draft-ietf-smime-rfc2633bis-08.txt   draft-ietf-smime-rfc2633bis-09.txt 
Internet Draft Editor: Blake Ramsdell, Internet Draft Editor: Blake Ramsdell,
draft-ietf-smime-rfc2633bis-08.txt Sendmail, Inc. draft-ietf-smime-rfc2633bis-09.txt Sendmail, Inc.
March 25, 2004 April 19, 2004
Expires September 25, 2004 Expires October 19, 2004
S/MIME Version 3.1 Message Specification S/MIME Version 3.1 Message Specification
Status of this memo Status of this memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other Force (IETF), its areas, and its working groups. Note that other
skipping to change at line 29 skipping to change at line 28
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress." or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Abstract
This document defines S/MIME (Secure/Multipurpose Internet Mail
extensions) version 3.1. S/MIME provides a consistent way to send and
receive secure MIME data. Digital signatures provide authentication,
message integrity and non-repudiation with proof of origin, encryption
provides data confidentiality and compression provides data
compression.
1. Introduction 1. Introduction
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a
consistent way to send and receive secure MIME data. Based on the consistent way to send and receive secure MIME data. Based on the
popular Internet MIME standard, S/MIME provides the following popular Internet MIME standard, S/MIME provides the following
cryptographic security services for electronic messaging applications: cryptographic security services for electronic messaging applications:
authentication, message integrity and non-repudiation of origin (using authentication, message integrity and non-repudiation of origin (using
digital signatures) and data confidentiality (using encryption). digital signatures) and data confidentiality (using encryption).
S/MIME can be used by traditional mail user agents (MUAs) to add S/MIME can be used by traditional mail user agents (MUAs) to add
skipping to change at line 64 skipping to change at line 72
and encryption services to MIME data. The MIME standard [MIME-SPEC] and encryption services to MIME data. The MIME standard [MIME-SPEC]
provides a general structure for the content type of Internet messages provides a general structure for the content type of Internet messages
and allows extensions for new content type applications. and allows extensions for new content type applications.
This specification defines how to create a MIME body part that has This specification defines how to create a MIME body part that has
been cryptographically enhanced according to CMS [CMS], which is been cryptographically enhanced according to CMS [CMS], which is
derived from PKCS #7 [PKCS-7]. This specification also defines the derived from PKCS #7 [PKCS-7]. This specification also defines the
application/pkcs7-mime MIME type that can be used to transport those application/pkcs7-mime MIME type that can be used to transport those
body parts. body parts.
This specification also discusses how to use the multipart/signed MIME This document also discusses how to use the multipart/signed MIME
type defined in [MIME-SECURE] to transport S/MIME signed messages. type defined in [MIME-SECURE] to transport S/MIME signed messages.
multipart/signed is used in conjunction with the multipart/signed is used in conjunction with the
application/pkcs7-signature MIME type, which is used to transport application/pkcs7-signature MIME type, which is used to transport
a detached S/MIME signature. a detached S/MIME signature.
In order to create S/MIME messages, an S/MIME agent MUST follow the In order to create S/MIME messages, an S/MIME agent MUST follow the
specifications in this document, as well as the specifications specifications in this document, as well as the specifications
listed in the Cryptographic Message Syntax document [CMS]. listed in the Cryptographic Message Syntax document [CMS] [CMSALG].
Throughout this specification, there are requirements and Throughout this specification, there are requirements and
recommendations made for how receiving agents handle incoming recommendations made for how receiving agents handle incoming
messages. There are separate requirements and recommendations for how messages. There are separate requirements and recommendations for how
sending agents create outgoing messages. In general, the best strategy sending agents create outgoing messages. In general, the best strategy
is to "be liberal in what you receive and conservative in what you is to "be liberal in what you receive and conservative in what you
send". Most of the requirements are placed on the handling of incoming send". Most of the requirements are placed on the handling of incoming
messages while the recommendations are mostly on the creation of messages while the recommendations are mostly on the creation of
outgoing messages. outgoing messages.
skipping to change at line 127 skipping to change at line 135
characters. <CR> and <LF> occur only as part of a <CR><LF> end of line characters. <CR> and <LF> occur only as part of a <CR><LF> end of line
delimiter. delimiter.
8-bit data: Text data with lines less than 998 characters, and where 8-bit data: Text data with lines less than 998 characters, and where
none of the characters are NULL characters. <CR> and <LF> occur only none of the characters are NULL characters. <CR> and <LF> occur only
as part of a <CR><LF> end of line delimiter. as part of a <CR><LF> end of line delimiter.
Binary data: Arbitrary data. Binary data: Arbitrary data.
Transfer Encoding: A reversible transformation made on data so 8-bit Transfer Encoding: A reversible transformation made on data so 8-bit
or binary data may be sent via a channel that only transmits 7-bit or binary data can be sent via a channel that only transmits 7-bit
data. data.
Receiving agent: Software that interprets and processes S/MIME CMS Receiving agent: Software that interprets and processes S/MIME CMS
objects, MIME body parts that contain CMS content types, or both. objects, MIME body parts that contain CMS content types, or both.
Sending agent: Software that creates S/MIME CMS content types, MIME Sending agent: Software that creates S/MIME CMS content types, MIME
body parts that contain CMS content types, or both. body parts that contain CMS content types, or both.
S/MIME agent: User software that is a receiving agent, a sending S/MIME agent: User software that is a receiving agent, a sending
agent, or both. agent, or both.
1.4 Compatibility with Prior Practice of S/MIME 1.4 Compatibility with Prior Practice of S/MIME
S/MIME version 3.1 agents should attempt to have the greatest S/MIME version 3.1 agents SHOULD attempt to have the greatest
interoperability possible with agents for prior versions of S/MIME. interoperability possible with agents for prior versions of S/MIME.
S/MIME version 2 is described in RFC 2311 through RFC 2315, inclusive S/MIME version 2 is described in RFC 2311 through RFC 2315, inclusive
and S/MIME version 3 is described in RFC 2630 through RFC 2634 and S/MIME version 3 is described in RFC 2630 through RFC 2634
inclusive. RFC 2311 also has historical information about the inclusive. RFC 2311 also has historical information about the
development of S/MIME. development of S/MIME.
