draft-ietf-smime-3850bis-03.txt   draft-ietf-smime-3850bis-04.txt 
S/MIME WG Blake Ramsdell, SendMail S/MIME WG Blake Ramsdell, SendMail
Internet Draft Sean Turner, IECA Internet Draft Sean Turner, IECA
Intended Status: Standard Track June 3, 2008 Intended Status: Standard Track June 30, 2008
Obsoletes: 3850 (once approved) Obsoletes: 3850 (once approved)
Expires: December 3, 2008 Expires: December 30, 2008
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2
Certificate Handling Certificate Handling
draft-ietf-smime-3850bis-03.txt draft-ietf-smime-3850bis-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on December 3, 2008. This Internet-Draft will expire on December 30, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document specifies conventions for X.509 certificate usage by This document specifies conventions for X.509 certificate usage by
Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME
provides a method to send and receive secure MIME messages, and provides a method to send and receive secure MIME messages, and
certificates are an integral part of S/MIME agent processing. S/MIME certificates are an integral part of S/MIME agent processing. S/MIME
agents validate certificates as described in RFC 3280bis, the agents validate certificates as described in RFC 5280, the Internet
Internet X.509 Public Key Infrastructure Certificate and CRL Profile. X.509 Public Key Infrastructure Certificate and CRL Profile. S/MIME
S/MIME agents must meet the certificate processing requirements in agents must meet the certificate processing requirements in this
this document as well as those in RFC 3280bis. This document document as well as those in RFC 5280. This document obsoletes RFC
obsoletes RFC 3850. 3850.
Discussion Discussion
This draft is being discussed on the 'ietf-smime' mailing list. To This draft is being discussed on the 'ietf-smime' mailing list. To
subscribe, send a message to ietf-smime-request@imc.org with the subscribe, send a message to ietf-smime-request@imc.org with the
single word subscribe in the body of the message. There is a Web site single word subscribe in the body of the message. There is a Web site
for the mailing list at <http://www.imc.org/ietf-smime/>. for the mailing list at <http://www.imc.org/ietf-smime/>.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
1.1. Definitions...............................................3 1.1. Definitions...............................................3
1.2. Conventions used in this document.........................4 1.2. Conventions used in this document.........................4
1.3. Compatibility with Prior Practice S/MIME..................4 1.3. Compatibility with Prior Practice S/MIME..................4
1.4. Changes Since S/MIME V3.1 (RFC 3850)......................4 1.4. Changes Since S/MIME v3.1.................................4
2. CMS Options....................................................5 2. CMS Options....................................................5
2.1. Certificate Revocation Lists..............................5 2.1. Certificate Revocation Lists..............................5
2.2. Certificate Choices.......................................5 2.2. Certificate Choices.......................................5
2.2.1. Historical Note About CMS Certificates...............5
2.3. CertificateSet............................................6 2.3. CertificateSet............................................6
3. Using Distinguished Names For Internet Mail....................7 3. Using Distinguished Names For Internet Mail....................7
4. Certificate Processing.........................................8 4. Certificate Processing.........................................8
4.1. Certificate Revocation Lists..............................9 4.1. Certificate Revocation Lists..............................9
4.2. Certificate Path Validation...............................9 4.2. Certificate Path Validation...............................9
4.3. Certificate and CRL Signing Algorithms and Key Sizes.....10 4.3. Certificate and CRL Signing Algorithms and Key Sizes.....10
4.4. PKIX Certificate Extensions..............................11 4.4. PKIX Certificate Extensions..............................11
4.4.1. Basic Constraints...................................11
4.4.2. Key Usage Certificate Extension.....................12
4.4.3. Subject Alternative Name............................12
4.4.4. Extended Key Usage Extension........................12
5. IANA Considerations...........................................13 5. IANA Considerations...........................................13
