Internet DraftInternet-Draft                                                T Dean
draft-ietf-smime-domsec-02.txt
draft-ietf-smime-domsec-03.txt                                W Ottaway
Expires March 1, 19th April 2000                                       DERA

                    Domain Security Services using S/MIME

Status of this memo

This document is an Internet-Draft and is in full conformance with all
provisions of section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.

To view the entire list of Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net ( Northern Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu(US West Coast).

Abstract

This document describes how the S/MIME protocol can be processed and
generated by a number of components of a messaging communication system, such as
message transfer agents, guards and gateways to deliver security
services. These services are collectively referred to as 'Domain
Security Services'. The mechanisms described in this document are
designed to solve a number of interoperability problems and technical
limitations that arise when different security domains wish to
communicate securely - for example when two domains use incompatible
messaging technologies such as X.400 and SMTP/MIME. This document is
also applicable to organisations and enterprises that do not have
encryption or signing capabilities at internal PKIs
which are not accessible by the desktop, outside world, but wish to interoperate
securely using the S/MIME protocol.

This draft is being discussed on the 'ietf-smime' mailing list. To
subscribe, send a message to:
     ietf-smime-request@imc.org
with the single word
     subscribe
in the body of the message. There is a Web site for the mailing list at
<http://www.imc.org/ietf-smime/>.

Acknowledgements

Significant comments were made by Trevor Freeman, Russ Housley,
Dave
Kemp and Kemp, Jim Schaad. Schaad, Greg Colla and Michael Zolotarev.

1. Introduction

The S/MIME [1] series of standards define a data encapsulation format
for the provision of a number of security services including data
integrity, confidentiality, and authentication. S/MIME is designed for
use by messaging clients to deliver security services to distributed
messaging applications.

There are many circumstances when it is not feasible desirable or practical to
provide end-to-end ('desktop-to-desktop') (desktop-to-desktop) security services, particularly
between different security domains. An organisation which that is considering
providing end-to-end security services will typically have to deal with
some if not all of the following issues:

1) Heterogeneous Message Access Methods: users Users are accessing mail using
   mechanisms which re-format messages, such as using Web browsers.
   Message reformatting in the Message Store makes end-to-end encryption
   and signature validation impossible.

2) Message screening and audit: server-based Server-based mechanisms such as
   searching for prohibited words or other content, virus scanning, and
   audit, are incompatible with end-to-end encryption.

3) Cross-certification problems: PKI deployment issues: There may not be any cross-certificate
   links certificate paths between
   two organisations. Or an organisation may be sensitive about parts aspects
   of its PKI and unwilling to expose them to outside access. For either
   of these reasons, direct end-to-end encryption and signature validation and
   encryption are impossible.

4) Heterogeneous Message transports: one One organisation using X.400 wishes
   to communicate with another using SMTP. Message reformatting at
   gateways makes end-to-end encryption and signature validation
   impossible.

5) Cost: providing the necessary key management infrastructure and other
   items such as hardware tokens for all users may be too expensive.

One solution

This document describes an approach to solving these problems is to provide by
providing message security services at the level of a domain or an
organisation. This document specifies how these 'domain security
services' can be provided using the S/MIME protocol. Domain security
services may replace or complement mechanisms at the desktop. For
example, a domain may decide to provide desktop-to-
desktop desktop-to-desktop signatures
but domain-to-domain encryption services. Or it may allow desktop-to-desktop desktop-to-
desktop services for intra-domain use, but enforce domain-based services
for communication with other domains.

Messages

Whether or not a domain based service is inherently better or worse than
desktop based solutions is an open question. Some experts believe that
only end-to-end solutions can be processed and generated truly made secure, while others believe
that the benefits offered by a number of components of a
messaging system, such things as message transfer agents, guards and gateways.
Any of these agents may provide content checking at domain
boundaries offers considerable increase in practical security services. for many
real systems. The term 'Third Party' as used additional service of allowing signature checking at
several points on a communications path is also an extra benefit in many
situations. This debate is outside the scope of this document means any entity in document. What is
offered here is a
messaging system other than the originator and final recipient(s) set of tools that
processes messages. This includes integrators can tailor in different
ways to meet different needs in different circumstances.

