draft-ietf-lamps-rfc5751-bis-03.txt   draft-ietf-lamps-rfc5751-bis-04.txt 
LAMPS J. Schaad LAMPS J. Schaad
Internet-Draft August Cellars Internet-Draft August Cellars
Obsoletes: RFC5751 (if approved) B. Ramsdell Obsoletes: RFC5751 (if approved) B. Ramsdell
Intended status: Standards Track Brute Squad Labs, Inc. Intended status: Standards Track Brute Squad Labs, Inc.
Expires: August 27, 2017 S. Turner Expires: September 14, 2017 S. Turner
sn3rd sn3rd
February 23, 2017 March 13, 2017
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
Message Specification Message Specification
draft-ietf-lamps-rfc5751-bis-03 draft-ietf-lamps-rfc5751-bis-04
Abstract Abstract
This document defines Secure/Multipurpose Internet Mail Extensions This document defines Secure/Multipurpose Internet Mail Extensions
(S/MIME) version 4.0. S/MIME provides a consistent way to send and (S/MIME) version 4.0. S/MIME provides a consistent way to send and
receive secure MIME data. Digital signatures provide authentication, receive secure MIME data. Digital signatures provide authentication,
message integrity, and non-repudiation with proof of origin. message integrity, and non-repudiation with proof of origin.
Encryption provides data confidentiality. Compression can be used to Encryption provides data confidentiality. Compression can be used to
reduce data size. This document obsoletes RFC 5751. reduce data size. This document obsoletes RFC 5751.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 27, 2017. This Internet-Draft will expire on September 14, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 42 skipping to change at page 2, line 42
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Specification Overview . . . . . . . . . . . . . . . . . 4 1.1. Specification Overview . . . . . . . . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5
1.3. Conventions Used in This Document . . . . . . . . . . . . 6 1.3. Conventions Used in This Document . . . . . . . . . . . . 6
1.4. Compatibility with Prior Practice of S/MIME . . . . . . . 7 1.4. Compatibility with Prior Practice of S/MIME . . . . . . . 7
1.5. Changes from S/MIME v3 to S/MIME v3.1 . . . . . . . . . . 7 1.5. Changes from S/MIME v3 to S/MIME v3.1 . . . . . . . . . . 7
1.6. Changes from S/MIME v3.1 to S/MIME v3.2 . . . . . . . . . 8 1.6. Changes from S/MIME v3.1 to S/MIME v3.2 . . . . . . . . . 8
1.7. Changes for S/MIME v4.0 . . . . . . . . . . . . . . . . . 9 1.7. Changes for S/MIME v4.0 . . . . . . . . . . . . . . . . . 9
2. CMS Options . . . . . . . . . . . . . . . . . . . . . . . . . 9 2. CMS Options . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 10 2.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 10
2.2. SignatureAlgorithmIdentifier . . . . . . . . . . . . . . 10 2.2. SignatureAlgorithmIdentifier . . . . . . . . . . . . . . 10
2.3. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 11 2.3. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 11
2.4. General Syntax . . . . . . . . . . . . . . . . . . . . . 11 2.4. General Syntax . . . . . . . . . . . . . . . . . . . . . 12
2.4.1. Data Content Type . . . . . . . . . . . . . . . . . . 12 2.4.1. Data Content Type . . . . . . . . . . . . . . . . . . 12
2.4.2. SignedData Content Type . . . . . . . . . . . . . . . 12 2.4.2. SignedData Content Type . . . . . . . . . . . . . . . 12
2.4.3. EnvelopedData Content Type . . . . . . . . . . . . . 12 2.4.3. EnvelopedData Content Type . . . . . . . . . . . . . 12
2.4.4. AuthEnvelopedData Content Type . . . . . . . . . . . 12 2.4.4. AuthEnvelopedData Content Type . . . . . . . . . . . 12
2.4.5. CompressedData Content Type . . . . . . . . . . . . . 12 2.4.5. CompressedData Content Type . . . . . . . . . . . . . 12
2.5. Attributes and the SignerInfo Type . . . . . . . . . . . 13 2.5. Attributes and the SignerInfo Type . . . . . . . . . . . 13
2.5.1. Signing Time Attribute . . . . . . . . . . . . . . . 13 2.5.1. Signing Time Attribute . . . . . . . . . . . . . . . 13
2.5.2. SMIME Capabilities Attribute . . . . . . . . . . . . 14 2.5.2. SMIME Capabilities Attribute . . . . . . . . . . . . 14
2.5.3. Encryption Key Preference Attribute . . . . . . . . . 15 2.5.3. Encryption Key Preference Attribute . . . . . . . . . 15
2.6. SignerIdentifier SignerInfo Type . . . . . . . . . . . . 16 2.6. SignerIdentifier SignerInfo Type . . . . . . . . . . . . 17
2.7. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 17 2.7. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 17
2.7.1. Deciding Which Encryption Method to Use . . . . . . . 17 2.7.1. Deciding Which Encryption Method to Use . . . . . . . 17
2.7.2. Choosing Weak Encryption . . . . . . . . . . . . . . 19 2.7.2. Choosing Weak Encryption . . . . . . . . . . . . . . 19
2.7.3. Multiple Recipients . . . . . . . . . . . . . . . . . 19 2.7.3. Multiple Recipients . . . . . . . . . . . . . . . . . 19
3. Creating S/MIME Messages . . . . . . . . . . . . . . . . . . 19 3. Creating S/MIME Messages . . . . . . . . . . . . . . . . . . 19
3.1. Preparing the MIME Entity for Signing, Enveloping, or 3.1. Preparing the MIME Entity for Signing, Enveloping, or
Compressing . . . . . . . . . . . . . . . . . . . . . . . 20 Compressing . . . . . . . . . . . . . . . . . . . . . . . 20
3.1.1. Canonicalization . . . . . . . . . . . . . . . . . . 21 3.1.1. Canonicalization . . . . . . . . . . . . . . . . . . 21
3.1.2. Transfer Encoding . . . . . . . . . . . . . . . . . . 22 3.1.2. Transfer Encoding . . . . . . . . . . . . . . . . . . 22
3.1.3. Transfer Encoding for Signing Using multipart/signed 22 3.1.3. Transfer Encoding for Signing Using multipart/signed 22
skipping to change at page 3, line 42 skipping to change at page 3, line 42
3.10. Identifying an S/MIME Message . . . . . . . . . . . . . . 36 3.10. Identifying an S/MIME Message . . . . . . . . . . . . . . 36
4. Certificate Processing . . . . . . . . . . . . . . . . . . . 36 4. Certificate Processing . . . . . . . . . . . . . . . . . . . 36
4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37 4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37
4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37 4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37
4.3. Signature Verification . . . . . . . . . . . . . . . . . 37 4.3. Signature Verification . . . . . . . . . . . . . . . . . 37
4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38 4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38
4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38 4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38 5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38
5.2. Media Type for application/pkcs7-signature . . . . . . . 39 5.2. Media Type for application/pkcs7-signature . . . . . . . 39
5.3. Register authEnvelopedData smime-type . . . . . . . . . . 40 5.3. Register authEnveloped-data smime-type . . . . . . . . . 40
6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 6. Security Considerations . . . . . . . . . . . . . . . . . . . 40
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
7.1. Normative References . . . . . . . . . . . . . . . . . . 44 7.1. Normative References . . . . . . . . . . . . . . . . . . 44
7.2. Informative References . . . . . . . . . . . . . . . . . 48 7.2. Informative References . . . . . . . . . . . . . . . . . 48
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 51 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 51
Appendix B. Historic Mail Considerations . . . . . . . . . . . . 53 Appendix B. Historic Mail Considerations . . . . . . . . . . . . 53
B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54 B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54
B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54 B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54
B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56 B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56
B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56 B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56
skipping to change at page 6, line 30 skipping to change at page 6, line 30
types, or both. types, or both.
