draft-ietf-smime-rfc3369bis-00.txt   draft-ietf-smime-rfc3369bis-01.txt 
S/MIME Working Group R. Housley S/MIME Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
When Approved, Obsoletes: 3369 March 2004 When Approved, Obsoletes: 3369 March 2004
Cryptographic Message Syntax (CMS) Cryptographic Message Syntax (CMS)
<draft-ietf-smime-rfc3369bis-00.txt> <draft-ietf-smime-rfc3369bis-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
This document describes the Cryptographic Message Syntax (CMS). This This document describes the Cryptographic Message Syntax (CMS). This
syntax is used to digitally sign, digest, authenticate, or encrypt syntax is used to digitally sign, digest, authenticate, or encrypt
arbitrary message content. arbitrary message content.
Table of Contents Table of Contents
1. Introduction ................................................ ?? 1 Introduction ............................................. ??
1.1 Changes Since RFC 2630 ...................................... ?? 1.1 Changes Since RFC 2630 ................................... ??
1.2 Changes Since RFC 3369 ...................................... ?? 1.2 Changes Since RFC 3369 ................................... ??
1.3 Terminology ................................................. ?? 1.3 Terminology .............................................. ??
2. General Overview ............................................ ?? 2 General Overview ......................................... ??
3. General Syntax .............................................. ?? 3 General Syntax ........................................... ??
4. Data Content Type ........................................... ?? 4 Data Content Type ........................................ ??
5. Signed-data Content Type .................................... ?? 5 Signed-data Content Type ................................. ??
5.1 SignedData Type ............................................. ?? 5.1 SignedData Type .......................................... ??
5.2 EncapsulatedContentInfo Type ................................ ?? 5.2 EncapsulatedContentInfo Type ............................. ??
5.2.1 Compatibility with PKCS #7 ................................ ?? 5.2.1 Compatibility with PKCS #7 ............................... ??
5.3 SignerInfo Type ............................................. ?? 5.3 SignerInfo Type .......................................... ??
5.4 Message Digest Calculation Process .......................... ?? 5.4 Message Digest Calculation Process ....................... ??
5.5 Signature Generation Process ................................ ?? 5.5 Signature Generation Process ............................. ??
5.6 Signature Verification Process .............................. ?? 5.6 Signature Verification Process ........................... ??
6. Enveloped-data Content Type ................................. ?? 6 Enveloped-data Content Type .............................. ??
6.1 EnvelopedData Type .......................................... ?? 6.1 EnvelopedData Type ....................................... ??
6.2 RecipientInfo Type .......................................... ?? 6.2 RecipientInfo Type ....................................... ??
6.2.1 KeyTransRecipientInfo Type ................................ ?? 6.2.1 KeyTransRecipientInfo Type ............................... ??
6.2.2 KeyAgreeRecipientInfo Type ................................ ?? 6.2.2 KeyAgreeRecipientInfo Type ............................... ??
6.2.3 KEKRecipientInfo Type ..................................... ?? 6.2.3 KEKRecipientInfo Type .................................... ??
6.2.4 PasswordRecipientInfo Type ................................ ?? 6.2.4 PasswordRecipientInfo Type ............................... ??
6.2.5 OtherRecipientInfo Type ................................... ?? 6.2.5 OtherRecipientInfo Type .................................. ??
6.3 Content-encryption Process .................................. ?? 6.3 Content-encryption Process ............................... ??
6.4 Key-encryption Process ...................................... ?? 6.4 Key-encryption Process ................................... ??
7. Digested-data Content Type .................................. ?? 7 Digested-data Content Type ............................... ??
8. Encrypted-data Content Type ................................. ?? 8 Encrypted-data Content Type .............................. ??
9. Authenticated-data Content Type ............................. ?? 9 Authenticated-data Content Type .......................... ??
9.1 AuthenticatedData Type ...................................... ?? 9.1 AuthenticatedData Type ................................... ??
9.2 MAC Generation .............................................. ?? 9.2 MAC Generation ........................................... ??
9.3 MAC Verification ............................................ ?? 9.3 MAC Verification ......................................... ??
10. Useful Types ................................................ ?? 10 Useful Types ............................................. ??
10.1 Algorithm Identifier Types ................................. ?? 10.1 Algorithm Identifier Types ............................... ??
10.1.1 DigestAlgorithmIdentifier ................................ ?? 10.1.1 DigestAlgorithmIdentifier ................................ ??
10.1.2 SignatureAlgorithmIdentifier ............................. ?? 10.1.2 SignatureAlgorithmIdentifier ............................. ??
10.1.3 KeyEncryptionAlgorithmIdentifier ......................... ?? 10.1.3 KeyEncryptionAlgorithmIdentifier ......................... ??
10.1.4 ContentEncryptionAlgorithmIdentifier ..................... ?? 10.1.4 ContentEncryptionAlgorithmIdentifier ..................... ??
10.1.5 MessageAuthenticationCodeAlgorithm ....................... ?? 10.1.5 MessageAuthenticationCodeAlgorithm ....................... ??
10.1.6 KeyDerivationAlgorithmIdentifier ......................... ?? 10.1.6 KeyDerivationAlgorithmIdentifier ......................... ??
10.2 Other Useful Types ......................................... ?? 10.2 Other Useful Types ....................................... ??
10.2.1 CertificateRevocationLists ............................... ?? 10.2.1 RevocationInfoChoices .................................... ??
10.2.2 CertificateChoices ....................................... ?? 10.2.2 CertificateChoices ....................................... ??
10.2.3 CertificateSet ........................................... ?? 10.2.3 CertificateSet ........................................... ??