Message Transfer Agents transfer agents (MTAs),
domain mail servers, guards and guards, firewalls operating at security
boundaries, and protocol
translation gateways all provide domain security services. As with
desktop based solutions, these components must be resilient against a
wide variety of attacks intended to subvert the security services.
Therefore, careful consideration should be given to security of these
components, to make sure that translate between different protocol
formats. A third party may sign, encrypt, decrypt, their siting and check signatures
on a message. configuration minimises
the possibility of attack.

Throughout this draft the terms MAY, MUST, MUST NOT and SHOULD NOT are used
in capital letters. This conforms to the definitions in [2].

2. Overview of Domain Security Services

In a distributed system, a message is sent from

This section gives an originator to a set
of recipients that may be in the same or different security domains.
This section first defines what is meant by a security domain. It then
gives an informal overview informal overview of the security services that
are provided by S/MIME between different security domains. These
services are provided by a combination of mechanisms in the sender's and
recipient's domains.

Later sections describe definitively how these services map onto
elements of the S/MIME protocol.

2.1 Definition of a Security

The following security mechanisms are specified in this document:

1. Domain

A signature
2. Review signature
3. Additional attributes signature
4. Domain encryption and decryption

The term 'security domain' as used in this document is defined as a
collection of hardware and personnel operating under a single security
authority and performing a common business function. Members of a
security domain will of necessity share a high degree of mutual trust,
due to their shared aims and objectives.

A security domain is typically protected from direct outside attack by
physical measures and from indirect (electronic) attack by a combination
of firewalls and guards at network boundaries. The interface between two
security domains is termed a 'security boundary'. One example of a
security domain is an organisational network ('Intranet').

2.2 Signing by a third party

2.1 Domain Signature

A third-party may sign messages for one or more Domain signature is an S/MIME signature generated on behalf of the following reasons:

1. When messages need to a set
of users in a domain. A Domain signature can be reformatted inside the message transfer
   system. Message reformatting is needed at gateways used to authenticate
information sent between X.400 and
   SMTP-MIME domains, or on conversion between HTTP-MIME and SMTP-MIME
   message representations. The third party signature is needed because
   the reformatting process renders the originator's signature
   unverifiable by for example, when two 'Intranets' are
connected using the recipient(s).

2. To bridge between Internet. It can be used when two domains that have employ
incompatible or disconnected signature systems, such as schemes internally or when there are no cross-certificate
certification links between their Public Key Infrastructures (PKIs). The third party
   signature is needed because PKIs. In both cases messages from the
originator's domain are signed over the original message and signature is not
   directly verifiable
(if present) using an algorithm, key, and certificate which can be
processed by the recipient(s). It is typically created at
   the boundary between the domains.

3. When end users do not have signing capabilities at the desktop. A third party may wish to convey the signature semantics to the
recipient(s) when creating its digital signature. This document
specifies three domain signature types is sometimes referred
to convey these semantics, as follows. an "organisational signature".

2.2 Review Signature

A third party may sign a message, and optionally add additional
attributes review messages before they are forwarded to it. An example is the addition of the 'Equivalent Label'
attribute defined final
recipient(s) who may be in ESS [4]. In this case the 'additional attributes'
signature is used.

A third party may wish to declare that it is acting as a proxy on
behalf of an originator in a domain. In this case the 'Domain'
Signature is used.

A third party may review messages before they are released from same or a different security domain. This is used when organisational
Organisational policy or and good security practice often require that
messages be reviewed before they are released to external recipients.
Having reviewed a message, a 'review and release' an S/MIME signature is added to it. The it - a review
signature. An agent MAY check the review and release signature may be
checked by a firewall at the domain
boundary, to ensure that only reviewed messages are released.