1.5 Changes Since S/MIME v3.0 1.5 Changes Since S/MIME v3.0
The RSA public key algorithm was changed to a MUST implement key The RSA public key algorithm was changed to a MUST implement key
wrapping algorithm, and the Diffie-Hellman algorithm changed to a wrapping algorithm, and the Diffie-Hellman algorithm changed to a
skipping to change at line 204 skipping to change at line 212
If using rsaEncryption, sending and receiving agents MUST support the If using rsaEncryption, sending and receiving agents MUST support the
digest algorithms in section 2.1 as specified. digest algorithms in section 2.1 as specified.
Note that S/MIME v3 clients might only implement signing or signature Note that S/MIME v3 clients might only implement signing or signature
verification using id-dsa-with-sha1, and might also use id-dsa as an verification using id-dsa-with-sha1, and might also use id-dsa as an
AlgorithmIdentifier in this field. Receiving clients SHOULD recognize AlgorithmIdentifier in this field. Receiving clients SHOULD recognize
id-dsa as equivalent to id-dsa-with-sha1, and sending clients MUST use id-dsa as equivalent to id-dsa-with-sha1, and sending clients MUST use
id-dsa-with-sha1 if using that algorithm. Also note that S/MIME v2 id-dsa-with-sha1 if using that algorithm. Also note that S/MIME v2
clients are only required to verify digital signatures using the clients are only required to verify digital signatures using the
rsaEncryption algorithm with SHA-1 or MD5, and may not implement rsaEncryption algorithm with SHA-1 or MD5, and might not implement
id-dsa-with-sha1 or id-dsa at all. id-dsa-with-sha1 or id-dsa at all.
2.3 KeyEncryptionAlgorithmIdentifier 2.3 KeyEncryptionAlgorithmIdentifier
Sending and receiving agents MUST support rsaEncryption, defined in Sending and receiving agents MUST support rsaEncryption, defined in
[CMSALG]. [CMSALG].
Sending and receiving agents SHOULD support Diffie-Hellman defined in Sending and receiving agents SHOULD support Diffie-Hellman defined in
[CMSALG], using the ephemeral-static mode. [CMSALG], using the ephemeral-static mode.
skipping to change at line 253 skipping to change at line 261
Sending agents MUST use the SignedData content type to apply a digital Sending agents MUST use the SignedData content type to apply a digital
signature to a message or, in a degenerate case where there is no signature to a message or, in a degenerate case where there is no
signature information, to convey certificates. Applying a signature to signature information, to convey certificates. Applying a signature to
a message provides authentication, message integrity, and a message provides authentication, message integrity, and
non-repudiation of origin. non-repudiation of origin.
2.4.3 EnvelopedData Content Type 2.4.3 EnvelopedData Content Type
This content type is used to apply data confidentiality to a message. This content type is used to apply data confidentiality to a message.
A sender needs to have access to a public key for each intended A sender needs to have access to a public key for each intended
message recipient to use this service. This content type does not message recipient to use this service.
provide authentication.
2.4.4 CompressedData Content Type 2.4.4 CompressedData Content Type
This content type is used to apply data compression to a message. This This content type is used to apply data compression to a message. This
content type does not provide authentication, message integrity, content type does not provide authentication, message integrity,
non-repudiation, or data confidentiality, and is only used to reduce non-repudiation, or data confidentiality, and is only used to reduce
message size. message size.
See section 3.6 for further guidance on the use of this type in See section 3.6 for further guidance on the use of this type in
conjunction with other CMS types. conjunction with other CMS types.
skipping to change at line 289 skipping to change at line 296
- id-messageDigest (section 11.2 in [CMS]) - id-messageDigest (section 11.2 in [CMS])
- id-contentType (section 11.1 in [CMS]) - id-contentType (section 11.1 in [CMS])
Further, receiving agents SHOULD be able to handle zero or one Further, receiving agents SHOULD be able to handle zero or one
instance in the signingCertificate signed attribute, as defined in instance in the signingCertificate signed attribute, as defined in
section 5 of [ESS]. section 5 of [ESS].
Sending agents SHOULD generate one instance of the signingCertificate Sending agents SHOULD generate one instance of the signingCertificate
signed attribute in each SignerInfo structure. signed attribute in each SignerInfo structure.
Additional attributes and values for these attributes may be defined Additional attributes and values for these attributes might be defined
in the future. Receiving agents SHOULD handle attributes or values in the future. Receiving agents SHOULD handle attributes or values
that it does not recognize in a graceful manner. that it does not recognize in a graceful manner.
Interactive sending agents that include signed attributes that are not Interactive sending agents that include signed attributes that are not
listed here SHOULD display those attributes to the user, so that the listed here SHOULD display those attributes to the user, so that the
user is aware of all of the data being signed. user is aware of all of the data being signed.
2.5.1 Signing-Time Attribute 2.5.1 Signing-Time Attribute
The signing-time attribute is used to convey the time that a message The signing-time attribute is used to convey the time that a message
skipping to change at line 337 skipping to change at line 344
include multiple instances of the SMIMECapabilities attribute. CMS include multiple instances of the SMIMECapabilities attribute. CMS
defines the ASN.1 syntax for Attribute to include attrValues SET OF defines the ASN.1 syntax for Attribute to include attrValues SET OF
AttributeValue. A SMIMECapabilities attribute MUST only include a AttributeValue. A SMIMECapabilities attribute MUST only include a
single instance of AttributeValue. There MUST NOT be zero or multiple single instance of AttributeValue. There MUST NOT be zero or multiple
instances of AttributeValue present in the attrValues SET OF instances of AttributeValue present in the attrValues SET OF
AttributeValue. AttributeValue.
The semantics of the SMIMECapabilities attribute specify a partial The semantics of the SMIMECapabilities attribute specify a partial
list as to what the client announcing the SMIMECapabilities can list as to what the client announcing the SMIMECapabilities can
support. A client does not have to list every capability it supports, support. A client does not have to list every capability it supports,
and probably should not list all its capabilities so that the and need not list all its capabilities so that the capabilities list
capabilities list doesn't get too long. In an SMIMECapabilities doesn't get too long. In an SMIMECapabilities attribute, the object
attribute, the object identifiers (OIDs) are listed in order of their identifiers (OIDs) are listed in order of their preference, but SHOULD
preference, but SHOULD be logically separated along the lines of their be logically separated along the lines of their categories (signature
categories (signature algorithms, symmetric algorithms, key algorithms, symmetric algorithms, key encipherment algorithms, etc.)
encipherment algorithms, etc.)
