view Side-By-Side changes
Date: Tue, 09 Apr 2002 06:10:18 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Tue, 22 Nov 1994 23:00:00 GMT ETag: "304ba0-f841-2ed277f0" Accept-Ranges: bytes Content-Length: 63553 Connection: close Content-Type: text/plain Network Working GroupSteveS. CrockerINTERNET DRAFT NedRequest For Comments: 1848 CyberCash, Inc. Category: Standards Track N. Freeddraft-ietf-pem-mime-07.txt JimInnosoft International, Inc. J. GalvinSandyS. MurphyNovember 1994 PEMTrusted Information Systems October 1995 MIME Object Security Servicesand MIMEStatus of this Memo This documentisspecifies an InternetDraft. Internet Drafts are working documents ofstandards track protocol for the InternetEngineering Task Force (IETF), its Areas,community, andits Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are valid for a maximum of six monthsrequests discussion andmay be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material orsuggestions for improvements. Please refer tocite them other than as ``work in progress''. To learnthe currentstatusedition ofany Internet Draft, please checkthe1id-abstracts.txt listing contained in one of"Internet Official Protocol Standards" (STD 1) for theInternet Drafts Shadow Directories on ds.internic.net (US East Coast), venera.isi.edu (US West Coast), munnari.oz.au (Pacific Rim), or nic.nordu.net (Europe).standardization state and status of this protocol. Distribution of this memo is unlimited. Abstract This documentspecifies how the services ofdefines MIMEand PEM can be used inObject Security Services (MOSS), acomplementary fashion. MIME, an acronym for "Multipurpose Internet Mail Extensions", defines the format ofprotocol that uses thecontents of Internet mail messages and provides for multi-part textualmultipart/signed andnon-textual message bodies. PEM, an acronym for "Privacy Enhanced Mail", provides message authentication/integritymultipart/encrypted framework [7] to apply digital signature andmessageencryption servicesfor Internet mail messages. An Internet electronic mail message consists of two parts:to MIME objects. The services are offered through theheadersuse of end-to-end cryptography between an originator andthe body. The headers formacollection of field/value pairs structured according to RFC822 [1], whilst the body, if structured, is defined according to MIME [2]. MIME does not provide forrecipient at the application layer. Asymmetric (public key) cryptography is used in support ofsecurity services. Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 1] INTERNET DRAFT PEMthe digital signature service andMIME November 1994 PEM [3-6] specifies how to applyencryptionand authentication/integrity services to the contentskey management. Symmetric (secret key) cryptography is used in support ofa textual electronic mail message but does not provide message structuring or type labelling facilities. This document specifies howthe encryption service. The procedures are intended touse PEMbe compatible with a wide range of public key management approaches, including both ad hoc and certificate-based schemes. Mechanisms are provided to support many public key management approaches. Table of Contents 1. Introduction ............................................. 3 2. Applying MIME Object Security Services ................... 4 2.1 Digital Signature Service ............................... 4 2.1.1 Canonicalization ...................................... 5 2.1.2 Digital Signature Control Information ................. 7 2.1.2.1 Version: ............................................ 8 2.1.2.2 Originator-ID: ...................................... 8 2.1.2.3 MIC-Info: ........................................... 8 2.1.3 application/moss-signature Content Type Definition .... 9 2.1.4 Use of multipart/signed Content Type .................. 10 2.2 Encryption Service ...................................... 11 Crocker, et al Standards Track [Page 1] RFC 1848 MIME Object Security Services October 1995 2.2.1 Encryption Control Information ........................ 12 2.2.1.1 DEK-Info: ........................................... 13 2.2.1.2 Recipient-ID: ....................................... 14 2.2.1.3 Key-Info: ........................................... 14 2.2.2 application/moss-keys Content Type Definition ......... 15 2.2.3 Use of multipart/encrypted Content Type ............... 16 3. Removing MIME Object Security Services ................... 17 3.1 Digital Signature Service ............................... 18 3.1.1 Preparation ........................................... 18 3.1.2 Verification .......................................... 19 3.1.3 Results ............................................... 19 3.2 Encryption Service ...................................... 20 3.2.1 Preparation ........................................... 20 3.2.2 Decryption ............................................ 20 3.2.3 Results ............................................... 21 4. Identifying Originators, Recipients, and Their Keys ...... 21 4.1 Name Forms .............................................. 23 4.1.1 Email Addresses ....................................... 23 4.1.2 Arbitrary Strings ..................................... 23 4.1.3 Distinguished Names ................................... 23 4.2 Identifiers ............................................. 24 4.2.1 Email Address ......................................... 25 4.2.2 Arbitrary String ...................................... 25 4.2.3 Distinguished Name .................................... 26 4.2.4 Public Key ............................................ 