2.3 Additional Attributes Signature

A third party MAY add additional attributes to a signed message. An
S/MIME signature is used for this purpose - an additional attributes
signature. An example of an additional attribute is the 'Equivalent
Label' attribute defined in ESS [3].

2.4 Domain Encryption and Decryption

Domain encryption is S/MIME encryption performed on behalf of a
collection of users in a domain. Domain encryption can be used to
protect information between domains, for example, when two 'Intranets'
are connected using the Internet. It can also be used when end users do
not have encryption capabilities at the desktop, or when two domains
employ incompatible encryption schemes. schemes internally. In the latter case
messages from the originator's domain are re-encrypted using an
algorithm, key, and certificate which can be decrypted by the recipient(s).
recipient(s) or an entity in their domain.

3. Mapping of Domain Security the Signature Services to the S/MIME Protocol

This section describes the S/MIME Protocol elements that are used to
provide the security services described above. ESS [4] [3] introduces the
concept of triple-wrapped messages that are first signed, then
encrypted, then signed again. This document also uses this concept of
triple-wrapping. In addition, this document also uses the concept of
'signature encapsulation'. 'Signature encapsulation' denotes a complete
signed message that is wrapped in a second signature, the second
signature covering both the content and the first (inner) signature.

Signature Encapsulation may MAY be performed on the inner or and/or the outer
signature of a triple-wrapped message. The term 'parallel signatures'
means two or more signatures calculated over the same content. This
capability is described in CMS [3], where a set of one or more
SignerInfos can be attached to signed data.

For example, the originator signs a message which is then encapsulated
with an 'additional attributes' signature. This is then encrypted. A
reviewer then signs this encrypted data, which is then encapsulated by
a domain signature.

3.1 Naming conventions and Signature Types

An authenticated attribute is used to indicate entity receiving an S/MIME signed message would normally expect the type
signature to be that of signature.
The ASN.1 [5] notation the originator of this attribute is:-

   SignatureType ::= SEQUENCE OF OBJECT IDENTIFIER

   id-signatureType OBJECT IDENTIFIER ::= { iso (1) member-body (2)
        us (840) rsadsi (113549) <TBD> }

If present, the SignatureType attribute MUST be an authenticated
attribute, as message. However, the
message security services defined in [3]. If the SignatureType attribute is absent this draft require the recipient SHOULD NOT make any assumptions about to
be able accept messages signed by other entities and the type of
signature.

This section originator.
When other entities sign the message the name in the certificate will
not match the message senders name. An S/MIME implementation would flag
an error if there were a mismatch between the name in the certificate
and the message sender's name. (This check prevents a number of types of
masquerade attack.)

To resolve this incompatibility, this document defines a naming
convention that specifies the following form that the signing agents name SHOULD
take. Adherence to this naming convention avoids the problems of
uncontrolled naming and the possible masquerade attacks that this would
produce.

As an assistance to implementation, a signed attribute is defined to be
included in the S/MIME signature - the 'signature type' attribute. On
receiving a message containing this attribute, the naming convention
checks are invoked.

Implementations conforming to this standard MUST support the naming
convention for signature generation and verification. Implementations
conforming to this standard MUST recognise the signature type attribute
for signature verification. Implementations conforming to this standard
SHOULD support the signature type attribute for signature generation;
however, this is not mandated.

3.1.1 Naming conventions

The following naming conventions are specified for agents generating
signatures specified in this document:

* For a domain signature, an agent generating this signature MUST be
  named 'domain-signing-authority'

* For a review signature, an agent generating this signature MUST be
  named 'review-authority'.

* For an additional attributes signature, an agent generating this
  signature MUST be named 'attribute-authority'.