10.2.4 IssuerAndSerialNumber .................................... ?? 10.2.4 IssuerAndSerialNumber .................................... ??
10.2.5 CMSVersion ............................................... ?? 10.2.5 CMSVersion ............................................... ??
10.2.6 UserKeyingMaterial ....................................... ?? 10.2.6 UserKeyingMaterial ....................................... ??
10.2.7 OtherKeyAttribute ........................................ ?? 10.2.7 OtherKeyAttribute ........................................ ??
11. Useful Attributes ........................................... ?? 11 Useful Attributes ........................................ ??
11.1 Content Type ............................................... ?? 11.1 Content Type ............................................. ??
11.2 Message Digest ............................................. ?? 11.2 Message Digest ........................................... ??
11.3 Signing Time ............................................... ?? 11.3 Signing Time ............................................. ??
11.4 Countersignature ........................................... ?? 11.4 Countersignature ......................................... ??
12. ASN.1 Modules ............................................... ?? 12 ASN.1 Modules ............................................ ??
12.1 CMS ASN.1 Module ........................................... ?? 12.1 CMS ASN.1 Module ......................................... ??
12.2 Version 1 Attribute Certificate ASN.1 Module ............... ?? 12.2 Version 1 Attribute Certificate ASN.1 Module ............. ??
13. Normative References ........................................ ?? 13 Normative References ..................................... ??
14. Informative References ...................................... ?? 14 Informative References ................................... ??
15. Security Considerations ..................................... ?? 15 Security Considerations .................................. ??
16. Acknowledgments ............................................. ?? 16 Acknowledgments .......................................... ??
17. Author Address .............................................. ?? 17 Author Address ........................................... ??
17. Full Copyright Statement .................................... ?? 18 Full Copyright Statement ................................. ??
1. Introduction 1. Introduction
This document describes the Cryptographic Message Syntax (CMS). This This document describes the Cryptographic Message Syntax (CMS). This
syntax is used to digitally sign, digest, authenticate, or encrypt syntax is used to digitally sign, digest, authenticate, or encrypt
arbitrary message content. arbitrary message content.
The CMS describes an encapsulation syntax for data protection. It The CMS describes an encapsulation syntax for data protection. It
supports digital signatures and encryption. The syntax allows supports digital signatures and encryption. The syntax allows
multiple encapsulations; one encapsulation envelope can be nested multiple encapsulations; one encapsulation envelope can be nested
skipping to change at page 5, line 17 skipping to change at page 5, line 17
cryptographic algorithms has been moved to a separate document cryptographic algorithms has been moved to a separate document
[CMSALG]. Separation of the protocol and algorithm specifications [CMSALG]. Separation of the protocol and algorithm specifications
allows the IETF to update each document independently. This allows the IETF to update each document independently. This
specification does not require the implementation of any particular specification does not require the implementation of any particular
algorithms. Rather, protocols that rely on the CMS are expected to algorithms. Rather, protocols that rely on the CMS are expected to
choose appropriate algorithms for their environment. The algorithms choose appropriate algorithms for their environment. The algorithms
may be selected from [CMSALG] or elsewhere. may be selected from [CMSALG] or elsewhere.
1.2 Changes Since RFC 3369 1.2 Changes Since RFC 3369
This document obsoletes RFC 3369 [CMS2]. As discussed above, RFC This document obsoletes RFC 3369 [CMS2]. As discussed in the
3369 introduced an extension mechanism to support new key management previous section, RFC 3369 introduced an extension mechanism to
schemes without further changes to the CMS. This document introduces support new key management schemes without further changes to the
a similar extension mechanism to support additional certificate CMS. This document introduces a similar extension mechanism to
formats for the verification of digital signatures without further support additional certificate formats and revocation status
changes to the CMS. Backward compatibility with both RFC 2630 and information formats without further changes to the CMS. These
RFC 3369 is preserved. extensions are primarily documented in section 10.2.1 and section
10.2.2. Backward compatibility with both RFC 2630 and RFC 3369 is
preserved.
Since the publication of RFC 3369, a few errata have been noted.
These errata are posted on the RFC Editor web site. These errors
have been corrected in this document.
The text in section 11.4 that describes the counter signature
unsigned attribute is clarified. Hopefully the revised text is
clearer about the portion of the SignerInfo signature that is covered
by a countersignature.
1.3 Terminology 1.3 Terminology
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as
described in [STDWORDS]. described in [STDWORDS].
2 General Overview 2 General Overview
The CMS is general enough to support many different content types. The CMS is general enough to support many different content types.