26 4.2.5 Issuer Name and Serial Number ......................... 27 5. Key Management Content Types ............................. 27 5.1 application/mosskey-request Content Type Definition ..... 28 5.2 application/mosskey-data Content Type Definition ........ 29 6. Examples ................................................. 31 6.1 Original Message Prepared for Protection ................ 31 6.2 Sign Text of Original Message ........................... 32 6.3 Sign Headers and Text of Original Message ............... 32 6.4 Encrypt Text of a Message ............................... 33 6.5 Encrypt the Signed Text of a Message .................... 35 6.6 Protecting Audio Content ................................ 37 6.6.1 Sign Audio Content .................................... 37 6.6.2 Encrypt Audio Content ................................. 37 7. Observations ............................................. 38 8. Comparison of MOSS and PEM Protocols ..................... 39 9. Security Considerations .................................. 41 10. Acknowledgements ........................................ 41 11. References .............................................. 41 12. Authors' Addresses ...................................... 43 Appendix A: Collected Grammar .............................. 44 Appendix B: Imported Grammar ............................... 47 Crocker, et al Standards Track [Page 2] RFC 1848 MIME Object Security Services October 1995 1. Introduction MIME [2], an acronym for "Multipurpose Internet Mail Extensions", defines the format of the contents of Internet mail messages and provides for multi-part textual and non-textual message bodies. An Internet electronic mail message consists of two parts: the headers and the body. The headers form a collection of field/value pairs structured according to STD 11, RFC 822 [1], whilst the body, if structured, is defined according to MIME. MIME does not provide for the application of security services. PEM [3-6], an acronym for "Privacy Enhanced Mail", defines message encryption and message authentication procedures for text-based electronic mail messages using a certificate-based key management mechanism. The specifications include several features that are easily and more naturally supported by MIME, for example, the transfer encoding operation, the Content-Domain header, and the support services specified by its Part IV [6]. The specification is limited by specifying the application of security services to text messages only. MOSS is based in large part on the PEM protocol as defined by RFC 1421. Many of PEMs features and most of its protocol specification are included here. A comparison of MOSS and PEM may be found in Section 8. In order to make use of the MOSS services, a user (where user is not limited to being a human, e.g., it could be a process or a role) is required to have at least one public/private key pair. The public key must be made available to other users with whom secure communication is desired. The private key must not be disclosed to any other user. An originator's private key is used to digitally sign MIME objects; a recipient would use the originator's public key to verify the digital signature. A recipient's public key is used to encrypt the data encrypting key that is used to encrypt the MIME object; a recipient would use the corresponding private key to decrypt the data encrypting key so that the MIME object can be decrypted. As long as the private keys are protected from disclosure, i.e., the private keys are accessible only to the user to whom they have been assigned, the recipient of a digitally signed message will know from whom the message was sent and the originator of an encrypted message will know that only the intended recipient is able to read it. For assurance, the ownership of the public keys used in verifying digital signatures and encrypting messages should be verified. A stored public key should be protected from modification. Crocker, et al Standards Track [Page 3] RFC 1848 MIME Object Security Services October 1995 The framework defined in [7] provides an embodiment of a MIME object and its digital signature or encryption keys. When used by MOSS the framework provides digital signature and encryption services to single and multi-part textual and non-textual MIME objects. 2. Applying MIME Object Security Services The application of the MOSS digital signature service requires the following components. (1) The data to be signed. (2) The private key of the originator. The data to be signed is prepared according to the description below. The digital signature is created by generating a hash of the data and encrypting the hash value with the private key of the originator. The digital signature, some additional ancillary information described below, and the data are then embodied in a multipart/signed body part. Finally, the multipart/signed body part may be transferred to a recipient or processed further, for example, it may be encrypted. The application of the MOSS encryption service requires the following components. (1) The data to be encrypted. (2) A data encrypting key to encrypt the data. (3) The public key of the recipient. The data to be encrypted is prepared according to the description below. The originator creates a data encrypting key and encrypts the data. The recipient's public key is used to encrypt the data encrypting key. The encrypted data, the encrypted data encrypting key, and some additional ancillary information described below are then embodied in a multipart/encrypted body part, ready to be transferred to a recipient or processed further, for example, it may be signed. The next two sections describe the digital signature and encryption services, respectively, in detail. 