6. Security Considerations.......................................13 6. Security Considerations.......................................13
Appendix A. References...........................................15 7. References....................................................14
A.1. Normative References.....................................15 7.1. Normative References.....................................14
A.2. Informative References...................................16 7.2. Informative References...................................15
Appendix B. Acknowledgements.....................................17 Appendix A. Moving S/MIME v2 Certificate Handling to Historic
Status...............................................18
Appendix B. Acknowledgements.....................................19
1. Introduction 1. Introduction
S/MIME (Secure/Multipurpose Internet Mail Extensions), described in S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
[SMIME-MSG], provides a method to send and receive secure MIME [SMIME-MSG], provides a method to send and receive secure MIME
messages. Before using a public key to provide security services, messages. Before using a public key to provide security services,
the S/MIME agent MUST verify that the public key is valid. S/MIME the S/MIME agent MUST verify that the public key is valid. S/MIME
agents MUST use PKIX certificates to validate public keys as agents MUST use PKIX certificates to validate public keys as
described in the Internet X.509 Public Key Infrastructure (PKIX) described in the Internet X.509 Public Key Infrastructure (PKIX)
Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the
skipping to change at page 4, line 35 skipping to change at page 4, line 32
expect that this requirement will no longer be a MUST in a future expect that this requirement will no longer be a MUST in a future
document. Although its status will be determined at a later document. Although its status will be determined at a later
time, it is reasonable to expect that if a future revision of a time, it is reasonable to expect that if a future revision of a
document alters the status of a MUST- requirement, it will remain document alters the status of a MUST- requirement, it will remain
at least a SHOULD or a SHOULD-. at least a SHOULD or a SHOULD-.
1.3. Compatibility with Prior Practice S/MIME 1.3. Compatibility with Prior Practice S/MIME
S/MIME version 3.2 agents should attempt to have the greatest S/MIME version 3.2 agents should attempt to have the greatest
interoperability possible with agents for prior versions of S/MIME. interoperability possible with agents for prior versions of S/MIME.
S/MIME version 2 is described in RFC 2311 through RFC 2315, inclusive S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive
S/MIME version 3 is described in RFC 2630 through RFC 2634 inclusive, [SMIMEv2], S/MIME version 3 is described in RFC 2630 through RFC 2634
and S/MIME version 3.1 is described in RFC 3850 through 3851 inclusive [SMIMEv3], and S/MIME version 3.1 is described in RFC 3850
inclusive and RFC 2634. RFC 2311 also has historical information through RFC 3852 and RFC 2634 [SMIMEv3.1]. RFC 2311 also has
about the development of S/MIME. historical information about the development of S/MIME.
1.4. Changes Since S/MIME V3.1 (RFC 3850) 1.4. Changes Since S/MIME v3.1
Conventions Used in This Document: Moved to section 1.2. Added Conventions Used in This Document: Moved to section 1.2. Added
definitions for SHOULD+, SHOULD-, and MUST-. definitions for SHOULD+, SHOULD-, and MUST-.
Sec 1.2: Added text about v3.1 RFCs. Sec 1.3: Added text about v3.1 RFCs.
Sec 3: Updated note to indicate emailAddress IA5String upper bound is Sec 3: Updated note to indicate emailAddress IA5String upper bound is
255 characters. 255 characters.
Sec 4.3: RSA with SHA-256 (PKCS #1 v1.5) added as MUST, RSA with SHA- Sec 4.3: RSA with SHA-256 (PKCS #1 v1.5) added as MUST, RSA with SHA-
1 changed to MUST-, DSA with SHA-1, and RSA with MD5 changed to 1 changed to MUST-, DSA with SHA-1, and RSA with MD5 changed to
SHOULD-, and RSA-PS with SHA-256. Updated key sizes. SHOULD-, and RSA-PSS with SHA-256. Updated key sizes.
Sec A.1: Updated references to latest versions of PKIX profile and Sec 7: Moved references from Appendix B to this section. Updated
S/MIME Message Specification. references to latest versions of PKIX profile and S/MIME Message
Specification. Changed reference from KEYMALG to KEYM.
Sec A.1: Changed reference from KEYMALG to KEYM. App A: Added Appendix B to move S/MIME v2 Certificate Handling to
Historic Status.
