--- 1/draft-ietf-lamps-cms-update-alg-id-protect-04.txt 2020-08-27 08:13:24.940181727 -0700 +++ 2/draft-ietf-lamps-cms-update-alg-id-protect-05.txt 2020-08-27 08:13:24.960182237 -0700 @@ -1,20 +1,20 @@ Network Working Group R. Housley Internet-Draft Vigil Security Updates: 5652 (if approved) August 27, 2020 Intended status: Standards Track Expires: February 28, 2021 Update to the Cryptographic Message Syntax (CMS) for Algorithm Identifier Protection - draft-ietf-lamps-cms-update-alg-id-protect-04 + draft-ietf-lamps-cms-update-alg-id-protect-05 Abstract This document updates the Cryptographic Message Syntax (CMS) specified in RFC 5652 to ensure that algorithm identifiers in signed- data and authenticated-data content types are adequately protected. Status of This Memo This Internet-Draft is submitted in full conformance with the 
@@ -50,29 +50,29 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Required use the same hash algorithm . . . . . . . . . . . . 3 3.1. RFC 5652, Section 5.3 . . . . . . . . . . . . . . . . . . 3 3.2. RFC 5652, Section 5.4 . . . . . . . . . . . . . . . . . . 4 3.3. RFC 5652, Section 5.6 . . . . . . . . . . . . . . . . . . 4 3.4. Backward Compatibility Considerations . . . . . . . . . . 5 3.5. Timestamp Compatibility Considerations . . . . . . . . . 5 - 4. Recommended inclusion of the CMSAlgorithmProtection attribute 6 + 4. Recommended inclusion of the CMSAlgorithmProtection attribute 5 4.1. RFC 5652, Section 14 . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 8 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction This document updates the Cryptographic Message Syntax (CMS) [RFC5652] to ensure that algorithm identifiers in signed-data and authenticated-data content types are adequately protected. The CMS signed-data Content Type [RFC5652], unlike X.509 certificates [RFC5280], can be vulnerable to algorithm substitution attacks. In an algorithm substitution attack, the attacker changes either the 
@@ -170,24 +170,20 @@ Add the following paragraph as the second paragraph in Section 5.4: ADD: When the signedAttrs field is present, the same digest algorithm MUST be used to compute the digest of the encapContentInfo eContent OCTET STRING, which is carried in the message-digest attribute, and the digest of the collection of attributes that are signed. - nit: there may be a grammar nit here, relating to the parallelism of - "compute the digest of" - I think "the collection of attributes that - are signed" should also have an "of" or "digest of" prefix. - 3.3. RFC 5652, Section 5.6 Change the paragraph discussing the signed attributes as follows: OLD: The recipient MUST NOT rely on any message digest values computed by the originator. If the SignedData signerInfo includes signedAttributes, then the content message digest MUST be calculated as described in Section 5.4. For the signature to be
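Review bot: in the title-page hunk, the Abstract states the goal ("algorithm identifiers in signed-data and authenticated-data content types are adequately protected") but not the two mechanisms the Table of Contents shows the document using, the required use of the same hash algorithm (Section 3) and the recommended inclusion of the CMSAlgorithmProtection attribute (Section 4); consider naming both in the Abstract so a reader sees what the update to RFC 5652 actually requires. The draft-name bump from -04 to -05 is the hunk's only change, and the "August 27, 2020" and "Expires: February 28, 2021" lines are unchanged context, consistent with both files carrying the same submission date.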
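Review bot: the Table of Contents hunk changes only page numbers (Section 4 from 6 to 5, Author's Address from 9 to 8), which is consistent with the four-line removal in Section 3.2 later in the diff, so the change itself is fine. Two style points on the context lines: the entry "3. Required use the same hash algorithm" is missing a word and should read "Required use of the same hash algorithm" (with the body heading changed to match), and the Section 4 entry is the only one without dot leaders, presumably because its title fills the line; a shorter title would restore the alignment with the other entries.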
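Review bot: deleting the four-line "nit:" paragraph from Section 3.2 is the correct fix: it is a reviewer's comment that was left in the -04 text, and the ADD paragraph it refers to already reads "the digest of the encapContentInfo eContent OCTET STRING, which is carried in the message-digest attribute, and the digest of the collection of attributes that are signed", so the parallelism the nit asked for is already present. The trailing context confirms that the "3.3. RFC 5652, Section 5.6" heading now follows the ADD paragraph directly, and the hunk header (-170,24 +170,20) shows the net loss of four lines that accounts for the page-number shifts in the Table of Contents hunk.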