This name shall appear in the 'common name (CN)' component of the
subject field in the X.509 certificate.  Additionally, if the
certificate contains an SMTP e-mail address, this name shall appear in
the end entity component of the address - on the left-hand side of the
'@' symbol.

In the case of a domain signature, an additional naming rule is
defined: the 'name mapping rule'. The name mapping rule states that
for a domain signing authority, the domain component of its name MUST be
the same as, or an ascendant of, the domain name of the message
originator(s) that it is representing. The domain component is defined
as follows:

* In the case of an X.500 distinguished subject name of an X.509
  certificate, the domain component is the country, organisation,
  organisational unit, state, and locality components of the
  distinguished name.

* If the certificate contains an SMTP e-mail address, the domain
  component is defined to be the SMTP address component on the right-
  hand side of the '@' symbol.

For example, a domain signing authority acting on behalf of John Doe of
the Acme corporation, whose distinguished name is 'cn=John Doe,
ou=marketing,o=acme,c=us' and whose e-mail address is
John.Doe@marketing.acme.com, could have a certificate containing a
distinguished name of 'cn=domain-signing-authority, o=acme,c=us' and an
e-mail address of 'domain-signing-authority@acme.com'.

Any message received where the domain component of the domain signing
agents name does not match, or is not an ascendant of, the originator's
domain name MUST be rejected.

This naming rule prevents agents from one organisation masquerading as
domain signing authorities on behalf of another. For the other types of signature:

1) Originator Signature
2) Domain Signature
3) Additional Attributes Signature
4) Review
signature defined in this document, no such named mapping rule is
defined.

Implementations conforming to this standard MUST support this name
mapping convention as a minimum. Implementations MAY choose to
supplement this convention with other locally defined conventions.
However, these MUST be agreed between sender and Release recipient domains prior
to secure exchange of messages.

On verifying the signature, a receiving agent MUST ensure that the
naming convention has been adhered to. Any message that violates the
convention shall be rejected as invalid.

3.1.2 Signature type attribute

An S/MIME authenticated attribute is also used to indicate the type of
signature. This should be used in conjunction with the naming
conventions specified in the previous section. When an S/MIME signed
message containing the signature type attribute is received it triggers
the software to verify that the correct naming convention has been used.

The ASN.1 [4] notation of this attribute is: -

   SignatureType ::= SEQUENCE OF OBJECT IDENTIFIER

   id-signatureType OBJECT IDENTIFIER ::= { iso (1) member-body (2)
        us (840) rsadsi (113549) <TBD> }

If present, the SignatureType attribute MUST be an authenticated
attribute, as defined in [5]. If the SignatureType attribute is absent
the recipient SHOULD assume that the signature is that of the message
originator.

Each of these the signature types is defined here are generated and processed
exactly as described in [3]. [5]. They are distinguished by the presence of
the following values in the SignatureType authenticated attribute:

id-sigtype-originator-sig OBJECT IDENTIFIER ::= { id-signatureType 1}

id-sigtype-domain-sig OBJECT IDENTIFIER ::= { id-signatureType 2 } for a
domain signature.

id-sigtype-add-attrib-sig OBJECT IDENTIFIER ::= { id-signatureType 3}
id-sigtype-review-release-sig
for an additional attributes signature.

id-sigtype-review OBJECT IDENTIFIER ::= { id-signatureType 4}

These for a
review signature.

For completeness, an attribute type is also specified for an originator
signature. However, this signature types may type is optional. It is defined as
follows:

id-sigtype-originator-sig OBJECT IDENTIFIER ::= { id-signatureType 1}
for an originator's signature.

The originator signature MUST NOT encapsulate other signatures, or any signatures. The
other
type of content, or may signature types specified in this document MAY encapsulate other
signatures. All the signature types MAY be added in parallel to other
signatures as documented in [3]. [5].

A SignerInfo MUST NOT include multiple instances of SignatureType. An
authenticated attribute representing a SignatureType MAY include
multiple instances of different SignatureType values as an
AttributeValue of attrValues [3], [5], as long as the SignatureType
'additional attributes' is not present.