skipping to change at page 8, line 29 skipping to change at page 8, line 39
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
The signed-data content type shall have ASN.1 type SignedData: The signed-data content type shall have ASN.1 type SignedData:
SignedData ::= SEQUENCE { SignedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
digestAlgorithms DigestAlgorithmIdentifiers, digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL, certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos } signerInfos SignerInfos }
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo SignerInfos ::= SET OF SignerInfo
The fields of type SignedData have the following meanings: The fields of type SignedData have the following meanings:
version is the syntax version number. The appropriate value version is the syntax version number. The appropriate value
depends on certificates, eContentType, and SignerInfo. The depends on certificates, eContentType, and SignerInfo. The
version MUST be assigned as follows: version MUST be assigned as follows:
IF (certificates is present) AND IF ((certificates is present) AND
(any certificates with a type of other are present) (any certificates with a type of other are present)) OR
((crls is present) AND
(any crls with a type of other are present))
THEN version MUST be 5 THEN version MUST be 5
ELSE ELSE
IF (certificates is present) AND IF (certificates is present) AND
(any version 2 attribute certificates are present) (any version 2 attribute certificates are present)
THEN version MUST be 4 THEN version MUST be 4
ELSE ELSE
IF ((certificates is present) AND IF ((certificates is present) AND
(any version 1 attribute certificates are present)) OR (any version 1 attribute certificates are present)) OR
(encapContentInfo eContentType is other than id-data) OR (any SignerInfo structures are version 3) OR
(any SignerInfo structures are version 3) (encapContentInfo eContentType is other than id-data)
THEN version MUST be 3 THEN version MUST be 3
ELSE version MUST be 1 ELSE version MUST be 1
digestAlgorithms is a collection of message digest algorithm digestAlgorithms is a collection of message digest algorithm
identifiers. There MAY be any number of elements in the identifiers. There MAY be any number of elements in the
collection, including zero. Each element identifies the message collection, including zero. Each element identifies the message
digest algorithm, along with any associated parameters, used by digest algorithm, along with any associated parameters, used by
one or more signer. The collection is intended to list the one or more signer. The collection is intended to list the
message digest algorithms employed by all of the signers, in any message digest algorithms employed by all of the signers, in any
order, to facilitate one-pass signature verification. order, to facilitate one-pass signature verification.
skipping to change at page 9, line 48 skipping to change at page 10, line 5
authority" to all of the signers in the signerInfos field. There authority" to all of the signers in the signerInfos field. There
may be more certificates than necessary, and there may be may be more certificates than necessary, and there may be
certificates sufficient to contain certification paths from two or certificates sufficient to contain certification paths from two or
more independent top-level certification authorities. There may more independent top-level certification authorities. There may
also be fewer certificates than necessary, if it is expected that also be fewer certificates than necessary, if it is expected that
recipients have an alternate means of obtaining necessary recipients have an alternate means of obtaining necessary
certificates (e.g., from a previous set of certificates). The certificates (e.g., from a previous set of certificates). The
signer's certificate MAY be included. The use of version 1 signer's certificate MAY be included. The use of version 1
attribute certificates is strongly discouraged. attribute certificates is strongly discouraged.
crls is a collection of certificate revocation lists (CRLs). It crls is a collection of revocation status information. It is
is intended that the set contain information sufficient to intended that the collection contain information sufficient to
determine whether or not the certificates in the certificates determine whether the certificates in the certificates field are
field are valid, but such correspondence is not necessary. There valid, but such correspondence is not necessary. Certificate
MAY be more CRLs than necessary, and there MAY also be fewer CRLs revocation lists (CRLs) are the primary source of revocation
than necessary. status information. There MAY be more CRLs than necessary, and
there MAY also be fewer CRLs than necessary.
signerInfos is a collection of per-signer information. There MAY signerInfos is a collection of per-signer information. There MAY
be any number of elements in the collection, including zero. The be any number of elements in the collection, including zero. The
details of the SignerInfo type are discussed in section 5.3. details of the SignerInfo type are discussed in section 5.3.
Since each signer can employ a digital signature technique and Since each signer can employ a digital signature technique and
future specifications could update the syntax, all implementations future specifications could update the syntax, all implementations
MUST gracefully handle unimplemented versions of SignerInfo. MUST gracefully handle unimplemented versions of SignerInfo.
Further, since all implementations will not support every possible Further, since all implementations will not support every possible
signature algorithm, all implementations MUST gracefully handle signature algorithm, all implementations MUST gracefully handle
unimplemented signature algorithms when they are encountered. unimplemented signature algorithms when they are encountered.
skipping to change at page 13, line 14 skipping to change at page 13, line 18
the SignerIdentifier is subjectKeyIdentifier, then the version the SignerIdentifier is subjectKeyIdentifier, then the version
MUST be 3. MUST be 3.
sid specifies the signer's certificate (and thereby the signer's sid specifies the signer's certificate (and thereby the signer's
public key). The signer's public key is needed by the recipient public key). The signer's public key is needed by the recipient
to verify the signature. SignerIdentifier provides two to verify the signature. SignerIdentifier provides two
alternatives for specifying the signer's public key. The alternatives for specifying the signer's public key. The
issuerAndSerialNumber alternative identifies the signer's issuerAndSerialNumber alternative identifies the signer's
certificate by the issuer's distinguished name and the certificate certificate by the issuer's distinguished name and the certificate
serial number; the subjectKeyIdentifier identifies the signer's serial number; the subjectKeyIdentifier identifies the signer's
certificate by the X.509 subjectKeyIdentifier extension value. certificate by a key identifier. When an X.509 certificate is
reference, the key identifier matches the X.509
subjectKeyIdentifier extension value. When other certificate
formats are referenced, the documents that specify the certificate
format and their use with the CMS must include details on matching
the key identifier to the appropriate certificate field.
Implementations MUST support the reception of the Implementations MUST support the reception of the
issuerAndSerialNumber and subjectKeyIdentifier forms of issuerAndSerialNumber and subjectKeyIdentifier forms of
SignerIdentifier. When generating a SignerIdentifier, SignerIdentifier. When generating a SignerIdentifier,
implementations MAY support one of the forms (either implementations MAY support one of the forms (either
issuerAndSerialNumber or subjectKeyIdentifier) and always use it, issuerAndSerialNumber or subjectKeyIdentifier) and always use it,
or implementations MAY arbitrarily mix the two forms. or implementations MAY arbitrarily mix the two forms.