Sending agent: Software that creates S/MIME CMS content types, Sending agent: Software that creates S/MIME CMS content types,
MIME body parts that contain CMS content types, or MIME body parts that contain CMS content types, or
both. both.
S/MIME agent: User software that is a receiving agent, a sending S/MIME agent: User software that is a receiving agent, a sending
agent, or both. agent, or both.
Data Integrity Service: A security service that protects againist Data Integrity Service: A security service that protects againist
unauthorized changes to data by insuring that unauthorized changes to data by ensuring that
changes to the data are detectable. [RFC4949] changes to the data are detectable. [RFC4949]
Data Confidentiality: The property that data is not discolsed to Data Confidentiality: The property that data is not discolsed to
system entities unless they have been authorize to system entities unless they have been authorized
know the data. [RFC4949] to know the data. [RFC4949]
Data Origination: The corroboration that the source of the data Data Origination: The corroboration that the source of the data
received is as claimed. [RFC4949]. received is as claimed. [RFC4949].
1.3. Conventions Used in This Document 1.3. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
We define some additional terms here: We define the additional requirement levels:
SHOULD+ This term means the same as SHOULD. However, the authors SHOULD+ This term means the same as SHOULD. However, the authors
expect that a requirement marked as SHOULD+ will be expect that a requirement marked as SHOULD+ will be
promoted at some future time to be a MUST. promoted at some future time to be a MUST.
SHOULD- This term means the same as SHOULD. However, the authors SHOULD- This term means the same as SHOULD. However, the authors
expect that a requirement marked as SHOULD- will be demoted expect that a requirement marked as SHOULD- will be demoted
to a MAY in a future version of this document. to a MAY in a future version of this document.
MUST- This term means the same as MUST. However, the authors MUST- This term means the same as MUST. However, the authors
expect that this requirement will no longer be a MUST in a expect that this requirement will no longer be a MUST in a
future document. Although its status will be determined at future document. Although its status will be determined at
a later time, it is reasonable to expect that if a future a later time, it is reasonable to expect that if a future
revision of a document alters the status of a MUST- revision of a document alters the status of a MUST-
requirement, it will remain at least a SHOULD or a SHOULD-. requirement, it will remain at least a SHOULD or a SHOULD-.
The term RSA in this document almost always refers to the PKCS#1 v1.5
RSA signature or encryption algorithms even when not qualified as
such. There are a couple of places where it refers to the general
RSA cryptographic operation, these can be determined from the context
where it is used.
1.4. Compatibility with Prior Practice of S/MIME 1.4. Compatibility with Prior Practice of S/MIME
S/MIME version 4.0 agents ought to attempt to have the greatest S/MIME version 4.0 agents ought to attempt to have the greatest
interoperability possible with agents for prior versions of S/MIME. interoperability possible with agents for prior versions of S/MIME.
S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive
[SMIMEv2], S/MIME version 3 is described in RFC 2630 through RFC 2634 [SMIMEv2], S/MIME version 3 is described in RFC 2630 through RFC 2634
inclusive and RFC 5035 [SMIMEv3], S/MIME version 3.1 is described in inclusive and RFC 5035 [SMIMEv3], S/MIME version 3.1 is described in
RFC 3850, RFC 3851, RFC 3852, RFC 2634, and RFC 5035 [SMIMEv3.1], and RFC 3850, RFC 3851, RFC 3852, RFC 2634, and RFC 5035 [SMIMEv3.1], and
S/MIME version 3.2 is described in [SMIMEv3.2]. [RFC2311] also has S/MIME version 3.2 is described in [SMIMEv3.2]. [RFC2311] also has
historical information about the development of S/MIME. historical information about the development of S/MIME.
skipping to change at page 9, line 36 skipping to change at page 9, line 41
1.7. Changes for S/MIME v4.0 1.7. Changes for S/MIME v4.0
- Add the use of AuthEnvelopedData, including defining and - Add the use of AuthEnvelopedData, including defining and
registering an smime-type value (Section 2.4.4 and Section 3.4). registering an smime-type value (Section 2.4.4 and Section 3.4).
- Update the content encryption algorithms (Section 2.7 and - Update the content encryption algorithms (Section 2.7 and
Section 2.7.1.2): Add AES-256 GCM, add ChaCha200-Poly1305, remove Section 2.7.1.2): Add AES-256 GCM, add ChaCha200-Poly1305, remove
AES-192 CBC, mark tripleDES as historic. AES-192 CBC, mark tripleDES as historic.
- Update the set of signature algorithms (Section 2.2: Add EdDSA and - Update the set of signature algorithms (Section 2.2): Add EdDSA
ECDSA, mark DSA as historic and ECDSA, mark DSA as historic
- Update the set of digest algorithms (Section 2.1: Add SHA-512, - Update the set of digest algorithms (Section 2.1): Add SHA-512,
mark SHA-1 as historic. mark SHA-1 as historic.
- Update the size of keys to be used for RSA encryption and RSA - Update the size of keys to be used for RSA encryption and RSA
signing (Section 4). signing (Section 4).
- Create Appendix B which deals with considerations for dealing with - Create Appendix B which deals with considerations for dealing with
historic email messages. historic email messages.
2. CMS Options 2. CMS Options
skipping to change at page 14, line 16 skipping to change at page 14, line 21
19YY; if YY is less than 50, the year is interpreted as 20YY. 19YY; if YY is less than 50, the year is interpreted as 20YY.
Receiving agents MUST be able to process signing-time attributes that Receiving agents MUST be able to process signing-time attributes that
are encoded in either UTCTime or GeneralizedTime. are encoded in either UTCTime or GeneralizedTime.
2.5.2. SMIME Capabilities Attribute 2.5.2. SMIME Capabilities Attribute
The SMIMECapabilities attribute includes signature algorithms (such The SMIMECapabilities attribute includes signature algorithms (such
as "sha256WithRSAEncryption"), symmetric algorithms (such as "AES-128 as "sha256WithRSAEncryption"), symmetric algorithms (such as "AES-128
CBC"), authenticated symmetric algorithms (such as "AES-128 GCM") and CBC"), authenticated symmetric algorithms (such as "AES-128 GCM") and
key encipherment algorithms (such as "rsaEncryption"). There are key encipherment algorithms (such as "rsaEncryption"). The presence
also several identifiers that indicate support for other optional of an algorthm based SMIME Capability attribute in this sequence
features such as binary encoding and compression. The implies that the sender can deal with the algorithm as well as
undertanding the ASN.1 structures associated with that algorithm.
There are also several identifiers that indicate support for other
optional features such as binary encoding and compression. The
SMIMECapabilities were designed to be flexible and extensible so SMIMECapabilities were designed to be flexible and extensible so
that, in the future, a means of identifying other capabilities and that, in the future, a means of identifying other capabilities and
preferences such as certificates can be added in a way that will not preferences such as certificates can be added in a way that will not
cause current clients to break. cause current clients to break.