The following sections describe the conditions under which each of these
types of signature may be generated, and how they are processed.

3.1.1 Originator Signature

The 'originator signature' is used to indicate that the signer is the
originator of the message and its contents. The 'originator signature'
is indicated by the presence of the value id-sigtype-originator-sig in
the 'signature type' authenticated attribute. There MUST be only one
'originator signature' signature present in a S/MIME encoding.

3.1.2

3.2 Domain Signature Generation and Verification

A 'domain signature' is a proxy signature generated on a user's behalf
in
a the user's domain. The signature MUST adhere to the naming
conventions in 3.1.1, including the name mapping convention. A 'domain
signature' on a message authenticates the fact that the message has
originated in that domain. Before signing, a process generating a
'domain signature' MUST first satisfy itself of the authenticity of the
message originator. This is achieved by one of two methods. Either the
'originator's signature' is checked, if S/MIME signatures are used
inside a domain. Or if not, some mechanism external to S/MIME is used,
such as the physical address of the originating client or an
authenticated IP link.

If the originator's authenticity is successfully verified by one of the
above methods and all other signatures present are valid, a 'domain
signature' may MAY be added to a message in one of the following ways:

1) An unsigned message has a null signature added to it (i.e. the
   message is wrapped in a SignedData, signedData that has no signerInfo attached),
   and then a SignerInfo is
   attached containing the 'domain signature'. signature' is added as defined in methods 2) or 3)
   below. The originator's information is included as part of a header
   field in the encapsulated message.

2) Signature Encapsulation is used to wrap the original signed message
   with a 'domain signature'.

3) The original signed message has a 'domain signature' added in
   parallel.

An entity generating a domain signature MUST do so using a certificate
containing a subject name that follows the naming convention specified
in 3.1.1.

When a 'domain signature' is applied the mlExpansionHistory and
eSSSecurityLabel attributes MUST be copied from other signerInfos as
stated in [4]. [3].

If the originator's authenticity is not successfully verified, verified or all
the signatures present are not valid, a 'domain signature' MUST NOT be
generated.

On reception, the 'domain signature' may SHOULD be used to verify the
authenticity of a message. A check MUST be made to ensure that both the
naming convention and the name mapping convention have been used as
specified in this standard.

A recipient MAY assume that successful verification of the domain
signature also authenticates the message originator.

If there is a SignerInfo with the an originator signature
type 'originator', its present, the name in that
certificate should SHOULD be used to identify the originator. This information
can then be displayed to the recipient.

Alternatively, if a 'domain signature' has encapsulated a complete
MIME-encoded message, the originator information (SMTP 'From' field)
contained within it denotes the originator of the message.

If neither of these cases is true no assumptions can be made about the
originator.

A domain signer can be assumed to have verified any signatures that it
encapsulates. Therefore, it is not necessary to verify these signatures
before treating the message as authentic. However, this standard does
not preclude a recipient from attempting to verify any other signatures
that are present.

The 'domain signature' is indicated by the presence of the value Id-at-
sigtype-domain-sig
Id-at-sigtype-domain-sig in the a 'signature type' authenticated attribute.

There MAY be multiple 'domain signature' signatures in a an S/MIME
encoding.

3.1.3

3.3 Additional Attributes Signature generation and verification

The 'additional attributes' signature type indicates that the
SignerInfo contains additional attributes that are associated with the
message.

All attributes in the applicable SignerInfo MUST be treated as
additional attributes. Successful verification of an 'additional
attributes' signature means only that the attributes are authentically
bound to the message. A recipient MUST NOT assume that its successful
verification also authenticates the message originator. The authenticity
of

An entity generating an 'additional attributes' signature MUST do so
using a certificate containing a subject name that follows the message originator should naming
convention specified in 3.1.1. On reception, a check MUST be verified by checking the signature of made to
ensure that the appropriate type, if present. naming convention has been used.