The structure of the SMIMECapabilities attribute is to facilitate The structure of the SMIMECapabilities attribute is to facilitate
simple table lookups and binary comparisons in order to determine simple table lookups and binary comparisons in order to determine
matches. For instance, the DER-encoding for the SMIMECapability for matches. For instance, the DER-encoding for the SMIMECapability for
DES EDE3 CBC MUST be identically encoded regardless of the DES EDE3 CBC MUST be identically encoded regardless of the
implementation. Because of the requirement for identical encoding, implementation. Because of the requirement for identical encoding,
individuals documenting algorithms to be used in the SMIMECapabilities individuals documenting algorithms to be used in the SMIMECapabilities
attribute SHOULD explicitly document the correct byte sequence for the attribute SHOULD explicitly document the correct byte sequence for the
common cases. common cases.
For any capability, the associated parameters for the OID MUST specify For any capability, the associated parameters for the OID MUST specify
all of the parameters necessary to differentiate between two instances all of the parameters necessary to differentiate between two instances
of the same algorithm. For instance, the number of rounds and block of the same algorithm. For instance, the number of rounds and block
size for RC5 must be specified in addition to the key length. size for RC5 needs to be specified in addition to the key length.
The OIDs that correspond to algorithms SHOULD use the same OID as the The OIDs that correspond to algorithms SHOULD use the same OID as the
actual algorithm, except in the case where the algorithm usage is actual algorithm, except in the case where the algorithm usage is
ambiguous from the OID. For instance, in an earlier specification, ambiguous from the OID. For instance, in an earlier specification,
rsaEncryption was ambiguous because it could refer to either a rsaEncryption was ambiguous because it could refer to either a
signature algorithm or a key encipherment algorithm. In the event that signature algorithm or a key encipherment algorithm. In the event that
an OID is ambiguous, it needs to be arbitrated by the maintainer of an OID is ambiguous, it needs to be arbitrated by the maintainer of
the registered SMIMECapabilities list as to which type of algorithm the registered SMIMECapabilities list as to which type of algorithm
will use the OID, and a new OID MUST be allocated under the will use the OID, and a new OID MUST be allocated under the
smimeCapabilities OID to satisfy the other use of the OID. smimeCapabilities OID to satisfy the other use of the OID.
The registered SMIMECapabilities list specifies the parameters for The registered SMIMECapabilities list specifies the parameters for
OIDs that need them, most notably key lengths in the case of variable- OIDs that need them, most notably key lengths in the case of variable-
length symmetric ciphers. In the event that there are no length symmetric ciphers. In the event that there are no
differentiating parameters for a particular OID, the parameters MUST differentiating parameters for a particular OID, the parameters MUST
be omitted, and MUST NOT be encoded as NULL. be omitted, and MUST NOT be encoded as NULL.
Additional values for the SMIMECapabilities attribute may be defined Additional values for the SMIMECapabilities attribute might be defined
in the future. Receiving agents MUST handle a SMIMECapabilities object in the future. Receiving agents MUST handle a SMIMECapabilities object
that has values that it does not recognize in a graceful manner. that has values that it does not recognize in a graceful manner.
Section 2.7.1 explains a strategy for caching capabilities. Section 2.7.1 explains a strategy for caching capabilities.
2.5.2.1 SMIMECapability For the RC2 Algorithm 2.5.2.1 SMIMECapability For the RC2 Algorithm
For the RC2 algorithm preference SMIMECapability, the capabilityID For the RC2 algorithm preference SMIMECapability, the capabilityID
MUST be set to the value rC2-CBC as defined in [CMSALG]. The MUST be set to the value rC2-CBC as defined in [CMSALG]. The
parameters field MUST contain SMIMECapabilitiesParametersForRC2CBC parameters field MUST contain SMIMECapabilitiesParametersForRC2CBC
skipping to change at line 401 skipping to change at line 407
value 128, NOT the corresponding parameter version of 58. value 128, NOT the corresponding parameter version of 58.
2.5.3 Encryption Key Preference Attribute 2.5.3 Encryption Key Preference Attribute
The encryption key preference attribute allows the signer to The encryption key preference attribute allows the signer to
unambiguously describe which of the signer's certificates has the unambiguously describe which of the signer's certificates has the
signer's preferred encryption key. This attribute is designed to signer's preferred encryption key. This attribute is designed to
enhance behavior for interoperating with those clients which use enhance behavior for interoperating with those clients which use
separate keys for encryption and signing. This attribute is used to separate keys for encryption and signing. This attribute is used to
convey to anyone viewing the attribute which of the listed convey to anyone viewing the attribute which of the listed
certificates should be used for encrypting a session key for future certificates is appropriate for encrypting a session key for future
encrypted messages. encrypted messages.
If present, the SMIMEEncryptionKeyPreference attribute MUST be a If present, the SMIMEEncryptionKeyPreference attribute MUST be a
SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines
SignedAttributes as a SET OF Attribute. The SignedAttributes in a SignedAttributes as a SET OF Attribute. The SignedAttributes in a
signerInfo MUST NOT include multiple instances of the signerInfo MUST NOT include multiple instances of the
SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax SMIMEEncryptionKeyPreference attribute. CMS defines the ASN.1 syntax
for Attribute to include attrValues SET OF AttributeValue. A for Attribute to include attrValues SET OF AttributeValue. A
SMIMEEncryptionKeyPreference attribute MUST only include a single SMIMEEncryptionKeyPreference attribute MUST only include a single
instance of AttributeValue. There MUST NOT be zero or multiple instance of AttributeValue. There MUST NOT be zero or multiple
instances of AttributeValue present in the attrValues SET OF instances of AttributeValue present in the attrValues SET OF
AttributeValue. AttributeValue.
The sending agent SHOULD include the referenced certificate in the set The sending agent SHOULD include the referenced certificate in the set
of certificates included in the signed message if this attribute is of certificates included in the signed message if this attribute is
used. The certificate may be omitted if it has been previously made used. The certificate MAY be omitted if it has been previously made
available to the receiving agent. Sending agents SHOULD use this available to the receiving agent. Sending agents SHOULD use this
attribute if the commonly used or preferred encryption certificate is attribute if the commonly used or preferred encryption certificate is
not the same as the certificate used to sign the message. not the same as the certificate used to sign the message.