If present, the SMIMECapabilities attribute MUST be a If present, the SMIMECapabilities attribute MUST be a
SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines SignedAttribute; it MUST NOT be an UnsignedAttribute. CMS defines
SignedAttributes as a SET OF Attribute. The SignedAttributes in a SignedAttributes as a SET OF Attribute. The SignedAttributes in a
signerInfo MUST NOT include multiple instances of the signerInfo MUST NOT include multiple instances of the
SMIMECapabilities attribute. CMS defines the ASN.1 syntax for SMIMECapabilities attribute. CMS defines the ASN.1 syntax for
skipping to change at page 26, line 15 skipping to change at page 26, line 15
the file extensions. the file extensions.
3.2.2. The smime-type Parameter 3.2.2. The smime-type Parameter
The application/pkcs7-mime content type defines the optional "smime- The application/pkcs7-mime content type defines the optional "smime-
type" parameter. The intent of this parameter is to convey details type" parameter. The intent of this parameter is to convey details
about the security applied (signed or enveloped) along with about the security applied (signed or enveloped) along with
information about the contained content. This specification defines information about the contained content. This specification defines
the following smime-types. the following smime-types.
Name CMS Type Inner Content Name CMS Type Inner Content
enveloped-data EnvelopedData id-data enveloped-data EnvelopedData id-data
signed-data SignedData id-data signed-data SignedData id-data
certs-only SignedData id-data certs-only SignedData id-data
compressed-data CompressedData id-data compressed-data CompressedData id-data
authEnvelopedData AuthEnvelopedData id-data authEnveloped-data AuthEnvelopedData id-data
In order for consistency to be obtained with future specifications, In order for consistency to be obtained with future specifications,
the following guidelines SHOULD be followed when assigning a new the following guidelines SHOULD be followed when assigning a new
smime-type parameter. smime-type parameter.
1. If both signing and encryption can be applied to the content, 1. If both signing and encryption can be applied to the content,
then three values for smime-type SHOULD be assigned "signed-*", then three values for smime-type SHOULD be assigned "signed-*",
"authEnv-*", and "enveloped-*". If one operation can be "authEnv-*", and "enveloped-*". If one operation can be
assigned, then this can be omitted. Thus, since "certs-only" can assigned, then this can be omitted. Thus, since "certs-only" can
only be signed, "signed-" is omitted. only be signed, "signed-" is omitted.
skipping to change at page 27, line 34 skipping to change at page 27, line 34
object. object.
Step 4. The ContentInfo object is inserted into an Step 4. The ContentInfo object is inserted into an
application/pkcs7-mime MIME entity. application/pkcs7-mime MIME entity.
The smime-type parameter for enveloped-only messages is "enveloped- The smime-type parameter for enveloped-only messages is "enveloped-
data". The file extension for this type of message is ".p7m". data". The file extension for this type of message is ".p7m".
A sample message would be: A sample message would be:
Content-Type: application/pkcs7-mime; name=smime.p7m; Content-Type: application/pkcs7-mime; name=smime.p7m;
smime-type=enveloped-data smime-type=enveloped-data
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m Content-Disposition: attachment; filename=smime.p7m
MIIBHgYJKoZIhvcNAQcDoIIBDzCCAQsCAQAxgcAwgb0CAQAwJjASMRAwDgYDVQQDEwdDYXJ MIIBHgYJKoZIhvcNAQcDoIIBDzCCAQsCAQAxgcAwgb0CAQAwJjASMRAwDgYDVQQDEw
sUlNBAhBGNGvHgABWvBHTbi7NXXHQMA0GCSqGSIb3DQEBAQUABIGAC3EN5nGIiJi2lsGPcP dDYXJsUlNBAhBGNGvHgABWvBHTbi7NXXHQMA0GCSqGSIb3DQEBAQUABIGAC3EN5nGI
2iJ97a4e8kbKQz36zg6Z2i0yx6zYC4mZ7mX7FBs3IWg+f6KgCLx3M1eCbWx8+MDFbbpXadC iJi2lsGPcP2iJ97a4e8kbKQz36zg6Z2i0yx6zYC4mZ7mX7FBs3IWg+f6KgCLx3M1eC
DgO8/nUkUNYeNxJtuzubGgzoyEd8Ch4H/dd9gdzTd+taTEgS0ipdSJuNnkVY4/M652jKKHR bWx8+MDFbbpXadCDgO8/nUkUNYeNxJtuzubGgzoyEd8Ch4H/dd9gdzTd+taTEgS0ip
LFf02hosdR8wQwYJKoZIhvcNAQcBMBQGCCqGSIb3DQMHBAgtaMXpRwZRNYAgDsiSf8Z9P43 dSJuNnkVY4/M652jKKHRLFf02hosdR8wQwYJKoZIhvcNAQcBMBQGCCqGSIb3DQMHBA
LrY4OxUk660cu1lXeCSFOSOpOJ7FuVyU= gtaMXpRwZRNYAgDsiSf8Z9P43LrY4OxUk660cu1lXeCSFOSOpOJ7FuVyU=
3.4. Creating an Authenticated Enveloped-Only Message 3.4. Creating an Authenticated Enveloped-Only Message
This section describes the format for enveloping a MIME entity This section describes the format for enveloping a MIME entity
without signing it. Authenticated enveloped messages provide without signing it. Authenticated enveloped messages provide
confidentiality and integrity. It is important to note that sending confidentiality and data integrity. It is important to note that
authenticated enveloped messages does not provide for authentication sending authenticated enveloped messages does not provide for
when using S/MIME. It is possible to replace ciphertext in such a authentication when using S/MIME. It is possible to replace
way that the processed message will still be valid, but the meaning ciphertext in such a way that the processed message will still be
can be altered. However this is substantially more difficult than it valid, but the meaning can be altered. However this is substantially
is for an enveloped-only message as the more difficult than it is for an enveloped-only message as the
Step 1. The MIME entity to be enveloped is prepared according to Step 1. The MIME entity to be enveloped is prepared according to
Section 3.1. Section 3.1.
Step 2. The MIME entity and other required data is processed into a Step 2. The MIME entity and other required data is processed into a
CMS object of type AuthEnvelopedData. In addition to CMS object of type AuthEnvelopedData. In addition to
encrypting a copy of the content-encryption key for each encrypting a copy of the content-encryption key for each
recipient, a copy of the content-encryption key SHOULD be recipient, a copy of the content-encryption key SHOULD be
encrypted for the originator and included in the encrypted for the originator and included in the
AuthEnvelopedData (see [RFC5083]). AuthEnvelopedData (see [RFC5083]).
Step 3. The AuthEnvelopedData object is wrapped in a CMS ContentInfo Step 3. The AuthEnvelopedData object is wrapped in a CMS ContentInfo
object. object.
Step 4. The ContentInfo object is inserted into an Step 4. The ContentInfo object is inserted into an
application/pkcs7-mime MIME entity. application/pkcs7-mime MIME entity.
The smime-type parameter for authenticated enveloped-only messages is The smime-type parameter for authenticated enveloped-only messages is
"authEnvelopedData". The file extension for this type of message is "authEnveloped-data". The file extension for this type of message is
".p7m". ".p7m".