2.1. Digital Signature Service The MOSS digital signature service is applied to MIME objects, specifically a MIME body part. The MIME body part is created Crocker, et al Standards Track [Page 4] RFC 1848 MIME Object Security Services October 1995 according to a local convention and then made available to the digital signature service. The following sequence of steps comprises the application of the digital signature service. (1) The body part to be signed must be canonicalized. (2) The digital signature and other control information must be gen- erated. (3) The control information must be embodied in an appropriate MIME content type. (4) The control information body part and the data body part must be embodied in a multipart/signed content type. Each of these steps is described below. 2.1.1. Canonicalization The body part must be converted to a canonical form that is uniquely and unambiguously representable in at least the environment where the digital signature is created and the environment where the digital signature will be verified, i.e., the originator and recipient's environment, respectively. This is required in order to ensure that both the originator and recipient have the same data with which to calculate the digital signature; the originator needs to be able to create the digital signature value while the recipient needs to be able to compare a re-computed value with the received value. If the canonical form is representable on many different host computers, the signed data may be forwarded by recipients to additional recipients, who will also be able to verify the original signature. This service is called forwardable authentication. The canonicalization transformation is a two step process. First, the body part must be converted to a form that is unambiguously representable on as many different host computers as possible. Second, the body part must have its line delimiters converted to a unique and unambiguous representation. The representation chosen to satisfy the first step is 7bit, as defined by MIME; the high order bit of each octet of the data to be Crocker, et al Standards Track [Page 5] RFC 1848 MIME Object Security Services October 1995 signed must be zero. A MIME body part is comprised of two parts: headers and content. Since the headers of body parts are already required to be represented in 7bit, this step does not require changes to the headers. This step requires that if the content is not already 7bit then it must be encoded with an appropriate MIME content transfer encoding and a Content-Transfer-Encoding: header must be added to the headers. For example, if the content to be signed contains 8bit or binary data, the content must be encoded with either the quoted-printable or base64 encoding as defined by MIME. IMPLEMENTORS NOTE: Since the MIME standard explicitly disallows nested content transfer encodings, i.e., the content types multipart and message may not themselves be encoded, the 7bit transformation requires each nested body part to be individually encoded in a 7bit representation. Any valid MIME encoding, e.g., quoted-printable or base64, may be used and, in fact, a different encoding may be used on each of the non-7bit body parts. Representing all content types in a 7bit format transforms them into text-based content types. However, text-based content types present a unique problem. In particular, the line delimiter used for a text-based content type is specific to a local environment; different environments use the single character carriage-return (<CR>), the single character line-feed (<LF>), or the two character sequence "carriage-return line-feed (<CR><LF>)". The application of the digital signature service requires that the same line delimiter be used by both the originator and the recipient. This document specifies that the two character sequence "<CR><LF>" must be used as the line delimiter. Thus, the second step of the canonicalization transformation includes the conversion of the local line delimiter to the two character sequence "<CR><LF>". The conversion to the canonical line delimiter is only required for the purposes of computing the digital signature. Thus, originators must apply the line delimiter conversion before computing the digital signature but must transfer the data without the line delimiter conversion. Similarly, recipients must apply the line delimiter conversion before computing the digital signature. NOTE: An originator can not transfer the content with the line delimiter conversion intact because the conversion process is not idempotent. In particular, SMTP servers may themselves convert the line delimiter to a local line delimiter, prior to the message being delivered to the recipient. Thus, a recipient has no way of knowing if the conversion is present or not. If the recipient applies the conversion to a content in which it is already present, the resulting content may have two line delimiters Crocker, et al Standards Track [Page 6] RFC 1848 MIME Object Security Services October 1995 present, which would cause the verification of the signature to fail. IMPLEMENTORS NOTE: Implementors should be aware that the conversion to a 7bit representation is a function that is required in a minimally compliant MIME user agent. Further, the line delimiter conversion required here is distinct from the same conversion included in that function. Specifically, the line delimiter conversion applied when a body part is converted to a 7bit representation (transfer encoded) is performed prior to the application of the transfer encoding. The line delimiter conversion applied when a body part is signed is performed after the body part is converted to 7bit (transfer encoded). Both line delimiter conversions are required. 