digestAlgorithm identifies the message digest algorithm, and any digestAlgorithm identifies the message digest algorithm, and any
associated parameters, used by the signer. The message digest is associated parameters, used by the signer. The message digest is
computed on either the content being signed or the content computed on either the content being signed or the content
skipping to change at page 17, line 37 skipping to change at page 17, line 48
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo, encryptedContentInfo EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
OriginatorInfo ::= SEQUENCE { OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL, certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL } crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE { EncryptedContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL } encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING EncryptedContent ::= OCTET STRING
UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
The fields of type EnvelopedData have the following meanings: The fields of type EnvelopedData have the following meanings:
skipping to change at page 18, line 7 skipping to change at page 18, line 19
EncryptedContent ::= OCTET STRING EncryptedContent ::= OCTET STRING
UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
The fields of type EnvelopedData have the following meanings: The fields of type EnvelopedData have the following meanings:
version is the syntax version number. The appropriate value version is the syntax version number. The appropriate value
depends on originatorInfo, RecipientInfo, and unprotectedAttrs. depends on originatorInfo, RecipientInfo, and unprotectedAttrs.
The version MUST be assigned as follows: The version MUST be assigned as follows:
IF (originatorInfo is present) AND
((any certificates with a type of other are present) OR
(any crls with a type of other are present))
THEN version is 4
ELSE
IF ((originatorInfo is present) AND IF ((originatorInfo is present) AND
(any version 2 attribute certificates are present)) OR (any version 2 attribute certificates are present)) OR
(any RecipientInfo structures include pwri) OR (any RecipientInfo structures include pwri) OR
(any RecipientInfo structures include ori) (any RecipientInfo structures include ori)
THEN version is 3 THEN version is 3
ELSE ELSE
IF (originatorInfo is present) OR IF (originatorInfo is absent) OR
(unprotectedAttrs is present) OR (unprotectedAttrs is absent) OR
(any RecipientInfo structures are a version other than 0) (all RecipientInfo structures are version 0)
THEN version is 2 THEN version is 0
ELSE version is 0 ELSE version is 2
originatorInfo optionally provides information about the originatorInfo optionally provides information about the
originator. It is present only if required by the key management originator. It is present only if required by the key management
algorithm. It may contain certificates and CRLs: algorithm. It may contain certificates and CRLs:
certs is a collection of certificates. certs may contain certs is a collection of certificates. certs may contain
originator certificates associated with several different key originator certificates associated with several different key
management management algorithms. certs may also contain attribute
certificates associated with the originator. The certificates
algorithms. certs may also contain attribute certificates contained in certs are intended to be sufficient for all
associated with the originator. The certificates contained in recipients to build certification paths from a recognized
certs are intended to be sufficient for all recipients to build "root" or "top-level certification authority." However, certs
certification paths from a recognized "root" or "top-level may contain more certificates than necessary, and there may be
certification authority." However, certs may contain more certificates sufficient to make certification paths from two or
certificates than necessary, and there may be certificates more independent top-level certification authorities.
sufficient to make certification paths from two or more
independent top-level certification authorities.
Alternatively, certs may contain fewer certificates than Alternatively, certs may contain fewer certificates than
necessary, if it is expected that recipients have an alternate necessary, if it is expected that recipients have an alternate
means of obtaining necessary certificates (e.g., from a means of obtaining necessary certificates (e.g., from a
previous set of certificates). previous set of certificates).
crls is a collection of CRLs. It is intended that the set crls is a collection of CRLs. It is intended that the set
contain information sufficient to determine whether or not the contain information sufficient to determine whether or not the
certificates in the certs field are valid, but such certificates in the certs field are valid, but such
correspondence is not necessary. There MAY be more CRLs than correspondence is not necessary. There MAY be more CRLs than
necessary, and there MAY also be fewer CRLs than necessary. necessary, and there MAY also be fewer CRLs than necessary.
skipping to change at page 20, line 39 skipping to change at page 21, line 6
subjectKeyIdentifier [0] SubjectKeyIdentifier } subjectKeyIdentifier [0] SubjectKeyIdentifier }
The fields of type KeyTransRecipientInfo have the following meanings: The fields of type KeyTransRecipientInfo have the following meanings:
version is the syntax version number. If the RecipientIdentifier version is the syntax version number. If the RecipientIdentifier
is the CHOICE issuerAndSerialNumber, then the version MUST be 0. is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
If the RecipientIdentifier is subjectKeyIdentifier, then the If the RecipientIdentifier is subjectKeyIdentifier, then the
version MUST be 2. version MUST be 2.
rid specifies the recipient's certificate or key that was used by rid specifies the recipient's certificate or key that was used by
the sender to protect the content-encryption key. The the sender to protect the content-encryption key. The content-
encryption key is encrypted with the recipient's public key. The
RecipientIdentifier provides two alternatives for specifying the RecipientIdentifier provides two alternatives for specifying the
recipient's certificate, and thereby the recipient's public key. recipient's certificate, and thereby the recipient's public key.
The recipient's certificate must contain a key transport public The recipient's certificate must contain a key transport public
key. Therefore, a recipient X.509 version 3 certificate that key. Therefore, a recipient X.509 version 3 certificate that
contains a key usage extension MUST assert the keyEncipherment contains a key usage extension MUST assert the keyEncipherment
bit. The content-encryption key is encrypted with the recipient's bit. The issuerAndSerialNumber alternative identifies the
public key. The issuerAndSerialNumber alternative identifies the
recipient's certificate by the issuer's distinguished name and the recipient's certificate by the issuer's distinguished name and the
certificate serial number; the subjectKeyIdentifier identifies the certificate serial number; the subjectKeyIdentifier identifies the
recipient's certificate by the X.509 subjectKeyIdentifier signer's certificate by a key identifier. When an X.509
extension value. For recipient processing, implementations MUST certificate is referenced, the key identifier matches the X.509
support both of these alternatives for specifying the recipient's subjectKeyIdentifier extension value. When other certificate
certificate; and for sender processing, implementations MUST formats are referenced, the documents that specify the certificate
support at least one of these alternatives. format and their use with the CMS must include details on matching
the key identifier to the appropriate certificate field. For
recipient processing, implementations MUST support both of these
alternatives for specifying the recipient's certificate. For
sender processing, implementations MUST support at least one of
these alternatives.
