draft-ietf-smime-escertid-06.txt (Internet-Draft of April 24, 2007, expiring October 26, 2007) compared with rfc5035.txt (RFC 5035, August 2007). The text below follows the RFC 5035 column of that comparison.

Network Working Group                                          J. Schaad
Request for Comments: 5035                        Soaring Hawk Consulting
Updates: 2634                                                August 2007
Category: Standards Track

             Enhanced Security Services (ESS) Update:
                 Adding CertID Algorithm Agility

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   In the original Enhanced Security Services for S/MIME document (RFC
   2634), a structure for cryptographically linking the certificate to
   be used in validation with the signature was introduced; this
   structure was hardwired to use SHA-1.  This document allows for the
   structure to have algorithm agility and defines a new attribute for
   this purpose.

Table of Contents

   1.  Introduction
     1.1.  Notation
     1.2.  Updates to RFC 2634
   2.  Replace Section 5.4 'Signing Certificate Attribute Definitions'
   3.  Insert New Section 5.4.1 'Signing Certificate Attribute
       Definition Version 2'
   4.  Insert New Section 5.4.1.1 'Certificate Identification
       Version 2'
   5.  Insert New Section 5.4.2 'Signing Certificate Attribute
       Definition Version 1'
   6.  Insert New Section 5.4.2.1 'Certificate Identification
       Version 1'
   7.  Security Considerations
   8.  Normative References
   Appendix A.  ASN.1 Module
1.  Introduction

   In the original Enhanced Security Services (ESS) for S/MIME document
   [ESS], a structure for cryptographically linking the certificate to
   be used in validation with the signature was defined.  This
   structure, called ESSCertID, identifies a certificate by its hash.
   The structure is hardwired to use a SHA-1 hash value.  The recent
   attacks on SHA-1 require that we define a new attribute that allows
   for the use of different algorithms.  This document performs that
   task.

   This document defines the structure ESSCertIDv2 along with a new
   attribute SigningCertificateV2, which uses the updated structure.
   This document allows for the structure to have algorithm agility by
   including an algorithm identifier and defines a new signed attribute
   to use the new structure.

   This document specifies the continued use of ESSCertID to ensure
   compatibility when SHA-1 is used for certificate disambiguation.

1.1.  Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Updates to RFC 2634

   This document updates Section 5.4 of RFC 2634.  Once the updates are
   applied, the revised section will have the following structure:

      5.4 Signing Certificate Attribute Definitions
      5.4.1 Signing Certificate Attribute Definition Version 2
      5.4.1.1 Certificate Identification Version 2
      5.4.2 Signing Certificate Attribute Definition Version 1

   skipping to change at page 3, line 18

2.  Replace Section 5.4 'Signing Certificate Attribute Definitions'

   The signing certificate attribute is designed to prevent simple
   substitution and re-issue attacks, and to allow for a restricted set
   of certificates to be used in verifying a signature.

   Two different attributes exist for this due to a flaw in the original
   design.  The only substantial difference between the two attributes
   is that SigningCertificateV2 allows for hash algorithm agility, while
   SigningCertificate forces the use of the SHA-1 hash algorithm.  With
   the recent advances in the ability to create hash collisions for
   SHA-1, it is wise to move forward sooner rather than later.

   When the SHA-1 hash function is used, the SigningCertificate
   attribute MUST be used.  The SigningCertificateV2 attribute MUST be
   used if any algorithm other than SHA-1 is used and SHOULD NOT be used
   for SHA-1.  Applications SHOULD recognize both attributes as long as
   they consider SHA-1 able to distinguish between two different
   certificates (i.e., the possibility of a collision is sufficiently
   low).  If both attributes exist in a single message, they are
   independently evaluated.

   Four cases exist that need to be taken into account when using this
   attribute for correct processing:

   1.  Signature validates and the hashes match: This is the success
       case.

   2.  Signature validates and the hashes do not match: In this case,
       the certificate contained the correct public key, but the
       certificate containing the public key is not the one that the
       signer intended to be used.  In this case the application should
       attempt a search for a different certificate with the same public
       key and for which the hashes match.  If no such certificate can
       be found, this is a failure case.

   3.  Signature fails validation and the hashes match: In this case, it
       can be assumed that the signature has been modified in some
       fashion.  This is a failure case.

   4.  Signature fails validation and the hashes do not match: In this
       case, it can be either that the signature has been modified, or
       that the wrong certificate has been used.  Applications should
       attempt a search for a different certificate that matches the
       hash value in the attribute and use the new certificate to retry
       the signature validation.
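As an added illustration of the four cases above (example code written for this page, not part of RFC 5035 or of any S/MIME implementation), the following Python treats certHash as a hash over the complete DER certificate and applies the case analysis, including the certificate searches that cases 2 and 4 call for. The Certificate and ESSCertIDv2 classes, the sample certificates, the certificate store and the signature_ok callback are constructed stand-ins, and every function name is an assumption of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate (constructed for this example)."""
    der: bytes          # the complete DER encoding, which is what certHash covers
    public_key: bytes   # opaque key material, compared only for equality here


@dataclass(frozen=True)
class ESSCertIDv2:
    """The two ESSCertIDv2 fields the processing rules depend on."""
    hash_algorithm: str   # hashlib name; "sha256" corresponds to the ASN.1 DEFAULT
    cert_hash: bytes      # certHash


def cert_hash(cert: Certificate, algorithm: str = "sha256") -> bytes:
    """certHash: hash over the entire DER-encoded certificate, signature included."""
    return hashlib.new(algorithm, cert.der).digest()


def make_cert_id(cert: Certificate, algorithm: str = "sha256") -> ESSCertIDv2:
    """What a signer places first in the certs sequence of SigningCertificateV2."""
    return ESSCertIDv2(algorithm, cert_hash(cert, algorithm))


def hashes_match(cid: ESSCertIDv2, cert: Certificate) -> bool:
    """Recompute the hash with the algorithm the attribute names and compare."""
    return hmac.compare_digest(cert_hash(cert, cid.hash_algorithm), cid.cert_hash)


def verify_with_signing_certificate(
    signature_ok: Callable[[Certificate], bool],
    cid: ESSCertIDv2,
    presented: Certificate,
    store: Sequence[Certificate],
) -> Tuple[str, Optional[Certificate]]:
    """Apply the four cases of Section 2 to the certificate the validator tried first.

    signature_ok(cert) stands in for CMS signature verification with cert's key.
    Returns an outcome label and the certificate finally accepted, if any.
    """
    valid = signature_ok(presented)
    match = hashes_match(cid, presented)
    if valid and match:                                   # case 1
        return "success", presented
    if valid and not match:                               # case 2
        # Right key, wrong certificate: look for another certificate carrying
        # the same public key whose hash is the one the signer actually signed.
        for cand in store:
            if cand.public_key == presented.public_key and hashes_match(cid, cand):
                return "success-after-key-search", cand
        return "fail-no-certificate-matches-hash", None
    if match:                                             # case 3 (not valid)
        return "fail-signature-modified", None
    # case 4: find the certificate the attribute names and retry with it
    for cand in store:
        if hashes_match(cid, cand) and signature_ok(cand):
            return "success-after-hash-search", cand
    return "fail-wrong-certificate-or-modified", None


# Constructed sample data. KEY_A is shared by two certificates, which is the
# situation the Security Considerations describe: the original certificate is
# revoked and a new one with the same public key is issued to someone else.
KEY_A, KEY_B = b"public-key-A", b"public-key-B"
CERT_ORIGINAL = Certificate(b"cert:issuer=CA:serial=1:subject=alice", KEY_A)
CERT_REISSUED = Certificate(b"cert:issuer=CA:serial=2:subject=mallory", KEY_A)
CERT_OTHER = Certificate(b"cert:issuer=CA:serial=3:subject=bob", KEY_B)
STORE = [CERT_ORIGINAL, CERT_REISSUED, CERT_OTHER]
SIGNER_ID = make_cert_id(CERT_ORIGINAL)   # the signed attribute names the original


def signed_with_key_a(cert: Certificate) -> bool:
    """Models a signature that verifies under KEY_A and under nothing else."""
    return cert.public_key == KEY_A


def never_verifies(cert: Certificate) -> bool:
    """Models a signature that has been tampered with."""
    return False


def run_all_cases() -> dict:
    """Drive each of the four cases with the sample data."""
    return {
        "case1": verify_with_signing_certificate(signed_with_key_a, SIGNER_ID, CERT_ORIGINAL, STORE)[0],
        "case2": verify_with_signing_certificate(signed_with_key_a, SIGNER_ID, CERT_REISSUED, STORE)[0],
        "case3": verify_with_signing_certificate(never_verifies, SIGNER_ID, CERT_ORIGINAL, STORE)[0],
        "case4": verify_with_signing_certificate(signed_with_key_a, SIGNER_ID, CERT_OTHER, STORE)[0],
    }
```

Case 2 with the re-issued certificate is the substitution the attribute exists to catch: the signature verifies, but the signed hash does not, so the validator ends up at the original certificate or fails if it is not available.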
3.  Insert New Section 5.4.1 'Signing Certificate Attribute Definition
    Version 2'

   5.4.1 Signing Certificate Attribute Definition Version 2

   The signing certificate attribute is designed to prevent the simple
   substitution and re-issue attacks, and to allow for a restricted set
   of certificates to be used in verifying a signature.

   SigningCertificateV2 is identified by the OID:

   skipping to change at page 4, line 27

         member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
         smime(16) id-aa(2) 47 }

   The attribute has the ASN.1 definition:

      SigningCertificateV2 ::=  SEQUENCE {
         certs        SEQUENCE OF ESSCertIDv2,
         policies     SEQUENCE OF PolicyInformation OPTIONAL
      }

   certs
      contains the list of certificates that are to be used in
      validating the message.  The first certificate identified in the
      sequence of certificate identifiers MUST be the certificate used
      to verify the signature.  The encoding of the ESSCertIDv2 for this
      certificate SHOULD include the issuerSerial field.  If other
      constraints ensure that issuerAndSerialNumber will be present in
      the SignerInfo, the issuerSerial field MAY be omitted.  The
      certificate identified is used during the signature verification
      process.  If the hash of the certificate does not match the
      certificate used to verify the signature, the signature MUST be
      considered invalid.

   skipping to change at page 5, line 5

      Certificates can be either attribute certificates (limiting
      authorizations) or public key certificates (limiting path
      validation).  The issuerSerial field (in the ESSCertIDv2
      structure) SHOULD be present for these certificates, unless the
      client who is validating the signature is expected to have easy
      access to all the certificates required for validation.  If only
      the signing certificate is present in the sequence, there are no
      restrictions on the set of certificates used in validating the
      signature.

   policies
      contains a sequence of policy information terms that identify
      those certificate policies that the signer asserts apply to the
      certificate, and under which the certificate should be relied
      upon.  This value suggests a policy value to be used in the
      relying party's certification path validation.  The definition of
      PolicyInformation can be found in [RFC3280].

   If present, the SigningCertificateV2 attribute MUST be a signed
   attribute; it MUST NOT be an unsigned attribute.  CMS defines
   SignedAttributes as a SET OF Attribute.  A SignerInfo MUST NOT
   include multiple instances of the SigningCertificateV2 attribute.
   CMS defines the ASN.1 syntax for the signed attributes to include
   attrValues SET OF AttributeValue.  A SigningCertificateV2 attribute
   MUST include only a single instance of AttributeValue.  There MUST
   NOT be zero or multiple instances of AttributeValue present in the
   attrValues SET OF AttributeValue.
4.  Insert New Section 5.4.1.1 'Certificate Identification Version 2'

   Insert the following text as a new section.

   5.4.1.1 Certificate Identification Version 2

   The best way to identify certificates is an often-discussed issue.
   The ESSCertIDv2 structure supplies two different fields that are used
   for this purpose.

   The hash of the entire certificate allows for a verifier to check

   skipping to change at page 5, line 46

   are frequently used by certificate stores as a method of indexing and
   retrieving certificates as well.  The use of the hash is required by
   this structure since the detection of substituted certificates is
   based on the fact they would map to different hash values.

   The issuer/serial number pair is the method of identification of
   certificates used in [RFC3280].  That document imposes a restriction
   for certificates that the issuer distinguished name must be present.
   The issuer/serial number pair would therefore normally be sufficient
   to identify the correct signing certificate.  (This assumes the same
   issuer name is not reused from the set of trust anchors.)  The
   issuer/serial number pair can be stored in the sid field of the
   SignerInfo object.  However, the sid field is not covered by the
   signature.  In the cases where the issuer/serial number pair is not
   used in the sid or the issuer/serial number pair needs to be signed,
   it SHOULD be placed in the issuerSerial field of the ESSCertIDv2
   structure.

   Attribute certificates and additional public key certificates
   containing information do not have an issuer/serial number pair
   represented anywhere in a SignerInfo object.  When an attribute
   certificate or an additional public key certificate is not included
   in the SignedData object, it becomes much more difficult to get the
   correct set of certificates based only on a hash of the certificate.
   For this reason, these certificates SHOULD be identified by the
   IssuerSerial object.

   This document defines a certificate identifier as:

      ESSCertIDv2 ::=  SEQUENCE {
         hashAlgorithm           AlgorithmIdentifier
                DEFAULT {algorithm id-sha256},
         certHash                Hash,
         issuerSerial            IssuerSerial OPTIONAL
      }

      Hash ::= OCTET STRING

      IssuerSerial ::= SEQUENCE {
         issuer                  GeneralNames,
         serialNumber            CertificateSerialNumber
      }

   The fields of ESSCertIDv2 are defined as follows:

   hashAlgorithm
      contains the identifier of the algorithm used in computing
      certHash.

   certHash
      is computed over the entire DER-encoded certificate (including the
      signature).

   issuerSerial
      holds the identification of the certificate.  The issuerSerial
      would normally be present unless the value can be inferred from
      other information (e.g., the sid field of the SignerInfo object).

   The fields of IssuerSerial are defined as follows:

   issuer
      contains the issuer name of the certificate.  For non-attribute
      certificates, the issuer MUST contain only the issuer name from
      the certificate encoded in the directoryName choice of
      GeneralNames.  For attribute certificates, the issuer MUST contain
      the issuer name field from the attribute certificate.

   serialNumber
      holds the serial number that uniquely identifies the certificate
      for the issuer.
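An added example, not taken from RFC 5035 or from any ESS implementation, that DER-encodes ESSCertIDv2 and IssuerSerial as defined above and reads the hashAlgorithm back, applying the id-sha256 DEFAULT when the field is absent from the encoding. It assumes AlgorithmIdentifier is encoded with parameters absent and that GeneralNames carries a single directoryName; the sample certificate bytes and issuer Name are constructed, and all function names are hypothetical.

```python
import hashlib
from typing import Optional, Tuple

# Dotted OIDs of the two hash algorithms this example understands.
OID_SHA256 = "2.16.840.1.101.3.4.2.1"   # id-sha256: the ASN.1 DEFAULT for hashAlgorithm
OID_SHA1 = "1.3.14.3.2.26"               # id-sha1
HASH_NAMES = {OID_SHA256: "sha256", OID_SHA1: "sha1"}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


OID_BY_DER = {der_oid(oid): oid for oid in HASH_NAMES}   # reverse lookup for decoding


def der_integer(value: int) -> bytes:
    """INTEGER for a non-negative serial number in shortest two's-complement form."""
    if value < 0:
        raise ValueError("CertificateSerialNumber must not be negative")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return der_tlv(0x02, body)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_serial(issuer_name_der: bytes, serial: int) -> bytes:
    """IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber INTEGER }.

    For a public key certificate, issuer carries only the certificate's issuer
    Name in the directoryName choice, tagged [4] EXPLICIT because Name is a CHOICE.
    """
    directory_name = der_tlv(0xA4, issuer_name_der)
    general_names = der_tlv(0x30, directory_name)
    return der_tlv(0x30, general_names + der_integer(serial))


def ess_cert_id_v2(cert_der: bytes, hash_oid: str = OID_SHA256,
                   issuer_name_der: Optional[bytes] = None,
                   serial: Optional[int] = None) -> bytes:
    """ESSCertIDv2 whose certHash covers the entire DER certificate."""
    digest = hashlib.new(HASH_NAMES[hash_oid], cert_der).digest()
    fields = b""
    # DER forbids encoding a component equal to its DEFAULT, so hashAlgorithm
    # is present on the wire only when it is not id-sha256.
    if hash_oid != OID_SHA256:
        fields += der_tlv(0x30, der_oid(hash_oid))   # AlgorithmIdentifier, no parameters
    fields += der_tlv(0x04, digest)                  # certHash (Hash ::= OCTET STRING)
    if issuer_name_der is not None and serial is not None:
        fields += issuer_serial(issuer_name_der, serial)   # issuerSerial OPTIONAL
    return der_tlv(0x30, fields)


def hash_algorithm_of(ess_cert_id_der: bytes) -> str:
    """Report which hash an encoded ESSCertIDv2 uses, applying the DEFAULT if absent."""
    _, body, _ = read_tlv(ess_cert_id_der)
    tag, first, _ = read_tlv(body)
    if tag == 0x04:                 # first component is already certHash
        return OID_SHA256
    return OID_BY_DER[first]        # content of AlgorithmIdentifier is the algorithm OID


# Constructed sample inputs: stand-in certificate bytes and a minimal issuer Name
# (CN=Example CA). Neither is a real certificate.
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded certificate"
ISSUER_NAME_DER = der_tlv(0x30, der_tlv(0x31, der_tlv(
    0x30, der_oid("2.5.4.3") + der_tlv(0x13, b"Example CA"))))
```

A decoder that forgets the DEFAULT rule will misread a SHA-256 identifier whose first component is the OCTET STRING, which is why hash_algorithm_of checks the tag before looking for an AlgorithmIdentifier.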
5.  Insert New Section 5.4.2 'Signing Certificate Attribute Definition
    Version 1'

   (Note: This section does not present new material.  This section
   contains the original contents of Section 5.4 in [ESS], which are
   retained with minor changes in this specification to achieve
   backwards compatibility.)

   Insert the following text as a new section.

   5.4.2 Signing Certificate Attribute Definition Version 1

   The signing certificate attribute is designed to prevent the simple
   substitution and re-issue attacks, and to allow for a restricted set
   of certificates to be used in verifying a signature.

   The definition of SigningCertificate is

   skipping to change at page 8, line 16

      restrictions on the set of certificates used in validating the
      signature.

   The sequence of policy information terms identifies those certificate
   policies that the signer asserts apply to the certificate, and under
   which the certificate should be relied upon.  This value suggests a
   policy value to be used in the relying party's certification path
   validation.

   If present, the SigningCertificate attribute MUST be a signed
   attribute; it MUST NOT be an unsigned attribute.  Cryptographic
   Message Syntax (CMS) defines SignedAttributes as a SET OF Attribute.
   A SignerInfo MUST NOT include multiple instances of the
   SigningCertificate attribute.  CMS defines the ASN.1 syntax for the
   signed attributes to include attrValues SET OF AttributeValue.  A
   SigningCertificate attribute MUST include only a single instance of
   AttributeValue.  There MUST NOT be zero or multiple instances of
   AttributeValue present in the attrValues SET OF AttributeValue.

6.  Insert New Section 5.4.2.1 'Certificate Identification Version 1'

   (Note: This section does not present new material.  This section
   contains the original contents of Section 5.4 in [ESS], which are
   retained with minor changes in this specification to achieve
   backwards compatibility.)

   Delete old Section 5.4.1

   Insert the following as new text

   5.4.2.1 Certificate Identification Version 1

   Certificates are uniquely identified using the information in the
   ESSCertID structure.  Discussion can be found in Section 5.4.1.1.

   This document defines a certificate identifier as:

      ESSCertID ::=  SEQUENCE {
         certHash                Hash,
         issuerSerial            IssuerSerial OPTIONAL
      }

   The fields of ESSCertID are defined as follows:

   certHash
      is computed over the entire DER-encoded certificate (including the
      signature).

   issuerSerial
      holds the identification of the certificate.  This field would
      normally be present unless the value can be inferred from other
      information (e.g., the sid field of the SignerInfo object).

   The fields of IssuerSerial are discussed in Section 5.4.1.1.
7. Security Considerations 7. Security Considerations
This document is designed to address the security issue of a This document is designed to address the security issue of a
substituted certificate used by the validator. If a different substituted certificate used by the validator. If a different
certificate is used by the validator than the signer the validator certificate is used by the validator than the signer, the validator
may not get the correct result. An example of this would be that the may not get the correct result. An example of this would be that the
original certificate was revoked and a new certificate with the same original certificate was revoked and a new certificate with the same
public key was issued for a different individual. Since the issuer/ public key was issued for a different individual. Since the issuer/
serial number field is not protected the attacker could replace this serial number field is not protected, the attacker could replace this
and point to the new certificate and validation would be successful. and point to the new certificate and validation would be successful.
The attributes defined in this document are to be placed in locations The attributes defined in this document are to be placed in locations
that are protected by the signature. This attribute does not provide that are protected by the signature. This attribute does not provide
any additional security if placed in an un-signed or un-authenticated any additional security if placed in an unsigned or un-authenticated
location. location.
The attributes defined in this document permit a signer to select a
hash algorithm to identify a certificate. A poorly selected hash
algorithm may provide inadequate protection against certificate
substitution or result in denial of service for this protection. By
employing the attributes defined in this specification with the same
hash algorithm used for message signing, the sender can ensure that
these attributes provide commensurate security.
Since recipients must support the hash algorithm to verify the
signature, selecting the same hash algorithm also increases the
likelihood that the hash algorithm is supported in the context of
certificate identification. Note that an unsupported hash algorithm
for certificate identification does not preclude validating the
message but does deny the message recipient protection against
certificate substitution.
To ensure that legacy implementations are provided protection against
certificate substitution, clients are permitted to include both
ESScertID and ESScertIDv2 in the same message. Since these
attributes are generated and evaluated independently, the contents
could conceivably be in conflict. Specifically, where a signer has
multiple certificates containing the same public key, the two
attributes could specify different signing certificates. The result
of signature processing may vary depending on which certificate is
used to validate the signature.
Recipients that attempt to evaluate both attributes may choose to
reject such a message.
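Recipient-side handling of the three cases above (unsupported hash, no matching certificate, conflicting ESSCertID and ESSCertIDv2), as an added example that is not part of RFC 5035 or the draft. It assumes the attribute values have already been decoded from the signed attributes and that the candidate certificates are available as DER bytes; the certificate bytes in the test are constructed.

```python
import hashlib

# Added example, not code from RFC 5035: the recipient checks that the
# Security Considerations describe, applied to decoded attribute values.
ID_SHA1 = "1.3.14.3.2.26"
ID_SHA256 = "2.16.840.1.101.3.4.2.1"
ID_SHA384 = "2.16.840.1.101.3.4.2.2"
SUPPORTED = {ID_SHA1: hashlib.sha1, ID_SHA256: hashlib.sha256,
             ID_SHA384: hashlib.sha384}


def match_cert(hash_oid, cert_hash, candidates):
    """Index of the candidate certificate (DER bytes) whose digest under
    hash_oid equals cert_hash, or None when no candidate matches."""
    digest = SUPPORTED[hash_oid]
    for i, der in enumerate(candidates):
        if digest(der).digest() == cert_hash:
            return i
    return None


def check_signing_certificate(ess_cert_id, ess_cert_id_v2, candidates):
    """ess_cert_id: certHash bytes of an ESSCertID (always SHA-1), or None.
    ess_cert_id_v2: (hashAlgorithm OID, certHash bytes), or None.
    candidates: DER certificates that carry the key the signature verified under.
    Returns ("ok", index), ("unprotected", None) when no usable identifier
    is present, or ("reject", reason)."""
    picks = {}
    if ess_cert_id is not None:
        picks["ESSCertID"] = match_cert(ID_SHA1, ess_cert_id, candidates)
    if ess_cert_id_v2 is not None:
        oid, cert_hash = ess_cert_id_v2
        if oid in SUPPORTED:
            picks["ESSCertIDv2"] = match_cert(oid, cert_hash, candidates)
        # Otherwise the hash is unsupported: the message may still be
        # validated, but this attribute gives no substitution protection.
    if not picks:
        return ("unprotected", None)
    for name, idx in picks.items():
        if idx is None:
            return ("reject", f"{name} matches none of the signer's certificates")
    if len(set(picks.values())) > 1:
        # Independently generated attributes that name different certificates.
        return ("reject", "ESSCertID and ESSCertIDv2 identify different certificates")
    return ("ok", next(iter(picks.values())))
```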
8. Normative References 8. Normative References
[ESS] Hoffman, P., "Enhanced Security Services for S/MIME", [ESS] Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999. RFC 2634, June 1999.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC3280] Housley, R., Ford, W., Polk, W., and D. Solo, "Internet [RFC3280] Housley, R., Ford, W., Polk, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280, Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002. April 2002.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004. RFC 3852, July 2004.
[UTF8] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
Replace the ASN.1 module in RFC 2634 with this one. Replace the ASN.1 module in RFC 2634 with this one.
ExtendedSecurityServices-2006 ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006(30) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006(30) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
-- Cryptographic Message Syntax (CMS) [RFC 3852] -- Cryptographic Message Syntax (CMS) [RFC 3852]
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier
FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) us(840) FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
cms-2004(24)} modules(0) cms-2004(24)}
-- PKIX Certificate and CRL Profile, Section A.1 Explicitly Tagged Module -- PKIX Certificate and CRL Profile, Section A.1 Explicitly Tagged Module
-- 1988 Syntax [RFC 3280] -- 1988 Syntax [RFC 3280]
AlgorithmIdentifier, CertificateSerialNumber AlgorithmIdentifier, CertificateSerialNumber
FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
internet(1) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
pkix1-explicit(18) }
-- PKIX Certificate and CRL Profile, Sec A.2 Implicitly Tagged Module, -- PKIX Certificate and CRL Profile, Sec A.2 Implicitly Tagged Module,
-- 1988 Syntax [RFC 3280] -- 1988 Syntax [RFC 3280]
PolicyInformation, CertificateSerialNumber, GeneralNames PolicyInformation, GeneralNames
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19)}; id-pkix1-implicit(19)};
-- Extended Security Services -- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE to -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE to
-- have at least one entry. MAX indicates the upper bound is unspecified. -- have at least one entry. MAX indicates the upper bound is
-- Implementations are free to choose an upper bound that suits their -- unspecified. Implementations are free to choose an upper bound that
-- environment. -- suits their environment.
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-- The contents are formatted as described in [UTF8] -- The contents are formatted as described in [UTF8]
-- Section 2.7 -- Section 2.7
ReceiptRequest ::= SEQUENCE { ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom, receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
} }
ub-receiptsTo INTEGER ::= 16 ub-receiptsTo INTEGER ::= 16
skipping to change at page 18, line 33 skipping to change at page 15, line 37
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1) id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 } smime(16) id-aa(2) 47 }
id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 1 } csor(3) nistalgorithm(4) hashalgs(2) 1 }
ESSCertIDv2 ::= SEQUENCE { ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier hashAlgorithm AlgorithmIdentifier
DEFAULT {algorithm id-sha256 parameters NULL}, DEFAULT {algorithm id-sha256},
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
ESSCertID ::= SEQUENCE { ESSCertID ::= SEQUENCE {
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
Hash ::= OCTET STRING Hash ::= OCTET STRING
IssuerSerial ::= SEQUENCE { IssuerSerial ::= SEQUENCE {
issuer GeneralNames, issuer GeneralNames,
serialNumber CertificateSerialNumber serialNumber CertificateSerialNumber
} }
END END
-- of ExtendedSecurityServices-2006 -- of ExtendedSecurityServices-2006
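A minimal DER encoder and decoder for ESSCertIDv2 with issuerSerial omitted, added here as an example and not code from RFC 5035 or the draft. It shows the consequence of the DEFAULT on hashAlgorithm (DER omits a component equal to its default, so a SHA-256 identifier carries no AlgorithmIdentifier at all) and, following the module above, emits no parameters field when the algorithm is present; the hash OIDs are the real NIST values, the certificate bytes in the test are constructed.

```python
import hashlib

# Added example, not code from RFC 5035 or the draft: hand-rolled DER for
# ESSCertIDv2 { hashAlgorithm DEFAULT sha256, certHash }, issuerSerial omitted.
ID_SHA256 = "2.16.840.1.101.3.4.2.1"
ID_SHA384 = "2.16.840.1.101.3.4.2.2"
HASHES = {ID_SHA256: hashlib.sha256, ID_SHA384: hashlib.sha384}

def _tlv(tag, content):  # DER tag-length-value, definite length form
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _oid(dotted):  # OBJECT IDENTIFIER with base-128 arc encoding
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_ess_cert_id_v2(cert_der, hash_oid=ID_SHA256):
    # DER requires omitting a component equal to its DEFAULT, so the
    # AlgorithmIdentifier appears only for non-SHA-256 hashes; when present it
    # carries no parameters, matching DEFAULT {algorithm id-sha256} above.
    body = b"" if hash_oid == ID_SHA256 else _tlv(0x30, _oid(hash_oid))
    return _tlv(0x30, body + _tlv(0x04, HASHES[hash_oid](cert_der).digest()))

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def decode_ess_cert_id_v2(der):
    # Returns (hash OID, or None if unrecognised, certHash bytes); an absent
    # hashAlgorithm means SHA-256 by the DEFAULT rule.
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "ESSCertIDv2 must be a SEQUENCE"
    hash_oid, pos = ID_SHA256, 0
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x30:  # hashAlgorithm present: AlgorithmIdentifier { OID, params }
        hash_oid = next((o for o in HASHES if val.startswith(_oid(o))), None)
        tag, val, pos = _read_tlv(seq, pos)
    assert tag == 0x04, "certHash must be an OCTET STRING"
    return hash_oid, bytes(val)
```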
Author's Address Author's Address
Jim Schaad Jim Schaad
Soaring Hawk Consulting Soaring Hawk Consulting
PO Box 675 PO Box 675
Gold Bar, WA 98251 Gold Bar, WA 98251
Email: jimsch@exmsft.com EMail: jimsch@exmsft.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
skipping to change at page 20, line 44 skipping to change at line 743
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/