A signer may MAY include any of the attributes listed in [3] [5] or in this
document when generating an 'additional attributes' signature. The
following attributes have a special meaning, when present in an
'additional attributes' signature:

1) Equivalent Label: label values in this attribute are to be treated as
   equivalent to the security label contained in an encapsulated
   SignerInfo, if present.

2) Security Label: the label value indicates the aggregate sensitivity
   of the inner message content plus any encapsulated signedData and
   envelopedData containers. The label on the original data is indicated
   by the value in the originator's signature, if present.

An 'additional attributes' signature is indicated by the presence of the
value Id-at-sigtype-add-attrib-sig in the a 'signature type' authenticated
attribute. No other Object Identifiers may MAY be included in the sequence
of OIDs if this value is present. An 'additional attributes' signature
may
MAY be added in parallel with other signatures in a SET OF SignerInfos.

There MAY be multiple 'additional attributes' signatures in a an S/MIME
encoding.

3.1.4

3.4 Review Signature generation and Release verification

The 'review and release' review signature indicates that the signer has reviewed the message.
Successful verification of a 'review and release' review signature means only that the signer
has approved the message for
release from onward transmission to the recipient(s).
When the recipient is in another domain, a domain.  A device on a domain boundary
such as a Mail Guard or firewall may be configured to check review and release
signatures. A recipient MUST NOT assume that its successful verification
also authenticates the message originator. The authenticity of

An entity generating a signed review signature MUST do so using a
certificate containing a subject name that follows the
message originator should naming convention
specified in 3.1.1. On reception, a check MUST be verified by checking the signature
identified as made to ensure that
the originators, if present. naming convention has been used.

A 'review and release' review signature is indicated by the presence of the value Id-at-sigtype-review-release-sig
Id-at-sigtype-review-sig in the a 'signature type' authenticated attribute.

There MAY be multiple 'review and release' review signatures in a an S/MIME encoding.

3.2 Domain

3.5 Originator Signature

The 'originator signature' is used to indicate that the signer is the
originator of the message and its contents. It is included in this
document for completeness only. An originator signature is indicated
either by the absence of the signature type attribute, or by the
presence of the value id-sigtype-originator-sig in a 'signature type'
authenticated attribute. There MUST be only one 'originator signature'
signature present in an S/MIME encoding and it MUST be one of the inner
most signatures.

4. Encryption and Decryption

Domain encryption is encryption performed by a third party on behalf of
a set of originators in a domain. Domain decryption is decryption
performed by a third party on behalf of a set of recipients in a domain.
These

Depending on security policy, messages may be encrypted for decryption
by the final recipient and by a domain decryption agent in the
originator's and/or the recipient's domain. This is achieved by
generating a RecipientInfo for each type of agent that is transmitted
along with the encrypted message.

The processes of domain encryption and decryption may be performed in
combination, as shown below.

  --------------------------------------------------------------------
 |                        | Recipient Decryption |  Domain Decryption |
 |------------------------|----------------------|--------------------|
 | Originator Encryption  |       Case(a)        |       Case(c)      |
 | Domain Encryption      |       Case(b)        |       Case(d)      |
  --------------------------------------------------------------------

Case (a), encryption of messages by the originator for decryption by the
final recipient(s), is described in CMS [3]. [5]. In Cases (b) and (d),
encryption is performed not by the originator but by a third party in
the sending domain. In Cases (c) and (d), decryption is performed not by
the recipient(s) but by a third party in the destination domain.

A client implementation that conforms to this standard MUST support
cases (a) and (c) for transmission, and cases (a) and (b) for reception.

A Domain Encryption implementation that conforms to this standard MUST
support cases (b) and (d), for transmission, and cases (c) and (d) for
reception.