Receiving agents SHOULD store the preference data if the signature on Receiving agents SHOULD store the preference data if the signature on
the message is valid and the signing time is greater than the the message is valid and the signing time is greater than the
currently stored value. (As with the SMIMECapabilities, the clock skew currently stored value. (As with the SMIMECapabilities, the clock skew
should be checked and the data not used if the skew is too great.) SHOULD be checked and the data not used if the skew is too great.)
Receiving agents SHOULD respect the sender's encryption key preference Receiving agents SHOULD respect the sender's encryption key preference
attribute if possible. This however represents only a preference and attribute if possible. This however represents only a preference and
the receiving agent may use any certificate in replying to the sender the receiving agent can use any certificate in replying to the sender
that is valid. that is valid.
Section 2.7.1 explains a strategy for caching preference data. Section 2.7.1 explains a strategy for caching preference data.
2.5.3.1 Selection of Recipient Key Management Certificate 2.5.3.1 Selection of Recipient Key Management Certificate
In order to determine the key management certificate to be used when In order to determine the key management certificate to be used when
sending a future CMS EnvelopedData message for a particular recipient, sending a future CMS EnvelopedData message for a particular recipient,
the following steps SHOULD be followed: the following steps SHOULD be followed:
- If an SMIMEEncryptionKeyPreference attribute is found in a - If an SMIMEEncryptionKeyPreference attribute is found in a
SignedData object received from the desired recipient, this SignedData object received from the desired recipient, this
identifies the X.509 certificate that should be used as the X.509 identifies the X.509 certificate that SHOULD be used as the X.509
key management certificate for the recipient. key management certificate for the recipient.
- If an SMIMEEncryptionKeyPreference attribute is not found in a - If an SMIMEEncryptionKeyPreference attribute is not found in a
SignedData object received from the desired recipient, the set of SignedData object received from the desired recipient, the set of
X.509 certificates should be searched for a X.509 certificate with X.509 certificates SHOULD be searched for a X.509 certificate with
the same subject name as the signing X.509 certificate which can be the same subject name as the signing X.509 certificate which can be
used for key management. used for key management.
- Or use some other method of determining the user's key management - Or use some other method of determining the user's key management
key. If a X.509 key management certificate is not found, then key. If a X.509 key management certificate is not found, then
encryption cannot be done with the signer of the message. If encryption cannot be done with the signer of the message. If
multiple X.509 key management certificates are found, the S/MIME multiple X.509 key management certificates are found, the S/MIME
agent can make an arbitrary choice between them. agent can make an arbitrary choice between them.
2.6 SignerIdentifier SignerInfo Type 2.6 SignerIdentifier SignerInfo Type
skipping to change at line 521 skipping to change at line 527
Before sending a message, the sending agent MUST decide whether it is Before sending a message, the sending agent MUST decide whether it is
willing to use weak encryption for the particular data in the message. willing to use weak encryption for the particular data in the message.
If the sending agent decides that weak encryption is unacceptable for If the sending agent decides that weak encryption is unacceptable for
this data, then the sending agent MUST NOT use a weak algorithm such this data, then the sending agent MUST NOT use a weak algorithm such
as RC2/40. The decision to use or not use weak encryption overrides as RC2/40. The decision to use or not use weak encryption overrides
any other decision in this section about which encryption algorithm to any other decision in this section about which encryption algorithm to
use. use.
Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending Sections 2.7.2.1 through 2.7.2.4 describe the decisions a sending
agent SHOULD use in deciding which type of encryption should be agent SHOULD use in deciding which type of encryption will be
applied to a message. These rules are ordered, so the sending agent applied to a message. These rules are ordered, so the sending agent
SHOULD make its decision in the order given. SHOULD make its decision in the order given.
2.7.1.1 Rule 1: Known Capabilities 2.7.1.1 Rule 1: Known Capabilities
If the sending agent has received a set of capabilities from the If the sending agent has received a set of capabilities from the
recipient for the message the agent is about to encrypt, then the recipient for the message the agent is about to encrypt, then the
sending agent SHOULD use that information by selecting the first sending agent SHOULD use that information by selecting the first
capability in the list (that is, the capability most preferred by the capability in the list (that is, the capability most preferred by the
intended recipient) for which the sending agent knows how to encrypt. intended recipient) for which the sending agent knows how to encrypt.
skipping to change at line 561 skipping to change at line 567
SHOULD allow a human sender to determine the risks of sending data SHOULD allow a human sender to determine the risks of sending data
using RC2/40 or a similarly weak encryption algorithm before sending using RC2/40 or a similarly weak encryption algorithm before sending
the data, and possibly allow the human to use a stronger encryption the data, and possibly allow the human to use a stronger encryption
method such as tripleDES. method such as tripleDES.
2.7.3 Multiple Recipients 2.7.3 Multiple Recipients
If a sending agent is composing an encrypted message to a group of If a sending agent is composing an encrypted message to a group of
recipients where the encryption capabilities of some of the recipients recipients where the encryption capabilities of some of the recipients
do not overlap, the sending agent is forced to send more than one do not overlap, the sending agent is forced to send more than one
message. It should be noted that if the sending agent chooses to send message. Please note that if the sending agent chooses to send a
a message encrypted with a strong algorithm, and then send the same message encrypted with a strong algorithm, and then send the same
message encrypted with a weak algorithm, someone watching the message encrypted with a weak algorithm, someone watching the
communications channel may be able to learn the contents of the communications channel could learn the contents of the
strongly-encrypted message simply by decrypting the weakly-encrypted strongly-encrypted message simply by decrypting the weakly-encrypted
message. message.
3. Creating S/MIME Messages 3. Creating S/MIME Messages
This section describes the S/MIME message formats and how they are This section describes the S/MIME message formats and how they are
created. S/MIME messages are a combination of MIME bodies and CMS created. S/MIME messages are a combination of MIME bodies and CMS
content types. Several MIME types as well as several CMS content types content types. Several MIME types as well as several CMS content types
are used. The data to be secured is always a canonical MIME entity. are used. The data to be secured is always a canonical MIME entity.