A sample message would be: A sample message would be:
Content-Type: application/pkcs7-mime; smime-type=authEnvelopedData; Content-Type: application/pkcs7-mime; smime-type=authEnveloped-data;
name=smime.p7m name=smime.p7m
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m Content-Disposition: attachment; filename=smime.p7m
MIIDWQYLKoZIhvcNAQkQARegggNIMIIDRAIBADGBvjCBuwIBADAmMBIxEDAO MIIDWQYLKoZIhvcNAQkQARegggNIMIIDRAIBADGBvjCBuwIBADAmMBIxEDAO
BgNVBAMTB0NhcmxSU0ECEEY0a8eAAFa8EdNuLs1dcdAwCwYJKoZIhvcNAQEB BgNVBAMTB0NhcmxSU0ECEEY0a8eAAFa8EdNuLs1dcdAwCwYJKoZIhvcNAQEB
BIGAgyZJo0ERTxA4xdTri5P5tVMyh0RARepTUCORZvlUbcUlaI8IpJZH3/J1 BIGAgyZJo0ERTxA4xdTri5P5tVMyh0RARepTUCORZvlUbcUlaI8IpJZH3/J1
Fv6MxTRS4O/K+ZcTlQmYeWLQvwdltQdOIP3mhpqXzTnOYhTK1IDtF2zx75Lg Fv6MxTRS4O/K+ZcTlQmYeWLQvwdltQdOIP3mhpqXzTnOYhTK1IDtF2zx75Lg
vE+ilpcLIzXfJB4RCBPtBWaHAof4Wb+VMQvLkk9OolX4mRSH1LPktgAwggJq vE+ilpcLIzXfJB4RCBPtBWaHAof4Wb+VMQvLkk9OolX4mRSH1LPktgAwggJq
BgkqhkiG9w0BBwEwGwYJYIZIAWUDBAEGMA4EDGPizioC9OHSsnNx4oCCAj7Y BgkqhkiG9w0BBwEwGwYJYIZIAWUDBAEGMA4EDGPizioC9OHSsnNx4oCCAj7Y
skipping to change at page 31, line 5 skipping to change at page 31, line 5
Step 4. The ContentInfo object is inserted into an Step 4. The ContentInfo object is inserted into an
application/pkcs7-mime MIME entity. application/pkcs7-mime MIME entity.
The smime-type parameter for messages using application/pkcs7-mime The smime-type parameter for messages using application/pkcs7-mime
with SignedData is "signed-data". The file extension for this type with SignedData is "signed-data". The file extension for this type
of message is ".p7m". of message is ".p7m".
A sample message would be: A sample message would be:
Content-Type: application/pkcs7-mime; smime-type=signed-data; Content-Type: application/pkcs7-mime; smime-type=signed-data;
name=smime.p7m name=smime.p7m
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m Content-Disposition: attachment; filename=smime.p7m
MIIDmQYJKoZIhvcNAQcCoIIDijCCA4YCAQExCTAHBgUrDgMCGjAtBgkqhkiG9w0BBwGgIAQ MIIDmQYJKoZIhvcNAQcCoIIDijCCA4YCAQExCTAHBgUrDgMCGjAtBgkqhkiG9w0BBw
eDQpUaGlzIGlzIHNvbWUgc2FtcGxlIGNvbnRlbnQuoIIC4DCCAtwwggKboAMCAQICAgDIMA GgIAQeDQpUaGlzIGlzIHNvbWUgc2FtcGxlIGNvbnRlbnQuoIIC4DCCAtwwggKboAMC
kGByqGSM44BAMwEjEQMA4GA1UEAxMHQ2FybERTUzAeFw05OTA4MTcwMTEwNDlaFw0zOTEyM AQICAgDIMAkGByqGSM44BAMwEjEQMA4GA1UEAxMHQ2FybERTUzAeFw05OTA4MTcwMT
zEyMzU5NTlaMBMxETAPBgNVBAMTCEFsaWNlRFNTMIIBtjCCASsGByqGSM44BAEwggEeAoGB EwNDlaFw0zOTEyMzEyMzU5NTlaMBMxETAPBgNVBAMTCEFsaWNlRFNTMIIBtjCCASsG
AIGNze2D6gqeOT7CSCij5EeT3Q7XqA7sU8WrhAhP/5Thc0h+DNbzREjR/p+vpKGJL+HZMMg ByqGSM44BAEwggEeAoGBAIGNze2D6gqeOT7CSCij5EeT3Q7XqA7sU8WrhAhP/5Thc0
23j+bv7dM3F9piuR10DcMkQiVm96nXvn89J8v3UOoi1TxP7AHCEdNXYjDw7Wz41UIddU5dh h+DNbzREjR/p+vpKGJL+HZMMg23j+bv7dM3F9piuR10DcMkQiVm96nXvn89J8v3UOo
DEeL3/nbCElzfy5FEbteQJllzzflvbAhUA4kemGkVmuBPG2o+4NyErYov3k80CgYAmONAUi i1TxP7AHCEdNXYjDw7Wz41UIddU5dhDEeL3/nbCElzfy5FEbteQJllzzflvbAhUA4k
TKqOfs+bdlLWWpMdiM5BAI1XPLLGjDDHlBd3ZtZ4s2qBT1YwHuiNrhuB699ikIlp/R1z0oI emGkVmuBPG2o+4NyErYov3k80CgYAmONAUiTKqOfs+bdlLWWpMdiM5BAI1XPLLGjDD
Xks+kPht6pzJIYo7dhTpzi5dowfNI4W4LzABfG1JiRGJNkS9+MiVSlNWteL5c+waYTYfEX/ HlBd3ZtZ4s2qBT1YwHuiNrhuB699ikIlp/R1z0oIXks+kPht6pzJIYo7dhTpzi5dow
Cve3RUP+YdMLRgUpgObo2OQOBhAACgYBc47ladRSWC6l63eM/qeysXty9txMRNKYWiSgRI9 fNI4W4LzABfG1JiRGJNkS9+MiVSlNWteL5c+waYTYfEX/Cve3RUP+YdMLRgUpgObo2
k0hmd1dRMSPUNbb+VRv/qJ8qIbPiR9PQeNW2PIu0WloErjhdbOBoA/6CN+GvIkq1MauCcNH OQOBhAACgYBc47ladRSWC6l63eM/qeysXty9txMRNKYWiSgRI9k0hmd1dRMSPUNbb+
u8Iv2YUgFxirGX6FYvxuzTU0pY39mFHssQyhPB+QUD9RqdjTjPypeL08oPluKOBgTB/MAwG VRv/qJ8qIbPiR9PQeNW2PIu0WloErjhdbOBoA/6CN+GvIkq1MauCcNHu8Iv2YUgFxi
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMB8GA1UdIwQYMBaAFHBEPoIub4feStN14z0 rGX6FYvxuzTU0pY39mFHssQyhPB+QUD9RqdjTjPypeL08oPluKOBgTB/MAwGA1UdEw
gvEMrk/EfMB0GA1UdDgQWBBS+bKGz48H37UNwpM4TAeL945f+zTAfBgNVHREEGDAWgRRBbG EB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMB8GA1UdIwQYMBaAFHBEPoIub4feStN14z0g
ljZURTU0BleGFtcGxlLmNvbTAJBgcqhkjOOAQDAzAAMC0CFFUMpBkfQiuJcSIzjYNqtT1na vEMrk/EfMB0GA1UdDgQWBBS+bKGz48H37UNwpM4TAeL945f+zTAfBgNVHREEGDAWgR
79FAhUAn2FTUlQLXLLd2ud2HeIQUltDXr0xYzBhAgEBMBgwEjEQMA4GA1UEAxMHQ2FybERT RBbGljZURTU0BleGFtcGxlLmNvbTAJBgcqhkjOOAQDAzAAMC0CFFUMpBkfQiuJcSIz
UwICAMgwBwYFKw4DAhowCQYHKoZIzjgEAwQuMCwCFD1cSW6LIUFzeXle3YI5SKSBer/sAhQ jYNqtT1na79FAhUAn2FTUlQLXLLd2ud2HeIQUltDXr0xYzBhAgEBMBgwEjEQMA4GA1
mCq7s/CTFHOEjgASeUjbMpx5g6A== UEAxMHQ2FybERTUwICAMgwBwYFKw4DAhowCQYHKoZIzjgEAwQuMCwCFD1cSW6LIUFz
eXle3YI5SKSBer/sAhQmCq7s/CTFHOEjgASeUjbMpx5g6A==
3.5.3. Signing Using the multipart/signed Format 3.5.3. Signing Using the multipart/signed Format
This format is a clear-signing format. Recipients without any S/MIME This format is a clear-signing format. Recipients without any S/MIME
or CMS processing facilities are able to view the message. It makes or CMS processing facilities are able to view the message. It makes
use of the multipart/signed media type described in [RFC1847]. The use of the multipart/signed media type described in [RFC1847]. The
multipart/signed media type has two parts. The first part contains multipart/signed media type has two parts. The first part contains
the MIME entity that is signed; the second part contains the the MIME entity that is signed; the second part contains the
"detached signature" CMS SignedData object in which the "detached signature" CMS SignedData object in which the
encapContentInfo eContent field is absent. encapContentInfo eContent field is absent.