keyEncryptionAlgorithm identifies the key-encryption algorithm, keyEncryptionAlgorithm identifies the key-encryption algorithm,
and any associated parameters, used to encrypt the content- and any associated parameters, used to encrypt the content-
encryption key for the recipient. The key-encryption process is encryption key for the recipient. The key-encryption process is
described in Section 6.4. described in Section 6.4.
encryptedKey is the result of encrypting the content-encryption encryptedKey is the result of encrypting the content-encryption
key for the recipient. key for the recipient.
6.2.2 KeyAgreeRecipientInfo Type 6.2.2 KeyAgreeRecipientInfo Type
skipping to change at page 22, line 23 skipping to change at page 22, line 42
version is the syntax version number. It MUST always be 3. version is the syntax version number. It MUST always be 3.
originator is a CHOICE with three alternatives specifying the originator is a CHOICE with three alternatives specifying the
sender's key agreement public key. The sender uses the sender's key agreement public key. The sender uses the
corresponding private key and the recipient's public key to corresponding private key and the recipient's public key to
generate a pairwise key. The content-encryption key is encrypted generate a pairwise key. The content-encryption key is encrypted
in the pairwise key. The issuerAndSerialNumber alternative in the pairwise key. The issuerAndSerialNumber alternative
identifies the sender's certificate, and thereby the sender's identifies the sender's certificate, and thereby the sender's
public key, by the issuer's distinguished name and the certificate public key, by the issuer's distinguished name and the certificate
serial number. The subjectKeyIdentifier alternative identifies serial number. The subjectKeyIdentifier alternative identifies
the sender's certificate, and thereby the sender's public key, by the sender's certificate, and thereby the sender's public key, a
the X.509 subjectKeyIdentifier extension value. The originatorKey key identifier. When an X.509 certificate is referenced, the key
alternative includes the algorithm identifier and sender's key identifier matches the X.509 subjectKeyIdentifier extension value.
agreement public key. This alternative permits originator When other certificate formats are referenced, the documents that
anonymity since the public key is not certified. Implementations specify the certificate format and their use with the CMS must
MUST support all three alternatives for specifying the sender's must include details on matching the key identifier to the
public key. appropriate certificate field. The originatorKey alternative
includes the algorithm identifier and sender's key agreement
public key. This alternative permits originator anonymity since
the public key is not certified. Implementations MUST support all
three alternatives for specifying the sender's public key.
ukm is optional. With some key agreement algorithms, the sender ukm is optional. With some key agreement algorithms, the sender
provides a User Keying Material (UKM) to ensure that a different provides a User Keying Material (UKM) to ensure that a different
key is generated each time the same two parties generate a key is generated each time the same two parties generate a
pairwise key. Implementations MUST support recipient processing pairwise key. Implementations MUST support recipient processing
of a KeyAgreeRecipientInfo SEQUENCE that includes a ukm field. of a KeyAgreeRecipientInfo SEQUENCE that includes a ukm field.
Implementations that do not support key agreement algorithms that Implementations that do not support key agreement algorithms that
make use of UKMs MUST gracefully handle the presence of UKMs. make use of UKMs MUST gracefully handle the presence of UKMs.
keyEncryptionAlgorithm identifies the key-encryption algorithm, keyEncryptionAlgorithm identifies the key-encryption algorithm,
skipping to change at page 23, line 17 skipping to change at page 23, line 40
certificate by the issuer's distinguished name and the certificate certificate by the issuer's distinguished name and the certificate
serial number; the RecipientKeyIdentifier is described below. The serial number; the RecipientKeyIdentifier is described below. The
encryptedKey is the result of encrypting the content-encryption encryptedKey is the result of encrypting the content-encryption
key in the pairwise key-encryption key generated using the key key in the pairwise key-encryption key generated using the key
agreement algorithm. Implementations MUST support both agreement algorithm. Implementations MUST support both
alternatives for specifying the recipient's certificate. alternatives for specifying the recipient's certificate.
The fields of type RecipientKeyIdentifier have the following The fields of type RecipientKeyIdentifier have the following
meanings: meanings:
subjectKeyIdentifier identifies the recipient's certificate by the subjectKeyIdentifier identifies the recipient's certificate by a
X.509 subjectKeyIdentifier extension value. key identifier. When an X.509 certificate is referenced, the key
identifier matches the X.509 subjectKeyIdentifier extension value.
When other certificate formats are referenced, the documents that
specify the certificate format and their use with the CMS must
include details on matching the key identifier to the appropriate
certificate field.
date is optional. When present, the date specifies which of the date is optional. When present, the date specifies which of the
recipient's previously distributed UKMs was used by the sender. recipient's previously distributed UKMs was used by the sender.
other is optional. When present, this field contains additional other is optional. When present, this field contains additional
information used by the recipient to locate the public keying information used by the recipient to locate the public keying
material used by the sender. material used by the sender.