The process of encryption and decryption is documented in CMS [3]. [5]. The
only additional requirement introduced by domain encryption and
decryption is for greater flexibility in the management of keys, as
described in the following subsections. As with signatures, a naming
convention and name mapping convention are used to locate the correct
key.

The mechanisms described below are applicable both to key agreement and
key transport systems, as documented in CMS. CMS [5]. The phrase 'encryption
key' is used as a collective term to cover the key management keys used
by both techniques.

3.2.1

4.1 Domain Encryption Naming Conventions

A domain encryption agent MUST be named 'domain-confidentiality-
authority'. Also a domain decryption agent MUST be named 'domain-
confidentiality-authority'. This name MUST appear in the 'common name
(CN)' component of the subject field in the X.509 certificate.
Additionally, if the certificate contains an SMTP e-mail address, this
name MUST appear in the end entity component of the address - on the
left-hand side of the '@' symbol.

Along with this naming convention, an additional naming rule is defined:
the 'name mapping rule'. The name mapping rule states that for an
encryption agent, the domain component of its name MUST be the same as,
or an ascendant of, the domain name of the set of entities that it
represents. The domain component is defined as follows:

* In the case of an X.500 distinguished name of an X.509 certificate,
  the domain component is the country, organisation, organisational
  unit, state, and locality components of the distinguished name.

* If the certificate contains an SMTP e-mail address, the domain
  component is defined to be the SMTP address component on the right-
  hand side of the '@' symbol.

For example, an encryption authority acting on behalf of John Doe of the
Acme corporation, whose distinguished name is 'cn=John Doe,ou=marketing,
o=acme,c=us' and whose e-mail address is John.Doe@marketing.acme.com,
could have a certificate containing a distinguished name of
'cn=domain-confidentiality-authority, o=acme,c=us' and an e-mail address
of 'domain-confidentiality-authority@acme.com'. The key associated with
this certificate would be used for encrypting messages for John Doe.

Any message received where the domain component of the domain encrypting
agents name does not match, or is not an ascendant of, the domain name
of the entities it represents MUST be rejected.

This naming rule prevents messages being encrypted for the wrong domain
decryption agent.

Implementations conforming to this standard MUST support this name
mapping convention as a minimum. Implementations may choose to
supplement this convention with other locally defined conventions.
However, these MUST be agreed between sender and recipient domains
prior to sending any messages.

4.2 Domain Encryption Key Management

Domain encryption is encryption performed by a third party on behalf of
a set of originators in a domain. Domain Encryption is shown as cases
(b) and (d) in the above table.

Domain Encryption encryption uses a domain-wide encryption key from the sender's
domain. Information about this key is conveyed to the recipient by
one of two methods:-

1) Public information about this key is held in a certificate and
   conveyed to the recipient(s) in the 'Certs'
RecipientInfo field of the
   OriginatorInfo as specified in the Envelope.

2) The recipient(s) looks up the key for the users domain by replacing
   the originator's name within the address with the CMS [5]. A domain encryption
   name [6].

   For example :-

   a) If the originator is originator@foo.com then lookup key for
      domain-encrypting-authority@foo.com.

   b) If agent
MUST be named according to the originator naming convention specified in section
4.1.  This is c=us;a=com;p=foo;s=originator then look up
      key for c=us;a=com;p=foo;s=domain-encrypting-authority.

   c) If so that the originator is c=gb;o=foo;cn=originator then look up same key for
      c=gb;o=foo;cn=domain-encrypting-authority.

An implementation conforming can be used on reply to this standard MUST support both methods. a domain-
encrypted message.

The name in the domain encryption certificate may not match agent extracts the name in any
encapsulated signatures. For example, when a message is signed by recipients address from the
originator
message and is encrypted by the domain. An implementation that
conforms to this standard MUST allow for uses this possibility. This includes
both a client and a third party implementation.