2. CMS Options 2. CMS Options
The CMS message format allows for a wide variety of options in The CMS message format allows for a wide variety of options in
content and algorithm support. This section puts forth a number of content and algorithm support. This section puts forth a number of
support requirements and recommendations in order to achieve a base support requirements and recommendations in order to achieve a base
level of interoperability among all S/MIME implementations. Most of level of interoperability among all S/MIME implementations. Most of
the CMS format for S/MIME messages is defined in [SMIME-MSG]. the CMS format for S/MIME messages is defined in [SMIME-MSG].
2.1. Certificate Revocation Lists 2.1. Certificate Revocation Lists
skipping to change at page 8, line 26 skipping to change at page 8, line 26
A receiving agent needs to provide some certificate retrieval A receiving agent needs to provide some certificate retrieval
mechanism in order to gain access to certificates for recipients of mechanism in order to gain access to certificates for recipients of
digital envelopes. There are many ways to implement certificate digital envelopes. There are many ways to implement certificate
retrieval mechanisms. X.500 directory service is an excellent retrieval mechanisms. X.500 directory service is an excellent
example of a certificate retrieval-only mechanism that is compatible example of a certificate retrieval-only mechanism that is compatible
with classic X.500 Distinguished Names. Another method under with classic X.500 Distinguished Names. Another method under
consideration by the IETF is to provide certificate retrieval consideration by the IETF is to provide certificate retrieval
services as part of the existing Domain Name System (DNS). Until services as part of the existing Domain Name System (DNS). Until
such mechanisms are widely used, their utility may be limited by the such mechanisms are widely used, their utility may be limited by the
small number of correspondent's certificates that can be retrieved. small number of the correspondent's certificates that can be
At a minimum, for initial S/MIME deployment, a user agent could retrieved. At a minimum, for initial S/MIME deployment, a user agent
automatically generate a message to an intended recipient requesting could automatically generate a message to an intended recipient
that recipient's certificate in a signed return message. requesting the recipient's certificate in a signed return message.
Receiving and sending agents SHOULD also provide a mechanism to allow Receiving and sending agents SHOULD also provide a mechanism to allow
a user to "store and protect" certificates for correspondents in such a user to "store and protect" certificates for correspondents in such
a way so as to guarantee their later retrieval. In many a way so as to guarantee their later retrieval. In many
environments, it may be desirable to link the certificate environments, it may be desirable to link the certificate
retrieval/storage mechanisms together in some sort of certificate retrieval/storage mechanisms together in some sort of certificate
database. In its simplest form, a certificate database would be database. In its simplest form, a certificate database would be
local to a particular user and would function in a similar way as an local to a particular user and would function in a similar way as an
"address book" that stores a user's frequent correspondents. In this "address book" that stores a user's frequent correspondents. In this
way, the certificate retrieval mechanism would be limited to the way, the certificate retrieval mechanism would be limited to the
skipping to change at page 10, line 31 skipping to change at page 10, line 31
- MUST support RSA with SHA-256, as specified in [CMS-SHA2] - MUST support RSA with SHA-256, as specified in [CMS-SHA2]
- MUST- support RSA with SHA-1, as specified in [CMSALG] - MUST- support RSA with SHA-1, as specified in [CMSALG]
- SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS] - SHOULD+ support RSA-PSS with SHA-256, as specified in [RSAPSS]
- SHOULD- support DSA with SHA-1, as specified in [CMSALG]. - SHOULD- support DSA with SHA-1, as specified in [CMSALG].
- SHOULD- support RSA with MD5, as specified in [CMSALG]. - SHOULD- support RSA with MD5, as specified in [CMSALG].
The following RSA and DSA key size requirements for S/MIME receiving The following are the RSA and DSA key size requirements for S/MIME
agents during certificate and CRL signature verification: receiving agents during certificate and CRL signature verification:
0 < key size < 512 : MAY (see Section 6) 0 < key size < 512 : MAY (see Section 6)
512 <= key size <= 2048 : MUST (see Section 6) 512 <= key size <= 2048 : MUST (see Section 6)
2048 < key size <= 4096 : MAY (see Section 6) 2048 < key size <= 4096 : MAY (see Section 6)
4.4. PKIX Certificate Extensions 4.4. PKIX Certificate Extensions
PKIX describes an extensible framework in which the basic certificate PKIX describes an extensible framework in which the basic certificate
information can be extended and how such extensions can be used to information can be extended and describes how such extensions can be
control the process of issuing and validating certificates. The PKIX used to control the process of issuing and validating certificates.