skipping to change at page 33, line 14 skipping to change at page 33, line 14
(Historical note: some early implementations of S/MIME emitted and (Historical note: some early implementations of S/MIME emitted and
expected "rsa-md5", "rsa-sha1", and "sha1" for the micalg parameter.) expected "rsa-md5", "rsa-sha1", and "sha1" for the micalg parameter.)
Receiving agents SHOULD be able to recover gracefully from a micalg Receiving agents SHOULD be able to recover gracefully from a micalg
parameter value that they do not recognize. Future names for this parameter value that they do not recognize. Future names for this
parameter will be consistent with the IANA "Hash Function Textual parameter will be consistent with the IANA "Hash Function Textual
Names" registry. Names" registry.
3.5.3.3. Sample multipart/signed Message 3.5.3.3. Sample multipart/signed Message
Content-Type: multipart/signed; Content-Type: multipart/signed;
micalg=SHA1; micalg=SHA1;
boundary="----=_NextBoundry____Fri,_06_Sep_2002_00:25:21"; boundary="----=_NextBoundry____Fri,_06_Sep_2002_00:25:21";
protocol="application/pkcs7-signature" protocol="application/pkcs7-signature"
This is a multi-part message in MIME format. This is a multi-part message in MIME format.
------=_NextBoundry____Fri,_06_Sep_2002_00:25:21 ------=_NextBoundry____Fri,_06_Sep_2002_00:25:21
This is some sample content. This is some sample content.
------=_NextBoundry____Fri,_06_Sep_2002_00:25:21 ------=_NextBoundry____Fri,_06_Sep_2002_00:25:21
Content-Type: application/pkcs7-signature; name=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s Content-Disposition: attachment; filename=smime.p7s
MIIDdwYJKoZIhvcNAQcCoIIDaDCCA2QCAQExCTAHBgUrDgMCGjALBgkqhkiG9w0BBwGgggL MIIDdwYJKoZIhvcNAQcCoIIDaDCCA2QCAQExCTAHBgUrDgMCGjALBgkqhkiG9w0BBw
gMIIC3DCCApugAwIBAgICAMgwCQYHKoZIzjgEAzASMRAwDgYDVQQDEwdDYXJsRFNTMB4XDT GgggLgMIIC3DCCApugAwIBAgICAMgwCQYHKoZIzjgEAzASMRAwDgYDVQQDEwdDYXJs
k5MDgxNzAxMTA0OVoXDTM5MTIzMTIzNTk1OVowEzERMA8GA1UEAxMIQWxpY2VEU1MwggG2M RFNTMB4XDTk5MDgxNzAxMTA0OVoXDTM5MTIzMTIzNTk1OVowEzERMA8GA1UEAxMIQW
IIBKwYHKoZIzjgEATCCAR4CgYEAgY3N7YPqCp45PsJIKKPkR5PdDteoDuxTxauECE//lOFz xpY2VEU1MwggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAgY3N7YPqCp45PsJIKKPkR5Pd
SH4M1vNESNH+n6+koYkv4dkwyDbeP5u/t0zcX2mK5HXQNwyRCJWb3qde+fz0ny/dQ6iLVPE DteoDuxTxauECE//lOFzSH4M1vNESNH+n6+koYkv4dkwyDbeP5u/t0zcX2mK5HXQNw
/sAcIR01diMPDtbPjVQh11Tl2EMR4vf+dsISXN/LkURu15AmWXPN+W9sCFQDiR6YaRWa4E8 yRCJWb3qde+fz0ny/dQ6iLVPE/sAcIR01diMPDtbPjVQh11Tl2EMR4vf+dsISXN/Lk
baj7g3IStii/eTzQKBgCY40BSJMqo5+z5t2UtZakx2IzkEAjVc8ssaMMMeUF3dm1nizaoFP URu15AmWXPN+W9sCFQDiR6YaRWa4E8baj7g3IStii/eTzQKBgCY40BSJMqo5+z5t2U
VjAe6I2uG4Hr32KQiWn9HXPSgheSz6Q+G3qnMkhijt2FOnOLl2jB80jhbgvMAF8bUmJEYk2 tZakx2IzkEAjVc8ssaMMMeUF3dm1nizaoFPVjAe6I2uG4Hr32KQiWn9HXPSgheSz6Q
RL34yJVKU1a14vlz7BphNh8Rf8K97dFQ/5h0wtGBSmA5ujY5A4GEAAKBgFzjuVp1FJYLqXr +G3qnMkhijt2FOnOLl2jB80jhbgvMAF8bUmJEYk2RL34yJVKU1a14vlz7BphNh8Rf8
d4z+p7Kxe3L23ExE0phaJKBEj2TSGZ3V1ExI9Q1tv5VG/+onyohs+JH09B41bY8i7RaWgSu K97dFQ/5h0wtGBSmA5ujY5A4GEAAKBgFzjuVp1FJYLqXrd4z+p7Kxe3L23ExE0phaJ
OF1s4GgD/oI34a8iSrUxq4Jw0e7wi/ZhSAXGKsZfoVi/G7NNTSljf2YUeyxDKE8H5BQP1Gp KBEj2TSGZ3V1ExI9Q1tv5VG/+onyohs+JH09B41bY8i7RaWgSuOF1s4GgD/oI34a8i
2NOM/Kl4vTyg+W4o4GBMH8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwHwYDVR0j SrUxq4Jw0e7wi/ZhSAXGKsZfoVi/G7NNTSljf2YUeyxDKE8H5BQP1Gp2NOM/Kl4vTy
BBgwFoAUcEQ+gi5vh95K03XjPSC8QyuT8R8wHQYDVR0OBBYEFL5sobPjwfftQ3CkzhMB4v3 g+W4o4GBMH8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwHwYDVR0jBBgwFo
jl/7NMB8GA1UdEQQYMBaBFEFsaWNlRFNTQGV4YW1wbGUuY29tMAkGByqGSM44BAMDMAAwLQ AUcEQ+gi5vh95K03XjPSC8QyuT8R8wHQYDVR0OBBYEFL5sobPjwfftQ3CkzhMB4v3j
IUVQykGR9CK4lxIjONg2q1PWdrv0UCFQCfYVNSVAtcst3a53Yd4hBSW0NevTFjMGECAQEwG l/7NMB8GA1UdEQQYMBaBFEFsaWNlRFNTQGV4YW1wbGUuY29tMAkGByqGSM44BAMDMA
DASMRAwDgYDVQQDEwdDYXJsRFNTAgIAyDAHBgUrDgMCGjAJBgcqhkjOOAQDBC4wLAIUM/mG AwLQIUVQykGR9CK4lxIjONg2q1PWdrv0UCFQCfYVNSVAtcst3a53Yd4hBSW0NevTFj
f6gkgp9Z0XtRdGimJeB/BxUCFGFFJqwYRt1WYcIOQoGiaowqGzVI MGECAQEwGDASMRAwDgYDVQQDEwdDYXJsRFNTAgIAyDAHBgUrDgMCGjAJBgcqhkjOOA
QDBC4wLAIUM/mGf6gkgp9Z0XtRdGimJeB/BxUCFGFFJqwYRt1WYcIOQoGiaowqGzVI
------=_NextBoundry____Fri,_06_Sep_2002_00:25:21-- ------=_NextBoundry____Fri,_06_Sep_2002_00:25:21--
The content that is digested (the first part of the multipart/signed) The content that is digested (the first part of the multipart/signed)
consists of the bytes: consists of the bytes:
54 68 69 73 20 69 73 20 73 6f 6d 65 20 73 61 6d 70 6c 65 20 63 6f 6e 54 68 69 73 20 69 73 20 73 6f 6d 65 20 73 61 6d 70 6c 65 20 63 6f 6e
74 65 6e 74 2e 0d 0a 74 65 6e 74 2e 0d 0a
3.6. Creating a Compressed-Only Message 3.6. Creating a Compressed-Only Message
This section describes the format for compressing a MIME entity. This section describes the format for compressing a MIME entity.
skipping to change at page 36, line 33 skipping to change at page 36, line 33
type information, and it becomes a bit difficult to identify S/MIME type information, and it becomes a bit difficult to identify S/MIME
