draft-ietf-smime-rfc3369bis-01.txt   draft-ietf-smime-rfc3369bis-02.txt 
S/MIME Working Group R. Housley S/MIME Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
When Approved, Obsoletes: 3369 March 2004 When Approved, Obsoletes: 3369 March 2004
Cryptographic Message Syntax (CMS) Cryptographic Message Syntax (CMS)
<draft-ietf-smime-rfc3369bis-01.txt> <draft-ietf-smime-rfc3369bis-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
skipping to change at page 9, line 41 skipping to change at page 9, line 41
algorithm that is not included in this set. The message digesting algorithm that is not included in this set. The message digesting
process is described in Section 5.4. process is described in Section 5.4.
encapContentInfo is the signed content, consisting of a content encapContentInfo is the signed content, consisting of a content
type identifier and the content itself. Details of the type identifier and the content itself. Details of the
EncapsulatedContentInfo type are discussed in section 5.2. EncapsulatedContentInfo type are discussed in section 5.2.
certificates is a collection of certificates. It is intended that certificates is a collection of certificates. It is intended that
the set of certificates be sufficient to contain certification the set of certificates be sufficient to contain certification
paths from a recognized "root" or "top-level certification paths from a recognized "root" or "top-level certification
authority" to all of the signers in the signerInfos field. There authority" to all of the
may be more certificates than necessary, and there may be
certificates sufficient to contain certification paths from two or signers in the signerInfos field. There may be more certificates
more independent top-level certification authorities. There may than necessary, and there may be certificates sufficient to
also be fewer certificates than necessary, if it is expected that contain certification paths from two or more independent top-level
recipients have an alternate means of obtaining necessary certification authorities. There may also be fewer certificates
certificates (e.g., from a previous set of certificates). The than necessary, if it is expected that recipients have an
signer's certificate MAY be included. The use of version 1 alternate means of obtaining necessary certificates (e.g., from a
attribute certificates is strongly discouraged. previous set of certificates). The signer's certificate MAY be
included. The use of version 1 attribute certificates is strongly
discouraged.
crls is a collection of revocation status information. It is crls is a collection of revocation status information. It is
intended that the collection contain information sufficient to intended that the collection contain information sufficient to
determine whether the certificates in the certificates field are determine whether the certificates in the certificates field are
valid, but such correspondence is not necessary. Certificate valid, but such correspondence is not necessary. Certificate
revocation lists (CRLs) are the primary source of revocation revocation lists (CRLs) are the primary source of revocation
status information. There MAY be more CRLs than necessary, and status information. There MAY be more CRLs than necessary, and
there MAY also be fewer CRLs than necessary. there MAY also be fewer CRLs than necessary.
signerInfos is a collection of per-signer information. There MAY signerInfos is a collection of per-signer information. There MAY
skipping to change at page 11, line 38 skipping to change at page 11, line 38
[OLDMSG] and RFC 2633 for S/MIME v3 [MSG]. S/MIME v2 encapsulates [OLDMSG] and RFC 2633 for S/MIME v3 [MSG]. S/MIME v2 encapsulates
the MIME content in a Data type (that is, an OCTET STRING) carried in the MIME content in a Data type (that is, an OCTET STRING) carried in
the SignedData contentInfo content ANY field, and S/MIME v3 carries the SignedData contentInfo content ANY field, and S/MIME v3 carries
the MIME content in the SignedData encapContentInfo eContent OCTET the MIME content in the SignedData encapContentInfo eContent OCTET
STRING. Therefore, in both S/MIME v2 and S/MIME v3, the MIME content STRING. Therefore, in both S/MIME v2 and S/MIME v3, the MIME content
is placed in an OCTET STRING and the message digest is computed over is placed in an OCTET STRING and the message digest is computed over
the identical portions of the content. That is, the message digest the identical portions of the content. That is, the message digest
is computed over the octets comprising the value of the OCTET STRING, is computed over the octets comprising the value of the OCTET STRING,
neither the tag nor length octets are included. neither the tag nor length octets are included.
