in the SMIMEEncrpytionKeyPreference would be the first certificate in directories.) The order of certificates in the SMimeEncryptCerts
the SMimeEncryptCerts attribute. attribute is the preferred order of use by the sender.
If present, the SMimeEncryptCerts attribute MUST be an authenticated If present, the SMimeEncryptCerts attribute MUST be an authenticated
attribute; it MUST NOT be an unauthenticated attribute. CMS defines attribute; it MUST NOT be an unauthenticated attribute. CMS defines
authenticatedAttributes as a SET OF AuthAttribute. A SignerInfo MUST authenticatedAttributes as a SET OF AuthAttribute. A SignerInfo
NOT include multiple instances of the SMimeEncryptCerts attribute. CMS MUST NOT include multiple instances of the SMimeEncryptCerts
defines the ASN.1 syntax for the authenticated attributes to include attribute. CMS defines the ASN.1 syntax for the authenticated
attrValues SET OF AttributeValue. A SMimeEncryptCerts attribute MUST attributes to include attrValues SET OF AttributeValue. A
only include a single instance of AttributeValue. There MUST NOT be SMimeEncryptCerts attribute MUST only include a single instance of
zero or multiple instances of AttributeValue present in the attrValues AttributeValue. There MUST NOT be zero or multiple instances of
SET OF AttributeValue. AttributeValue present in the attrValues SET OF AttributeValue.
4. SMimeCertificatePublish Object 4. SMimeCertificatePublish Object
The structure of the SMimeCertificatePublish object is defined in this Schaad 3
section. This object has the benefit that it is published into a CertDist October 1999
directory service (and thus is available to all parties) and it
contains a signed object that allows it to carry the additional The structure of the SMimeCertificatePublish object is defined in
this section. This object has the benefit that it is published into
a directory service (and thus is available to all parties) and
itcontains a signed object that allows it to carry the additional
information desired to increase interoperability. information desired to increase interoperability.
This section describes the LDAP directory schema, the body content and This section describes the LDAP directory schema, the body content
additional restrictions on the attribute and signers of the SignedData and additional restrictions on the attribute and signers of the
object used in publishing the user's certificate. SignedData object used in publishing the user's certificate.
The ASN definition of a SMimeCertificatePublish object is the same a The ASN definition of a SMimeCertificatePublish object is the same a
CMS signed object. CMS signed object.
SMimeCertificatePublish ::= ContentInfo SMimeCertificatePublish ::= ContentInfo
Where the contentType is id-signed-data and the content is a Where the contentType is id-signed-data and the content is a
SignedData content. SignedData content.
A SMimeCertificatePublish object MAY contain multiple SignerInfo A SMimeCertificatePublish object MAY contain multiple SignerInfo
objects. Each SignerInfo object is independent. This document objects. Each SignerInfo object is independent. This document
imposes no restrictions on attributes that appear in more that one imposes no restrictions on attributes that appear in more that one
SignerInfo object. SignerInfo object.
4.1 Signed Content 4.1 Signed Content
The SMimeCertificatePublish object is explicitly designed to carry no The SMimeCertificatePublish object is explicitly designed to carry
body content. All information is carried in the signed attribute no body content. All information is carried in the signed attribute
section of the SignerInfo. section of the SignerInfo.
The following object identifier is used to distinguish the content of The following object identifier is used to distinguish the content
a SMimeCertificatePublish: of a SMimeCertificatePublish:
id-ct-publishCert OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-ct-publishCert OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-ct(1) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-ct(1)
3) 3)
When creating a SMimeCertificatePublish object, the eContent of the When creating a SMimeCertificatePublish object, the eContent of the
Signed-Data object is omitted and the eContentType OID is set to id- Signed-Data object is omitted and the eContentType OID is set to id-
ct- publishCert. Note this is different from an empty content, which ct- publishCert. Note this is different from an empty content,
would be represented as an octet string containing zero bytes. The which would be represented as an octet string containing zero bytes.
hash of the body (used in the id-message-digest attribute) is set to The hash of the body (used in the id-message-digest attribute) is
the initialization value of the hash function. (This is expected to set to the initialization value of the hash function. (This is
provide the same result as if you had hashed a body containing exactly expected to provide the same result as if you had hashed a body
0 bytes.) containing exactly 0 bytes.)
4.2 Signed Attributes 4.2 Signed Attributes
The signed attributes section MUST be present in the SignerInfo The signed attributes section MUST be present in the SignerInfo
object, and the following signed attributes MUST be present: The object, and the following signed attributes MUST be present: The
signing-time attribute (from [CMS]), the SMimeCapabilities and signing-time attribute (from [CMS]), the SMimeCapabilities and
SMIMEEncryptionKeyPreference (from [SMIME]). SMIMEEncryptionKeyPreference (from [SMIME]).
4.3 CertificateSet 4.3 CertificateSet
This draft imposes additional restrictions on the set of certificates Schaad 4
to be included in the SignedData object beyond those specified in CertDist October 1999
[CMS] and [SMIMECERT]. A chain of certificate from the end-entity
certificate(s) to the root certificate(s) MUST be included in the
CertificateSet. Unlike in S/MIME messages the root certificate MUST be
included in the CertificateSet. The root certificate is included so
that end-entities have a better chance of finding and independently
verifying the trustworthiness of the root certificate based on its
content.
User agents MUST NOT automatically trust any root certificate found in This draft imposes additional restrictions on the set of
a SMimeCertificatePublish object. certificates to be included in the SignedData object beyond those
specified in [CMS] and [SMIMECERT]. A chain of certificate from the
end-entitycertificate(s) to the root certificate(s) MUST be included
in the CertificateSet. Unlike in S/MIME messages the root
certificate MUST be included in the CertificateSet. The root
certificate is included so that end-entities have a better chance of
finding and independently verifying the trustworthiness of the root
certificate based on its content.
User agents MUST NOT automatically trust any root certificate found
in a SMimeCertificatePublish object.
4.4 Signing Certificate 4.4 Signing Certificate
The SMimeCertificatePublish object MUST be signed by a signing The SMimeCertificatePublish object MUST be signed by a signing
certificate associated with the end-entity, or a signing certificate certificate associated with the end-entity, or a signing certificate
of a CA in the validation path of the encryption certificate. of a CA in the validation path of the encryption certificate.
Part of the process of extracting certificates involves comparing the Part of the process of extracting certificates involves comparing
certificate found to the address matching the directory look-up. The the certificate found to the address matching the directory look-up.
validation SHOULD match the address used to look up the certificate The validation SHOULD match the address used to look up the
with one of the names found in the certificate. Thus if an RFC822 certificate with one of the names found in the certificate. Thus,
name was used to do the directory look-up, the RFC822 name would be in if an RFC822 name was used to do the directory look-up, the RFC822
the SubjectAltName extension on the certificate. name would be in the SubjectAltName extension on the certificate.
The steps for extracting the encryption certificate from a The steps for extracting the encryption certificate from a
SMimeCertificatePublish object are as follows: SMimeCertificatePublish object are as follows:
1. Verify that the SMimeCertificatePublish object contains a valid 1. Verify that the SMimeCertificatePublish object contains a valid
signature and the certificate used to sign the message can be signature and the certificate used to sign the message can be
validated. validated.
2. Does the certificate used to sign the SMimeCertificatePublish 2. Does the certificate used to sign the SMimeCertificatePublish
object "match" the intended recipient of the encryption object? If object "match" the intended recipient of the encryption object?
so, proceed to step 6 else step 3. If so, proceed to step 6 else no encryption certificate is found.
3. Does the certificate referenced in the SMIMEEncryptionKeyPreference
attribute "match" the intended recipient of the encryption object?
If so, proceed to step 4, else stop with failure.
4. Validate the referenced encryption certificate.
5. Compare the signing certificate to the set of certificates used to 3. Get the set of potential encryption certificates from the
verify the encryption certificate. Is the signing certificate in SMIMEEncryptCerts attribute in the signed attributes of the
the set of verification certificates? If yes then the encryption SMimeCertificatePublish object.
certificate has been located. If no, no encryption certificate was
found.
6. Locate the encryption certificate using the 4. Select the encryption certificate from the set of potential
SMIMEEncryptionKeyPreference attribute in the signed attributes of encryption certificates by validating the certificate and
the SMimeCertificatePublish object. examining the set of encryption algorithms.
In all cases, once an encryption certificate has been obtained, the In all cases, once an encryption certificate has been obtained, the
standard methods of validating signatures on the certificate and standard methods of validating signatures on the certificate and
checking for revocation MUST be followed. checking for revocation MUST be followed.
4.5 LDAP Schema 4.5 LDAP Schema
After a SignedData object has been produced, it needs to be published After a SignedData object has been produced, it needs to be
into one or more directories. This section describes the LDAP schema published into one or more directories. This section describes the
used to support this. LDAP schema used to support this.
Schaad 5
CertDist October 1999
A new LDAP attribute userSMimeCertificate is defined by this document. A new LDAP attribute userSMimeCertificate is defined by this
The attribute is defined according to the syntax provided in [LDAPV3]. document. The attribute is defined according to the syntax provided
The definition of this attribute is: in [LDAPV3]. The definition of this attribute is:
( 1 2 840 113549 1 9 16 <TBD> ( 1 2 840 113549 1 9 16 <TBD>
NAME `userSMimeCertificate' NAME `userSMimeCertificate'
SYNTAX `binary' SYNTAX `binary'
MULTI-VALUE MULTI-VALUE
USAGE userApplications USAGE userApplications
) )
If the SignedData object is to be published in userSMimeCertificate,
the end-entity certificates MAY be omitted from the certificate bag
and published in the userCertificates LDAP attribute instead.
If the CA is the only entity that can write to the directory, it may If the CA is the only entity that can write to the directory, it may
wish to provide some mechanism for updating the attributes such as the wish to provide some mechanism for updating the attributes such as
smimeUserCapabilities in the published object. the smimeUserCapabilities in the published object.
4.6 MIME Encoding 4.6 MIME Encoding
The application/pkcs7-mime-publish type is used to carry The application/pkcs7-mime-publish content type is used to carry
SMimeCertificatePublish objects as mime objects. The optional "name" SMimeCertificatePublish objects as mime objects. The optional
parameter SHOULD be emitted as part of the Content-Type field. The "name" parameter SHOULD be emitted as part of the Content-Type
file extension for the file name SHOULD be ". p7p". field. The file extension for the file name SHOULD be ".p7p".
A. ASN Module A. ASN Module
SMimeCertDistributionSyntax SMimeCertDistributionSyntax
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) <TBD> } pkcs(1) pkcs-9(9) smime(16) modules(0) <TBD> }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All -- EXPORTS All
-- The types and values defined in this module are exported for use -- The types and values defined in this module are exported for
-- in the other ASN.1 modules. Other applications may use them for -- use in the other ASN.1 modules. Other applications may use
-- their own purposes. -- them for their own purposes.
IMPORTS IMPORTS
-- SMime Cryptographic Message Format -- SMime Cryptographic Message Format
ContentInfo ContentInfo
FROM CryptographicMessageSyntax { iso(1) member-body(2) FROM CryptographicMessageSyntax { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
modules(0) cms(1) } modules(0) cms(1) }
-- SecureMimeMessageV3 -- SecureMimeMessageV3
SMIMECapabilities SMIMECapabilities
FROM SecureMimeMessageV3 { iso(1) member-body(2) us(840) FROM SecureMimeMessageV3 { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
smime(4)}; smime(4)};
-- S/MIME Object Identifier Registry -- S/MIME Object Identifier Registry
Schaad 6
CertDist October 1999
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) }
-- Authenticated Attribute identifing Encryption Certificates -- Authenticated Attribute identifing Encryption Certificates
-- Value is a single SMimeEncryptCerts -- Value is a single SMimeEncryptCerts
id-aa-smimeEncryptCerts OBJECT IDENTIFIER ::= { id-smime id-aa(2) 13 id-aa-smimeEncryptCerts OBJECT IDENTIFIER ::= { id-smime id-aa(2)
} 13 }
SMimeEncryptCerts ::= SEQUENCE OF SMimeEncryptCert SMimeEncryptCerts ::= SEQUENCE OF SMimeEncryptCert
SMimeEncryptCert ::= SEQUENCE { SMimeEncryptCert ::= SEQUENCE {
hash Hash, hash Hash,
capabilities SMIMECapabilities capabilities SMIMECapabilities
} }
Hash ::= OCTET STRING -- SHA1 hash of the certificate Hash ::= OCTET STRING -- SHA1 hash of the certificate
-- Content Type of Certificate publish message. -- Content Type of Certificate publish message.
-- Signed content is detatched and empty -- Signed content is detatched and empty
id-ct-publishCert OBJECT IDENTIFIER ::= { id-smime id-ct(1) 3 } id-ct-publishCert OBJECT IDENTIFIER ::= { id-smime id-ct(1) 3 }
SMimeCertificatePublish ::= ContentInfo SMimeCertificatePublish ::= ContentInfo
END -- of SMimeCertDistributionSyntax END -- of SMimeCertDistributionSyntax
B. Backwards Compatibility B. Backwards Compatibility
The SMimeCertificatePublish object is based on work previously done at The SMimeCertificatePublish object is based on work previously done
both Microsoft and Netscape. at both Microsoft and Netscape.
Both of these companies have implemented a version of Both of these companies have implemented a version of
userSMimeCertificate in their mail LDAP directory structures. userSMimeCertificate in their mail LDAP directory structures.
Microsoft has also put the property into its MAPI based directory Microsoft has also put the property into its MAPI based directory
schema. schema.
Both companies use a ContentInfo object containing a SignedData object Both companies use a ContentInfo object containing a SignedData
with one SignerInfo object. In both cases however the eContent is object with one SignerInfo object. In both cases however the
tagged with id-data not id-ct-publishCert. The actual content is eContent is tagged with id-data not id-ct-publishCert. The actual
omitted from the SMimeCertificatePublish object. content is omitted from the SMimeCertificatePublish object.
In the case of both companies, clients who implement this feature In the case of both companies, clients who implement this feature
require that the end-entity is the signer of the object; the CA is not require that the end-entity is the signer of the object; the CA is
permitted to sign and publish the object. not permitted to sign and publish the object.
Microsoft has also produced an early version of the SMimeEncryptCerts Microsoft has also produced an early version of the
attribute. The syntax for this structure is SMimeEncryptCerts attribute. The syntax for this structure is
id-Microsoft-SMimeEncryptCert OBJECT IDENTIFIER ::= {1 3 6 1 4 1 311 id-Microsoft-SMimeEncryptCert OBJECT IDENTIFIER ::= {1 3 6 1 4 1
16 4} 311 16 4}
Microsoft-SMimeEncryptionert ::= IssuerAndSerialNumber Microsoft-SMimeEncryptionert ::= IssuerAndSerialNumber
A description of IssuerAndSerialNumber can be find in [CMS]. A description of IssuerAndSerialNumber can be find in [CMS].
Schaad 7
CertDist October 1999
C. Registration of MIME C. Registration of MIME
To: ietf-types@iana.org To: ietf-types@iana.org
Subject: Registration of MIME media type application/pkcs7-mime- Subject: Registration of MIME media type application/pkcs7-mime-
publish publish
MIME media type name: application MIME media type name: application
MIME subtype name: pkcs7-mime-publish MIME subtype name: pkcs7-mime-publish
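Review bot: In the revised extraction procedure in 4.4, step 2 now reads "If so, proceed to step 6 else no encryption certificate is found", but the new list ends at step 4, so the success branch points at a step that no longer exists; it should read "proceed to step 3". The same step rejects any object whose signing certificate does not match the intended recipient, while the first paragraph of 4.4 still permits "a signing certificate of a CA in the validation path of the encryption certificate", so a CA-signed object can never yield a certificate under the new steps; either restore a CA branch in the procedure or remove the CA option from the MUST. Steps 3 and 4 also depend on the SMIMEEncryptCerts attribute, which 4.2 does not list among the signed attributes that MUST be present, so the text should say what a verifier does when that attribute is absent.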
skipping to change at line 403 skipping to change at line 429
base-64 encoding base-64 encoding
Security considerations: There is no requirement for additional Security considerations: There is no requirement for additional
security mechanisms to be applied at this level. The required security mechanisms to be applied at this level. The required
mechanisms are designed into the SMimeCertificatePublish content. mechanisms are designed into the SMimeCertificatePublish content.
Interoperability considerations: - Interoperability considerations: -
Published specification: this document Published specification: this document
Applications that use this media type: Secure Internet mail and other Applications that use this media type: Secure Internet mail and
secure data transports. other secure data transports.
Additional information: Additional information:
File extension (s): p7p File extension (s): p7p
Macintosh File Type Code (s): - Macintosh File Type Code (s): -
Person and email address to contact for further information: Jim Person and email address to contact for further information: Jim
Schaad, jimsch@microsoft.com Schaad, jimsch@microsoft.com
Intended usage: COMMON Intended usage: COMMON
D. Open Issues D. Example Message
- Need Example Message In this example Alice makes the statement that messages encrypted
for her should use one of two encryption certificates issued to Bob.
0 30 NDEF: SEQUENCE {
2 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
13 A0 NDEF: [0] {
15 30 NDEF: SEQUENCE {
17 02 1: INTEGER 1
20 31 11: SET {
22 30 9: SEQUENCE {
24 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
31 05 0: NULL
: }
: }
33 30 NDEF: SEQUENCE {
35 06 11: OBJECT IDENTIFIER
: id-ct-publishCert (1 2 840 113549 1 9 16 1 3)
Schaad 8
CertDist October 1999
48 A0 NDEF: [0] {
: }
: }
54 A0 3298: [0] {
58 30 491: SEQUENCE {
62 30 340: SEQUENCE {
66 A0 3: [0] {
68 02 1: INTEGER 2
: }
71 02 16: INTEGER
: 46 34 6B C7 80 00 56 BC 11 D3 6E 2E 9F F2 50 20
89 30 13: SEQUENCE {
91 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
102 05 0: NULL
: }
104 30 18: SEQUENCE {
106 31 16: SET {
108 30 14: SEQUENCE {
110 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
115 13 7: PrintableString 'CarlRSA'
: }
: }
: }
124 30 30: SEQUENCE {
126 17 13: UTCTime '990818070000Z'
141 17 13: UTCTime '391231235959Z'
: }
156 30 18: SEQUENCE {
158 31 16: SET {
160 30 14: SEQUENCE {
162 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
167 13 7: PrintableString 'CarlRSA'
: }
: }
: }
176 30 159: SEQUENCE {
179 30 13: SEQUENCE {
181 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
192 05 0: NULL
: }
194 03 141: BIT STRING 0 unused bits
: 30 81 89 02 81 81 00 E4 4B FF 18 B8 24 57 F4 77
: FF 6E 73 7B 93 71 5C BC 33 1A 92 92 72 23 D8 41
: 46 D0 CD 11 3A 04 B3 8E AF 82 9D BD 51 1E 17 7A
: F2 76 2C 2B 86 39 A7 BD D7 8D 1A 53 EC E4 00 D5
: E8 EC A2 36 B1 ED E2 50 E2 32 09 8A 3F 9F 99 25
: 8F B8 4E AB B9 7D D5 96 65 DA 16 A0 C5 BE 0E AE
: 44 5B EF 5E F4 A7 29 CB 82 DD AC 44 E9 AA 93 94
: 29 0E F8 18 D6 C8 57 5E F2 76 C4 F2 11 60 38 B9
: 1B 3C 1D 97 C9 6A F1 02 03 01 00 01
: }
338 A3 66: [3] {
340 30 64: SEQUENCE {
Schaad 9
CertDist October 1999
342 30 15: SEQUENCE {
344 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
349 01 1: BOOLEAN TRUE
352 04 5: OCTET STRING
: 30 03 01 01 FF
: }
359 30 14: SEQUENCE {
361 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
366 01 1: BOOLEAN TRUE
369 04 4: OCTET STRING
: 03 02 01 86
: }
375 30 29: SEQUENCE {
377 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
382 04 22: OCTET STRING
: 04 14 E9 E0 90 27 AC 78 20 7A 9A D3 4C F2 42 37
: 4E 22 AE 9E 38 BB
: }
: }
: }
: }
406 30 13: SEQUENCE {
408 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
419 05 0: NULL
: }
421 03 129: BIT STRING 0 unused bits
: B7 9E D4 04 D3 ED 29 E4 FF 89 89 15 2E 4C DB 0C
: F0 48 0F 32 61 EE C4 04 EC 12 5D 2D FF 0F 64 59
: 7E 0A C3 ED 18 FD E3 56 40 37 A7 07 B5 F0 38 12
: 61 50 ED EF DD 3F E3 0B B8 61 A5 A4 9B 3C E6 9E
: 9C 54 9A B6 95 D6 DA 6C 3B B5 2D 45 35 9D 49 01
: 76 FA B9 B9 31 F9 F9 6B 12 53 A0 F5 14 60 9B 7D
: CA 3E F2 53 6B B0 37 6F AD E6 74 D7 DB FA 5A EA
: 14 41 63 5D CD BE C8 0E C1 DA 6A 8D 53 34 18 02
: }
553 30 520: SEQUENCE {
557 30 369: SEQUENCE {
561 A0 3: [0] {
563 02 1: INTEGER 2
: }
566 02 16: INTEGER
: 46 34 6B C7 80 00 56 BC 11 D3 6E 2E CD 5D 71 D0
584 30 13: SEQUENCE {
586 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
597 05 0: NULL
: }
599 30 18: SEQUENCE {
601 31 16: SET {
603 30 14: SEQUENCE {
605 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
610 13 7: PrintableString 'CarlRSA'
: }
Schaad 10
CertDist October 1999
: }
: }
619 30 30: SEQUENCE {
621 17 13: UTCTime '990819070000Z'
636 17 13: UTCTime '391231235959Z'
: }
651 30 17: SEQUENCE {
653 31 15: SET {
655 30 13: SEQUENCE {
657 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
662 13 6: PrintableString 'BobRSA'
: }
: }
: }
670 30 159: SEQUENCE {
673 30 13: SEQUENCE {
675 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
686 05 0: NULL
: }
688 03 141: BIT STRING 0 unused bits
: 30 81 89 02 81 81 00 CA 5C E1 2E EC CF C1 3B 5D
: 10 1B DF 54 35 71 99 0A 09 D8 3D E4 61 BF A0 BE
: 0A BE 11 A4 3C B5 38 41 41 48 04 E1 5B B1 17 1C
: 53 B5 F4 C5 15 D3 FE 0C FB 0C AC EA 80 18 36 03
: 7E 41 93 53 D7 40 74 49 DB D9 C6 AF FE D6 CA 0D
: CA 01 84 8F A1 E9 A3 00 21 27 51 D5 40 19 AA E3
: C0 30 78 5B A0 B2 E6 C1 2D 24 36 CB AE 44 10 82
: B0 DD 74 D7 F6 EB 51 27 B2 A7 B6 AD 78 CA A7 1B
: 59 51 18 EF 28 0C 53 02 03 01 00 01
: }
832 A3 96: [3] {
834 30 94: SEQUENCE {
836 30 12: SEQUENCE {
838 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
843 01 1: BOOLEAN TRUE
846 04 2: OCTET STRING
: 30 00
: }
850 30 14: SEQUENCE {
852 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
857 01 1: BOOLEAN TRUE
860 04 4: OCTET STRING
: 03 02 05 20
: }
866 30 31: SEQUENCE {
868 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
873 04 24: OCTET STRING
: 30 16 80 14 E9 E0 90 27 AC 78 20 7A 9A D3 4C F2
: 42 37 4E 22 AE 9E 38 BB
: }
899 30 29: SEQUENCE {
901 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
Schaad 11
CertDist October 1999
906 04 22: OCTET STRING
: 04 14 E8 F4 B8 67 D8 B3 96 A4 2A F3 11 AA 29 D3
: 95 5A 86 16 B4 24
: }
: }
: }
: }
930 30 13: SEQUENCE {
932 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
943 05 0: NULL
: }
945 03 129: BIT STRING 0 unused bits
: 2B 53 8A E0 38 69 0C 19 2D AA D9 42 67 BE 58 49
: A9 58 4C 42 F1 F5 68 B6 4E 4D 07 A4 9E B2 DB D0
: 95 DF 4C F0 EF 5F 23 D6 90 7C 3F 62 92 86 E4 D2
: 64 AB 2E B5 CA 5D 58 57 04 DF 39 29 73 B0 CD A5
: 6B 22 75 C9 5D D5 0B FF C9 B8 7B F0 09 2C A1 86
: F3 75 CD 54 67 AD 8B 1E 7B EC 7E AB 25 2B 14 71
: 98 D1 19 16 F0 60 EB 3B 3C F4 0F 24 98 7A A4 A4
: BA E6 C2 4E 80 07 EA C4 93 92 8B 49 17 FE 42 58
: }
1077 30 667: SEQUENCE {
1081 30 602: SEQUENCE {
1085 A0 3: [0] {
1087 02 1: INTEGER 2
: }
1090 02 1: INTEGER 1
1093 30 9: SEQUENCE {
1095 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
1104 30 18: SEQUENCE {
1106 31 16: SET {
1108 30 14: SEQUENCE {
1110 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1115 13 7: PrintableString 'CarlDSS'
: }
: }
: }
1124 30 30: SEQUENCE {
1126 17 13: UTCTime '990816225050Z'
1141 17 13: UTCTime '391231235959Z'
: }
1156 30 18: SEQUENCE {
1158 31 16: SET {
1160 30 14: SEQUENCE {
1162 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1167 13 7: PrintableString 'CarlDSS'
: }
: }
: }
1176 30 439: SEQUENCE {
1180 30 299: SEQUENCE {
1184 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
1193 30 286: SEQUENCE {
Schaad 12
CertDist October 1999
1197 02 129: INTEGER
: 00 B6 49 18 3E 8A 44 C1 29 71 94 4C 01 C4 12 C1
: 7A 79 CB 54 4D AB 1E 81 FB C6 4C B3 0E 94 09 06
: EB 01 D4 B1 C8 71 4B C7 45 C0 50 25 5D 9C FC DA
: E4 6D D3 E2 86 48 84 82 7D BA 15 95 4A 16 F6 46
: ED DD F6 98 D2 BB 7E 8A 0A 8A BA 16 7B B9 50 01
: 48 93 8B EB 25 15 51 97 55 DC 8F 53 0E 10 A9 50
: FC 70 B7 CD 30 54 FD DA DE A8 AA 22 B5 A1 AF 8B
: CC 02 88 E7 8B 70 5F B9 AD E1 08 D4 6D 29 2D D6
: E9
1329 02 21: INTEGER
: 00 DD C1 2F DF 53 CE 0B 34 60 77 3E 02 A4 BF 8A
: 5D 98 B9 10 D5
1352 02 128: INTEGER
: 0C EE 57 9B 4B BD DA B6 07 6A 74 37 4F 55 7F 9D
: ED BC 61 0D EB 46 59 3C 56 0B 2B 5B 0C 91 CE A5
: 62 52 69 CA E1 6D 3E BD BF FE E1 B7 B9 2B 61 3C
: AD CB AE 45 E3 06 AC 8C 22 9D 9C 44 87 0B C7 CD
: F0 1C D9 B5 4E 5D 73 DE AF 0E C9 1D 5A 51 F5 4F
: 44 79 35 5A 73 AA 7F 46 51 1F A9 42 16 9C 48 EB
: 8A 79 61 B4 D5 2F 53 22 44 63 1F 86 B8 A3 58 06
: 25 F8 29 C0 EF BA E0 75 F0 42 C4 63 65 52 9B 0A
: }
: }
1483 03 133: BIT STRING 0 unused bits
: 02 81 81 00 99 87 74 27 03 66 A0 B1 C0 AD DC 2C
: 75 BB E1 6C 44 9C DA 21 6D 4D 47 6D B1 62 09 E9
: D8 AE 1E F2 3A B4 94 B1 A3 8E 7A 9B 71 4E 00 94
: C9 B4 25 4E B9 60 96 19 24 01 F3 62 0C FE 75 C0
: FB CE D8 68 00 E3 FD D5 70 4F DF 23 96 19 06 94
: F4 B1 61 8F 3A 57 B1 08 11 A4 0B 26 25 F0 52 76
: 81 EA 0B 62 0D 95 2A E6 86 BA 72 B2 A7 50 83 0B
: AA 27 CD 1B A9 4D 89 9A D7 8D 18 39 84 3F 8B C5
: 56 4D 80 7A
: }
1619 A3 66: [3] {
1621 30 64: SEQUENCE {
1623 30 15: SEQUENCE {
1625 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
1630 01 1: BOOLEAN TRUE
1633 04 5: OCTET STRING
: 30 03 01 01 FF
: }
1640 30 14: SEQUENCE {
1642 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
1647 01 1: BOOLEAN TRUE
1650 04 4: OCTET STRING
: 03 02 01 86
: }
1656 30 29: SEQUENCE {
1658 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
1663 04 22: OCTET STRING
: 04 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3 3D 20
: BC 43 2B 93 F1 1F
Schaad 13
CertDist October 1999
: }
: }
: }
: }
1687 30 9: SEQUENCE {
1689 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
1698 03 48: BIT STRING 0 unused bits
: 30 2D 02 14 6B A9 F0 4E 7A 5A 79 E3 F9 BE 3D 2B
: C9 06 37 E9 11 17 A1 13 02 15 00 8F 34 69 2A 8B
: B1 3C 03 79 94 32 4D 12 1F CE 89 FB 46 B2 3B
: }
1748 30 734: SEQUENCE {
1752 30 669: SEQUENCE {
1756 A0 3: [0] {
1758 02 1: INTEGER 2
: }
1761 02 2: INTEGER 200
1765 30 9: SEQUENCE {
1767 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
1776 30 18: SEQUENCE {
1778 31 16: SET {
1780 30 14: SEQUENCE {
1782 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1787 13 7: PrintableString 'CarlDSS'
: }
: }
: }
1796 30 30: SEQUENCE {
1798 17 13: UTCTime '990817011049Z'
1813 17 13: UTCTime '391231235959Z'
: }
1828 30 19: SEQUENCE {
1830 31 17: SET {
1832 30 15: SEQUENCE {
1834 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1839 13 8: PrintableString 'AliceDSS'
: }
: }
: }
1849 30 438: SEQUENCE {
1853 30 299: SEQUENCE {
1857 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
1866 30 286: SEQUENCE {
1870 02 129: INTEGER
: 00 81 8D CD ED 83 EA 0A 9E 39 3E C2 48 28 A3 E4
: 47 93 DD 0E D7 A8 0E EC 53 C5 AB 84 08 4F FF 94
: E1 73 48 7E 0C D6 F3 44 48 D1 FE 9F AF A4 A1 89
: 2F E1 D9 30 C8 36 DE 3F 9B BF B7 4C DC 5F 69 8A
: E4 75 D0 37 0C 91 08 95 9B DE A7 5E F9 FC F4 9F
: 2F DD 43 A8 8B 54 F1 3F B0 07 08 47 4D 5D 88 C3
: C3 B5 B3 E3 55 08 75 D5 39 76 10 C4 78 BD FF 9D
: B0 84 97 37 F2 E4 51 1B B5 E4 09 96 5C F3 7E 5B
: DB
Schaad 14
CertDist October 1999
2002 02 21: INTEGER
: 00 E2 47 A6 1A 45 66 B8 13 C6 DA 8F B8 37 21 2B
: 62 8B F7 93 CD
2025 02 128: INTEGER
: 26 38 D0 14 89 32 AA 39 FB 3E 6D D9 4B 59 6A 4C
: 76 23 39 04 02 35 5C F2 CB 1A 30 C3 1E 50 5D DD
: 9B 59 E2 CD AA 05 3D 58 C0 7B A2 36 B8 6E 07 AF
: 7D 8A 42 25 A7 F4 75 CF 4A 08 5E 4B 3E 90 F8 6D
: EA 9C C9 21 8A 3B 76 14 E9 CE 2E 5D A3 07 CD 23
: 85 B8 2F 30 01 7C 6D 49 89 11 89 36 44 BD F8 C8
: 95 4A 53 56 B5 E2 F9 73 EC 1A 61 36 1F 11 7F C2
: BD ED D1 50 FF 98 74 C2 D1 81 4A 60 39 BA 36 39
: }
: }
2156 03 132: BIT STRING 0 unused bits
: 02 81 80 5C E3 B9 5A 75 14 96 0B A9 7A DD E3 3F
: A9 EC AC 5E DC BD B7 13 11 34 A6 16 89 28 11 23
: D9 34 86 67 75 75 13 12 3D 43 5B 6F E5 51 BF FA
: 89 F2 A2 1B 3E 24 7D 3D 07 8D 5B 63 C8 BB 45 A5
: A0 4A E3 85 D6 CE 06 80 3F E8 23 7E 1A F2 24 AB
: 53 1A B8 27 0D 1E EF 08 BF 66 14 80 5C 62 AC 65
: FA 15 8B F1 BB 34 D4 D2 96 37 F6 61 47 B2 C4 32
: 84 F0 7E 41 40 FD 46 A7 63 4E 33 F2 A5 E2 F4 F2
: 83 E5 B8
: }
2291 A3 131: [3] {
2294 30 128: SEQUENCE {
2297 30 32: SEQUENCE {
2299 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
2304 04 25: OCTET STRING
: 30 17 81 15 61 6C 69 63 65 44 73 73 40 65 78 61
: 6D 70 6C 65 73 2E 63 6F 6D
: }
2331 30 12: SEQUENCE {
2333 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
2338 01 1: BOOLEAN TRUE
2341 04 2: OCTET STRING
: 30 00
: }
2345 30 14: SEQUENCE {
2347 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
2352 01 1: BOOLEAN TRUE
2355 04 4: OCTET STRING
: 03 02 06 C0
: }
2361 30 31: SEQUENCE {
2363 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
2368 04 24: OCTET STRING
: 30 16 80 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3
: 3D 20 BC 43 2B 93 F1 1F
: }
2394 30 29: SEQUENCE {
2396 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
Schaad 15
CertDist October 1999
2401 04 22: OCTET STRING
: 04 14 BE 6C A1 B3 E3 C1 F7 ED 43 70 A4 CE 13 01
: E2 FD E3 97 FE CD
: }
: }
: }
: }
2425 30 9: SEQUENCE {
2427 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
2436 03 48: BIT STRING 0 unused bits
: 30 2D 02 15 00 98 B0 C6 3F CF 71 47 5A 35 A9 4A
: 8F C0 F8 24 05 E8 46 94 8E 02 14 5B 9F 48 C0 8C
: A1 C1 02 9C 44 EA E9 A1 87 C1 A5 7F 28 2D BB
: }
2486 30 866: SEQUENCE {
2490 30 801: SEQUENCE {
2494 A0 3: [0] {
2496 02 1: INTEGER 2
: }
2499 02 2: INTEGER 201
2503 30 9: SEQUENCE {
2505 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
2514 30 18: SEQUENCE {
2516 31 16: SET {
2518 30 14: SEQUENCE {
2520 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
2525 13 7: PrintableString 'CarlDSS'
: }
: }
: }
2534 30 30: SEQUENCE {
2536 17 13: UTCTime '990817011828Z'
2551 17 13: UTCTime '391231235959Z'
: }
2566 30 16: SEQUENCE {
2568 31 14: SET {
2570 30 12: SEQUENCE {
2572 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
2577 13 5: PrintableString 'bobDH'
: }
: }
: }
2584 30 578: SEQUENCE {
2588 30 439: SEQUENCE {
2592 06 7: OBJECT IDENTIFIER
: dhPublicNumber (1 2 840 10046 2 1)
2601 30 426: SEQUENCE {
2605 02 129: INTEGER
: 00 EC 2C CD A4 EF 9A 26 2F 62 A7 BB 23 4D DF 2B
: 25 C1 68 D2 9E A9 45 5B 36 F1 94 89 1A AF 7D 11
: 24 9D 3D B9 3C 29 E8 D7 23 80 33 A6 9E 45 02 BB
: AA CC 9E 28 05 95 A0 B3 17 76 C1 F7 25 35 61 02
: 41 92 27 0C 5E AE 48 E5 F3 6E 38 EF 91 D1 CF 37
Schaad 16
CertDist October 1999
: FE 9A 40 97 C8 2D 35 9E 9D 93 C6 F8 15 AF 3F DA
: 74 3A B7 C4 93 B5 B9 BB 76 6C 1F A8 7E BC 3A AA
: 43 0A 81 64 FC 63 F0 7B 71 98 FA C0 38 79 10 1A
: 33
2737 02 129: INTEGER
: 00 BA 0B D7 74 3D E7 34 E5 4C 13 A7 95 96 BB F1
: E4 61 37 08 FB 12 C7 FB 9C 91 77 06 99 35 F0 48
: 24 96 33 12 01 7E 8D EC 0B F6 B2 C0 63 A7 15 C5
: 5E 95 86 A2 73 C5 49 46 37 79 60 FD 77 05 09 48
: 9B 70 8D 3C 05 F6 CE 44 2C 7F 7D 1B 2B 15 DD F3
: 05 2F BE 85 20 8F 8D F9 B4 A0 45 74 2B F4 3B 9D
: 42 62 34 27 27 81 8E 6F 0F 5E 62 85 89 CC ED 21
: C3 91 70 06 54 EE 70 A8 92 55 5B 6E 19 22 4D 62
: A7
2869 02 33: INTEGER
: 00 C3 AB 4A 30 79 B3 D3 97 4E CA F5 A2 7D C7 70
: A3 45 F3 B3 A2 86 05 D2 3E 49 F9 9F D9 0A B3 BE
: BD
2904 02 97: INTEGER
: 01 34 FE C2 33 48 EB F6 3B 97 D9 E4 97 A7 60 A5
: 25 69 34 FB FD 46 2A D6 C9 C4 C5 F7 D6 F4 04 19
: 8D 94 D9 8A 37 68 69 67 55 FB F2 6B 0E 47 C5 5B
: 0B 4B 0E 1C 1A 8B 7B 75 B7 AA C3 AA D7 EB 3B DA
: 2A 8D 02 87 37 47 83 D7 31 B4 25 A8 AC BB 11 88
: 53 1C 11 92 B6 69 E7 2E 90 C1 7A FC 87 F4 F6 D7
: 1A
3003 30 26: SEQUENCE {
3005 03 21: BIT STRING 0 unused bits
: B9 FF 1C 93 44 67 37 D1 B2 F8 57 9A 32 4A C9 4A
: FF 3B EC 1E
3028 02 1: INTEGER 29
: }
: }
: }
3031 03 132: BIT STRING 0 unused bits
: 02 81 80 6F D4 F6 CD 94 9A 6E AF 5B 57 17 96 75
: BB 0F B9 48 E9 90 37 0D 15 20 C2 55 1E 13 E2 AE
: 71 17 84 C3 0E 74 AE 8A 55 7F 28 7D 8B D7 28 22
: 9C 76 46 D7 3B 4F 9D D1 4D 1B B2 DB 51 94 C5 6D
: 54 96 40 38 8A 38 81 63 4A 8C C3 1E 09 89 74 A6
: 58 D5 C8 5A 3D CF BB B8 23 7F 9C 1F 7D 78 FA 9E
: F9 90 9E 91 E7 4B C2 A4 BE 45 06 78 42 58 3D 9F
: 63 2C EF 84 D4 67 E5 FB C6 6D A2 36 29 67 90 46
: DB 4E 48
: }
3166 A3 127: [3] {
3168 30 125: SEQUENCE {
3170 30 29: SEQUENCE {
3172 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
3177 04 22: OCTET STRING
: 30 14 81 12 62 6F 62 44 68 40 65 78 61 6D 70 6C
: 65 73 2E 63 6F 6D
: }
3201 30 12: SEQUENCE {
3203 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
Schaad 17
CertDist October 1999
3208 01 1: BOOLEAN TRUE
3211 04 2: OCTET STRING
: 30 00
: }
3215 30 14: SEQUENCE {
3217 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
3222 01 1: BOOLEAN TRUE
3225 04 4: OCTET STRING
: 03 02 03 08
: }
3231 30 31: SEQUENCE {
3233 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
3238 04 24: OCTET STRING
: 30 16 80 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3
: 3D 20 BC 43 2B 93 F1 1F
: }
3264 30 29: SEQUENCE {
3266 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
3271 04 22: OCTET STRING
: 04 14 26 FF 19 48 C3 59 33 68 56 8D 7E C8 80 68
: 5C CF 3C 72 DD 26
: }
: }
: }
: }
3295 30 9: SEQUENCE {
3297 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
3306 03 48: BIT STRING 0 unused bits
: 30 2D 02 14 15 EA 15 43 E3 49 22 86 C1 BB E5 DA
: E4 0E B8 09 E0 D5 72 35 02 15 00 AE 4F 51 29 73
: 71 75 A9 81 EB ED 9D 5E 00 19 7E F0 DE 5A D6
: }
: }
3356 31 283: SET {
3360 30 279: SEQUENCE {
3364 02 1: INTEGER 1
3367 30 24: SEQUENCE {
3369 30 18: SEQUENCE {
3371 31 16: SET {
3373 30 14: SEQUENCE {
3375 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
3380 13 7: PrintableString 'CarlDSS'
: }
: }
: }
3389 02 2: INTEGER 200
: }
3393 30 9: SEQUENCE {
3395 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
3402 05 0: NULL
: }
3404 A0 176: [0] {
Schaad 18
CertDist October 1999
3407 30 26: SEQUENCE {
3409 06 9: OBJECT IDENTIFIER
: contentType (1 2 840 113549 1 9 3)
3420 31 13: SET {
3422 06 11: OBJECT IDENTIFIER
: id-ct-publishCert (1 2 840 113549 1 9 16 1 3)
: }
: }
3435 30 35: SEQUENCE {
3437 06 9: OBJECT IDENTIFIER
: messageDigest (1 2 840 113549 1 9 4)
3448 31 22: SET {
3450 04 20: OCTET STRING
: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90
: AF D8 07 09
: }
: }
3472 30 109: SEQUENCE {
3474 06 11: OBJECT IDENTIFIER
: id-aa-smimeEncryptCerts (1 2 840 113549 1 9 16 2
13)
3487 31 94: SET {
3489 30 92: SEQUENCE {
3491 30 36: SEQUENCE {
3493 04 20: OCTET STRING
: 3B F6 B5 69 50 7E 3E AD 03 97 F8 F8 29 DD A0 B9
: 8A CF DA 9B
3515 30 12: SEQUENCE {
3517 30 10: SEQUENCE {
3519 06 8: OBJECT IDENTIFIER
: des-EDE3-CBC (1 2 840 113549 3 7)
: }
: }
: }
3529 30 52: SEQUENCE {
3531 04 20: OCTET STRING
: E4 B8 2D 17 E4 23 D5 22 F0 58 BD 73 BD 3D 59 76
: AF C6 18 C8
3553 30 28: SEQUENCE {
3555 30 10: SEQUENCE {
3557 06 8: OBJECT IDENTIFIER
: des-EDE3-CBC (1 2 840 113549 3 7)
: }
3567 30 14: SEQUENCE {
3569 06 8: OBJECT IDENTIFIER
: rc2CBC (1 2 840 113549 3 2)
3579 02 2: INTEGER 160
: }
: }
: }
: }
: }
: }
: }
3583 30 9: SEQUENCE {
Schaad 19
CertDist October 1999
3585 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
3594 04 47: OCTET STRING
: 30 2D 02 15 00 B7 D1 AD F0 EF F6 49 30 F9 9F 9C
: 55 74 E0 60 56 65 B4 14 15 02 14 37 B4 90 1F 00
: 8A F6 F7 41 8B CF AF 90 E6 F3 8E 4D A0 7A 30
: }
: }
: }
: }
: }
References References
CMS "Cryptographic Message Syntax", Internet Draft ietf-draft- CMS Housley, R., "Cryptographic Message Syntax" RFC 2630,
smime-cms
MUSTSHOULD "Key words for use in RFCs to Indicate Requirement Levels", June 1999.
RFC 2119
LDAPV3 "Lightweight Directory Access Protocol (v3): Attribute Syntax MUSTSHOULD Bradner, S., "Key words for use in RFCs to Indicate
Definitions", RFC 2252 Requirement Levels", RFC 2119 , March 1997.
SMIME "S/MIME Version 3 Message Specification", Internet Draft ietf- LDAPV3 "Lightweight Directory Access Protocol (v3): Attribute
draft-smime-msg Syntax Definitions", RFC 2252, December 1997.
SMIMECERT "S/MIME Version 3 Certificate Handling", Internet Draft SMIME Ramsdell, B., "S/MIME Version 3 Message Specification",
ietf-draft-smime-cert RFC 2633, June 1999.
SMIMECERT Ramsdell, B., "S/MIME Version 3 Certificate Handling",
RFC 2632, June 1999.
Security Considerations Security Considerations
Something goes here about making sure that you have the correct This entire document discusses security. Some items of special note
certificate and that no substitutions are done when getting are:
certificates and information from the directory service.
Implementations must protect the signer's private key. Compromise
of the signer's private key permits masquerading and therefore
substitution of encryption certificates.
Implementations must do appropriate checking that the entity named
in a certificate is the same entity that the encrypted message is
destined for to protect contents of encrypted messages.
Author Address Author Address
Jim Schaad Jim Schaad
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, WA 98052-6399 Redmond, WA 98052-6399
Jimsch@Microsoft.com Jimsch@Microsoft.com
Schaad 20
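Review bot: The new Security Considerations text requires "appropriate checking that the entity named in a certificate is the same entity that the encrypted message is destined for" but never says what that check is, and it drops the -03 placeholder's concern about substitution when certificates and information are fetched from the directory service. Suggest stating which certificate field is compared against the recipient (the example certificates carry an rfc822Name in subjectAltName, which would be the natural candidate) and keeping a sentence on validating material retrieved from the directory, since only the signer's key compromise case is now covered. The new Appendix D example shows why this needs spelling out: its introduction says messages encrypted for Alice "should use one of two encryption certificates issued to Bob", the SignerInfo identifies issuer CarlDSS serial 200 (the AliceDSS certificate), and the bundled end-entity encryption certificates are BobRSA and bobDH. Either the introduction should explain why Alice is publishing Bob's certificates, or the example should be regenerated with encryption certificates issued to Alice. A minor style point in References: the LDAPV3 entry is the only one in -04 without an author.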
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/