messages. The following table lists criteria for determining whether messages. The following table lists criteria for determining whether
or not a message is an S/MIME message. A message is considered an or not a message is an S/MIME message. A message is considered an
S/MIME message if it matches any of the criteria listed below. S/MIME message if it matches any of the criteria listed below.
The file suffix in the table below comes from the "name" parameter in The file suffix in the table below comes from the "name" parameter in
the Content-Type header field, or the "filename" parameter on the the Content-Type header field, or the "filename" parameter on the
Content-Disposition header field. These parameters that give the Content-Disposition header field. These parameters that give the
file suffix are not listed below as part of the parameter section. file suffix are not listed below as part of the parameter section.
Media type parameters file Media type parameters file suffix
suffix application/pkcs7-mime n/a n/a
application/pkcs7-mime n/a n/a multipart/signed protocol= n/a
multipart/signed protocol="application/pkcs7-signature" n/a "application/pkcs7-signature"
application/octet- n/a p7m, application/octet-stream n/a p7m, p7s,
stream p7s, p7c, p7z
p7c,
p7z
4. Certificate Processing 4. Certificate Processing
A receiving agent MUST provide some certificate retrieval mechanism A receiving agent MUST provide some certificate retrieval mechanism
in order to gain access to certificates for recipients of digital in order to gain access to certificates for recipients of digital
envelopes. This specification does not cover how S/MIME agents envelopes. This specification does not cover how S/MIME agents
handle certificates, only what they do after a certificate has been handle certificates, only what they do after a certificate has been
validated or rejected. S/MIME certificate issues are covered in validated or rejected. S/MIME certificate issues are covered in
[RFC5750]. [RFC5750].
skipping to change at page 37, line 16 skipping to change at page 37, line 14
"store and protect" certificates for correspondents in such a way so "store and protect" certificates for correspondents in such a way so
as to guarantee their later retrieval. as to guarantee their later retrieval.
4.1. Key Pair Generation 4.1. Key Pair Generation
All generated key pairs MUST be generated from a good source of non- All generated key pairs MUST be generated from a good source of non-
deterministic random input [RFC4086] and the private key MUST be deterministic random input [RFC4086] and the private key MUST be
protected in a secure fashion. protected in a secure fashion.
An S/MIME user agent MUST NOT generate asymmetric keys less than 2048 An S/MIME user agent MUST NOT generate asymmetric keys less than 2048
bits for use with the RSA signature algorithm. bits for use with an RSA signature algorithm.
For 2048-bit through 4096-bit RSA with SHA-256 see [RFC5754] and For 2048-bit through 4096-bit RSA with SHA-256 see [RFC5754] and
[FIPS186-4]. The first reference provides the signature algorithm's [FIPS186-4]. The first reference provides the signature algorithm's
object identifier, and the second provides the signature algorithm's object identifier, and the second provides the signature algorithm's
definition. definition.
For RSASSA-PSS with SHA-256, see [RFC4056]. For RSAES-OAEP, see For RSASSA-PSS with SHA-256, see [RFC4056]. For RSAES-OAEP, see
[RFC3560]. [RFC3560].
4.2. Signature Generation 4.2. Signature Generation
The following are the requirements for an S/MIME agent generated RSA The following are the requirements for an S/MIME agent generated RSA
and RSASSA-PSS signatures: and RSASSA-PSS signatures:
key size <= 2047 : SHOULD NOT (see Historic Mail Considerations) key size <= 2047 : SHOULD NOT (Note 1)
2048 <= key size <= 4096 : SHOULD (see Security Considerations) 2048 <= key size <= 4096 : SHOULD (see Security Considerations)
4096 < key size : MAY (see Security Considerations) 4096 < key size : MAY (see Security Considerations)
Note 1: see Historical Mail Considerations in Section 6.
Note 2: see Security Considerations in Appendix B.
Key sizes for ECDSA and EdDSA are fixed by the curve. Key sizes for ECDSA and EdDSA are fixed by the curve.
4.3. Signature Verification 4.3. Signature Verification
The following are the requirements for S/MIME receiving agents during The following are the requirements for S/MIME receiving agents during
signature verification of RSA and RSASSA-PSS signatures: signature verification of RSA and RSASSA-PSS signatures:
key size <= 2047 : SHOULD NOT (see Historic Mail Considerations) key size <= 2047 : SHOULD NOT (Note 1)
2048 <= key size <= 4096 : MUST (see Security Considerations) 2048 <= key size <= 4096 : MUST (Note 2)
4096 < key size : MAY (see Security Considerations) 4096 < key size : MAY (Note 2)
Note 1: see Historical Mail Considerations in Section 6.
Note 2: see Security Considerations in Appendix B.
Key sizes for ECDSA and EdDSA are fixed by the curve. Key sizes for ECDSA and EdDSA are fixed by the curve.