There are incompatibilities between the CMS and PKCS #7 signedData There are incompatibilities between the CMS and PKCS #7 SignedData
types when the encapsulated content is not formatted using the Data types when the encapsulated content is not formatted using the Data
type. For example, when an RFC 2634 [ESS] signed receipt is type. For example, when an RFC 2634 [ESS] signed receipt is
encapsulated in the CMS signedData type, then the Receipt SEQUENCE is encapsulated in the CMS SignedData type, then the Receipt SEQUENCE is
encoded in the signedData encapContentInfo eContent OCTET STRING and encoded in the SignedData encapContentInfo eContent OCTET STRING and
the message digest is computed using the entire Receipt SEQUENCE the message digest is computed using the entire Receipt SEQUENCE
encoding (including tag, length and value octets). However, if an encoding (including tag, length and value octets). However, if an
RFC 2634 signed receipt is encapsulated in the PKCS #7 signedData RFC 2634 signed receipt is encapsulated in the PKCS #7 SignedData
type, then the Receipt SEQUENCE is DER encoded [X.509-88] in the type, then the Receipt SEQUENCE is DER encoded [X.509-88] in the
SignedData contentInfo content ANY field (a SEQUENCE, not an OCTET SignedData contentInfo content ANY field (a SEQUENCE, not an OCTET
STRING). Therefore, the message digest is computed using only the STRING). Therefore, the message digest is computed using only the
value octets of the Receipt SEQUENCE encoding. value octets of the Receipt SEQUENCE encoding.
The following strategy can be used to achieve backward compatibility The following strategy can be used to achieve backward compatibility
with PKCS #7 when processing SignedData content types. If the with PKCS #7 when processing SignedData content types. If the
implementation is unable to ASN.1 decode the signedData type using implementation is unable to ASN.1 decode the SignedData type using
the CMS signedData encapContentInfo eContent OCTET STRING syntax, the CMS SignedData encapContentInfo eContent OCTET STRING syntax,
then the implementation MAY attempt to decode the signedData type then the implementation MAY attempt to decode the SignedData type
using the PKCS #7 SignedData contentInfo content ANY syntax and using the PKCS #7 SignedData contentInfo content ANY syntax and
compute the message digest accordingly. compute the message digest accordingly.
The following strategy can be used to achieve backward compatibility The following strategy can be used to achieve backward compatibility
with PKCS #7 when creating a SignedData content type in which the with PKCS #7 when creating a SignedData content type in which the
encapsulated content is not formatted using the Data type. encapsulated content is not formatted using the Data type.
Implementations MAY examine the value of the eContentType, and then Implementations MAY examine the value of the eContentType, and then
adjust the expected DER encoding of eContent based on the object adjust the expected DER encoding of eContent based on the object
identifier value. For example, to support Microsoft AuthentiCode, identifier value. For example, to support Microsoft AuthentiCode,
the following information MAY be included: the following information MAY be included:
skipping to change at page 13, line 29 skipping to change at page 13, line 29
reference, the key identifier matches the X.509 reference, the key identifier matches the X.509
subjectKeyIdentifier extension value. When other certificate subjectKeyIdentifier extension value. When other certificate
formats are referenced, the documents that specify the certificate formats are referenced, the documents that specify the certificate
format and their use with the CMS must include details on matching format and their use with the CMS must include details on matching
the key identifier to the appropriate certificate field. the key identifier to the appropriate certificate field.
Implementations MUST support the reception of the Implementations MUST support the reception of the
issuerAndSerialNumber and subjectKeyIdentifier forms of issuerAndSerialNumber and subjectKeyIdentifier forms of
SignerIdentifier. When generating a SignerIdentifier, SignerIdentifier. When generating a SignerIdentifier,
implementations MAY support one of the forms (either implementations MAY support one of the forms (either
issuerAndSerialNumber or subjectKeyIdentifier) and always use it, issuerAndSerialNumber or subjectKeyIdentifier) and always use it,
or implementations MAY arbitrarily mix the two forms. or implementations MAY arbitrarily mix the two forms. However,
subjectKeyIdentifier MUST be used to refer to a public key
contained in a non-X.509 certificate.
digestAlgorithm identifies the message digest algorithm, and any digestAlgorithm identifies the message digest algorithm, and any
associated parameters, used by the signer. The message digest is associated parameters, used by the signer. The message digest is
computed on either the content being signed or the content computed on either the content being signed or the content
together with the signed attributes using the process described in together with the signed attributes using the process described in
section 5.4. The message digest algorithm SHOULD be among those section 5.4. The message digest algorithm SHOULD be among those
listed in the digestAlgorithms field of the associated SignerData. listed in the digestAlgorithms field of the associated SignerData.