Working Group has ongoing efforts to identify and create extensions The PKIX Working Group has ongoing efforts to identify and create
which have value in particular certification environments. Further, extensions which have value in particular certification environments.
there are active efforts underway to issue PKIX certificates for Further, there are active efforts underway to issue PKIX certificates
business purposes. This document identifies the minimum required set for business purposes. This document identifies the minimum required
of certificate extensions which have the greatest value in the S/MIME set of certificate extensions which have the greatest value in the
environment. The syntax and semantics of all the identified S/MIME environment. The syntax and semantics of all the identified
extensions are defined in [KEYM]. extensions are defined in [KEYM].
Sending and receiving agents MUST correctly handle the basic Sending and receiving agents MUST correctly handle the basic
constraints, key usage, authority key identifier, subject key constraints, key usage, authority key identifier, subject key
identifier, and subject alternative names certificate extensions when identifier, and subject alternative names certificate extensions when
they appear in end-entity and CA certificates. Some mechanism SHOULD they appear in end-entity and CA certificates. Some mechanism SHOULD
exist to gracefully handle other certificate extensions when they exist to gracefully handle other certificate extensions when they
appear in end-entity or CA certificates. appear in end-entity or CA certificates.
Certificates issued for the S/MIME environment SHOULD NOT contain any Certificates issued for the S/MIME environment SHOULD NOT contain any
skipping to change at page 11, line 46 skipping to change at page 11, line 46
4.4.1. Basic Constraints 4.4.1. Basic Constraints
The basic constraints extension serves to delimit the role and The basic constraints extension serves to delimit the role and
position that an issuing authority or end-entity certificate plays in position that an issuing authority or end-entity certificate plays in
a certification path. a certification path.
For example, certificates issued to CAs and subordinate CAs contain a For example, certificates issued to CAs and subordinate CAs contain a
basic constraint extension that identifies them as issuing authority basic constraint extension that identifies them as issuing authority
certificates. End-entity certificates contain an extension that certificates. End-entity certificates contain an extension that
constrains the certificate from being an issuing authority constrains the certificate from being an issuing authority
certificate. certificate (see Section 4.4.2).
Certificates SHOULD contain a basicConstraints extension in CA Certificates SHOULD contain a basicConstraints extension in CA
certificates, and SHOULD NOT contain that extension in end entity certificates, and SHOULD NOT contain that extension in end entity
certificates. certificates.
4.4.2. Key Usage Certificate Extension 4.4.2. Key Usage Certificate Extension
The key usage extension serves to limit the technical purposes for The key usage extension serves to limit the technical purposes for
which a public key listed in a valid certificate may be used. Issuing which a public key listed in a valid certificate may be used. Issuing
authority certificates may contain a key usage extension that authority certificates may contain a key usage extension that
skipping to change at page 14, line 22 skipping to change at page 14, line 22
There are certainly other instances where a certificate may be There are certainly other instances where a certificate may be
invalid, and it is the responsibility of the processing software to invalid, and it is the responsibility of the processing software to
check them all thoroughly, and to decide what to do if the check check them all thoroughly, and to decide what to do if the check
fails. fails.
It is possible for there to be multiple unexpired CRLs for a CA. If It is possible for there to be multiple unexpired CRLs for a CA. If
an agent is consulting CRLs for certificate validation, it SHOULD an agent is consulting CRLs for certificate validation, it SHOULD
make sure that the most recently issued CRL for that CA is consulted, make sure that the most recently issued CRL for that CA is consulted,
since an S/MIME message sender could deliberately include an older since an S/MIME message sender could deliberately include an older
unexpired CRL in an S/MIME message. This older CRL might not include unexpired CRL in an S/MIME message. This older CRL might not include
recent revoked certificates, which might lead an agent to accept a recently revoked certificates, which might lead an agent to accept a
certificate that has been revoked in a subsequent CRL. certificate that has been revoked in a subsequent CRL.