4.4. Encryption 4.4. Encryption
The following are the requirements for an S/MIME agent when The following are the requirements for an S/MIME agent when
establishing keys for content encryption using the RSA, and RSA-OAEP establishing keys for content encryption using the RSA, and RSA-OAEP
algorithms: algorithms:
key size <= 2047 : SHOULD NOT (see Historic Mail Considerations) key size <= 2047 : SHOULD NOT (Note 1)
2048 <= key size <= 4096 : SHOULD (see Security Considerations) 2048 <= key size <= 4096 : SHOULD (Note 2)
4096 < key size : MAY (see Security Considerations) 4096 < key size : MAY (Note 2)
Note 1: see Historical Mail Considerations in Section 6.
Note 2: see Security Considerations in Appendix B.
Key sizes for ECDH are fixed by the curve. Key sizes for ECDH are fixed by the curve.
4.5. Decryption 4.5. Decryption
The following are the requirements for an S/MIME agent when The following are the requirements for an S/MIME agent when
establishing keys for content decryption using the RSA and RSAES-OAEP establishing keys for content decryption using the RSA and RSAES-OAEP
algorithms: algorithms:
key size <= 2047 : MAY (see Historic Mail Considerations) key size <= 2047 : MAY (Note 1)
2048 <= key size <= 4096 : MUST (see Security Considerations) 2048 <= key size <= 4096 : MUST (Note 2)
4096 < key size : MAY (see Security Considerations) 4096 < key size : MAY (Note 2)
Note 1: see Historical Mail Considerations in Section 6.
Note 2: see Security Considerations in Appendix B.
Key sizes for ECDH are fixed by the curve. Key sizes for ECDH are fixed by the curve.
5. IANA Considerations 5. IANA Considerations
The following information updates the media type registration for The following information updates the media type registration for
application/pkcs7-mime and application/pkcs7-signature to refer to application/pkcs7-mime and application/pkcs7-signature to refer to
this document as opposed to RFC 2311. this document as opposed to RFC 2311.
Note that other documents can define additional MIME media types for Note that other documents can define additional MIME media types for
skipping to change at page 39, line 28 skipping to change at page 39, line 28
Security Considerations: See Section 6 of this document Security Considerations: See Section 6 of this document
Interoperability Considerations: See Sections 1-6 of this document Interoperability Considerations: See Sections 1-6 of this document
Published Specification: RFC 2311, RFC 2633, and this document Published Specification: RFC 2311, RFC 2633, and this document
Applications that use this media type: Security applications Applications that use this media type: Security applications
Additional information: NONE Additional information: NONE
Person & email to contact for further information: Person & email to contact for further information: iesg@ietf.org
S/MIME working group chairs smime-chairs@ietf.org
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: NONE Restrictions on usage: NONE
Author: Sean Turner Author: Sean Turner
Change Controller: S/MIME working group delegated from the IESG Change Controller: S/MIME working group delegated from the IESG
5.2. Media Type for application/pkcs7-signature 5.2. Media Type for application/pkcs7-signature
skipping to change at page 40, line 24 skipping to change at page 40, line 24
Security Considerations: See Section 6 of this document Security Considerations: See Section 6 of this document
Interoperability Considerations: See Sections 1-6 of this document Interoperability Considerations: See Sections 1-6 of this document
Published Specification: RFC 2311, RFC 2633, and this document Published Specification: RFC 2311, RFC 2633, and this document
Applications that use this media type: Security applications Applications that use this media type: Security applications
Additional information: NONE Additional information: NONE
Person & email to contact for further information: Person & email to contact for further information: iesg@ietf.org
S/MIME working group chairs smime-chairs@ietf.org
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: NONE Restrictions on usage: NONE
Author: Sean Turner Author: Sean Turner
Change Controller: S/MIME working group delegated from the IESG Change Controller: S/MIME working group delegated from the IESG
5.3. Register authEnvelopedData smime-type 5.3. Register authEnveloped-data smime-type
IANA is required to register the following value in the "Parameter IANA is required to register the following value in the "Parameter
Values for the smime-type Parameter" registry. The values to be Values for the smime-type Parameter" registry. The values to be
registered are: registered are:
smime-type value: authEnvelopedData smime-type value: authEnveloped-data
Reference: [[This Document, Section 3.2.2]] Reference: [[This Document, Section 3.2.2]]
6. Security Considerations 6. Security Considerations
Cryptographic algorithms will be broken or weakened over time. Cryptographic algorithms will be broken or weakened over time.
Implementers and users need to check that the cryptographic Implementers and users need to check that the cryptographic
algorithms listed in this document continue to provide the expected algorithms listed in this document continue to provide the expected
level of security. The IETF from time to time may issue documents level of security. The IETF from time to time may issue documents
dealing with the current state of the art. For example: dealing with the current state of the art. For example:
skipping to change at page 41, line 29 skipping to change at page 41, line 29
software to estimate the actual cost of recovering an encrypted software to estimate the actual cost of recovering an encrypted
message content that is encrypted with a key of a particular size. message content that is encrypted with a key of a particular size.
Further, it is quite difficult to determine the cost of a failed Further, it is quite difficult to determine the cost of a failed
decryption if a recipient cannot process a message's content. Thus, decryption if a recipient cannot process a message's content. Thus,
choosing between different key sizes (or choosing whether to just use choosing between different key sizes (or choosing whether to just use
plaintext) is also impossible for most people or software. However, plaintext) is also impossible for most people or software. However,
decisions based on these criteria are made all the time, and decisions based on these criteria are made all the time, and
therefore this specification gives a framework for using those therefore this specification gives a framework for using those
estimates in choosing algorithms. estimates in choosing algorithms.
The choice of 2048 bits as the RSA asymmetric key size in this The choice of 2048 bits as an RSA asymmetric key size in this
specification is based on the desire to provide at least 100 bits of specification is based on the desire to provide at least 100 bits of
security. The key sizes that must be supported to conform to this security. The key sizes that must be supported to conform to this
specification seem appropriate for the Internet based on [RFC3766]. specification seem appropriate for the Internet based on [RFC3766].
Of course, there are environments, such as financial and medical Of course, there are environments, such as financial and medical
systems, that may select different key sizes. For this reason, an systems, that may select different key sizes. For this reason, an
implementation MAY support key sizes beyond those recommended in this implementation MAY support key sizes beyond those recommended in this
specification. specification.
Receiving agents that validate signatures and sending agents that Receiving agents that validate signatures and sending agents that
encrypt messages need to be cautious of cryptographic processing encrypt messages need to be cautious of cryptographic processing
skipping to change at page 42, line 37 skipping to change at page 42, line 37
used for digital signatures. used for digital signatures.
If a sending agent is sending the same message using different If a sending agent is sending the same message using different
strengths of cryptography, an attacker watching the communications strengths of cryptography, an attacker watching the communications
channel might be able to determine the contents of the strongly channel might be able to determine the contents of the strongly
encrypted message by decrypting the weakly encrypted version. In encrypted message by decrypting the weakly encrypted version. In
other words, a sender SHOULD NOT send a copy of a message using other words, a sender SHOULD NOT send a copy of a message using
weaker cryptography than they would use for the original of the weaker cryptography than they would use for the original of the
message. message.
