Side-by-side diff: draft-ietf-smime-cms-03.txt vs. draft-ietf-smime-cms-04.txt
Text common to both drafts is shown once.  Where the drafts differ, the two
wordings follow one another, marked [-03] and [-04].

S/MIME Working Group                                          R. Housley
Internet Draft                                                    SPYRUS
expires in six months               January 1998 [-03] / March 1998 [-04]

                       Cryptographic Message Syntax
     <draft-ietf-smime-cms-03.txt> [-03] / <draft-ietf-smime-cms-04.txt> [-04]

Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups.  Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

[-03]
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).

[-04]
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Abstract

This document describes the Cryptographic Message Syntax.  This
syntax is used to digitally sign, digest, authenticate, or encrypt
arbitrary messages.

The Cryptographic Message Syntax is derived from PKCS #7 version 1.5.
Wherever possible, backward compatibility is preserved; however,
changes were necessary to accommodate attribute certificate transfer

[skipping to change at page 3, line 4]

The Cryptographic Message Syntax exports one content type,
ContentInfo, as well as the various object identifiers.

As a general design philosophy, content types permit single pass
processing using indefinite-length Basic Encoding Rules (BER)
encoding.  Single-pass operation is especially helpful if content is
large, stored on tapes, or is "piped" from another process.
Single-pass operation has one significant drawback: it is difficult
to perform encode operations using the Distinguished Encoding Rules
(DER) encoding in a single pass since the lengths of the various
components may not be known in advance.
[-03] Since the signed-data content type requires DER encoding, an
extra pass may be necessary when a content type other than data is
encapsulated.
[-04] Authenticated attributes within the signed-data content type
require DER encoding.
3 General Syntax

The Cryptographic Message Syntax associates a protection content type
with a protection content.  The syntax shall have ASN.1 type
ContentInfo:

   ContentInfo ::= SEQUENCE {
     contentType ContentType,
     content [0] EXPLICIT ANY DEFINED BY contentType }

[skipping to change at page 5, line 36]

     eContentType ContentType,
     eContent [0] EXPLICIT OCTET STRING OPTIONAL }

   ContentType ::= OBJECT IDENTIFIER

   SignerInfos ::= SET OF SignerInfo

The fields of type SignedData have the following meanings:

   version is the syntax version number.
   [-03] If no attribute certificates are present in the certificates
   field, then the value of version shall be 1; however, if attribute
   certificates are present, then the value of version shall be 3.
   [-04] If no attribute certificates are present in the certificates
   field and the encapsulated content type is id-data, then the value
   of version shall be 1; however, if attribute certificates are
   present or the encapsulated content type is other than id-data,
   then the value of version shall be 3.

   digestAlgorithms is a collection of message digest algorithm
   identifiers.  There may be any number of elements in the
   collection, including zero.  Each element identifies the message
   digest algorithm, along with any associated parameters, used by
   one or more signers.  The collection is intended to list the
   message digest algorithms employed by all of the signers, in any
   order, to facilitate one-pass signature verification.  The message
   digesting process is described in Section 5.3.

[skipping to change at page 6, line 27 (-03) / line 29 (-04)]

   present, then the value of version shall be 3.

   crls is a collection of certificate revocation lists (CRLs).  It
   is intended that the set contain information sufficient to
   determine whether or not the certificates in the certificates
   field are valid, but such correspondence is not necessary.  There
   may be more CRLs than necessary, and there may also be fewer CRLs
   than necessary.

   signerInfos is a collection of per-signer information.  There may
   be any number of elements in the collection, including zero.
   [-04 only] [*** Add forward reference ***]

[-03]
The optional omission of the encapContentInfo field makes it possible
to construct "external signatures."  In the case of external
signatures, the content being signed would be absent from the
EncapsulatedContentInfo value included in the signed-data content
type.  If the EncapsulatedContentInfo value is absent, the
signatureValue is calculated as though the EncapsulatedContentInfo
value was present.  The presumed EncapsulatedContentInfo must have
the content type set to id-data (as defined in section 4) and the
content omitted.

[-04]
The optional omission of the eContent within the
EncapsulatedContentInfo field makes it possible to construct
"external signatures."  In the case of external signatures, the
content being signed is absent from the EncapsulatedContentInfo value
included in the signed-data content type.  If the eContent value
within EncapsulatedContentInfo is absent, then the signatureValue is
calculated and the eContentType is assigned as though the eContent
value was present.

In the degenerate case where there are no signers, the
EncapsulatedContentInfo value being "signed" is irrelevant.  In this
case, the content type within the EncapsulatedContentInfo value being
"signed" should be data [-03] / id-data [-04] (as defined in section
4), and the content field of the EncapsulatedContentInfo value should
be omitted.

[-04 only] [*** Add a separate "break out" of EncapsulatedContentInfo. ***]
5.2 SignerInfo Type

Per-signer information is represented in the type SignerInfo:

[-03]
   SignerInfo ::= SEQUENCE {
     version Version,
     issuerAndSerialNumber IssuerAndSerialNumber,
     digestAlgorithm DigestAlgorithmIdentifier,
     authenticatedAttributes [0] IMPLICIT CMSAttributes OPTIONAL,
     signatureAlgorithm SignatureAlgorithmIdentifier,
     signature SignatureValue,
     unauthenticatedAttributes [1] IMPLICIT CMSAttributes OPTIONAL }

   CMSAttributes ::= SET OF CMSAttribute

   CMSAttribute ::= SEQUENCE {
     cmsAttrType OBJECT IDENTIFIER,
     critical BOOLEAN DEFAULT FALSE,
     cmsAttrValues SET OF CMSAttributeValue }

   CMSAttributeValue ::= ANY

[-04]
   SignerInfo ::= SEQUENCE {
     version Version,
     issuerAndSerialNumber IssuerAndSerialNumber,
     digestAlgorithm DigestAlgorithmIdentifier,
     authenticatedAttributes [0] IMPLICIT AuthAttributes OPTIONAL,
     signatureAlgorithm SignatureAlgorithmIdentifier,
     signature SignatureValue,
     unauthenticatedAttributes [1] IMPLICIT UnauthAttributes OPTIONAL }

   AuthAttributes ::= SET SIZE (1..MAX) OF AuthAttribute

   AuthAttribute ::= SEQUENCE {
     attrType OBJECT IDENTIFIER,
     critical BOOLEAN DEFAULT FALSE,
     attrValues SET OF AttributeValue }

   UnauthAttributes ::= SET SIZE (1..MAX) OF UnauthAttribute

   UnauthAttribute ::= SEQUENCE {
     attrType OBJECT IDENTIFIER,
     attrValues SET OF AttributeValue }

   AttributeValue ::= ANY

   SignatureValue ::= OCTET STRING

The fields of type SignerInfo have the following meanings:

   version is the syntax version number.  If any of the authenticated
   attributes are critical, then the version shall be 3.  If all of
   the authenticated attributes are non-critical, then the version
   shall be 1.  If the authenticatedAttributes field is absent, then
   version shall be 1.

   issuerAndSerialNumber specifies the signer's certificate (and
   thereby the signer's public key) by issuer distinguished name and
   issuer-specific serial number.

   digestAlgorithm identifies the message digest algorithm, and any
   associated parameters, used by the signer.  The message digest is
   computed over the encapsulated content and authenticated
   attributes, if present.  The message digest algorithm should be
   among those listed in the digestAlgorithms field of the associated
   SignerInfo value [-03] / SignedData [-04].  The message digesting
   process is described in Section 5.3.

   authenticatedAttributes is a collection of attributes that are
   signed.  The field is optional, but it must be present if the
   content type of the EncapsulatedContentInfo value being signed is
   not data.  The field may include critical and non-critical
   attributes.  Useful attribute types, such as signing time, are
   defined in Section 11.  If the field is present, it must contain,
   at a minimum, the following two attributes:

      A content-type attribute having as its value the content type

[skipping to change at page 8, line 28 (-03) / line 34 (-04)]

   signature.

   signature is the result of digital signature generation, using the
   message digest and the signer's private key.

   unauthenticatedAttributes is a collection of attributes that are
   not signed.  The field is optional, and it may not include
   critical attributes.  Useful attribute types, such as
   countersignatures, are defined in Section 11.

The fields of type CMSAttribute [-03] / AuthAttribute and
UnauthAttribute [-04] have the following meanings:

   cmsAttrType [-03] / attrType [-04] indicates the type of attribute.
   It is an object identifier.

   critical is a boolean value.  TRUE indicates that the attribute is
   critical, and FALSE indicates that the attribute is non-critical.
   A recipient must reject the signed-data if it encounters a
   critical attribute that it does not recognize; however, an
   unrecognized non-critical attribute may be ignored.
   [-04 only] Authenticated attributes may be critical or
   non-critical.  Unauthenticated attributes are always non-critical.
   Caution should be exercised in adopting any critical attributes,
   which might reduce interoperability.

   cmsAttrValues [-03] / attrValues [-04] is a set of values that
   comprise the attribute.  The type of each value in the set can be
   determined uniquely by attributeType [-03] / attrType [-04].
5.3 Message Digest Calculation Process

The message digest calculation process computes a message digest on
either the content being signed or the content together with the
signer's authenticated attributes.  In either case, the initial input
to the message digest calculation process is the "value" of the
encapsulated content being signed.
[-03] Specifically, the initial input is the content OCTET STRING of
the content field of the EncapsulatedContentInfo value to which the
signing process is applied.  Only the contents of the OCTET STRING
are input to the message digest algorithm, not the identifier octets
or the length octets.
[-04] Specifically, the initial input is the encapContentInfo
eContent OCTET STRING to which the signing process is applied.  Only
the octets comprising the value of the eContent OCTET STRING are
input to the message digest algorithm, not the tag or the length
octets.

The result of the message digest calculation process depends on
whether the authenticatedAttributes field is present.  When the field
is absent, the result is just the message digest of the content as
described above.  When the field is present, however, the result is
the message digest of the complete DER encoding of the Attributes
[-03] / AuthAttributes [-04] value contained in the
authenticatedAttributes field.  Since that value, when present, must
contain as attributes the content type and the content message
digest, those values are indirectly included in the result.  A
separate encoding of the authenticatedAttributes field is performed
for message digest calculation.  The IMPLICIT [0] tag in the
authenticatedAttributes field is not used for the DER encoding;
rather, an EXPLICIT SET OF tag is used.  That is, the DER encoding of
the SET OF tag, rather than of the IMPLICIT [0] tag, is to be
included in the message digest calculation along with the length and
content octets of the CMSAttributes [-03] / AuthAttributes [-04]
value.

[-03]
When the content being signed has a content type of data (as defined
in section 4) and the authenticatedAttributes field is absent, then
just the value of the data (e.g., the contents of a file) is input to
the message digest calculation.  This has the advantage that the
length of the content being signed need not be known in advance of
the signature generation process.

Although the identifier octets and the length octets are not included
in the message digest calculation, they are still protected by other
means.  The length octets are protected by the nature of the message
digest algorithm since it is computationally infeasible to find any
two distinct messages of any length that have the same message
digest.

The fact that the message digest is computed on part of a DER
encoding does not mean that DER is the required method of
representing that part for data transfer.  Indeed, it is expected
that some implementations will store objects in forms other than
their DER encodings, but such practices do not affect message digest
computation.

[-04]
When the authenticatedAttributes field is absent, then only the
octets comprising the value of the signedData encapContentInfo
eContent OCTET STRING (e.g., the contents of a file) are input to the
message digest calculation.  This has the advantage that the length
of the content being signed need not be known in advance of the
signature generation process.

Although the encapContentInfo eContent OCTET STRING tag and length
octets are not included in the message digest calculation, they are
still protected by other means.  The length octets are protected by
the nature of the message digest algorithm since it is
computationally infeasible to find any two distinct messages of any
length that have the same message digest.
5.4 Message Signature Generation Process

The input to the signature generation process includes the result of
the message digest calculation process and the signer's private key.
The details of the signature generation depend on the signature
algorithm employed.  The object identifier, along with any
parameters, that specifies the signature algorithm employed by the
signer is carried in the signatureAlgorithm field.  The signature
value generated by the signer is encoded as an OCTET STRING and

[skipping to change at page 10, line 18 (-03) / line 25 (-04)]

5.5 Message Signature Validation Process

The input to the signature validation process includes the result of
the message digest calculation process and the signer's public key.
The details of the signature validation depend on the signature
algorithm employed.

The recipient may not rely on any message digest values computed by
the originator.  If the signedData signerInfo includes
authenticatedAttributes, then the content message digest must be
calculated as described in section 5.3.  For the signature to be
valid, the message digest value calculated by the recipient must be
the same as the value of the messageDigest attribute included in the
authenticatedAttributes of the signedData signerInfo.
6 Enveloped-data Content Type

The enveloped-data content type consists of an encrypted content of
any type and encrypted content-encryption keys for one or more
recipients.  The combination of the encrypted content and one

[skipping to change at page 15, line 24 (-03) / line 35 (-04)]

   date is optional.  When present, the date specifies a single
   key-encryption key from a set that was previously distributed to
   the sender and the recipient.

   other is optional.  When present, this field contains additional
   information used by the recipient to locate the keying material
   used by the sender.

6.3 Content-encryption Process

[-03]
The input to the content-encryption process is the "value" of the
content being enveloped.  Only the content octets are included; the
identifier and length octets are not.

When the content being enveloped has content type of data (as defined
in section 4), then just the value of the data (e.g., the contents of
a file) is encrypted.  This has the advantage that the length of the
content being encrypted need not be known in advance of the
encryption process.

The identifier octets and the length octets are not encrypted.  The
length octets may be protected implicitly by the encryption process,
depending on the encryption algorithm.  The identifier octets are not
protected at all, although they can be recovered from the content
type, assuming that the content type uniquely determines the
identifier octets.  Explicit protection of the identifier and length
octets requires that the signed-data content type be employed prior
to digital enveloping.

[-04]
The content-encryption key for the desired content-encryption
algorithm is randomly generated.  The data to be protected is padded
as described below, then the padded data is encrypted using the
content-encryption key.  The encryption operation maps an arbitrary
string of octets (the data) to another string of octets (the
ciphertext) under control of a content-encryption key.  The encrypted
data is included in the envelopedData encryptedContentInfo
encryptedContent OCTET STRING.

The input to the content-encryption process is the "value" of the
content being enveloped.  Only the value octets of the envelopedData
encryptedContentInfo encryptedContent OCTET STRING are encrypted; the
OCTET STRING tag and length octets are not encrypted.

Some content-encryption algorithms assume the input length is a
multiple of k octets, where k is greater than one.  For such
algorithms, the input shall be padded at the trailing end with
k-(l mod k) octets all having value k-(l mod k), where l is the
length of the input.  In other words, the input is padded at the
trailing end with one of the following strings:

        01 -- if l mod k = k-1
     02 02 -- if l mod k = k-2

[skipping to change at page 18, line 27]
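The padding rule of section 6.3 as pad and unpad functions, added here as an example; it is not code from either draft. The block size k is a parameter (8 matches the DES block the -03 text names as a content-encryption algorithm), the sample inputs are constructed, and unpad applies the checks a decrypting recipient needs before trusting the recovered length.

```python
def pad(data: bytes, k: int) -> bytes:
    """Section 6.3 rule: append k-(l mod k) octets, each of value k-(l mod k).

    The pad is always at least 1 and at most k octets, so an input whose
    length is already a multiple of k gets a whole extra block of value k.
    This keeps the rule unambiguous for unpad: the last octet always says
    how many octets to strip.
    """
    if not 1 < k < 256:
        raise ValueError("k must be in 2..255: a pad octet holds one value")
    n = k - (len(data) % k)
    return data + bytes([n]) * n


def padding_string(l: int, k: int) -> bytes:
    """The string the draft's table lists for a given input length l."""
    n = k - (l % k)
    return bytes([n]) * n


def unpad(padded: bytes, k: int) -> bytes:
    """Strip padding, rejecting anything that does not match the rule.

    A recipient that has just decrypted the content must check the pad
    before using the recovered length: a value of 0, a value above k,
    or trailing octets that do not all carry that value means the
    plaintext is not something a conforming sender produced.
    """
    if len(padded) == 0 or len(padded) % k != 0:
        raise ValueError("padded length is not a positive multiple of k")
    n = padded[-1]
    if not 1 <= n <= k:
        raise ValueError("pad value out of range")
    if padded[-n:] != bytes([n]) * n:
        raise ValueError("pad octets are not all equal to the pad value")
    return padded[:-n]


if __name__ == "__main__":
    # Constructed sample inputs covering l mod k = k-1, k-2 and 0.
    for sample in (b"1234567", b"123456", b"12345678", b""):
        padded = pad(sample, 8)
        print(f"{sample!r:14} -> {padded.hex()}  -> {unpad(padded, 8)!r}")
```

The distinct error messages are useful while debugging; a deployed decryptor should not report to a remote party which of the checks failed. Padding validation is not an integrity check either: the -03 text's remedy for protecting the unencrypted octets, applying signed-data before enveloping, is what gives the recipient integrity.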
9 Authenticated-data Content Type

The authenticated-data content type consists of content of any type,
a message authentication code (MAC), and encrypted authentication
keys for one or more recipients.  The combination of the MAC and one
encrypted authentication key for a recipient is necessary for that
recipient to validate the integrity of the content.  Any type of
content can be integrity protected for an arbitrary number of
recipients.

[-03 only] [*** Add processing steps ***]

[-04 only] 9.1 AuthenticatedData Type

The following object identifier identifies the authenticated-data
content type:

   id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
       ct(1) 2 }

The authenticated-data content type shall have ASN.1 type
AuthenticatedData:

[skipping to change at page 19, line 23 (-03) / line 27 (-04)]

   identifier.  It identifies the message authentication code
   algorithm, along with any associated parameters, used by the
   originator.  Placement of the macAlgorithm field facilitates
   one-pass processing by the recipient.

   encapContentInfo is the content that is authenticated, as defined
   in section 5.1.

   mac is the message authentication code.
[-03]
10 Useful Types

This section defines types that are used in other places in the
document.  The types are not listed in any particular order.

10.1 CertificateRevocationLists

The CertificateRevocationLists type gives a set of certificate
revocation lists (CRLs).  It is intended that the set contain
information sufficient to determine whether the certificates with
which the set is associated are revoked or not.  However, there may
be more CRLs than necessary or there may be fewer CRLs than
necessary.

The definition of CertificateList is imported from X.509.

   CertificateRevocationLists ::= SET OF CertificateList

[-04]
9.2 MAC Generation

The MAC calculation process computes a message authentication code on
either the message content or the content together with the
originator's authenticated attributes.

If there are no authenticated attributes, the MAC input data is the
content octets of the DER encoding of the content field of the
ContentInfo value to which the MAC process is applied.  Only the
contents octets of the DER encoding of that field are input to the
MAC algorithm, not the identifier octets or the length octets.

If authenticated attributes are present, they must include the
contentType and messageDigest attributes (as described in Section
5.2), and a digestAlgorithm attribute [*** needs an OID ***].  The
digestAlgorithm indicates the algorithm used to compute the
messageDigest value from the content.  The MAC input data is the
complete DER encoding of the Attributes value contained in the
authenticatedAttributes field.  Since the Attributes value, when the
field is present, must contain as attributes the content type and the
message digest of the content, those values are indirectly included
in the result.  A separate encoding of the authenticatedAttributes
field is performed for MAC calculation.  The IMPLICIT [0] tag in the
authenticatedAttributes field is not used for the DER encoding;
rather, an EXPLICIT SET OF tag is used.  That is, the DER encoding of
the SET OF tag, rather than of the IMPLICIT [0] tag, is to be
included in the message digest calculation along with the length and
contents octets of the AuthAttributes value.

If the content has content type data and the authenticatedAttributes
field is absent, then just the value of the data (e.g., the contents
of a file) is input to the MAC calculation.  This has the advantage
that the length of the content need not be known in advance of the
MAC calculation process.  Although the identifier octets and the
length octets are not included in the MAC calculation, they are still
protected by other means.  The length octets are protected by the
nature of the MAC algorithm since it is computationally infeasible to
find any two distinct messages of any length that have the same MAC.

The fact that the MAC is computed on part of a DER encoding does not
mean that DER is the required method of representing that part for
data transfer.  Indeed, it is expected that some implementations will
store objects in forms other than their DER encodings, but such
practices do not affect MAC computation.

The input to the MAC calculation process includes the MAC input data,
defined above, and an authentication key conveyed in a recipientInfo
structure.  The details of MAC calculation depend on the MAC
algorithm employed (e.g., HMAC-SHA1).  The object identifier, along
with any parameters, that specifies the MAC algorithm employed by the
originator is carried in the macAlgorithm field.  The MAC value
generated by the originator is encoded as an OCTET STRING and carried
in the mac field.
The ContentEncryptionAlgorithmIdentifier type identifies a content- 9.2 MAC Validation
encryption algorithm such as DES. A content-encryption algorithm
supports encryption and decryption operations. The encryption
operation maps an octet string (the message) to another octet string
(the ciphertext) under control of a content-encryption key. The
decryption operation is the inverse of the encryption operation.
Context determines which operation is intended.
The definition of AlgorithmIdentifier is imported from X.509. The input to the MAC validation process includes the input data
(determined based on the presence or absence of authenticated
attributes, as defined in 9.3), and the authentication key (conveyed
in a recipientInfo structure). The details of the MAC validation
process depend on the MAC algorithm employed.
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier The recipient may not rely on any message digest values computed by
the originator. If the originator includes authenticated Attributes,
then the ASN.1 DER encoded content of the authenticatedData object
must be digested as described in section 5.3. For the MAC to be
valid, the message digest value calculated by the recipient must be
the same as the value of the messageDigest attribute included in the
authenticatedAttributes.
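As an added example (not text or code from either draft), the following Python sketch implements the MAC input rules of 9.1 and 9.2 with HMAC-SHA1: the originator MACs the AuthAttributes value under its EXPLICIT SET OF tag (0x31) while transmitting the field under the IMPLICIT [0] tag (0xA0), and the recipient re-tags, recomputes the content digest instead of trusting the messageDigest attribute, and only then checks the MAC. The minimal DER helpers, the sample key and content, and the use of the PKCS #7 id-data OID (1.2.840.113549.1.7.1) as the content type are assumptions of the example.

```python
import hashlib
import hmac

# PKCS #9 attribute OIDs quoted in the draft; id-data is the PKCS #7 plain
# data content type (assumed for this example, not quoted on the page).
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
ID_DATA = "1.2.840.113549.1.7.1"

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def attribute(attr_type, value_der):
    """SEQUENCE { attrType OID, attrValues SET OF ANY }; AuthAttribute's
    'critical BOOLEAN DEFAULT FALSE' is omitted by DER at its default."""
    return der_tlv(0x30, der_oid(attr_type) + der_tlv(0x31, value_der))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_attributes(attrs_der):
    """Map each attrType (as OID TLV) to its first attrValue (as TLV)."""
    out = {}
    _, body, _ = read_tlv(attrs_der, 0)
    pos = 0
    while pos < len(body):
        _, seq, pos = read_tlv(body, pos)
        t, oid, p = read_tlv(seq, 0)
        _, vals, _ = read_tlv(seq, p)
        vt, val, _ = read_tlv(vals, 0)
        out[der_tlv(t, oid)] = der_tlv(vt, val)
    return out

def generate(key, content, content_type=ID_DATA, with_attrs=True):
    """Originator: return (authenticatedAttributes field as transmitted, or
    None, and the mac). The MAC covers the SET OF encoding (tag 0x31); the
    field itself is sent with the IMPLICIT [0] tag (0xA0)."""
    if not with_attrs:
        # Content octets only: identifier and length octets are excluded.
        return None, hmac.new(key, content, hashlib.sha1).digest()
    digest = hashlib.sha1(content).digest()
    elems = [attribute(ID_CONTENT_TYPE, der_oid(content_type)),
             attribute(ID_MESSAGE_DIGEST, der_tlv(0x04, digest))]
    attrs = der_tlv(0x31, b"".join(sorted(elems)))   # DER SET OF is sorted
    return b"\xa0" + attrs[1:], hmac.new(key, attrs, hashlib.sha1).digest()

def validate(key, content, attrs_field, mac, content_type=ID_DATA):
    """Recipient: recompute the digest; never trust the originator's value."""
    if attrs_field is None:
        expected = hmac.new(key, content, hashlib.sha1).digest()
        return hmac.compare_digest(expected, mac)
    if attrs_field[0] != 0xA0:
        return False
    attrs = b"\x31" + attrs_field[1:]          # re-tag [0] IMPLICIT as SET OF
    found = parse_attributes(attrs)
    if found.get(der_oid(ID_CONTENT_TYPE)) != der_oid(content_type):
        return False
    expected_digest = der_tlv(0x04, hashlib.sha1(content).digest())
    if found.get(der_oid(ID_MESSAGE_DIGEST)) != expected_digest:
        return False
    return hmac.compare_digest(hmac.new(key, attrs, hashlib.sha1).digest(), mac)
```

generate(key, content) returns the [0]-tagged field and the MAC; validate(key, content, field, mac) returns True only when the recomputed digest matches the messageDigest attribute and the MAC over the re-tagged SET OF verifies.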
10 Useful Types

[Sections 10, 10.1 and 10.2 and their introductory text are new in
draft-04, which groups the types that draft-03 listed as a flat run of
sections (10.2 ContentEncryptionAlgorithmIdentifier through 10.13
MessageAuthenticationCodeAlgorithm).]

This section is divided into two parts. The first part defines
algorithm identifiers, and the second part defines other useful
types.

10.1 Algorithm Identifier Types

All of the algorithm identifiers have the same type:
AlgorithmIdentifier. The definition of AlgorithmIdentifier is
imported from X.509.

There are many alternatives for each type of algorithm listed. For
each of these five types, Section 12 lists the algorithms that must
be included in a CMS implementation.

10.1.1 DigestAlgorithmIdentifier   (draft-03: 10.3)
The DigestAlgorithmIdentifier type identifies a message-digest
algorithm. Examples include SHA-1, MD2, and MD5. A message-digest
algorithm maps an octet string (the message) to another octet string
(the message digest).

[draft-03 only] The definition of AlgorithmIdentifier is imported from
X.509.

DigestAlgorithmIdentifier ::= AlgorithmIdentifier
10.1.2 SignatureAlgorithmIdentifier   (draft-03: 10.4)

The SignatureAlgorithmIdentifier type identifies a signature
algorithm. Examples include DSS and RSA. A signature algorithm
supports signature generation and verification operations. The
signature generation operation uses the message digest and the
signer's private key to generate a signature value. The signature
verification operation uses the message digest and the signer's
public key to determine whether or not a signature value is valid.
Context determines which operation is intended.

[draft-03 only] The definition of AlgorithmIdentifier is imported from
X.509.

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier

10.1.3 KeyEncryptionAlgorithmIdentifier   (draft-03: 10.8, later in the document)

The KeyEncryptionAlgorithmIdentifier type identifies a key-encryption
algorithm used to encrypt a content-encryption key. The encryption
operation maps an octet string (the key) to another octet string (the
encrypted key) under control of a key-encryption key. The decryption
operation is the inverse of the encryption operation. Context
determines which operation is intended.

The details of encryption and decryption depend on the key management
algorithm used. Key transport, key agreement, and previously
distributed symmetric key-encrypting keys are supported.

[draft-03 only] The definition of AlgorithmIdentifier is imported from
X.509.

KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

10.1.4 ContentEncryptionAlgorithmIdentifier   (draft-03: 10.2, earlier in the document)

The ContentEncryptionAlgorithmIdentifier type identifies a content-
encryption algorithm. Examples include DES, Triple-DES, and RC2. A
content-encryption algorithm supports encryption and decryption
operations. The encryption operation maps an octet string (the
message) to another octet string (the ciphertext) under control of a
content-encryption key. The decryption operation is the inverse of
the encryption operation. Context determines which operation is
intended.

[draft-03 read "a content-encryption algorithm such as DES" in place of
the examples sentence, and added: The definition of AlgorithmIdentifier
is imported from X.509.]

ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

10.1.5 MessageAuthenticationCodeAlgorithm   (draft-03: 10.13, later in the document)

The MessageAuthenticationCodeAlgorithm type identifies a message
authentication code (MAC) algorithm. Examples include DES MAC and
HMAC. A MAC algorithm supports generation and verification
operations. The MAC generation and verification operations use the
same symmetric key. Context determines which operation is intended.

[draft-03 only] The definition of AlgorithmIdentifier is imported from
X.509.

MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier

10.2 Other Useful Types

This section defines types that are used in other places in the
document. The types are not listed in any particular order.

10.2.1 CertificateRevocationLists   (draft-03: earlier in the document)

The CertificateRevocationLists type gives a set of certificate
revocation lists (CRLs). It is intended that the set contain
information sufficient to determine whether the certificates with
which the set is associated are revoked or not. However, there may
be more CRLs than necessary or there may be fewer CRLs than
necessary.

The definition of CertificateList is imported from X.509.

CertificateRevocationLists ::= SET OF CertificateList

10.2.2 CertificateChoices   (draft-03: 10.5)
The CertificateChoices type gives either a PKCS #6 extended
certificate, an X.509 certificate, or an X.509 attribute certificate.
The PKCS #6 extended certificate is obsolete. It is included for
backward compatibility, and its use should be avoided.

The definitions of Certificate and AttributeCertificate are imported
from X.509.

CertificateChoices ::= CHOICE {
  certificate Certificate, -- See X.509
  extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
  attrCert [1] IMPLICIT AttributeCertificate } -- See X.509 and X9.57

10.2.3 CertificateSet   (draft-03: 10.6)

The CertificateSet type provides a set of certificates. It is
intended that the set be sufficient to contain chains from a
recognized "root" or "top-level certification authority" to all of
the sender certificates with which the set is associated. However,
there may be more certificates than necessary, or there may be fewer
than necessary.

The precise meaning of a "chain" is outside the scope of this
document. Some applications may impose upper limits on the length of
a chain; others may enforce certain relationships between the
subjects and issuers of certificates within a chain.

CertificateSet ::= SET OF CertificateChoices

10.2.4 IssuerAndSerialNumber   (draft-03: 10.7)

The IssuerAndSerialNumber type identifies a certificate, and thereby
an entity and a public key, by the distinguished name of the
certificate issuer and an issuer-specific certificate serial number.

The definition of Name is imported from X.501, and the definition of
SerialNumber is imported from X.509.

IssuerAndSerialNumber ::= SEQUENCE {
  issuer Name,
  serialNumber SerialNumber }

SerialNumber ::= INTEGER
10.2.5 Version   (draft-03: 10.9)

[draft-03 placed 10.8 KeyEncryptionAlgorithmIdentifier here; its text
is that of 10.1.3 above, followed by the sentence "The definition of
AlgorithmIdentifier is imported from X.509."]

The Version type gives a syntax version number, for compatibility
with future revisions of this document.

draft-03:  Version ::= INTEGER
draft-04:  Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3) }
10.2.6 UserKeyingMaterial   (draft-03: 10.10)

The UserKeyingMaterial type gives a syntax for user keying material
(UKM). Some key management algorithms require UKMs. The sender
provides a UKM for the specific key management algorithm. The UKM is
employed by all of the recipients that use the same key encryption
algorithm.

UserKeyingMaterial ::= SEQUENCE {
  keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
  ukm OCTET STRING }

10.2.7 UserKeyingMaterials   (draft-03: 10.11)

The UserKeyingMaterials type provides a set of user keying materials
(UKMs). This allows the sender to provide a UKM for each key
management algorithm that requires one.

draft-03:  UserKeyingMaterials ::= SET OF UserKeyingMaterial
draft-04:  UserKeyingMaterials ::= SET SIZE (1..MAX) OF UserKeyingMaterial

10.2.8 OtherKeyAttribute   (draft-03: 10.12)

The OtherKeyAttribute type gives a syntax for the inclusion of other
key attributes that permit the recipient to select the key used by
the sender. The attribute object identifier must be registered along
with the syntax of the attribute itself. Use of this structure
should be avoided since it may impede interoperability.

OtherKeyAttribute ::= SEQUENCE {
  keyAttrId OBJECT IDENTIFIER,
  keyAttr ANY DEFINED BY keyAttrId OPTIONAL }

[draft-03 continued with 10.13 MessageAuthenticationCodeAlgorithm; its
text is that of 10.1.5 above, followed by the sentence "The definition
of AlgorithmIdentifier is imported from X.509."]
11 Useful Attributes

This section defines attributes that may be used with signed-data. All
of these attributes were originally defined in PKCS #9, and they are
included here for easy reference. The attributes are not listed in
any particular order.

11.1 Content Type

The content-type attribute type specifies the content type of the
ContentInfo value being signed in signed-data. The content-type
attribute type is required if there are any authenticated attributes
present.

[draft-03 only] The content-type attribute must be an authenticated
attribute; it cannot be an unauthenticated attribute. The content-type
attribute is never critical.

The following object identifier identifies the content-type
attribute:

id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
  us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

Content-type attribute values have ASN.1 type ContentType:

ContentType ::= OBJECT IDENTIFIER

A content-type attribute must have a single attribute value.

11.2 Message Digest

draft-03:
The message-digest attribute type specifies the message digest of the
contents octets of the DER encoding of the content field of the
ContentInfo value being signed in signed-data, where the message
digest is computed using the signer's message digest algorithm. The
message-digest attribute type is required if there are any
authenticated attributes present.

draft-04:
The message-digest attribute type specifies the message digest of the
encapContentInfo eContent OCTET STRING being signed in signed-data
(see section 5.3), where the message digest is computed using the
signer's message digest algorithm. The message-digest attribute type
is required if there are any authenticated attributes present.

[draft-03 only] The message-digest attribute must be an authenticated
attribute; it cannot be an unauthenticated attribute. The
message-digest attribute is never critical.

The following object identifier identifies the message-digest
attribute:

id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
  us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

Message-digest attribute values have ASN.1 type MessageDigest:

MessageDigest ::= OCTET STRING

[skipping to change at page 24, line 4 (draft-03) / page 25, line 39 (draft-04)]

A message-digest attribute must have a single attribute value.
11.3 Signing Time

The signing-time attribute type specifies the time at which the
signer (purportedly) performed the signing process. The signing-time
attribute type is intended for use in signed-data.

[draft-03 only] The signing-time attribute may be an authenticated
attribute or an unauthenticated attribute. The signing-time
authenticated attribute may be critical or non-critical.

The following object identifier identifies the signing-time
attribute:

id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
  us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

Signing-time attribute values have ASN.1 type SigningTime:

SigningTime ::= Time

[skipping to change at page 24, line 45 (draft-03) / page 26, line 38 (draft-04)]

time, and acceptance of a purported signing time is a matter of a
recipient's discretion. It is expected, however, that some signers,
such as time-stamp servers, will be trusted implicitly.

11.4 Countersignature

The countersignature attribute type specifies one or more signatures
on the contents octets of the DER encoding of the signatureValue
field of a SignerInfo value in signed-data. Thus, the
countersignature attribute type countersigns (signs in serial)
another signature.

The countersignature attribute must be an unauthenticated attribute;
it cannot be an authenticated attribute. [In draft-03 this sentence
closed the preceding paragraph; draft-04 makes it a paragraph of its
own.]

The following object identifier identifies the countersignature
attribute:

id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
  us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

Countersignature attribute values have ASN.1 type Countersignature:

Countersignature ::= SignerInfo

[skipping to change at page 25, line 39 (draft-03) / page 27, line 28 (draft-04)]

The fact that a countersignature is computed on a signature value
means that the countersigning process need not know the original
content input to the signing process. This has advantages both in
efficiency and in confidentiality. A countersignature, since it has
type SignerInfo, can itself contain a countersignature attribute.
Thus it is possible to construct arbitrarily long series of
countersignatures.
12 Supported Algorithms

[draft-03 only] To be supplied. However, this section will list the
must implement algorithms and other algorithms that may be
implemented. It will include:

  MUST implement: DSS, SHA-1, Diffie-Hellman (X9.42), and Triple-DES
  CBC (with three keys).

  MAY implement: RSA (signature and key management), MD5, RC2 (40 bit),
  DES CBC, and DES MAC.

[draft-04; the remainder of section 12 is new in draft-04] This section
lists the algorithms that must be implemented. Additional algorithms
that may be implemented are also included.

12.1 Digest Algorithms

CMS implementations must include SHA-1. CMS implementations may
include MD5.

12.1.1 SHA-1

12.1.2 MD5

12.2 Signature Algorithms

CMS implementations must include DSA. CMS implementations may
include RSA.

12.2.1 DSA

12.2.2 RSA

12.3 Key Encryption Algorithms

CMS implementations must include X9.42 Static Diffie-Hellman. CMS
implementations may include RSA.

12.3.1 X9.42 Static Diffie-Hellman

12.3.2 RSA

12.4 Content Encryption Algorithms

CMS implementations must include Triple-DES in CBC mode. CMS
implementations may include DES in CBC mode and RC2 in CBC mode.

12.4.1 Triple-DES CBC

12.4.2 DES CBC

12.4.3 RC2 CBC

12.5 MessageAuthenticationCodeAlgorithm

No MAC algorithms are mandatory. CMS implementations may include DES
MAC and HMAC.

12.5.1 DES MAC

12.5.2 HMAC
Appendix A: ASN.1 Module

CryptographicMessageSyntax
  { iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

[skipping to change at page 27, line 8 (draft-03) / page 31, line 8 (draft-04)]

EncapsulatedContentInfo ::= SEQUENCE {
  eContentType ContentType,
  eContent [0] EXPLICIT OCTET STRING OPTIONAL }

SignerInfos ::= SET OF SignerInfo

SignerInfo ::= SEQUENCE {
  version Version,
  issuerAndSerialNumber IssuerAndSerialNumber,
  digestAlgorithm DigestAlgorithmIdentifier,
  authenticatedAttributes [0] IMPLICIT AuthAttributes OPTIONAL,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unauthenticatedAttributes [1] IMPLICIT UnauthAttributes OPTIONAL }

AuthAttributes ::= SET SIZE (1..MAX) OF AuthAttribute

AuthAttribute ::= SEQUENCE {
  attrType OBJECT IDENTIFIER,
  critical BOOLEAN DEFAULT FALSE,
  attrValues SET OF AttributeValue }

UnauthAttributes ::= SET SIZE (1..MAX) OF UnauthAttribute

UnauthAttribute ::= SEQUENCE {
  attrType OBJECT IDENTIFIER,
  attrValues SET OF AttributeValue }

AttributeValue ::= ANY

[draft-03 used a single attribute type for both SignerInfo fields:

  authenticatedAttributes [0] IMPLICIT CMSAttributes OPTIONAL,
  ...
  unauthenticatedAttributes [1] IMPLICIT CMSAttributes OPTIONAL }

CMSAttributes ::= SET OF CMSAttribute

CMSAttribute ::= SEQUENCE {
  cmsAttrType OBJECT IDENTIFIER,
  critical BOOLEAN DEFAULT FALSE,
  cmsAttrValues SET OF CMSAttributeValue }

CMSAttributeValue ::= ANY ]
SignatureValue ::= OCTET STRING

EnvelopedData ::= SEQUENCE {
  version Version,
  originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
  recipientInfos RecipientInfos,
  encryptedContentInfo EncryptedContentInfo }

OriginatorInfo ::= SEQUENCE {

[skipping to change at page 29, line 23 (draft-03) / page 33, line 37 (draft-04)]

CertificateSet ::= SET OF CertificateChoices

IssuerAndSerialNumber ::= SEQUENCE {
  issuer Name,
  serialNumber SerialNumber }

SerialNumber ::= INTEGER

KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

draft-03:  Version ::= INTEGER
draft-04:  Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3) }

UserKeyingMaterial ::= SEQUENCE {
  algorithm AlgorithmIdentifier,
  ukm OCTET STRING }

draft-03:  UserKeyingMaterials ::= SET OF UserKeyingMaterial
draft-04:  UserKeyingMaterials ::= SET SIZE (1..MAX) OF UserKeyingMaterial

OtherKeyAttribute ::= SEQUENCE {
  keyAttrId OBJECT IDENTIFIER,
  keyAttr ANY DEFINED BY keyAttrId OPTIONAL }

MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier

-- CMS Attributes

MessageDigest ::= OCTET STRING

SigningTime ::= Time

Time ::= CHOICE {
  utcTime UTCTime,
  generalTime GeneralizedTime }

[skipping to change at page 31, line 18 (draft-03) / page 35, line 18 (draft-04)]

  extendedCertificate [0] IMPLICIT ExtendedCertificate }

ExtendedCertificate ::= SEQUENCE {
  extendedCertificateInfo ExtendedCertificateInfo,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature Signature }

ExtendedCertificateInfo ::= SEQUENCE {
  version Version,
  certificate Certificate,
  attributes UnauthAttributes }     -- draft-03: attributes Attributes

Signature ::= BIT STRING

END -- of CryptographicMessageSyntax
References

PKCS #6   RSA Laboratories. PKCS #6: Extended-Certificate Syntax
          Standard. Version 1.5, November 1993.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/