6.2.3 KEKRecipientInfo Type 6.2.3 KEKRecipientInfo Type
skipping to change at page 29, line 42 skipping to change at page 30, line 29
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
MessageAuthenticationCode ::= OCTET STRING MessageAuthenticationCode ::= OCTET STRING
The fields of type AuthenticatedData have the following meanings: The fields of type AuthenticatedData have the following meanings:
version is the syntax version number. The version MUST be version is the syntax version number. The version MUST be
assigned as follows: assigned as follows:
IF (originatorInfo is present) AND
((any certificates with a type of other are present) OR
(any crls with a type of other are present))
THEN version is 3
ELSE
IF ((originatorInfo is present) AND IF ((originatorInfo is present) AND
(any version 2 attribute certificates are present)) (any version 2 attribute certificates are present))
THEN version is 1 THEN version is 1
ELSE version is 0 ELSE version is 0
originatorInfo optionally provides information about the originatorInfo optionally provides information about the
originator. It is present only if required by the key management originator. It is present only if required by the key management
algorithm. It MAY contain certificates, attribute certificates, algorithm. It MAY contain certificates, attribute certificates,
and CRLs, as defined in Section 6.1. and CRLs, as defined in Section 6.1.
skipping to change at page 34, line 44 skipping to change at page 35, line 21
Key derivation algorithms convert a password or shared secret value Key derivation algorithms convert a password or shared secret value
into a key-encryption key. into a key-encryption key.
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
10.2 Other Useful Types 10.2 Other Useful Types
This section defines types that are used other places in the This section defines types that are used other places in the
document. The types are not listed in any particular order. document. The types are not listed in any particular order.
10.2.1 CertificateRevocationLists 10.2.1 RevocationInfoChoices
The CertificateRevocationLists type gives a set of certificate The RevocationInfoChoices type gives a set of revocation status
revocation lists (CRLs). It is intended that the set contain information alternatives. It is intended that the set contain
information sufficient to determine whether the certificates and information sufficient to determine whether the certificates and
attribute certificates with which the set is associated are revoked. attribute certificates with which the set is associated are revoked.
However, there may be more CRLs than necessary or there MAY be fewer However, there MAY be more revocation status information than
CRLs than necessary. necessary or there MAY be less revocation status information than
necessary. X.509 Certificate revocation lists (CRLs) [X.509-97] are
the primary source of revocation status information, but any other
revocation information format can be supported. The
OtherRevocationInfoFormat alternative is provided to support any
other revocation information format without further modifications to
the CMS. For example, Online Certificate Status Protocol (OCSP)
Responses [OCSP] can be supported using the
OtherRevocationInfoFormat.
The CertificateList may contain a CRL, an Authority Revocation List The CertificateList may contain a CRL, an Authority Revocation List
(ARL), a Delta CRL, or an Attribute Certificate Revocation List. All (ARL), a Delta CRL, or an Attribute Certificate Revocation List. All
of these lists share a common syntax. of these lists share a common syntax.
The CertificateList type gives a certificate revocation list (CRL).
CRLs are specified in X.509 [X.509-97], and they are profiled for use CRLs are specified in X.509 [X.509-97], and they are profiled for use
in the Internet in RFC 3280 [PROFILE]. in the Internet in RFC 3280 [PROFILE].
The definition of CertificateList is taken from X.509. The definition of CertificateList is taken from X.509.
CertificateRevocationLists ::= SET OF CertificateList RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
other [1] IMPLICIT OtherRevocationInfoFormat }
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OBJECT IDENTIFIER,
otherRevInfo ANY DEFINED BY otherRevInfoFormat }
10.2.2 CertificateChoices 10.2.2 CertificateChoices
The CertificateChoices type gives either a PKCS #6 extended The CertificateChoices type gives either a PKCS #6 extended
certificate [PKCS#6], an X.509 certificate, a version 1 X.509 certificate [PKCS#6], an X.509 certificate, a version 1 X.509
attribute certificate (ACv1) [X.509-97], a version 2 X.509 attribute attribute certificate (ACv1) [X.509-97], a version 2 X.509 attribute
certificate (ACv2) [X.509-00], or any other certificate format. The certificate (ACv2) [X.509-00], or any other certificate format. The
PKCS #6 extended certificate is obsolete. The PKCS #6 certificate is PKCS #6 extended certificate is obsolete. The PKCS #6 certificate is
included for backward compatibility, and PKCS #6 certificates SHOULD included for backward compatibility, and PKCS #6 certificates SHOULD
NOT be used. The ACv1 is also obsolete. ACv1 is included for NOT be used. The ACv1 is also obsolete. ACv1 is included for
skipping to change at page 36, line 43 skipping to change at page 37, line 37
issuer Name, issuer Name,
serialNumber CertificateSerialNumber } serialNumber CertificateSerialNumber }
CertificateSerialNumber ::= INTEGER CertificateSerialNumber ::= INTEGER
10.2.5 CMSVersion 10.2.5 CMSVersion
The CMSVersion type gives a syntax version number, for compatibility The CMSVersion type gives a syntax version number, for compatibility
with future revisions of this specification. with future revisions of this specification.
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } CMSVersion ::= INTEGER
{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
10.2.6 UserKeyingMaterial 10.2.6 UserKeyingMaterial
The UserKeyingMaterial type gives a syntax for user keying material The UserKeyingMaterial type gives a syntax for user keying material
(UKM). Some key agreement algorithms require UKMs to ensure that a (UKM). Some key agreement algorithms require UKMs to ensure that a
different key is generated each time the same two parties generate a different key is generated each time the same two parties generate a
pairwise key. The sender provides a UKM for use with a specific key pairwise key. The sender provides a UKM for use with a specific key
agreement algorithm. agreement algorithm.
UserKeyingMaterial ::= OCTET STRING UserKeyingMaterial ::= OCTET STRING
skipping to change at page 40, line 35 skipping to change at page 41, line 28
include multiple instances of the signing-time attribute. include multiple instances of the signing-time attribute.