The MIME entity and other data, such as certificates and algorithm The MIME entity and other data, such as certificates and algorithm
skipping to change at line 594 skipping to change at line 600
for signed-only data, and several formats for signed and enveloped for signed-only data, and several formats for signed and enveloped
data. Several formats are required to accommodate several data. Several formats are required to accommodate several
environments, in particular for signed messages. The criteria for environments, in particular for signed messages. The criteria for
choosing among these formats are also described. choosing among these formats are also described.
The reader of this section is expected to understand MIME as described The reader of this section is expected to understand MIME as described
in [MIME-SPEC] and [MIME-SECURE]. in [MIME-SPEC] and [MIME-SECURE].
3.1 Preparing the MIME Entity for Signing, Enveloping or Compressing 3.1 Preparing the MIME Entity for Signing, Enveloping or Compressing
S/MIME is used to secure MIME entities. A MIME entity may be a sub- S/MIME is used to secure MIME entities. A MIME entity can be a sub-
part, sub-parts of a message, or the whole message with all its sub- part, sub-parts of a message, or the whole message with all its sub-
parts. A MIME entity that is the whole message includes only the MIME parts. A MIME entity that is the whole message includes only the MIME
headers and MIME body, and does not include the RFC-822 headers. Note headers and MIME body, and does not include the RFC-822 headers. Note
that S/MIME can also be used to secure MIME entities used in that S/MIME can also be used to secure MIME entities used in
applications other than Internet mail. If protection of the RFC-822 applications other than Internet mail. If protection of the RFC-822
headers is required, the use of the message/rfc822 MIME type is headers is required, the use of the message/rfc822 MIME type is
explained later in this section. explained later in this section.
The MIME entity that is secured and described in this section can be The MIME entity that is secured and described in this section can be
thought of as the "inside" MIME entity. That is, it is the "innermost" thought of as the "inside" MIME entity. That is, it is the "innermost"
object in what is possibly a larger MIME message. Processing "outside" object in what is possibly a larger MIME message. Processing "outside"
MIME entities into CMS content types is described in Section 3.2, 3.4 MIME entities into CMS content types is described in Section 3.2, 3.4
and elsewhere. and elsewhere.
The procedure for preparing a MIME entity is given in [MIME-SPEC]. The The procedure for preparing a MIME entity is given in [MIME-SPEC]. The
same procedure is used here with some additional restrictions when same procedure is used here with some additional restrictions when
signing. Description of the procedures from [MIME-SPEC] are repeated signing. Description of the procedures from [MIME-SPEC] are repeated
here, but the reader should refer to that document for the exact here, but it is suggested that the reader refer to that document for
procedure. This section also describes additional requirements. the exact procedure. This section also describes additional
requirements.
A single procedure is used for creating MIME entities that are to have A single procedure is used for creating MIME entities that are to have
any combination of signing, enveloping and compressing applied. Some any combination of signing, enveloping and compressing applied. Some
additional steps are recommended to defend against known corruptions additional steps are recommended to defend against known corruptions
that can occur during mail transport that are of particular importance that can occur during mail transport that are of particular importance
for clear- signing using the multipart/signed format. It is for clear- signing using the multipart/signed format. It is
recommended that these additional steps be performed on enveloped recommended that these additional steps be performed on enveloped
messages, or signed and enveloped messages in order that the message messages, or signed and enveloped messages in order that the message
can be forwarded to any environment without modification. can be forwarded to any environment without modification.
skipping to change at line 650 skipping to change at line 657
In order to protect outer, non-content related message headers (for In order to protect outer, non-content related message headers (for
instance, the "Subject", "To", "From" and "CC" fields), the sending instance, the "Subject", "To", "From" and "CC" fields), the sending
client MAY wrap a full MIME message in a message/rfc822 wrapper in client MAY wrap a full MIME message in a message/rfc822 wrapper in
order to apply S/MIME security services to these headers. It is up to order to apply S/MIME security services to these headers. It is up to
the receiving client to decide how to present these "inner" headers the receiving client to decide how to present these "inner" headers
along with the unprotected "outer" headers. along with the unprotected "outer" headers.
When an S/MIME message is received, if the top-level protected MIME When an S/MIME message is received, if the top-level protected MIME
entity has a Content-Type of message/rfc822, it can be assumed that entity has a Content-Type of message/rfc822, it can be assumed that
the intent was to provide header protection. This entity should be the intent was to provide header protection. This entity SHOULD be
presented as the top-level message, taking into account header merging presented as the top-level message, taking into account header merging
issues as previously discussed. issues as previously discussed.
3.1.1 Canonicalization 3.1.1 Canonicalization
Each MIME entity MUST be converted to a canonical form that is Each MIME entity MUST be converted to a canonical form that is
uniquely and unambiguously representable in the environment where the uniquely and unambiguously representable in the environment where the
signature is created and the environment where the signature will be signature is created and the environment where the signature will be
verified. MIME entities MUST be canonicalized for enveloping and verified. MIME entities MUST be canonicalized for enveloping and
compressing as well as signing. compressing as well as signing.
The exact details of canonicalization depend on the actual MIME type The exact details of canonicalization depend on the actual MIME type
and subtype of an entity, and are not described here. Instead, the and subtype of an entity, and are not described here. Instead, the
standard for the particular MIME type should be consulted. For standard for the particular MIME type SHOULD be consulted. For
example, canonicalization of type text/plain is different from example, canonicalization of type text/plain is different from
canonicalization of audio/basic. Other than text types, most types canonicalization of audio/basic. Other than text types, most types
have only one representation regardless of computing platform or have only one representation regardless of computing platform or
environment which can be considered their canonical representation. In environment which can be considered their canonical representation. In
general, canonicalization will be performed by the non-security part general, canonicalization will be performed by the non-security part
of the sending agent rather than the S/MIME implementation. of the sending agent rather than the S/MIME implementation.
The most common and important canonicalization is for text, which is The most common and important canonicalization is for text, which is
often represented differently in different environments. MIME entities often represented differently in different environments. MIME entities
of major type "text" must have both their line endings and character of major type "text" MUST have both their line endings and character
set canonicalized. The line ending must be the pair of characters set canonicalized. The line ending MUST be the pair of characters
<CR><LF>, and the charset should be a registered charset [CHARSETS]. <CR><LF>, and the charset SHOULD be a registered charset [CHARSETS].
