draft-ietf-smime-escertid-00.txt   draft-ietf-smime-escertid-01.txt 
Network Working Group J. Schaad Network Working Group J. Schaad
Internet-Draft Soaring Hawk Consulting Internet-Draft Soaring Hawk Consulting
Expires: September 22, 2006 March 21, 2006 Expires: October 19, 2006 April 17, 2006
ESS Update: Adding CertID Algorithm Agility ESS Update: Adding CertID Algorithm Agility
draft-ietf-smime-escertid-00.txt draft-ietf-smime-escertid-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 22, 2006. This Internet-Draft will expire on October 19, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
In the original Enhanged Security Services for S/MIME draft, a In the original Enhanced Security Services for S/MIME draft, a
structure for cryptographically linking the certificate to be used in structure for cryptographically linking the certificate to be used in
validation with the signature was introduced, this structure was validation with the signature was introduced, this structure was
hardwired to use SHA-1. This document allows for the structure to hardwired to use SHA-1. This document allows for the structure to
have algorithm agility and defines new attributes to deal with the have algorithm agility and defines new attributes to deal with the
updating. updating.
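Review bot: the comma splice "...with the signature was introduced, this structure was hardwired to use SHA-1" survives on both sides of the abstract; suggest "was introduced. This structure was hardwired to use SHA-1." The "Enhanged" to "Enhanced" fix on the -01 side is good and is consistently applied in Section 1 as well.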
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 3
skipping to change at page 3, line 7 skipping to change at page 3, line 7
4. Insert new section 5.4.1.1 . . . . . . . . . . . . . . . . . . 7 4. Insert new section 5.4.1.1 . . . . . . . . . . . . . . . . . . 7
5. Insert new section 5.4.2 . . . . . . . . . . . . . . . . . . . 9 5. Insert new section 5.4.2 . . . . . . . . . . . . . . . . . . . 9
6. Renumber Section 5.4.1 Certificate Identification . . . . . . 11 6. Renumber Section 5.4.1 Certificate Identification . . . . . . 11
7. Normative References . . . . . . . . . . . . . . . . . . . . . 11 7. Normative References . . . . . . . . . . . . . . . . . . . . . 11
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . . . 18 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1. Introduction 1. Introduction
In the original Enhanged Security Services (ESS) for S/MIME draft In the original Enhanced Security Services (ESS) for S/MIME draft
[ESS], a structure for cryptographically linking the certificate to [ESS], a structure for cryptographically linking the certificate to
be used in validation with the signature was defined. This be used in validation with the signature was defined. This
structure, called ESSCertID was hardwired to use a SHA-1 hash value. structure, called ESSCertID was hardwired to use a SHA-1 hash value.
The recent attacks on SHA-1 require that we change define a new The recent attacks on SHA-1 require that we change define a new
attribute which allows for the use of a different algorithm. This attribute which allows for the use of a different algorithm. This
document performs that task. document performs that task.
This document defines the structure ESSCertIDEx along with a new This document defines the structure ESSCertIDv2 along with a new
attribute SigningCertificateEx which uses the updated structure. attribute SigningCertificateV2 which uses the updated structure.
This document allows for the structure to have algorithm agility and This document allows for the structure to have algorithm agility and
defines new attributes to deal with the updating. defines new attributes to deal with the updating.
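Review bot: "require that we change define a new attribute" in the first paragraph is an editing leftover on both sides; suggest "require that we define a new attribute". The closing paragraph repeats the abstract's last sentence verbatim and could be folded into the preceding paragraph, which already names ESSCertIDv2 and SigningCertificateV2 on the -01 side.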
1.1. Notation 1.1. Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Replace Section 5.4 Signing Certificate Attribute Definitions 2. Replace Section 5.4 Signing Certificate Attribute Definitions
The signing certificate attribute is designed to prevent simple The signing certificate attribute is designed to prevent simple
substitution and re-issue attacks, and to allow for a restricted set substitution and re-issue attacks, and to allow for a restricted set
of authorization certificates to be used in verifying a signature. of authorization certificates to be used in verifying a signature.
Two different attributes exist for this due to a flaw in the original Two different attributes exist for this due to a flaw in the original
design. The only substantial difference between the two attributes design. The only substantial difference between the two attributes
is that SigningCertificateEx allows for hash algorithm agility, while is that SigningCertificateV2 allows for hash algorithm agility, while
SigningCertificateEx forces the use of the SHA-1 hash algoirthm. SigningCertificate forces the use of the SHA-1 hash algorithm. With
With the recent advances in the ability to create hash collisions for the recent advances in the ability to create hash collisions for
SHA-1 it is deemed wise to move forward sooner rather than later. SHA-1 it is deemed wise to move forward sooner rather than later.
The SigningCertificateEx attribute is now the perfered attribute to When the SHA-1 hash function is used, the SigningCertificate
be used. Applications SHOULD use the SigningCertificateEx attribute attribute MUST be used. The SigningCertificateV2 attribute MUST be
even if they use SHA-1 as the hash algorithm. Applications SHOULD used if any algorithm other than SHA-1 is used and SHOULD NOT be used
recognize both attributes as long as they consider SHA-1 to be for SHA-1. Applications SHOULD recognize both attributes as long as
sufficently stable. they consider SHA-1 to be sufficiently descriminating.
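Review bot: "descriminating" in the new closing sentence should be "discriminating", but the property the preceding sentence actually appeals to is collision resistance; suggest "as long as they consider SHA-1 to be sufficiently collision resistant". The -01 usage rule is a substantive change from -00 (SigningCertificate MUST be used with SHA-1, SigningCertificateV2 SHOULD NOT be), so the text should also say what a verifier does with a SignerInfo that carries both attributes, or a SigningCertificateV2 whose hashAlg is SHA-1; Section 3 only forbids multiple instances of a single attribute. The -00 side's "SigningCertificateEx forces the use of the SHA-1 hash algoirthm" named the wrong attribute; -01 corrects it to SigningCertificate.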
3. Insert new section 5.4.1 3. Insert new section 5.4.1
5.4.1 Signing Certificate Attribute Definition 5.4.1 Signing Certificate Attribute Definition
The signing certificate attribute is designed to prevent the simple The signing certificate attribute is designed to prevent the simple
substitution and re-issue attacks, and to allow for a restricted set substitution and re-issue attacks, and to allow for a restricted set
of authorization certificates to be used in verifying a signature. of authorization certificates to be used in verifying a signature.
The definition of SigningCertificateEx is The definition of SigningCertificateV2 is
SigningCertificateEx ::= SEQUENCE { SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDEx, certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificateEx OBJECT IDENTIFIER ::= { iso(1) id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) XX } smime(16) id-aa(2) XX }
certs contains the list of certificates that are to be used in certs contains the list of certificates that are to be used in
validating the message. The first certificate identified in the validating the message. The first certificate identified in the
sequence of certificate identifiers MUST be the certificate used sequence of certificate identifiers MUST be the certificate used
to verify the signature. The encoding of the ESSCertIDEx for this to verify the signature. The encoding of the ESSCertIDv2 for this
certificate SHOULD include the issuerSerial field. If other certificate SHOULD include the issuerSerial field. If other
constraints ensure that issuerAndSerialNumber will be present in constraints ensure that issuerAndSerialNumber will be present in
the SignerInfo, the issuerSerial field MAY be omitted. The the SignerInfo, the issuerSerial field MAY be omitted. The
certificate identified is used during the signature verification certificate identified is used during the signature verification
process. If the hash of the certificate does not match the process. If the hash of the certificate does not match the
certificate used to verify the signature, the signature MUST be certificate used to verify the signature, the signature MUST be
considered invalid. considered invalid.
If more than one certificate is present, subsiquent certificates If more than one certificate is present, subsequent certificates
limit the set of authorization certificates that are used during limit the set of authorization certificates that are used during
signature validation. Authorization certificates can be either signature validation. Authorization certificates can be either
attribute certificates or normal certificates. The issuerSerial attribute certificates or normal certificates. The issuerSerial
field (in the ESSCertIDEx structure) SHOULD be present for these field (in the ESSCertIDv2 structure) SHOULD be present for these
certificates, unless the client who is validating the signature is certificates, unless the client who is validating the signature is
expected to have easy access to all the certificates requred for expected to have easy access to all the certificates required for
validation. If only the signing certificate is present in the validation. If only the signing certificate is present in the
sequence, there are no restrictions on the set of authorization sequence, there are no restrictions on the set of authorization
certificates used in validating the signature. certificates used in validating the signature.
contains a sequence of policy information terms that identify policies contains a sequence of policy information terms that
those certificate policies that the signer asserts apply to the identify those certificate policies that the signer asserts apply
certificate, and under which the certificate should be relied to the certificate, and under which the certificate should be
upon. This value suggests a policy value to be used in the relied upon. This value suggests a policy value to be used in the
relying party's certification path validation. The definition of relying party's certification path validation. The definition of
PolicyInformation can be found in [PKIXCERT]. PolicyInformation can be found in [PKIXCERT].
If present, the SigningCertificateEx attribute MUST be a signed If present, the SigningCertificateV2 attribute MUST be a signed
attribute; it MUST NOT be an unsigned attribute. CMS defines attribute; it MUST NOT be an unsigned attribute. CMS defines
SignedAttributes as a SET OF Attribute. A SignerInfo MUST NOT SignedAttributes as a SET OF Attribute. A SignerInfo MUST NOT
include multiple instances of the SigningCertificate attribute. CMS include multiple instances of the SigningCertificate attribute. CMS
defines the ASN.1 syntax for the signed attributes to include defines the ASN.1 syntax for the signed attributes to include
attrValues SET OF AttributeValue. A SigningCertificate attribute attrValues SET OF AttributeValue. A SigningCertificate attribute
MUST include only a single instance of AttributeValue. There MUST MUST include only a single instance of AttributeValue. There MUST
NOT be zero or multiple instances of AttributeValue present in the NOT be zero or multiple instances of AttributeValue present in the
attrValues SET OF AttributeValue. attrValues SET OF AttributeValue.
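Review bot: the attribute-cardinality paragraph still says "multiple instances of the SigningCertificate attribute" and "A SigningCertificate attribute MUST include only a single instance of AttributeValue" on both sides, yet this section defines SigningCertificateV2; rename both to SigningCertificateV2 and state whether a SignerInfo may carry SigningCertificate and SigningCertificateV2 together. The id-aa arc value is still "XX"; mark it TBD in the same way as the module OID (ess-2006(TBD)) so it is not missed before publication. The -00 side's "contains a sequence of policy information terms" had lost its leading "policies" field name; -01 restores it.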
4. Insert new section 5.4.1.1 4. Insert new section 5.4.1.1
Insert the following text as a new section Insert the following text as a new section
5.4.1 Certificate Indentification 5.4.1.1 Certificate Identification
The best way to identify certificates is an often-discussed issue. The best way to identify certificates is an often-discussed issue.
[PKIXCERT] has imposed a restriction for SignedData objects that the The ESSCertIDV2 structure supplies two different fields that are used
issuer DN must be present in all signing certificates. The issuer/ for this purpose.
serial number pair is therefore sufficient to identify the correct
signing certificate. This information is already present, as part of The hash of the entire certificate allows for a verifier to check
the SignerInfo object, and duplication of this information would be that the certificate used in the verification process was the same as
unfortunate. A hash of the entire certificate serves the same the signer intended to be used. Hashes are convient in that they are
function (allowing the receiver to verify that the same certificate frequently used by certificate stores as a method of indexing and
is being used as when the message was signed), is smaller, and retrieving certificates as well. The use of the hash is required by
permits a detection of the simple substitution attacks. this structure since the detection of substitued certificates is
based on the fact they would map to different hash values.
The issuer/serial number pair is the method of identification of
certificates used in [PKIXCERT]. That document imposes a restriction
for certificates that the issuer DN must be present. The issuer/
serial number pair would therefore normally be sufficient to identify
the correct signing certificate. (This assumes the same issuer name
is not re-used from the set of trust anchors.) The issuer/serial
number pair can be stored in the sid field of the SignerInfo object.
However the sid field is not covered by the signature. In the cases
where the issuer/serial number pair is not used in the sid or the
issuer/serial number need to be signed, they should be placed in the
issuerSerial field of the ESSCertIDv2 structure.
Attribute certificates and additional public key certificates Attribute certificates and additional public key certificates
containing authorization information do not have an issuer/serial containing authorization information do not have an issuer/serial
number pair represented anywhere in a SignerInfo object. When an number pair represented anywhere in a SignerInfo object. When an
attribute certificate or an additional public key certificate is not attribute certificate or an additional public key certificate is not
included in the SignedData object, it becomes much more difficult to included in the SignedData object, it becomes much more difficult to
get the correct set of certificates based only on a hash of the get the correct set of certificates based only on a hash of the
certificate. For this reason, these certificates SHOULD be certificate. For this reason, these certificates SHOULD be
identified by the IssuerSerial object. identified by the IssuerSerial object.
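Review bot: "ESSCertIDV2" (capital V) in the new first paragraph does not match "ESSCertIDv2" used everywhere else; also "convient" should be "convenient", "substitued" should be "substituted", and "the issuer/serial number need to be signed" should be "needs to be signed". The new observation that the sid field of SignerInfo is not covered by the signature is the real motivation for carrying issuerSerial inside the signed attribute and would read better as the lead sentence of that paragraph rather than after "However"; it would also help to say plainly that certHash is the mandatory binding and issuerSerial only a locator, which is what "The use of the hash is required by this structure" implies.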
This document defines a certificate identifier as: This document defines a certificate identifier as:
ESSCertIDEx ::= SEQUENCE { ESSCertIDv2 ::= SEQUENCE {
hashAlg AlgorithmIdentifier DEFAULT {id-sha256}
certHash Hash, certHash Hash,
hashAlg AlgorithmIdentifier DEFAULT {id-sha256},
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
Hash ::= OCTET STRING Hash ::= OCTET STRING
IssuerSerial ::= SEQUENCE { IssuerSerial ::= SEQUENCE {
issuer GeneralNames, issuer GeneralNames,
serialNumber CertificateSerialNumber serialNumber CertificateSerialNumber
} }
The fields of ESSCertIDEx are defined as follows: The fields of ESSCertIDv2 are defined as follows:
certHash is computed over the entire DER encoded certificate certHash is computed over the entire DER encoded certificate
including the signature. The issuerSerial would normally be including the signature. The issuerSerial would normally be
present unless the value can be inferred from other information. present unless the value can be inferred from other information.
hashAlg contains the identifier of the algorithm used in computing hashAlg contains the identifier of the algorithm used in computing
certHash. certHash.
issuerSerial holds the identification of the certificate. issuerSerial holds the identification of the certificate.
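Review bot: moving hashAlg after certHash in the -01 ESSCertIDv2 introduces a decoding ambiguity: hashAlg is DEFAULT and issuerSerial is OPTIONAL, both are SEQUENCE types, and the module is declared with IMPLICIT TAGS but gives these fields no context-specific tags, so a decoder that finds one SEQUENCE after certHash cannot tell which field it is. The -00 order (hashAlg, certHash, issuerSerial) has no such problem because the OCTET STRING separates the two SEQUENCEs; keep that order or add context tags. Further: "DEFAULT {id-sha256}" is not a valid AlgorithmIdentifier value (it needs "{algorithm id-sha256}"), the field is named hashAlg here but hashAlgorithm in Appendix A, and the -00 line "hashAlg AlgorithmIdentifier DEFAULT {id-sha256}" is missing its trailing comma. The field descriptions should match whichever order is chosen, and the sentence "The issuerSerial would normally be present unless the value can be inferred from other information" belongs under issuerSerial, not certHash.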
skipping to change at page 9, line 41 skipping to change at page 9, line 41
certificate does not match the certificate used to verify the certificate does not match the certificate used to verify the
signature, the signature MUST be considered invalid. signature, the signature MUST be considered invalid.
If more than one certificate is present in the sequence of If more than one certificate is present in the sequence of
ESSCertIDs, the certificates after the first one limit the set of ESSCertIDs, the certificates after the first one limit the set of
authorization certificates that are used during signature validation. authorization certificates that are used during signature validation.
Authorization certificates can be either attribute certificates or Authorization certificates can be either attribute certificates or
normal certificates. The issuerSerial field (in the ESSCertID normal certificates. The issuerSerial field (in the ESSCertID
structure) SHOULD be present for these certificates, unless the structure) SHOULD be present for these certificates, unless the
client who is validating the signature is expected to have easy client who is validating the signature is expected to have easy
access to all the certificates requred for validation. If only the access to all the certificates required for validation. If only the
signing certificate is present in the sequence, there are no signing certificate is present in the sequence, there are no
restrictions on the set of authorization certificates used in restrictions on the set of authorization certificates used in
validating the signature. validating the signature.
The sequence of policy information terms identifies those certificate The sequence of policy information terms identifies those certificate
policies that the signer asserts apply to the certificate, and under policies that the signer asserts apply to the certificate, and under
which the certificate should be relied upon. This value suggests a which the certificate should be relied upon. This value suggests a
policy value to be used in the relying party's certification path policy value to be used in the relying party's certification path
validation. validation.
skipping to change at page 12, line 9 skipping to change at page 12, line 9
Certificate Revocation List (CRL) Profile", RFC 3280, Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002. April 2002.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
ExtendedSecurityServices-2006 ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) ess-2006(200) } pkcs(1) pkcs-9(9) smime(16) modules(0) ess-2006(TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
-- Cryptographic Message Syntax (CMS) -- Cryptographic Message Syntax (CMS)
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
AlgorithmIdentifier AlgorithmIdentifier
FROM CryptographicMessageSyntax { iso(1) member-body(2) us(840) FROM CryptographicMessageSyntax { iso(1) member-body(2) us(840)
skipping to change at page 16, line 8 skipping to change at page 16, line 8
-- Section 5.4 -- Section 5.4
SigningCertificate ::= SEQUENCE { SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID, certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1) id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 } smime(16) id-aa(2) 12 }
SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL
}
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) XX }
id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 1 } csor(3) nistalgorithm(4) hashalgs(2) 1 }
ESSCertIDEx ::= SEQUENCE { ESSCertIDv2 ::= SEQUENCE {
certHash Hash, certHash Hash,
hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm
id-sha256 parameters NULL} id-sha256 parameters NULL}
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
ESSCertID ::= SEQUENCE { ESSCertID ::= SEQUENCE {
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
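Review bot: the ESSCertIDv2 definition in the module is missing the comma after "parameters NULL}" before issuerSerial, and it has the same certHash-before-hashAlgorithm ordering that leaves two untagged SEQUENCE components (one DEFAULT, one OPTIONAL) adjacent under IMPLICIT TAGS. The DEFAULT value also differs from the body text: the module says "{algorithm id-sha256 parameters NULL}" while Section 4 says "{id-sha256}". Because DER requires a component equal to its DEFAULT to be omitted, the two definitions make encoders disagree on whether an explicit SHA-256 identifier with absent parameters must be encoded; pick one form, use it in both places, and say so in the hashAlgorithm description. The new SigningCertificateV2 and id-aa-signingCertificateV2 additions mirror Section 3 correctly, with the same "XX" placeholder still to be assigned.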
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/