draft-ietf-smime-3850bis-06.txt   draft-ietf-smime-3850bis-07.txt 
S/MIME WG Blake Ramsdell, Brute Squad Labs S/MIME WG Blake Ramsdell, Brute Squad Labs
Internet Draft Sean Turner, IECA Internet Draft Sean Turner, IECA
Intended Status: Standard Track September 18, 2008 Intended Status: Standard Track September 24, 2008
Obsoletes: 3850 (once approved) Obsoletes: 3850 (once approved)
Expires: March 18, 2009 Expires: March 24, 2009
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2
Certificate Handling Certificate Handling
draft-ietf-smime-3850bis-06.txt draft-ietf-smime-3850bis-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on March 18, 2008. This Internet-Draft will expire on March 24, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document specifies conventions for X.509 certificate usage by This document specifies conventions for X.509 certificate usage by
Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME
provides a method to send and receive secure MIME messages, and provides a method to send and receive secure MIME messages, and
skipping to change at page 2, line 42 skipping to change at page 2, line 42
4.1. Certificate Revocation Lists.............................10 4.1. Certificate Revocation Lists.............................10
4.2. Certificate Path Validation..............................10 4.2. Certificate Path Validation..............................10
4.3. Certificate and CRL Signing Algorithms and Key Sizes.....11 4.3. Certificate and CRL Signing Algorithms and Key Sizes.....11
4.4. PKIX Certificate Extensions..............................12 4.4. PKIX Certificate Extensions..............................12
5. IANA Considerations...........................................14 5. IANA Considerations...........................................14
6. Security Considerations.......................................14 6. Security Considerations.......................................14
7. References....................................................16 7. References....................................................16
7.1. Normative References.....................................16 7.1. Normative References.....................................16
7.2. Informative References...................................17 7.2. Informative References...................................17
Appendix A. Moving S/MIME v2 Certificate Handling to Historic Appendix A. Moving S/MIME v2 Certificate Handling to Historic
Status...............................................20 Status...............................................19
Appendix B. Acknowledgements.....................................20 Appendix B. Acknowledgements.....................................19
1. Introduction 1. Introduction
S/MIME (Secure/Multipurpose Internet Mail Extensions), described in S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
[SMIME-MSG], provides a method to send and receive secure MIME [SMIME-MSG], provides a method to send and receive secure MIME
messages. Before using a public key to provide security services, messages. Before using a public key to provide security services,
the S/MIME agent MUST verify that the public key is valid. S/MIME the S/MIME agent MUST verify that the public key is valid. S/MIME
agents MUST use PKIX certificates to validate public keys as agents MUST use PKIX certificates to validate public keys as
described in the Internet X.509 Public Key Infrastructure (PKIX) described in the Internet X.509 Public Key Infrastructure (PKIX)
Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the
skipping to change at page 11, line 23 skipping to change at page 11, line 23
is found in an S/MIME message, it SHALL be used to identify the is found in an S/MIME message, it SHALL be used to identify the
signer's certificate. Otherwise, the certificate is identified in an signer's certificate. Otherwise, the certificate is identified in an
S/MIME message, either using the issuerAndSerialNumber which S/MIME message, either using the issuerAndSerialNumber which
identifies the signer's certificate by the issuer's distinguished identifies the signer's certificate by the issuer's distinguished
name and the certificate serial number, or the subjectKeyIdentifier name and the certificate serial number, or the subjectKeyIdentifier
which identifies the signer's certificate by a key identifier. which identifies the signer's certificate by a key identifier.
When decrypting an encrypted message, if a When decrypting an encrypted message, if a
SMIMEEncryptionKeyPreference attribute is found in an encapsulating SMIMEEncryptionKeyPreference attribute is found in an encapsulating
SignedData, it SHALL be used to identify the originator's certificate SignedData, it SHALL be used to identify the originator's certificate
found in OriginatorInfo. Otherwise, a) for DH encrypted messages the found in OriginatorInfo. See [CMS] for the CMS fields that reference
certificate is identified by the KeyAgreeRecipientInfo originator the originator's and recipient's certificates.
field using either the issuer and serial number or subject public key
identifier choice or the certificate is omitted and the originator's
public key is included in originatorKey b) for RSA encrypted messages
the originator's certificate is not required for decryption.
4.3. Certificate and CRL Signing Algorithms and Key Sizes 4.3. Certificate and CRL Signing Algorithms and Key Sizes
Certificates and Certificate Revocation Lists (CRLs) are signed by Certificates and Certificate Revocation Lists (CRLs) are signed by
the certificate issuer. Receiving agents: the certificate issuer. Receiving agents:
- MUST support RSA with SHA-256, as specified in [CMS-SHA2] - MUST support RSA with SHA-256, as specified in [CMS-SHA2]
- SHOULD+ support DSA with SHA-256, as specified in [CMS-SHA2] - SHOULD+ support DSA with SHA-256, as specified in [CMS-SHA2]
skipping to change at page 17, line 38 skipping to change at page 17, line 25
November 2000. November 2000.
[IMF] Resnick, P., "Internet Message Format", work-in- [IMF] Resnick, P., "Internet Message Format", work-in-
progress. progress.
[RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in [RSAPSS] Schaad, J., "Use of RSASA-PSS Signature Algorithm in
Cryptographic Message Syntax (CMS)", RFC 4056, June Cryptographic Message Syntax (CMS)", RFC 4056, June
2005. 2005.
[SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2 [SMIME-MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2
Message Specification", draft-ietf-smime-3851bis, work- Message Specification", draft-ietf-smime-3851bis-
in-progress. 07.txt, work-in-progress.
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824- [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-
1:2002. Information Technology - Abstract Syntax 1:2002. Information Technology - Abstract Syntax
Notation One (ASN.1): Specification of basic notation. Notation One (ASN.1): Specification of basic notation.
7.2. Informative References 7.2. Informative References
[PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax [PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax
Standard", November 1993. Standard", November 1993.
 End of changes. 7 change blocks. 
14 lines changed or deleted 10 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/