The details of the canonicalization are specified in [MIME-SPEC]. The The details of the canonicalization are specified in [MIME-SPEC]. The
chosen charset SHOULD be named in the charset parameter so that the chosen charset SHOULD be named in the charset parameter so that the
receiving agent can unambiguously determine the charset used. receiving agent can unambiguously determine the charset used.
Note that some charsets such as ISO-2022 have multiple representations Note that some charsets such as ISO-2022 have multiple representations
for the same characters. When preparing such text for signing, the for the same characters. When preparing such text for signing, the
canonical representation specified for the charset MUST be used. canonical representation specified for the charset MUST be used.
3.1.2 Transfer Encoding 3.1.2 Transfer Encoding
When generating any of the secured MIME entities below, except the When generating any of the secured MIME entities below, except the
signing using the multipart/signed format, no transfer encoding at all signing using the multipart/signed format, no transfer encoding at all
is required. S/MIME implementations MUST be able to deal with binary is required. S/MIME implementations MUST be able to deal with binary
MIME objects. If no Content-Transfer-Encoding header is present, the MIME objects. If no Content-Transfer-Encoding header is present, the
transfer encoding should be considered 7BIT. transfer encoding is presumed to be 7BIT.
S/MIME implementations SHOULD however use transfer encoding described S/MIME implementations SHOULD however use transfer encoding described
in section 3.1.3 for all MIME entities they secure. The reason for in section 3.1.3 for all MIME entities they secure. The reason for
securing only 7-bit MIME entities, even for enveloped data that are securing only 7-bit MIME entities, even for enveloped data that are
not exposed to the transport, is that it allows the MIME entity to be not exposed to the transport, is that it allows the MIME entity to be
handled in any environment without changing it. For example, a trusted handled in any environment without changing it. For example, a trusted
gateway might remove the envelope, but not the signature, of a gateway might remove the envelope, but not the signature, of a
message, and then forward the signed message on to the end recipient message, and then forward the signed message on to the end recipient
so that they can verify the signatures directly. If the transport so that they can verify the signatures directly. If the transport
internal to the site is not 8-bit clean, such as on a wide-area internal to the site is not 8-bit clean, such as on a wide-area
skipping to change at line 757 skipping to change at line 764
of the first part of a multipart/signed message. If a compliant agent of the first part of a multipart/signed message. If a compliant agent
that can not transmit 8-bit or binary data encounters a that can not transmit 8-bit or binary data encounters a
multipart/signed message with 8-bit or binary data in the first part, multipart/signed message with 8-bit or binary data in the first part,
it would have to return the message to the sender as undeliverable. it would have to return the message to the sender as undeliverable.
3.1.4 Sample Canonical MIME Entity 3.1.4 Sample Canonical MIME Entity
This example shows a multipart/mixed message with full transfer This example shows a multipart/mixed message with full transfer
encoding. This message contains a text part and an attachment. The encoding. This message contains a text part and an attachment. The
sample message text includes characters that are not US-ASCII and thus sample message text includes characters that are not US-ASCII and thus
must be transfer encoded. Though not shown here, the end of each line need to be transfer encoded. Though not shown here, the end of each
is <CR><LF>. The line ending of the MIME headers, the text, and line is <CR><LF>. The line ending of the MIME headers, the text, and
transfer encoded parts, all must be <CR><LF>. transfer encoded parts, all MUST be <CR><LF>.
Note that this example is not of an S/MIME message. Note that this example is not of an S/MIME message.
Content-Type: multipart/mixed; boundary=bar Content-Type: multipart/mixed; boundary=bar
--bar --bar
Content-Type: text/plain; charset=iso-8859-1 Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable Content-Transfer-Encoding: quoted-printable
=A1Hola Michael! =A1Hola Michael!
skipping to change at line 803 skipping to change at line 810
3.2 The application/pkcs7-mime Type 3.2 The application/pkcs7-mime Type
The application/pkcs7-mime type is used to carry CMS content types The application/pkcs7-mime type is used to carry CMS content types
including EnvelopedData, SignedData and CompressedData. The details of including EnvelopedData, SignedData and CompressedData. The details of
constructing these entities is described in subsequent sections. This constructing these entities is described in subsequent sections. This
section describes the general characteristics of the section describes the general characteristics of the
application/pkcs7-mime type. application/pkcs7-mime type.
The carried CMS object always contains a MIME entity that is prepared The carried CMS object always contains a MIME entity that is prepared
as described in section 3.1 if the eContentType is id-data. Other as described in section 3.1 if the eContentType is id-data. Other
contents may be carried when the eContentType contains different contents MAY be carried when the eContentType contains different
values. See [ESS] for an example of this with signed receipts. values. See [ESS] for an example of this with signed receipts.
Since CMS content types are binary data, in most cases base-64 Since CMS content types are binary data, in most cases base-64
transfer encoding is appropriate, in particular when used with SMTP transfer encoding is appropriate, in particular when used with SMTP
transport. The transfer encoding used depends on the transport through transport. The transfer encoding used depends on the transport through
which the object is to be sent, and is not a characteristic of the which the object is to be sent, and is not a characteristic of the
MIME type. MIME type.
Note that this discussion refers to the transfer encoding of the CMS Note that this discussion refers to the transfer encoding of the CMS
object or "outside" MIME entity. It is completely distinct from, and object or "outside" MIME entity. It is completely distinct from, and
skipping to change at line 884 skipping to change at line 891
enveloped-data EnvelopedData id-data enveloped-data EnvelopedData id-data
signed-data SignedData id-data signed-data SignedData id-data
certs-only SignedData none certs-only SignedData none
compressed-data CompressedData id-data compressed-data CompressedData id-data
In order that consistency can be obtained with future, the following In order that consistency can be obtained with future, the following
guidelines should be followed when assigning a new smime-type guidelines SHOULD be followed when assigning a new smime-type
parameter. parameter.