No requirement is imposed concerning the correctness of the signing No requirement is imposed concerning the correctness of the signing
time, and acceptance of a purported signing time is a matter of a time, and acceptance of a purported signing time is a matter of a
recipient's discretion. It is expected, however, that some signers, recipient's discretion. It is expected, however, that some signers,
such as time-stamp servers, will be trusted implicitly. such as time-stamp servers, will be trusted implicitly.
11.4 Countersignature 11.4 Countersignature
The countersignature attribute type specifies one or more signatures The countersignature attribute type specifies one or more signatures
on the contents octets of the DER encoding of the signatureValue on the contents octets of the signature OCTET STRING in a SignerInfo
field of a SignerInfo value in signed-data. Thus, the value of the signed-data. That is, the message digest is computed
countersignature attribute type countersigns (signs in serial) over the octets comprising the value of the OCTET STRING, neither the
another signature. tag nor length octets are included. Thus, the countersignature
attribute type countersigns (signs in serial) another signature.
The countersignature attribute MUST be an unsigned attribute; it MUST The countersignature attribute MUST be an unsigned attribute; it MUST
NOT be a signed attribute, an authenticated attribute, an NOT be a signed attribute, an authenticated attribute, an
unauthenticated attribute, or an unprotected attribute. unauthenticated attribute, or an unprotected attribute.
The following object identifier identifies the countersignature The following object identifier identifies the countersignature
attribute: attribute:
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
skipping to change at page 42, line 41 skipping to change at page 43, line 41
ContentInfo ::= SEQUENCE { ContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType } content [0] EXPLICIT ANY DEFINED BY contentType }
ContentType ::= OBJECT IDENTIFIER ContentType ::= OBJECT IDENTIFIER
SignedData ::= SEQUENCE { SignedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
digestAlgorithms DigestAlgorithmIdentifiers, digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL, certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos } signerInfos SignerInfos }
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo SignerInfos ::= SET OF SignerInfo
EncapsulatedContentInfo ::= SEQUENCE { EncapsulatedContentInfo ::= SEQUENCE {
eContentType ContentType, eContentType ContentType,
eContent [0] EXPLICIT OCTET STRING OPTIONAL } eContent [0] EXPLICIT OCTET STRING OPTIONAL }
SignerInfo ::= SEQUENCE { SignerInfo ::= SEQUENCE {
skipping to change at page 43, line 38 skipping to change at page 44, line 38
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo, encryptedContentInfo EncryptedContentInfo,
unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
OriginatorInfo ::= SEQUENCE { OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL, certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT CertificateRevocationLists OPTIONAL } crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE { EncryptedContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL } encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING EncryptedContent ::= OCTET STRING
skipping to change at page 46, line 33 skipping to change at page 47, line 33
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
CertificateRevocationLists ::= SET OF CertificateList RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE {
crl CertificateList,
other [1] IMPLICIT OtherRevocationInfoFormat }
OtherRevocationInfoFormat ::= SEQUENCE {
otherRevInfoFormat OBJECT IDENTIFIER,
otherRevInfo ANY DEFINED BY otherRevInfoFormat }
CertificateChoices ::= CHOICE { CertificateChoices ::= CHOICE {
certificate Certificate, certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete
v2AttrCert [2] IMPLICIT AttributeCertificateV2, v2AttrCert [2] IMPLICIT AttributeCertificateV2,
other [3] IMPLICIT OtherCertificateFormat } other [3] IMPLICIT OtherCertificateFormat }
AttributeCertificateV2 ::= AttributeCertificate AttributeCertificateV2 ::= AttributeCertificate
OtherCertificateFormat ::= SEQUENCE { OtherCertificateFormat ::= SEQUENCE {
otherCertFormat OBJECT IDENTIFIER, otherCertFormat OBJECT IDENTIFIER,
otherCert ANY DEFINED BY otherCertFormat } otherCert ANY DEFINED BY otherCertFormat }
CertificateSet ::= SET OF CertificateChoices CertificateSet ::= SET OF CertificateChoices
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber CertificateSerialNumber } serialNumber CertificateSerialNumber }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) v5(5) } CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
UserKeyingMaterial ::= OCTET STRING UserKeyingMaterial ::= OCTET STRING
OtherKeyAttribute ::= SEQUENCE { OtherKeyAttribute ::= SEQUENCE {
keyAttrId OBJECT IDENTIFIER, keyAttrId OBJECT IDENTIFIER,
keyAttr ANY DEFINED BY keyAttrId OPTIONAL } keyAttr ANY DEFINED BY keyAttrId OPTIONAL }
-- Content Type Object Identifiers
id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
-- The CMS Attributes -- The CMS Attributes
MessageDigest ::= OCTET STRING MessageDigest ::= OCTET STRING
SigningTime ::= Time SigningTime ::= Time
Time ::= CHOICE { Time ::= CHOICE {
utcTime UTCTime, utcTime UTCTime,
generalTime GeneralizedTime } generalTime GeneralizedTime }
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
-- Attribute Object Identifiers -- Attribute Object Identifiers
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
skipping to change at page 48, line 19 skipping to change at page 50, line 11
Signature ::= BIT STRING Signature ::= BIT STRING
END -- of CryptographicMessageSyntax2004 END -- of CryptographicMessageSyntax2004
12.2 Version 1 Attribute Certificate ASN.1 Module 12.2 Version 1 Attribute Certificate ASN.1 Module
AttributeCertificateVersion1 AttributeCertificateVersion1
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) v1AttrCert(15) } pkcs(1) pkcs-9(9) smime(16) modules(0) v1AttrCert(15) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All -- EXPORTS All
IMPORTS IMPORTS
-- Imports from RFC 3280 [PROFILE], Appendix A.1 -- Imports from RFC 3280 [PROFILE], Appendix A.1
AlgorithmIdentifier, Attribute, CertificateSerialNumber, AlgorithmIdentifier, Attribute, CertificateSerialNumber,
Extensions, UniqueIdentifier Extensions, UniqueIdentifier
FROM PKIX1Explicit88 FROM PKIX1Explicit88
skipping to change at page 50, line 23 skipping to change at page 52, line 17
14. Informative References 14. Informative References
[CMS1] Housley, R., "Cryptographic Message Syntax", [CMS1] Housley, R., "Cryptographic Message Syntax",
RFC 2630, June 1999. RFC 2630, June 1999.
