draft-ietf-smime-3850bis-01.txt   draft-ietf-smime-3850bis-02.txt 
S/MIME WG Blake Ramsdell, SendMail S/MIME WG Blake Ramsdell, SendMail
Internet Draft Sean Turner, IECA Internet Draft Sean Turner, IECA
Intended Status: Standard Track February 21, 2008 Intended Status: Standard Track May 12, 2008
Obsoletes: 3850 (once approved) Obsoletes: 3850 (once approved)
Expires: August 21, 2008 Expires: November 12, 2008
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2
Certificate Handling Certificate Handling
draft-ietf-smime-3850bis-01.txt draft-ietf-smime-3850bis-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on August 21, 2008. This Internet-Draft will expire on November 12, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document specifies conventions for X.509 certificate usage by This document specifies conventions for X.509 certificate usage by
Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME
provides a method to send and receive secure MIME messages, and provides a method to send and receive secure MIME messages, and
skipping to change at page 2, line 49 skipping to change at page 3, line 14
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Definitions...............................................3 1.1. Definitions...............................................3
1.2. Compatibility with Prior Practice S/MIME..................4 1.2. Compatibility with Prior Practice S/MIME..................4
1.3. Changes Since S/MIME V3.1 (RFC 3850)......................4 1.3. Changes Since S/MIME V3.1 (RFC 3850)......................4
2. CMS Options....................................................5 2. CMS Options....................................................5
2.1. Certificate Revocation Lists..............................5 2.1. Certificate Revocation Lists..............................5
2.2. Certificate Choices.......................................5 2.2. Certificate Choices.......................................5
2.2.1. Historical Note About CMS Certificates...............5 2.2.1. Historical Note About CMS Certificates...............6
2.3. CertificateSet............................................6 2.3. CertificateSet............................................6
3. Using Distinguished Names For Internet Mail....................7 3. Using Distinguished Names For Internet Mail....................7
4. Certificate Processing.........................................8 4. Certificate Processing.........................................8
4.1. Certificate Revocation Lists..............................9 4.1. Certificate Revocation Lists..............................9
4.2. Certificate Path Validation...............................9 4.2. Certificate Path Validation...............................9
4.3. Certificate and CRL Signing Algorithms...................10 4.3. Certificate and CRL Signing Algorithms...................10
4.4. PKIX Certificate Extensions..............................10 4.4. PKIX Certificate Extensions..............................10
4.4.1. Basic Constraints...................................11 4.4.1. Basic Constraints...................................11
4.4.2. Key Usage Certificate Extension.....................11 4.4.2. Key Usage Certificate Extension.....................11
4.4.3. Subject Alternative Name............................12 4.4.3. Subject Alternative Name............................12
4.4.4. Extended Key Usage Extension........................12 4.4.4. Extended Key Usage Extension........................12
5. IANA Considerations...........................................12 5. IANA Considerations...........................................13
6. Security Considerations.......................................13 6. Security Considerations.......................................13
1. Introduction 1. Introduction
S/MIME (Secure/Multipurpose Internet Mail Extensions), described in S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
[SMIME-MSG], provides a method to send and receive secure MIME [SMIME-MSG], provides a method to send and receive secure MIME
messages. Before using a public key to provide security services, messages. Before using a public key to provide security services,
the S/MIME agent MUST verify that the public key is valid. S/MIME the S/MIME agent MUST verify that the public key is valid. S/MIME
agents MUST use PKIX certificates to validate public keys as agents MUST use PKIX certificates to validate public keys as
described in the Internet X.509 Public Key Infrastructure (PKIX) described in the Internet X.509 Public Key Infrastructure (PKIX)
skipping to change at page 10, line 31 skipping to change at page 10, line 38
- MUST support RSA with SHA-256, as specified in [CMS-SHA2] - MUST support RSA with SHA-256, as specified in [CMS-SHA2]
- MUST- support RSA with SHA-1, as specified in [CMSALG] - MUST- support RSA with SHA-1, as specified in [CMSALG]
- SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS] - SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS]
- SHOULD- support DSA with SHA-1, as specified in [CMSALG]. - SHOULD- support DSA with SHA-1, as specified in [CMSALG].
- SHOULD- support RSA with MD5, as specified in [CMSALG]. - SHOULD- support RSA with MD5, as specified in [CMSALG].
Key sizes from 1024 bits to 2048 bits MUST be supported. A receiving agent MUST be capable of verifying the signatures on
certificates and CRLs with key sizes from 512 bits to 2048 bits.
4.4. PKIX Certificate Extensions 4.4. PKIX Certificate Extensions
PKIX describes an extensible framework in which the basic certificate PKIX describes an extensible framework in which the basic certificate
information can be extended and how such extensions can be used to information can be extended and how such extensions can be used to
control the process of issuing and validating certificates. The PKIX control the process of issuing and validating certificates. The PKIX
Working Group has ongoing efforts to identify and create extensions Working Group has ongoing efforts to identify and create extensions
which have value in particular certification environments. Further, which have value in particular certification environments. Further,
there are active efforts underway to issue PKIX certificates for there are active efforts underway to issue PKIX certificates for
business purposes. This document identifies the minimum required set business purposes. This document identifies the minimum required set
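Review bot: the rewritten key-size sentence in the right column (replacing "Key sizes from 1024 bits to 2048 bits MUST be supported") lowers the floor a receiving agent must verify from 1024 to 512 bits without saying why, and it no longer states any size requirement for the keys that CAs or sending agents use. A 512-bit RSA modulus has been publicly factored, so the text should make clear that 512-bit verification is required only for interoperability with legacy certificates and CRLs and is not an endorsement of issuing such keys, and Section 6 (Security Considerations) should say what a receiving agent is expected to do, such as warning the user or applying local policy, when a certification path contains a key at the bottom of that range. The sentence also does not say which algorithms the 512 to 2048 bit range applies to; since the list above covers RSA, RSA-PSS and DSA, and DSA parameter sizes are specified separately, naming the algorithms would remove the ambiguity.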
skipping to change at page 17, line 19 skipping to change at page 17, line 19
be a v3. be a v3.
A number of the members of the S/MIME Working Group have also worked A number of the members of the S/MIME Working Group have also worked
very hard and contributed to v3 of this document. Any list of people very hard and contributed to v3 of this document. Any list of people
is doomed to omission and for that I apologize. In alphabetical is doomed to omission and for that I apologize. In alphabetical
order, the following people stand out in my mind due to the fact that order, the following people stand out in my mind due to the fact that
they made direct contributions to this document. they made direct contributions to this document.
Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Paul Hoffman, Russ Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Paul Hoffman, Russ
Housley, David P. Kemp, Michael Myers, John Pawling, Denis Pinkas, Housley, David P. Kemp, Michael Myers, John Pawling, Denis Pinkas,
Jim Schaad. and Jim Schaad.
Author's Addresses Author's Addresses
Blake Ramsdell Blake Ramsdell
SendMail SendMail
Email: ramsdell@sendmail.com Email: blake@sendmail.com
Sean Turner Sean Turner
IECA, Inc. IECA, Inc.
3057 Nutley Street, Suite 106 3057 Nutley Street, Suite 106
Fairfax, VA 22031 Fairfax, VA 22031
USA USA
Email: turners@ieca.com Email: turners@ieca.com

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/