Modification of the ciphertext can go undetected if authentication is Modification of the ciphertext in EnvelopedData can go undetected if
not also used, which is the case when sending EnvelopedData without authentication is not also used, which is the case when sending
wrapping it in SignedData or enclosing SignedData within it. This is EnvelopedData without wrapping it in SignedData or enclosing
one of the reasons for moving from EnvelopedData to AuthEnvelopedData SignedData within it. This is one of the reasons for moving from
as the authenticated encryption algorithms provide the authentication EnvelopedData to AuthEnvelopedData as the authenticated encryption
without needing the SignedData layer. algorithms provide the authentication without needing the SignedData
layer.
If an implementation is concerned about compliance with National If an implementation is concerned about compliance with National
Institute of Standards and Technology (NIST) key size Institute of Standards and Technology (NIST) key size
recommendations, then see [SP800-57]. recommendations, then see [SP800-57].
If messaging environments make use of the fact that a message is If messaging environments make use of the fact that a message is
signed to change the behavior of message processing (examples would signed to change the behavior of message processing (examples would
be running rules or UI display hints), without first verifying that be running rules or UI display hints), without first verifying that
the message is actually signed and knowing the state of the the message is actually signed and knowing the state of the
signature, this can lead to incorrect handling of the message. signature, this can lead to incorrect handling of the message.
skipping to change at page 43, line 37 skipping to change at page 43, line 38
- A direct path needs to exist from the starting key to the key used - A direct path needs to exist from the starting key to the key used
as the content encryption key (CEK) which guarantees that no third as the content encryption key (CEK) which guarantees that no third
party could have seen the resulting CEK. This means that one party could have seen the resulting CEK. This means that one
needs to be using an algorithm that is called a "Direct needs to be using an algorithm that is called a "Direct
Encryption" or a "Direct Key Agreement" algorithm in other Encryption" or a "Direct Key Agreement" algorithm in other
contexts. This means that the starting key is used directly as contexts. This means that the starting key is used directly as
the CEK key, or that the starting key is used to create a secret the CEK key, or that the starting key is used to create a secret
which then is transformed into the CEK via a KDF step. which then is transformed into the CEK via a KDF step.
S/MIME implementations almost universally use ephemeral-static rather S/MIME implementations almost universally use ephemeral-static rather
than static-static key agreement and do not use a pre-existing shared than static-static key agreement and do not use a shared secret for
secret when doing encryption, this means that the first precondition encryption, this means that the first precondition is not met. There
is not met. There is a document [RFC6278] which defined how to use is a document [RFC6278] which defined how to use static-static key
static-static key agreement with CMS so that is readably doable. agreement with CMS so that is readably doable. Currently, all S/MIME
Currently, all S/MIME key agreement methods derive a KEK and wrap a key agreement methods derive a KEK and wrap a CEK. This violates the
CEK. This violates the third precondition above. New key key third precondition above. New key agreement algorithms that directly
agreement algorithms that directly created the CEK without creating created the CEK without creating an intervening KEK would need to be
an intervening KEK would need to be defined. defined.
Even when all of the preconditions are met and origination of a Even when all of the preconditions are met and origination of a
message is established by the use of an authenticated encryption message is established by the use of an authenticated encryption
algorithm, users need to be aware that there is no way to prove this algorithm, users need to be aware that there is no way to prove this
to a third party. This is because either of the parties can to a third party. This is because either of the parties can
successfully create the message (or just alter the content) based on successfully create the message (or just alter the content) based on
the fact that the CEK is going to be known to both parties. Thus the the fact that the CEK is going to be known to both parties. Thus the
origination is always built on a presumption that "I did not send origination is always built on a presumption that "I did not send
this message to myself." this message to myself."
All of the authenticated encryption algorithms in this document use All of the authenticated encryption algorithms in this document use
counter mode for the encryption portion of the algorithm. This means counter mode for the encryption portion of the algorithm. This means
that the length of the plain text will always be known as the cipher that the length of the plain text will always be known as the cipher
text length and the plain text length are always the same. This text length and the plain text length are always the same. This
information can enable passive observers to infer information based information can enable passive observers to infer information based
solely on the length of the message. Applications for which this is solely on the length of the message. Applications for which this is
a significant problem need to provide some type of padding algorithm a concern need to provide some type of padding so that the length of
so that the length of the message does not provide this information. the message does not provide this information.
7. References 7. References
7.1. Normative References 7.1. Normative References
[ASN.1] "Information Technology - Abstract Syntax Notation [ASN.1] "Information Technology - Abstract Syntax Notation
(ASN.1)". (ASN.1)".
ASN.1 syntax consists of the following references [X.680], ASN.1 syntax consists of the following references [X.680],
[X.681], [X.682], and [X.683]. [X.681], [X.682], and [X.683].
skipping to change at page 45, line 13 skipping to change at page 45, line 13
cms-ecdh-new-curves-01 (work in progress), September 2016. cms-ecdh-new-curves-01 (work in progress), September 2016.
[I-D.ietf-curdle-cms-eddsa-signatures] [I-D.ietf-curdle-cms-eddsa-signatures]
Housley, R., "Use of EdDSA Signatures in the Cryptographic Housley, R., "Use of EdDSA Signatures in the Cryptographic
Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa- Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa-
signatures-03 (work in progress), January 2017. signatures-03 (work in progress), January 2017.
[I-D.ietf-lamps-rfc5750-bis] [I-D.ietf-lamps-rfc5750-bis]
Schaad, J., Ramsdell, B., and S. Turner, "Secure/ Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Multipurpose Internet Mail Extensions (S/ MIME) Version Multipurpose Internet Mail Extensions (S/ MIME) Version
4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-01 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-02
(work in progress), October 2016. (work in progress), February 2017.
[MIME-SPEC] [MIME-SPEC]
"MIME Message Specifications". "MIME Message Specifications".
This is the set of documents that define how to use MIME. This is the set of documents that define how to use MIME.
This set of documents is [RFC2045], [RFC2046], [RFC2047], This set of documents is [RFC2045], [RFC2046], [RFC2047],
[RFC2049], [RFC4288], and [RFC4289]. [RFC2049], [RFC4288], and [RFC4289].
[RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed, [RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed,
"Security Multiparts for MIME: Multipart/Signed and "Security Multiparts for MIME: Multipart/Signed and
skipping to change at page 57, line 26 skipping to change at page 57, line 26
A number of the members of the S/MIME Working Group have also worked A number of the members of the S/MIME Working Group have also worked
very hard and contributed to this document. Any list of people is very hard and contributed to this document. Any list of people is
doomed to omission, and for that I apologize. In alphabetical order, doomed to omission, and for that I apologize. In alphabetical order,
the following people stand out in my mind because they made direct the following people stand out in my mind because they made direct
contributions to various versions of this document: contributions to various versions of this document:
Tony Capel, Piers Chivers, Dave Crocker, Bill Flanigan, Peter Tony Capel, Piers Chivers, Dave Crocker, Bill Flanigan, Peter
Gutmann, Alfred Hoenes, Paul Hoffman, Russ Housley, William Ottaway, Gutmann, Alfred Hoenes, Paul Hoffman, Russ Housley, William Ottaway,
and John Pawling. and John Pawling.
The version 4 update to the S/MIME documents was done under the
auspices of the LAMPS Working Group.
Authors' Addresses Authors' Addresses
Jim Schaad Jim Schaad
August Cellars August Cellars
Email: ietf@augustcellars.com Email: ietf@augustcellars.com
Blake Ramsdell Blake Ramsdell
Brute Squad Labs, Inc. Brute Squad Labs, Inc.
 End of changes. 45 change blocks. 
139 lines changed or deleted 162 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/