1. If both signing and encryption can be applied to the content, then 1. If both signing and encryption can be applied to the content, then
two values for smime-type SHOULD be assigned "signed-*" and two values for smime-type SHOULD be assigned "signed-*" and
"encrypted-*". If one operation can be assigned then this may be "encrypted-*". If one operation can be assigned then this can be
omitted. Thus since "certs-only" can only be signed, "signed-" is omitted. Thus since "certs-only" can only be signed, "signed-" is
omitted. omitted.
2. A common string for a content oid should be assigned. We use "data" 2. A common string for a content oid SHOULD be assigned. We use "data"
for the id-data content OID when MIME is the inner content. for the id-data content OID when MIME is the inner content.
3. If no common string is assigned. Then the common string of 3. If no common string is assigned. Then the common string of
"OID.<oid>" is recommended (for example, "OID.1.3.6.1.5.5.7.6.1" would "OID.<oid>" is recommended (for example, "OID.1.3.6.1.5.5.7.6.1" would
be DES40). be DES40).
It is explicitly intended that this field be a suitable hint for mail It is explicitly intended that this field be a suitable hint for mail
client applications to indicate whether a message is "signed" or client applications to indicate whether a message is "signed" or
"encrypted" without having to tunnel into the CMS payload. "encrypted" without having to tunnel into the CMS payload.
3.3 Creating an Enveloped-only Message 3.3 Creating an Enveloped-only Message
This section describes the format for enveloping a MIME entity without This section describes the format for enveloping a MIME entity without
signing it. It is important to note that sending enveloped but not signing it. It is important to note that sending enveloped but not
signed messages does not provide for data integrity. It is possible to signed messages does not provide for data integrity. It is possible to
replace ciphertext in such a way that the processed message will still replace ciphertext in such a way that the processed message will still
be valid, but the meaning may be altered. be valid, but the meaning can be altered.
Step 1. The MIME entity to be enveloped is prepared according to Step 1. The MIME entity to be enveloped is prepared according to
section 3.1. section 3.1.
Step 2. The MIME entity and other required data is processed into a Step 2. The MIME entity and other required data is processed into a
CMS object of type EnvelopedData. In addition to encrypting a copy of CMS object of type EnvelopedData. In addition to encrypting a copy of
the content-encryption key for each recipient, a copy of the content- the content-encryption key for each recipient, a copy of the content-
encryption key SHOULD be encrypted for the originator and included in encryption key SHOULD be encrypted for the originator and included in
the EnvelopedData (see [CMS] Section 6). the EnvelopedData (see [CMS] Section 6).
skipping to change at line 947 skipping to change at line 954
rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H
f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
0GhIGfHfQbnj756YT64V 0GhIGfHfQbnj756YT64V
3.4 Creating a Signed-only Message 3.4 Creating a Signed-only Message
There are two formats for signed messages defined for S/MIME: There are two formats for signed messages defined for S/MIME:
application/pkcs7-mime with SignedData, and multipart/signed. In application/pkcs7-mime with SignedData, and multipart/signed. In
general, the multipart/signed form is preferred for sending, and general, the multipart/signed form is preferred for sending, and
receiving agents SHOULD be able to handle both. receiving agents MUST be able to handle both.
3.4.1 Choosing a Format for Signed-only Messages 3.4.1 Choosing a Format for Signed-only Messages
There are no hard-and-fast rules when a particular signed-only format There are no hard-and-fast rules when a particular signed-only format
should be chosen because it depends on the capabilities of all the is chosen because it depends on the capabilities of all the receivers
receivers and the relative importance of receivers with S/MIME and the relative importance of receivers with S/MIME facilities being
facilities being able to verify the signature versus the importance of able to verify the signature versus the importance of receivers
receivers without S/MIME software being able to view the message. without S/MIME software being able to view the message.
Messages signed using the multipart/signed format can always be viewed Messages signed using the multipart/signed format can always be viewed
by the receiver whether they have S/MIME software or not. They can by the receiver whether they have S/MIME software or not. They can
also be viewed whether they are using a MIME-native user agent or they also be viewed whether they are using a MIME-native user agent or they
have messages translated by a gateway. In this context, "be viewed" have messages translated by a gateway. In this context, "be viewed"
means the ability to process the message essentially as if it were not means the ability to process the message essentially as if it were not
a signed message, including any other MIME structure the message might a signed message, including any other MIME structure the message might
have. have.
Messages signed using the SignedData format cannot be viewed by a Messages signed using the SignedData format cannot be viewed by a
skipping to change at line 1157 skipping to change at line 1164
An S/MIME implementation MUST be able to receive and process An S/MIME implementation MUST be able to receive and process
arbitrarily nested S/MIME within reasonable resource limits of the arbitrarily nested S/MIME within reasonable resource limits of the
recipient computer. recipient computer.
It is possible to apply any of the signing, encrypting and compressing It is possible to apply any of the signing, encrypting and compressing
operations in any order. It is up to the implementer and the user to operations in any order. It is up to the implementer and the user to
choose. When signing first, the signatories are then securely obscured choose. When signing first, the signatories are then securely obscured
by the enveloping. When enveloping first the signatories are exposed, by the enveloping. When enveloping first the signatories are exposed,
but it is possible to verify signatures without removing the but it is possible to verify signatures without removing the
enveloping. This may be useful in an environment were automatic enveloping. This can be useful in an environment were automatic
signature verification is desired, as no private key material is signature verification is desired, as no private key material is
required to verify a signature. required to verify a signature.
There are security ramifications to choosing whether to sign first or There are security ramifications to choosing whether to sign first or
encrypt first. A recipient of a message that is encrypted and then encrypt first. A recipient of a message that is encrypted and then
signed can validate that the encrypted block was unaltered, but cannot signed can validate that the encrypted block was unaltered, but cannot
determine any relationship between the signer and the unencrypted determine any relationship between the signer and the unencrypted
contents of the message. A recipient of a message that is signed-then- contents of the message. A recipient of a message that is signed-then-
encrypted can assume that the signed message itself has not been encrypted can assume that the signed message itself has not been
altered, but that a careful attacker may have changed the altered, but that a careful attacker could have changed the
unauthenticated portions of the encrypted message. unauthenticated portions of the encrypted message.
When using compression, keep the following guidelines in mind: When using compression, keep the following guidelines in mind:
- Compression of binary encoded encrypted data is discouraged, since - Compression of binary encoded encrypted data is discouraged, since
it will not yield significant compression. Base64 encrypted data it will not yield significant compression. Base64 encrypted data
could very well benefit, however. could very well benefit, however.