When determining the time for a certificate validity check, agents When determining the time for a certificate validity check, agents
have to be careful to use a reliable time. Unless it is from a have to be careful to use a reliable time. Unless it is from a
trusted agent, this time MUST NOT be the SigningTime attribute found trusted agent, this time MUST NOT be the SigningTime attribute found
in an S/MIME message. For most sending agents, the SigningTime in an S/MIME message. For most sending agents, the SigningTime
attribute could be deliberately set to direct the receiving agent to attribute could be deliberately set to direct the receiving agent to
check a CRL that could have out-of-date revocation status for a check a CRL that could have out-of-date revocation status for a
certificate, or cause an improper result when checking the Validity certificate, or cause an improper result when checking the Validity
field of a certificate. field of a certificate.
Appendix A. References 7. References
A.1. Normative References 7.1. Normative References
[ACAUTH] Farrell, S. and R. Housley, "An Internet Attribute [ACAUTH] Farrell, S. and R. Housley, "An Internet Attribute
Certificate Profile for Authorization", RFC 3281, April Certificate Profile for Authorization", RFC 3281, April
2002. 2002.
[CMS] Housely, R., "Cryptographic Message Syntax (CMS)", RFC [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004. 3852, July 2004.
Housley, R., "Cryptographic Message Syntax (CMS) Housley, R., "Cryptographic Message Syntax (CMS)
Multiple Signer Clarification", RFC 4852, April 2007. Multiple Signer Clarification", RFC 4852, April 2007.
[CMSALG] Housley, R., "Cryptographic Message Syntax (CMS) [CMSALG] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002. Algorithms", RFC 3370, August 2002.
[CMS-SHA2] Turner. S., "Using SHA2 Algorithms with Cryptographic [CMS-SHA2] Turner. S., "Using SHA2 Algorithms with Cryptographic
Message Syntax", work in progress. Message Syntax", work in progress.
skipping to change at page 15, line 47 skipping to change at page 15, line 30
[IMF] Resnick, P., "Internet Message Format", work-in- [IMF] Resnick, P., "Internet Message Format", work-in-
progress. progress.
[RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in [RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in
Cryptographic Message Syntax (CMS)", RFC 4056, June Cryptographic Message Syntax (CMS)", RFC 4056, June
2005. 2005.
[SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2 [SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2
Message Specification", work in progress. Message Specification", work in progress.
[X.208-88] ITU-T. Recommendation X.208: Specification of Abstract [X.208-88] ITU-T Recommendation X.208 (1988) | ISO/IEC ISO/IEC
Syntax Notation One (ASN.1). 1988. 8824-1:1988. Specification of Abstract Syntax Notation
One (ASN.1).
A.2. Informative References 7.2. Informative References
[PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax [PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax
Standard", November 1993. Standard", November 1993.
[RC95] Rogier, N. and Chauvaud, P., "The compression function
of MD2 is not collision free," Presented at Selected
Areas in Cryptography '95, May 1995.
[SECLABEL] Nicolls, W., "Implementing Company Classification [SECLABEL] Nicolls, W., "Implementing Company Classification
Policy with the S/MIME Security Label", RFC 3114, May Policy with the S/MIME Security Label", RFC 3114, May
2002. 2002.
[SMIMEv2] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and
L. Repka, "S/MIME Version 2 Message Specification", RFC
2311, March 1998.
Dusse, S., Hoffman, P., Ramsdell, B., and J. Weinstein,
"S/MIME Version 2 Certificate Handling", RFC 2312,
March 1998.
Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC
2313, March 1998.
Kaliski, B., "PKCS #10: Certificate Request Syntax
Version 1.5", RFC 2314, March 1998.
Kaliski, B., "PKCS #7: Certificate Message Syntax
Version 1.5", RFC 2314, March 1998.