Implementations MAY fail to validate signatures that use a digest Implementations MAY fail to validate signatures that use a digest
algorithm that is not included in the SignedData digestAlgorithms algorithm that is not included in the SignedData digestAlgorithms
set. set.
skipping to change at page 15, line 16 skipping to change at page 15, line 19
content-type attribute MUST NOT be included in a countersignature content-type attribute MUST NOT be included in a countersignature
unsigned attribute as defined in section 11.4. A separate encoding unsigned attribute as defined in section 11.4. A separate encoding
of the signedAttrs field is performed for message digest calculation. of the signedAttrs field is performed for message digest calculation.
The IMPLICIT [0] tag in the signedAttrs is not used for the DER The IMPLICIT [0] tag in the signedAttrs is not used for the DER
encoding, rather an EXPLICIT SET OF tag is used. That is, the DER encoding, rather an EXPLICIT SET OF tag is used. That is, the DER
encoding of the EXPLICIT SET OF tag, rather than of the IMPLICIT [0] encoding of the EXPLICIT SET OF tag, rather than of the IMPLICIT [0]
tag, MUST be included in the message digest calculation along with tag, MUST be included in the message digest calculation along with
the length and content octets of the SignedAttributes value. the length and content octets of the SignedAttributes value.
When the signedAttrs field is absent, only the octets comprising the When the signedAttrs field is absent, only the octets comprising the
value of the signedData encapContentInfo eContent OCTET STRING (e.g., value of the SignedData encapContentInfo eContent OCTET STRING (e.g.,
the contents of a file) are input to the message digest calculation. the contents of a file) are input to the message digest calculation.
This has the advantage that the length of the content being signed This has the advantage that the length of the content being signed
need not be known in advance of the signature generation process. need not be known in advance of the signature generation process.
Although the encapContentInfo eContent OCTET STRING tag and length Although the encapContentInfo eContent OCTET STRING tag and length
octets are not included in the message digest calculation, they are octets are not included in the message digest calculation, they are
protected by other means. The length octets are protected by the protected by other means. The length octets are protected by the
nature of the message digest algorithm since it is computationally nature of the message digest algorithm since it is computationally
infeasible to find any two distinct message contents of any length infeasible to find any two distinct message contents of any length
that have the same message digest. that have the same message digest.
skipping to change at page 20, line 15 skipping to change at page 20, line 15
PKCS #1 v1.5, then a graceful failure must be implemented. PKCS #1 v1.5, then a graceful failure must be implemented.
Implementations MUST support key transport, key agreement, and Implementations MUST support key transport, key agreement, and
previously distributed symmetric key-encryption keys, as represented previously distributed symmetric key-encryption keys, as represented
by ktri, kari, and kekri, respectively. Implementations MAY support by ktri, kari, and kekri, respectively. Implementations MAY support
the password-based key management as represented by pwri. the password-based key management as represented by pwri.
Implementations MAY support any other key management technique as Implementations MAY support any other key management technique as
represented by ori. Since each recipient can employ a different key represented by ori. Since each recipient can employ a different key
management technique and future specifications could define management technique and future specifications could define
additional key management techniques, all implementations MUST additional key management techniques, all implementations MUST
gracefully handle unimplemented alternatives within the RecipientInfo gracefully handle
CHOICE, all implementations MUST gracefully handle unimplemented
versions of otherwise supported alternatives within the RecipientInfo unimplemented alternatives within the RecipientInfo CHOICE, all
CHOICE, and all implementations MUST gracefully handle unimplemented implementations MUST gracefully handle unimplemented versions of
or unknown ori alternatives. otherwise supported alternatives within the RecipientInfo CHOICE, and
all implementations MUST gracefully handle unimplemented or unknown
ori alternatives.