[CMS2] Housley, R., "Cryptographic Message Syntax", [CMS2] Housley, R., "Cryptographic Message Syntax",
RFC 3369, August 2002. RFC 3369, August 2002.
[CMSALG] Housley, R., "Cryptographic Message Syntax (CMS) [CMSALG] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3269, August 2002. Algorithms", RFC 3370, August 2002.
[DSS] National Institute of Standards and Technology. [DSS] National Institute of Standards and Technology.
FIPS Pub 186: Digital Signature Standard. 19 May 1994. FIPS Pub 186: Digital Signature Standard. 19 May 1994.
[ESS] Hoffman, P., "Enhanced Security Services for S/MIME", [ESS] Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999. RFC 2634, June 1999.
[MSG] Ramsdell, B., "S/MIME Version 3 Message Specification", [MSG] Ramsdell, B., "S/MIME Version 3 Message Specification",
RFC 2633, June 1999. RFC 2633, June 1999.
[OLDMSG] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S., and
C. Adams, "X.509 Internet Public Key Infrastructure
Online Certificate Status Protocol - OCSP", RFC 2560,
June 1999.
[OLDMSG] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., and
L. Repka, "S/MIME Version 2 Message Specification", L. Repka, "S/MIME Version 2 Message Specification",
RFC 2311, March 1998. RFC 2311, March 1998.
[PKCS#6] RSA Laboratories. PKCS #6: Extended-Certificate Syntax [PKCS#6] RSA Laboratories. PKCS #6: Extended-Certificate Syntax
Standard, Version 1.5. November 1993. Standard, Version 1.5. November 1993.
[PKCS#7] Kaliski, B., "PKCS #7: Cryptographic Message Syntax, [PKCS#7] Kaliski, B., "PKCS #7: Cryptographic Message Syntax,
Version 1.5.", RFC 2315, March 1998. Version 1.5.", RFC 2315, March 1998.
[PKCS#9] RSA Laboratories. PKCS #9: Selected Attribute Types, [PKCS#9] RSA Laboratories. PKCS #9: Selected Attribute Types,
skipping to change at page 51, line 51 skipping to change at page 53, line 51
Implementations must randomly generate content-encryption keys, Implementations must randomly generate content-encryption keys,
message-authentication keys, initialization vectors (IVs), and message-authentication keys, initialization vectors (IVs), and
padding. Also, the generation of public/private key pairs relies on padding. Also, the generation of public/private key pairs relies on
a random numbers. The use of inadequate pseudo-random number a random numbers. The use of inadequate pseudo-random number
generators (PRNGs) to generate cryptographic keys can result in generators (PRNGs) to generate cryptographic keys can result in
little or no security. An attacker may find it much easier to little or no security. An attacker may find it much easier to
reproduce the PRNG environment that produced the keys, searching the reproduce the PRNG environment that produced the keys, searching the
resulting small set of possibilities, rather than brute force resulting small set of possibilities, rather than brute force
searching the whole key space. The generation of quality random searching the whole key space. The generation of quality random
numbers is difficult. RFC 1750 [RANDOM] offers important guidance in numbers is difficult. RFC 1750 [RANDOM] offers important guidance
this area, and Appendix 3 of FIPS Pub 186 [DSS] provides one quality in this area, and Appendix 3 of FIPS Pub 186 [DSS] provides one
PRNG technique. quality PRNG technique.
When using key agreement algorithms or previously distributed When using key agreement algorithms or previously distributed
symmetric key-encryption keys, a key-encryption key is used to symmetric key-encryption keys, a key-encryption key is used to
encrypt the content-encryption key. If the key-encryption and encrypt the content-encryption key. If the key-encryption and
content-encryption algorithms are different, the effective security content-encryption algorithms are different, the effective security
is determined by the weaker of the two algorithms. If, for example, is determined by the weaker of the two algorithms. If, for example,
content is encrypted with Triple-DES using a 168-bit Triple-DES content is encrypted with Triple-DES using a 168-bit Triple-DES
content-encryption key, and the content-encryption key is wrapped content-encryption key, and the content-encryption key is wrapped
with RC2 using a 40-bit RC2 key-encryption key, then at most 40 bits with RC2 using a 40-bit RC2 key-encryption key, then at most 40 bits
of protection is provided. A trivial search to determine the value of protection is provided. A trivial search to determine the value
skipping to change at page 53, line 20 skipping to change at page 55, line 20
Herndon, VA 20170 Herndon, VA 20170
USA USA
EMail: housley@vigilsec.com EMail: housley@vigilsec.com
18. Full Copyright Statement 18. Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published and
and distributed, in whole or in part, without restriction of any distributed, in whole or in part, without restriction of any kind,
kind, provided that the above copyright notice and this paragraph are provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
English. English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/