[SMIMEv3] Housley, R., "Cryptographic Message Syntax", RFC 2630,
June 1999.
Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, June 1999.
Ramsdell, B., "S/MIME Version 3 Certificate Handling",
RFC 2632, June 1999.
Ramsdell, B., "S/MIME Version 3 Message Specification",
RFC 2633, June 1999.
Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999.
[SMIMEv3.1] Housley, R., "Cryptographic Message Syntax", RFC 3852,
July 2004.
Ramsdell, B., "S/MIME Version 3.1 Certificate
Handling", RFC 3850, July 2004.
Ramsdell, B., "S/MIME Version 3.1 Message
Specification", RFC 3851, July 2004.
Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999.
[X.500] ITU-T Recommendation X.500 (1997) | ISO/IEC 9594- [X.500] ITU-T Recommendation X.500 (1997) | ISO/IEC 9594-
1:1997, Information technology - Open Systems 1:1997, Information technology - Open Systems
Interconnection - The Directory: Overview of concepts, Interconnection - The Directory: Overview of concepts,
models and services. models and services.
[X.501] ITU-T Recommendation X.501 (1997) | ISO/IEC 9594- [X.501] ITU-T Recommendation X.501 (1997) | ISO/IEC 9594-
2:1997, Information technology - Open Systems 2:1997, Information technology - Open Systems
Interconnection - The Directory: Models. Interconnection - The Directory: Models.
[X.509] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594- [X.509] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-
8:1997, Information technology - Open Systems 8:1997, Information technology - Open Systems
Interconnection - The Directory: Authentication Interconnection - The Directory: Authentication
framework. Framework.
[X.520] ITU-T Recommendation X.520 (1997) | ISO/IEC 9594- [X.520] ITU-T Recommendation X.520 (1997) | ISO/IEC 9594-
6:1997, Information technology - Open Systems 6:1997, Information technology - Open Systems
Interconnection - The Directory: Selected attribute Interconnection - The Directory: Selected Attribute
types. Types.
Appendix A. Moving S/MIME v2 Certificate Handling to Historic Status
The S/MIME v3 [SMIMEv3], v3.1 [SMIMEv3.1], and v3.2 (this document)
Certificate Handling documents are backwards S/MIME v2 Message
Specification RFC 2312 [SMIMEv2], with the exception of the
algorithms (dropped RC2/40 requirement and added DSA and RSA-PSS
requirements). Therefore, it is recommended that RFC 2312 [SMIMEv2]
be moved to Historic status.
Appendix B. Acknowledgements Appendix B. Acknowledgements
Many thanks go out to the other authors of the S/MIME v2 RFC: Steve Many thanks go out to the other authors of the S/MIME v2 RFC: Steve
Dusse, Paul Hoffman and Jeff Weinstein. Without v2, there wouldn't Dusse, Paul Hoffman and Jeff Weinstein. Without v2, there wouldn't
be a v3. be a v3, v3.1 or v3.2.
A number of the members of the S/MIME Working Group have also worked A number of the members of the S/MIME Working Group have also worked
very hard and contributed to v3 of this document. Any list of people very hard and contributed to this document. Any list of people is
is doomed to omission and for that I apologize. In alphabetical doomed to omission and for that I apologize. In alphabetical order,
order, the following people stand out in my mind due to the fact that the following people stand out in my mind due to the fact that they
they made direct contributions to this document. made direct contributions to this document.
Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Paul Hoffman, Russ Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Paul Hoffman, Russ
Housley, David P. Kemp, Michael Myers, John Pawling, Denis Pinkas, Housley, David P. Kemp, Michael Myers, John Pawling, Denis Pinkas,
and Jim Schaad. Jim Schaad, and Alfred Hoenes.
Author's Addresses Author's Addresses
Blake Ramsdell Blake Ramsdell
SendMail SendMail
Email: blake@sendmail.com Email: blake@sendmail.com
Sean Turner Sean Turner
 End of changes. 32 change blocks. 
65 lines changed or deleted 114 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/