3.2.2 Domain Decryption Key Management

Domain Decryption is shown as cases (c) and (d) in the above table. In
these cases, to obtain the encryption process uses a domain-wide encryption recipients domain-confidentiality-
authority public key
for and/or the recipient(s)' domain. The selection of this key recipients public key. For example,
the recipients address is achieved by
one of two methods:

1) The sending process explicitly searches used as an index for a directory search. The
directory search MAY return the recipients certificate containing and/or a domain-
confidentiality-authority attribute that contains the domain encryption key location of the recipient(s)' domain. This is
   achieved by mapping the recipient(s)' name to a
recipient's domain name decrytping agents certificate. If the directory
search returns no certificates then encryption can not be performed and
the message MUST NOT be sent. If one or both certificates are available
then
   locating the encryption certificate containing that domain name.
   Mapping from recipient names to Domain names, and conventions for originator's domain names are outside encrypting agent encrypts the scope of this standard.

2) All message for
the members of recipient and the receiving recipient's domain are issued with certificates
   containing decrypting agent.

4.3 Domain Decryption Key Management

Domain decryption is decryption performed by a single key. The private component third party on behalf of that key
a set of recipients in a domain.

Domain Decryption is held
   by an entity shown as cases (c) and (d) in the domain that performs above table. In
these cases, the decryption encryption process
   on their behalf. By selecting the appropriate certificate, has used a sending
   process will implicitly encrypt domain-wide encryption
key for decryption by the Domain
   Decryption process.

An implementation recipient(s)' domain, that conforms to this standard MUST support mechanism
(1). It may also support mechanism (2). This includes both a client and
a third party implementation.

4. has been obtained by using the
recipient's address (See example in section 4.2).

5. Security Considerations

   Domain Security Services provide a method for digitally
   signing data, digesting data, encrypting data, and authenticating
   data.

Implementations must MUST protect the signer's all private key. keys. Compromise of the
signer's private key permits masquerade.

   Implementations must protect the key management private key and the
   content-encryption key.  Compromise

Similarly, compromise of the key management private content-encryption key may result in the
disclosure of all messages protected with that key.
   Similarly, the encrypted content.

Compromise of key material is regarded as an even more serious issue for
domain security services than for an S/MIME client. This is because
compromise of the content-encryption private key may result in
   disclosure of turn compromise the encrypted content.

5. security of a
whole domain. Therefore, great care should be used when considering its
protection.

6. References

[1] Ramsdell, B., "S/MIME Version 3 Message Specification", Internet
    Draft draft-ietf-smime-msg-04, May 1998. RFC2633,
    June 1999.

[2] Bradner, S., "Key words for use in RFCs to Indicate
    Requirement Levels", BCP 14, RFC 2119, March 1997.

[3] Housley, R., "Cryptographic Message Syntax", Internet Draft
    draft-ietf-smime-cms-05.txt, March 1998.

[4] Hoffman, P., "Enhanced Security Services for S/MIME", Internet Draft
    draft-ietf-smime-ess-06.txt, May 1998.

[5] RFC 2634,
    June 1999.

[4] International Telecommunications Union, Recommendation X.208, "Open
    systems interconnection: specification of Abstract Syntax Notation
    (ASN.1)", CCITT Blue Book, 1989.

[6] Ramsdell, B., "Role Names in X.509 Certificates", Internet Draft
    draft-ramsdell-role-names, April 29 1998.

6.

[5] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999.

7. Authors' Addresses

Tim Dean
DERA Malvern
St. Andrews Road
Malvern
Worcs
WR14 3PS

Phone: +44 (0)1684 (0) 1684 894239
Fax:   +44 (0)1684 6113 (0) 1684 896660
Email: t.dean@eris.dera.gov.uk

William Ottaway
DERA Malvern
St. Andrews Road
Malvern
Worcs
WR14 3PS

Phone: +44 (0)1684 (0) 1684 894079
Fax:   +44 (0)1684 896113 (0) 1684 896660
Email: w.ottaway@eris.dera.gov.uk

This draft expires March 1, 19th April 2000