RecipientInfo ::= CHOICE { RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo, ktri KeyTransRecipientInfo,
kari [1] KeyAgreeRecipientInfo, kari [1] KeyAgreeRecipientInfo,
kekri [2] KEKRecipientInfo, kekri [2] KEKRecipientInfo,
pwri [3] PasswordRecipientinfo, pwri [3] PasswordRecipientinfo,
ori [4] OtherRecipientInfo } ori [4] OtherRecipientInfo }
EncryptedKey ::= OCTET STRING EncryptedKey ::= OCTET STRING
skipping to change at page 21, line 16 skipping to change at page 21, line 19
the sender to protect the content-encryption key. The content- the sender to protect the content-encryption key. The content-
encryption key is encrypted with the recipient's public key. The encryption key is encrypted with the recipient's public key. The
RecipientIdentifier provides two alternatives for specifying the RecipientIdentifier provides two alternatives for specifying the
recipient's certificate, and thereby the recipient's public key. recipient's certificate, and thereby the recipient's public key.
The recipient's certificate must contain a key transport public The recipient's certificate must contain a key transport public
key. Therefore, a recipient X.509 version 3 certificate that key. Therefore, a recipient X.509 version 3 certificate that
contains a key usage extension MUST assert the keyEncipherment contains a key usage extension MUST assert the keyEncipherment
bit. The issuerAndSerialNumber alternative identifies the bit. The issuerAndSerialNumber alternative identifies the
recipient's certificate by the issuer's distinguished name and the recipient's certificate by the issuer's distinguished name and the
certificate serial number; the subjectKeyIdentifier identifies the certificate serial number; the subjectKeyIdentifier identifies the
signer's certificate by a key identifier. When an X.509 recipient's certificate by a key identifier. When an X.509
certificate is referenced, the key identifier matches the X.509 certificate is referenced, the key identifier matches the X.509
subjectKeyIdentifier extension value. When other certificate subjectKeyIdentifier extension value. When other certificate
formats are referenced, the documents that specify the certificate formats are referenced, the documents that specify the certificate
format and their use with the CMS must include details on matching format and their use with the CMS must include details on matching
the key identifier to the appropriate certificate field. For the key identifier to the appropriate certificate field. For
recipient processing, implementations MUST support both of these recipient processing, implementations MUST support both of these
alternatives for specifying the recipient's certificate. For alternatives for specifying the recipient's certificate. For
sender processing, implementations MUST support at least one of sender processing, implementations MUST support at least one of
these alternatives. these alternatives.
skipping to change at page 22, line 42 skipping to change at page 22, line 42
version is the syntax version number. It MUST always be 3. version is the syntax version number. It MUST always be 3.
originator is a CHOICE with three alternatives specifying the originator is a CHOICE with three alternatives specifying the
sender's key agreement public key. The sender uses the sender's key agreement public key. The sender uses the
corresponding private key and the recipient's public key to corresponding private key and the recipient's public key to
generate a pairwise key. The content-encryption key is encrypted generate a pairwise key. The content-encryption key is encrypted
in the pairwise key. The issuerAndSerialNumber alternative in the pairwise key. The issuerAndSerialNumber alternative
identifies the sender's certificate, and thereby the sender's identifies the sender's certificate, and thereby the sender's
public key, by the issuer's distinguished name and the certificate public key, by the issuer's distinguished name and the certificate
serial number. The subjectKeyIdentifier alternative identifies serial number. The subjectKeyIdentifier alternative identifies
the sender's certificate, and thereby the sender's public key, a the sender's certificate, and thereby the sender's public key, by
key identifier. When an X.509 certificate is referenced, the key a key identifier. When an X.509 certificate is referenced, the
identifier matches the X.509 subjectKeyIdentifier extension value. key identifier matches the X.509 subjectKeyIdentifier extension
When other certificate formats are referenced, the documents that value. When other certificate formats are referenced, the
specify the certificate format and their use with the CMS must documents that specify the certificate format and their use with
must include details on matching the key identifier to the the CMS must must include details on matching the key identifier
appropriate certificate field. The originatorKey alternative to the appropriate certificate field. The originatorKey
includes the algorithm identifier and sender's key agreement alternative includes the algorithm identifier and sender's key
public key. This alternative permits originator anonymity since agreement public key. This alternative permits originator
the public key is not certified. Implementations MUST support all anonymity since the public key is not certified. Implementations
three alternatives for specifying the sender's public key. MUST support all three alternatives for specifying the sender's
public key.
ukm is optional. With some key agreement algorithms, the sender ukm is optional. With some key agreement algorithms, the sender
provides a User Keying Material (UKM) to ensure that a different provides a User Keying Material (UKM) to ensure that a different
key is generated each time the same two parties generate a key is generated each time the same two parties generate a
pairwise key. Implementations MUST support recipient processing pairwise key. Implementations MUST support recipient processing
of a KeyAgreeRecipientInfo SEQUENCE that includes a ukm field. of a KeyAgreeRecipientInfo SEQUENCE that includes a ukm field.