- If a lossy compression algorithm is used with signing, you will need - If a lossy compression algorithm is used with signing, you will need
to compress first, then sign. to compress first, then sign.
skipping to change at line 1264 skipping to change at line 1271
All generated key pairs MUST be generated from a good source of non- All generated key pairs MUST be generated from a good source of non-
deterministic random input [RANDOM] and the private key MUST be deterministic random input [RANDOM] and the private key MUST be
protected in a secure fashion. protected in a secure fashion.
If an S/MIME agent needs to generate an RSA key pair, then the S/MIME If an S/MIME agent needs to generate an RSA key pair, then the S/MIME
agent or some related administrative utility or function SHOULD agent or some related administrative utility or function SHOULD
generate RSA key pairs using the following guidelines. A user agent generate RSA key pairs using the following guidelines. A user agent
SHOULD generate RSA key pairs at a minimum key size of 768 bits. A SHOULD generate RSA key pairs at a minimum key size of 768 bits. A
user agent MUST NOT generate RSA key pairs less than 512 bits long. user agent MUST NOT generate RSA key pairs less than 512 bits long.
Creating keys longer than 1024 bits may cause some older S/MIME Creating keys longer than 1024 bits can cause some older S/MIME
receiving agents to not be able to verify signatures, but gives better receiving agents to not be able to verify signatures, but gives better
security and is therefore valuable. A receiving agent SHOULD be able security and is therefore valuable. A receiving agent SHOULD be able
to verify signatures with keys of any size over 512 bits. Some agents to verify signatures with keys of any size over 512 bits. Some agents
created in the United States have chosen to create 512 bit keys in created in the United States have chosen to create 512 bit keys in
order to get more advantageous export licenses. However, 512 bit keys order to get more advantageous export licenses. However, 512 bit keys
are considered by many to be cryptographically insecure. Implementers are considered by many to be cryptographically insecure. Implementers
should be aware that multiple (active) key pairs may be associated SHOULD be aware that multiple (active) key pairs can be associated
with a single individual. For example, one key pair may be used to with a single individual. For example, one key pair can be used to
support confidentiality, while a different key pair may be used for support confidentiality, while a different key pair can be used for
authentication. authentication.
5. Security 5. Security
40-bit encryption is considered weak by most cryptographers. Using 40-bit encryption is considered weak by most cryptographers. Using
weak cryptography in S/MIME offers little actual security over sending weak cryptography in S/MIME offers little actual security over sending
plaintext. However, other features of S/MIME, such as the plaintext. However, other features of S/MIME, such as the
specification of tripleDES and the ability to announce stronger specification of tripleDES and the ability to announce stronger
cryptographic capabilities to parties with whom you communicate, allow cryptographic capabilities to parties with whom you communicate, allow
senders to create messages that use strong encryption. Using weak senders to create messages that use strong encryption. Using weak
cryptography is never recommended unless the only alternative is no cryptography is never recommended unless the only alternative is no
cryptography. When feasible, sending and receiving agents should cryptography. When feasible, sending and receiving agents SHOULD
inform senders and recipients the relative cryptographic strength of inform senders and recipients the relative cryptographic strength of
messages. messages.
It is impossible for most software or people to estimate the value of It is impossible for most software or people to estimate the value of
a message. Further, it is impossible for most software or people to a message. Further, it is impossible for most software or people to
estimate the actual cost of decrypting a message that is encrypted estimate the actual cost of decrypting a message that is encrypted
with a key of a particular size. Further, it is quite difficult to with a key of a particular size. Further, it is quite difficult to
determine the cost of a failed decryption if a recipient cannot decode determine the cost of a failed decryption if a recipient cannot decode
a message. Thus, choosing between different key sizes (or choosing a message. Thus, choosing between different key sizes (or choosing
whether to just use plaintext) is also impossible. However, decisions whether to just use plaintext) is also impossible. However, decisions
based on these criteria are made all the time, and therefore this based on these criteria are made all the time, and therefore this
specification gives a framework for using those estimates in choosing specification gives a framework for using those estimates in choosing
algorithms. algorithms.
If a sending agent is sending the same message using different If a sending agent is sending the same message using different
strengths of cryptography, an attacker watching the communications strengths of cryptography, an attacker watching the communications
channel may be able to determine the contents of the strongly- channel might be able to determine the contents of the strongly-
encrypted message by decrypting the weakly-encrypted version. In other encrypted message by decrypting the weakly-encrypted version. In other
words, a sender should not send a copy of a message using weaker words, a sender SHOULD NOT send a copy of a message using weaker
cryptography than they would use for the original of the message. cryptography than they would use for the original of the message.
Modification of the ciphertext can go undetected if authentication is Modification of the ciphertext can go undetected if authentication is
not also used, which is the case when sending EnvelopedData without not also used, which is the case when sending EnvelopedData without
wrapping it in SignedData or enclosing SignedData within it. wrapping it in SignedData or enclosing SignedData within it.
See RFC 3218 [MMA] for more information about thwarting the adaptive See RFC 3218 [MMA] for more information about thwarting the adaptive
chosen ciphertext vulnerability in PKCS #1 Version 1.5 chosen ciphertext vulnerability in PKCS #1 Version 1.5
implementations. implementations.
skipping to change at line 1345 skipping to change at line 1352
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) }; pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) };
-- id-aa is the arc with all new authenticated and unauthenticated -- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced the by S/MIME Working Group -- attributes produced the by S/MIME Working Group
id-aa OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840) id-aa OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2)} rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2)}
-- S/MIME Capabilities provides a method of broadcasting the symetric -- S/MIME Capabilities provides a method of broadcasting the symetric
-- capabilities understood. Algorithms SHOULD be ordered by
-- preference and grouped by type -- preference and grouped by type
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15} {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 15}
SMIMECapability ::= SEQUENCE { SMIMECapability ::= SEQUENCE {
capabilityID OBJECT IDENTIFIER, capabilityID OBJECT IDENTIFIER,
parameters ANY DEFINED BY capabilityID OPTIONAL } parameters ANY DEFINED BY capabilityID OPTIONAL }
SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapabilities ::= SEQUENCE OF SMIMECapability
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/