draft-ietf-lamps-rfc5751-bis-04.txt   draft-ietf-lamps-rfc5751-bis-05.txt 
LAMPS J. Schaad LAMPS J. Schaad
Internet-Draft August Cellars Internet-Draft August Cellars
Obsoletes: RFC5751 (if approved) B. Ramsdell Obsoletes: 5751 (if approved) B. Ramsdell
Intended status: Standards Track Brute Squad Labs, Inc. Intended status: Standards Track Brute Squad Labs, Inc.
Expires: September 14, 2017 S. Turner Expires: October 9, 2017 S. Turner
sn3rd sn3rd
March 13, 2017 April 7, 2017
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
Message Specification Message Specification
draft-ietf-lamps-rfc5751-bis-04 draft-ietf-lamps-rfc5751-bis-05
Abstract Abstract
This document defines Secure/Multipurpose Internet Mail Extensions This document defines Secure/Multipurpose Internet Mail Extensions
(S/MIME) version 4.0. S/MIME provides a consistent way to send and (S/MIME) version 4.0. S/MIME provides a consistent way to send and
receive secure MIME data. Digital signatures provide authentication, receive secure MIME data. Digital signatures provide authentication,
message integrity, and non-repudiation with proof of origin. message integrity, and non-repudiation with proof of origin.
Encryption provides data confidentiality. Compression can be used to Encryption provides data confidentiality. Compression can be used to
reduce data size. This document obsoletes RFC 5751. reduce data size. This document obsoletes RFC 5751.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on October 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 43 skipping to change at page 3, line 43
4. Certificate Processing . . . . . . . . . . . . . . . . . . . 36 4. Certificate Processing . . . . . . . . . . . . . . . . . . . 36
4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37 4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37
4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37 4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37
4.3. Signature Verification . . . . . . . . . . . . . . . . . 37 4.3. Signature Verification . . . . . . . . . . . . . . . . . 37
4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38 4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38
4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38 4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38 5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38
5.2. Media Type for application/pkcs7-signature . . . . . . . 39 5.2. Media Type for application/pkcs7-signature . . . . . . . 39
5.3. Register authEnveloped-data smime-type . . . . . . . . . 40 5.3. Register authEnveloped-data smime-type . . . . . . . . . 40
6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 6. IANA Considertions . . . . . . . . . . . . . . . . . . . . . 40
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 7. Security Considerations . . . . . . . . . . . . . . . . . . . 41
7.1. Normative References . . . . . . . . . . . . . . . . . . 44 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
7.2. Informative References . . . . . . . . . . . . . . . . . 48 8.1. Normative References . . . . . . . . . . . . . . . . . . 44
8.2. Informative References . . . . . . . . . . . . . . . . . 48
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 51 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 51
Appendix B. Historic Mail Considerations . . . . . . . . . . . . 53 Appendix B. Historic Mail Considerations . . . . . . . . . . . . 53
B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54 B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54
B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54 B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54
B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56 B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56
B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56 B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56
Appendix C. Moving S/MIME v2 Message Specification to Historic Appendix C. Moving S/MIME v2 Message Specification to Historic
Status . . . . . . . . . . . . . . . . . . . . . . . 56 Status . . . . . . . . . . . . . . . . . . . . . . . 56
Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 57 Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 57
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
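Review bot: The new table-of-contents entry "6. IANA Considertions" is misspelled, and once corrected it duplicates the title of section 5, "IANA Considerations". Fix the spelling and either fold the new section into section 5 or give it a distinct title, so that two top-level sections do not share one name.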
skipping to change at page 9, line 24 skipping to change at page 9, line 24
Section 4: Updated reference to CERT v3.2. Section 4: Updated reference to CERT v3.2.
Section 4.1: Updated RSA and DSA key size discussion. Moved last Section 4.1: Updated RSA and DSA key size discussion. Moved last
four sentences to security considerations. Updated reference to four sentences to security considerations. Updated reference to
randomness requirements for security. randomness requirements for security.
Section 5: Added IANA registration templates to update media type Section 5: Added IANA registration templates to update media type
registry to point to this document as opposed to RFC 2311. registry to point to this document as opposed to RFC 2311.
Section 6: Updated security considerations. Section 7: Updated security considerations.
Section 7: Moved references from Appendix B to this section. Updated Section 7: Moved references from Appendix B to this section. Updated
references. Added informational references to SMIMEv2, SMIMEv3, and references. Added informational references to SMIMEv2, SMIMEv3, and
SMIMEv3.1. SMIMEv3.1.
Appendix C: Added Appendix C to move S/MIME v2 to Historic status. Appendix C: Added Appendix C to move S/MIME v2 to Historic status.
1.7. Changes for S/MIME v4.0 1.7. Changes for S/MIME v4.0
- Add the use of AuthEnvelopedData, including defining and - Add the use of AuthEnvelopedData, including defining and
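Review bot: The change-log entry for security considerations was renumbered to "Section 7", but the entry after it, "Section 7: Moved references from Appendix B to this section", was left unchanged, so the list now has two Section 7 entries. References are section 8 in this revision, so that entry should read "Section 8".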
skipping to change at page 32, line 38 skipping to change at page 32, line 38
The protocol parameter MUST be "application/pkcs7-signature". Note The protocol parameter MUST be "application/pkcs7-signature". Note
that quotation marks are required around the protocol parameter that quotation marks are required around the protocol parameter
because MIME requires that the "/" character in the parameter value because MIME requires that the "/" character in the parameter value
MUST be quoted. MUST be quoted.
The micalg parameter allows for one-pass processing when the The micalg parameter allows for one-pass processing when the
signature is being verified. The value of the micalg parameter is signature is being verified. The value of the micalg parameter is
dependent on the message digest algorithm(s) used in the calculation dependent on the message digest algorithm(s) used in the calculation
of the Message Integrity Check. If multiple message digest of the Message Integrity Check. If multiple message digest
algorithms are used, they MUST be separated by commas per [MIME- algorithms are used, they MUST be separated by commas per [RFC1847].
SECURE]. The values to be placed in the micalg parameter SHOULD be The values to be placed in the micalg parameter SHOULD be from the
from the following: following:
Algorithm Value Used Algorithm Value Used
MD5 md5 MD5 md5
SHA-1 sha-1 SHA-1 sha-1
SHA-224 sha-224 SHA-224 sha-224
SHA-256 sha-256 SHA-256 sha-256
SHA-384 sha-384 SHA-384 sha-384
SHA-512 sha-512 SHA-512 sha-512
Any other (defined separately in algorithm profile or "unknown" if Any other (defined separately in algorithm profile or "unknown" if
not defined) not defined)
skipping to change at page 40, line 44 skipping to change at page 40, line 44
5.3. Register authEnveloped-data smime-type 5.3. Register authEnveloped-data smime-type
IANA is required to register the following value in the "Parameter IANA is required to register the following value in the "Parameter
Values for the smime-type Parameter" registry. The values to be Values for the smime-type Parameter" registry. The values to be
registered are: registered are:
smime-type value: authEnveloped-data smime-type value: authEnveloped-data
Reference: [[This Document, Section 3.2.2]] Reference: [[This Document, Section 3.2.2]]
6. Security Considerations 6. IANA Considertions
This document has no new IANA considerations.
7. Security Considerations
Cryptographic algorithms will be broken or weakened over time. Cryptographic algorithms will be broken or weakened over time.
Implementers and users need to check that the cryptographic Implementers and users need to check that the cryptographic
algorithms listed in this document continue to provide the expected algorithms listed in this document continue to provide the expected
level of security. The IETF from time to time may issue documents level of security. The IETF from time to time may issue documents
dealing with the current state of the art. For example: dealing with the current state of the art. For example:
- The Million Message Attack described in RFC 3218 [RFC3218]. - The Million Message Attack described in RFC 3218 [RFC3218].
- The Diffie-Hellman "small-subgroup" attacks described in RFC 2785 - The Diffie-Hellman "small-subgroup" attacks described in RFC 2785
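Review bot: The new section 6 says "This document has no new IANA considerations." directly after section 5.3, which requires IANA to register the authEnveloped-data smime-type value, and section 5 already carries the IANA Considerations title. The heading is also misspelled ("Considertions"). Suggest dropping section 6 or rewording it so that it does not contradict 5.3, and correcting the spelling both here and in the table of contents.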
skipping to change at page 44, line 17 skipping to change at page 44, line 25
All of the authenticated encryption algorithms in this document use All of the authenticated encryption algorithms in this document use
counter mode for the encryption portion of the algorithm. This means counter mode for the encryption portion of the algorithm. This means
that the length of the plain text will always be known as the cipher that the length of the plain text will always be known as the cipher
text length and the plain text length are always the same. This text length and the plain text length are always the same. This
information can enable passive observers to infer information based information can enable passive observers to infer information based
solely on the length of the message. Applications for which this is solely on the length of the message. Applications for which this is
a concern need to provide some type of padding so that the length of a concern need to provide some type of padding so that the length of
the message does not provide this information. the message does not provide this information.
7. References 8. References
7.1. Normative References 8.1. Normative References
[ASN.1] "Information Technology - Abstract Syntax Notation [ASN.1] "Information Technology - Abstract Syntax Notation
(ASN.1)". (ASN.1)".
ASN.1 syntax consists of the following references [X.680], ASN.1 syntax consists of the following references [X.680],
[X.681], [X.682], and [X.683]. [X.681], [X.682], and [X.683].
[CHARSETS] [CHARSETS]
"Character sets assigned by IANA.", "Character sets assigned by IANA.",
<http://www.iana.org/assignments/character-sets.>. <http://www.iana.org/assignments/character-sets.>.
skipping to change at page 44, line 51 skipping to change at page 45, line 14
[FIPS186-4] [FIPS186-4]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS)", Federal Information "Digital Signature Standard (DSS)", Federal Information
Processing Standards Publication 186-4, July 2013. Processing Standards Publication 186-4, July 2013.
[I-D.ietf-curdle-cms-ecdh-new-curves] [I-D.ietf-curdle-cms-ecdh-new-curves]
Housley, R., "Use of the Elliptic Curve Diffie-Hellamn Key Housley, R., "Use of the Elliptic Curve Diffie-Hellamn Key
Agreement Algorithm with X25519 and X448 in the Agreement Algorithm with X25519 and X448 in the
Cryptographic Message Syntax (CMS)", draft-ietf-curdle- Cryptographic Message Syntax (CMS)", draft-ietf-curdle-
cms-ecdh-new-curves-01 (work in progress), September 2016. cms-ecdh-new-curves-02 (work in progress), March 2017.
[I-D.ietf-curdle-cms-eddsa-signatures]
Housley, R., "Use of EdDSA Signatures in the Cryptographic
Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa-
signatures-03 (work in progress), January 2017.
[I-D.ietf-lamps-rfc5750-bis] [I-D.ietf-lamps-rfc5750-bis]
Schaad, J., Ramsdell, B., and S. Turner, "Secure/ Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Multipurpose Internet Mail Extensions (S/ MIME) Version Multipurpose Internet Mail Extensions (S/ MIME) Version
4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-02 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-03
(work in progress), February 2017. (work in progress), March 2017.
[MIME-SPEC] [MIME-SPEC]
"MIME Message Specifications". "MIME Message Specifications".
This is the set of documents that define how to use MIME. This is the set of documents that define how to use MIME.
This set of documents is [RFC2045], [RFC2046], [RFC2047], This set of documents is [RFC2045], [RFC2046], [RFC2047],
[RFC2049], [RFC4288], and [RFC4289]. [RFC2049], [RFC4288], and [RFC4289].
[RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed, [RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed,
"Security Multiparts for MIME: Multipart/Signed and "Security Multiparts for MIME: Multipart/Signed and
skipping to change at page 48, line 14 skipping to change at page 48, line 22
[X.683] "Information Technology - Abstract Syntax Notation One [X.683] "Information Technology - Abstract Syntax Notation One
(ASN.1): Parameteriztion of ASN.1 specifications", (ASN.1): Parameteriztion of ASN.1 specifications",
ITU-T X.683, ISO/IEC 8824-4:2008, November 2008. ITU-T X.683, ISO/IEC 8824-4:2008, November 2008.
[X.690] "Information Technology - ASN.1 encoding rules: [X.690] "Information Technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER).", ITU-T X.690, ISO/IEC 8825-1:2002, July 2002. (DER).", ITU-T X.690, ISO/IEC 8825-1:2002, July 2002.
7.2. Informative References 8.2. Informative References
[FIPS186-2] [FIPS186-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS) [With Change Notice 1]", "Digital Signature Standard (DSS) [With Change Notice 1]",
Federal Information Processing Standards Federal Information Processing Standards
Publication 186-2, January 2000. Publication 186-2, January 2000.
[RFC2268] Rivest, R., "A Description of the RC2(r) Encryption [RFC2268] Rivest, R., "A Description of the RC2(r) Encryption
Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998, Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998,
<http://www.rfc-editor.org/info/rfc2268>. <http://www.rfc-editor.org/info/rfc2268>.
skipping to change at page 53, line 18 skipping to change at page 53, line 18
id-cap OBJECT IDENTIFIER ::= { id-smime 11 } id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside OID indicates an ability to receive -- The preferBinaryInside OID indicates an ability to receive
-- messages with binary encoding inside the CMS wrapper. -- messages with binary encoding inside the CMS wrapper.
-- The preferBinaryInside attribute's value field is ABSENT. -- The preferBinaryInside attribute's value field is ABSENT.
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list OIDs to be used with S/MIME V3 -- The following list OIDs to be used with S/MIME V3
-- Signature Algorithms Not Found in [CMSALG], [CMS-SHA2], [RSAPSS], -- Signature Algorithms Not Found in [RFC3370], [RFC5754], [RFC4056],
-- and [RSAOAEP] -- and [RFC3560]
-- --
-- md2WithRSAEncryption OBJECT IDENTIFIER ::= -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2} -- 2}
-- --
-- Other Signed Attributes -- Other Signed Attributes
-- --
-- signingTime OBJECT IDENTIFIER ::= -- signingTime OBJECT IDENTIFIER ::=
 End of changes. 15 change blocks. 
27 lines changed or deleted 27 lines changed or added