Implementations that do not support key agreement algorithms that Implementations that do not support key agreement algorithms that
make use of UKMs MUST gracefully handle the presence of UKMs. make use of UKMs MUST gracefully handle the presence of UKMs.
keyEncryptionAlgorithm identifies the key-encryption algorithm, keyEncryptionAlgorithm identifies the key-encryption algorithm,
skipping to change at page 26, line 20 skipping to change at page 26, line 20
oriType identifies the key management technique. oriType identifies the key management technique.
oriValue contains the protocol data elements needed by a recipient oriValue contains the protocol data elements needed by a recipient
using the identified key management technique. using the identified key management technique.
6.3 Content-encryption Process 6.3 Content-encryption Process
The content-encryption key for the desired content-encryption The content-encryption key for the desired content-encryption
algorithm is randomly generated. The data to be protected is padded algorithm is randomly generated. The data to be protected is padded
as described below, then the padded data is encrypted using the as described below,
content-encryption key. The encryption operation maps an arbitrary
string of octets (the data) to another string of octets (the then the padded data is encrypted using the content-encryption key.
ciphertext) under control of a content-encryption key. The encrypted The encryption operation maps an arbitrary string of octets (the
data is included in the envelopedData encryptedContentInfo data) to another string of octets (the ciphertext) under control of a
encryptedContent OCTET STRING. content-encryption key. The encrypted data is included in the
EnvelopedData encryptedContentInfo encryptedContent OCTET STRING.
Some content-encryption algorithms assume the input length is a Some content-encryption algorithms assume the input length is a
multiple of k octets, where k is greater than one. For such multiple of k octets, where k is greater than one. For such
algorithms, the input shall be padded at the trailing end with algorithms, the input shall be padded at the trailing end with
k-(lth mod k) octets all having value k-(lth mod k), where lth is k-(lth mod k) octets all having value k-(lth mod k), where lth is
the length of the input. In other words, the input is padded at the length of the input. In other words, the input is padded at
the trailing end with one of the following strings: the trailing end with one of the following strings:
01 -- if lth mod k = k-1 01 -- if lth mod k = k-1
02 02 -- if lth mod k = k-2 02 02 -- if lth mod k = k-2
skipping to change at page 37, line 11 skipping to change at page 37, line 11
The CertificateSet type provides a set of certificates. It is The CertificateSet type provides a set of certificates. It is
intended that the set be sufficient to contain certification paths intended that the set be sufficient to contain certification paths
from a recognized "root" or "top-level certification authority" to from a recognized "root" or "top-level certification authority" to
all of the sender certificates with which the set is associated. all of the sender certificates with which the set is associated.
However, there may be more certificates than necessary, or there MAY However, there may be more certificates than necessary, or there MAY
be fewer than necessary. be fewer than necessary.
The precise meaning of a "certification path" is outside the scope of The precise meaning of a "certification path" is outside the scope of
this document. However, [PROFILE] provides a definition for X.509 this document. However, [PROFILE] provides a definition for X.509
certificates. Some applications may impose upper limits on the certificates. Some applications may impose upper limits on the
length of a certification path; others may enforce certain length of a
relationships between the subjects and issuers of certificates within
a certification path. certification path; others may enforce certain relationships between
the subjects and issuers of certificates within a certification path.
CertificateSet ::= SET OF CertificateChoices CertificateSet ::= SET OF CertificateChoices
10.2.4 IssuerAndSerialNumber 10.2.4 IssuerAndSerialNumber
The IssuerAndSerialNumber type identifies a certificate, and thereby The IssuerAndSerialNumber type identifies a certificate, and thereby
an entity and a public key, by the distinguished name of the an entity and a public key, by the distinguished name of the
certificate issuer and an issuer-specific certificate serial number. certificate issuer and an issuer-specific certificate serial number.
The definition of Name is taken from X.501 [X.501-88], and the The definition of Name is taken from X.501 [X.501-88], and the
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/