2.1.2. Digital Signature Control Information The application of the digital signature service generates control information which includes the digital signature itself. The syntax of the control information is that of a set of RFC 822 headers, except that the folding of header values onto continuation lines is explicitly forbidden. Each header and value pair generated by the digital signature service must be output on exactly one line. The complete set of headers generated by the digital signature service is as follows. Version: indicates which version of the MOSS protocol the remaining headers represent. Originator-ID: indicates the private key used to create the digital signature and the corresponding public key to be used to verify it. MIC-Info: contains the digital signature value. Each invocation of the digital signature service must emit exactly one Version: header and at least one pair of Originator-ID: and MIC- Info: headers. The Version: header must always be emitted first. The Originator-ID: and MIC-Info: headers are always emitted in pairs in the order indicated. This specification allows an originator to generate multiple signatures of the data, presumably with different signature algorithms, and to include them all in the control information. The interpretation of the presence of multiple signatures is outside the scope of this specification except that a MIC-Info: header is always interpreted in the context of the Crocker, et al Standards Track [Page 7] RFC 1848 MIME Object Security Services October 1995 immediately preceding Originator-ID: header. 2.1.2.1. Version: The version header is defined by the grammar token <version> as follows. <version> ::= "Version:" "5" CRLF Its value is constant and MOSS implementations compliant with this specification must recognize only this value and generate an error if any other value is found. 2.1.2.2. Originator-ID: The purpose of the originator header is two-fold: to directly identify the public key to be used to verify the digital signature and to indirectly identify the user who owns both it and its corresponding private key. Typically, a recipient is less interested in the actual public key value, although obviously the recipient needs the value to verify the signature, and more interested in identifying its owner. Thus, the originator header may convey either or both pieces of information: the public key to be used to verify the signature the name of the owner and which of the owner's public keys to use to verify the signature The decision as to what information to place in the value rests entirely with the originator. The suggested value is to include both. Recipients with whom the originator has previously communicated will have to verify that the information presented is consistent with what is already known. New recipients will want all of the information, which they will need to verify prior to storing in their local database. The originator header is defined by the grammar token <origid> as follows. <origid> ::= "Originator-ID:" <id> CRLF The grammar token <id> is defined in Section 4. 2.1.2.3. MIC-Info: The purpose of the Message Integrity Check (MIC) header is to convey the digital signature value. Its value is a comma separated list of Crocker, et al Standards Track [Page 8] RFC 1848 MIME Object Security Services October 1995 three arguments: the hash (or MIC) algorithm identifier, the signature algorithm identifier, and the digital signature. The MIC header is defined by the grammar token <micinfo> as follows. <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> "," <asymsignmic> CRLF The grammar tokens for the MIC algorithms and identifiers (<micalgid>), signature algorithms and identifiers (<ikalgid>), and signed MIC formats (<asymsignmic>) are defined by RFC 1423. They are also reprinted in Appendix B. IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEM protocol, which includes support for symmetric signatures and key management. As a result, some of the grammar tokens defined there, for example, <ikalgid>, will include options that are not legal for this protocol. These options must be ignored and have not been included in the appendix. 2.1.3. application/moss-signature Content Type Definition (1) MIME type name: application (2) MIME subtype name: moss-signature (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient (6) Security considerations: none The "application/moss-signature" content type is used on the second body part of an enclosing multipart/signed. Its content is comprised of the digital signature of the data in the first body part of the enclosing multipart/signed and other control information required to verify that signature, as defined by Section 2.1.2. The label "application/moss-signature" must be used as the value of the protocol parameter of the enclosing multipart/signed; the protocol parameter must be present. Part of the signature verification information will be the Message Integrity Check (MIC) algorithm(s) used during the signature creation process. The MIC algorithm(s) identified in this body part must match the MIC algorithm(s) identified in the micalg parameter of the enclosing multipart/signed. If it does (they do) not, a user agent Crocker, et al Standards Track [Page 9] RFC 1848 MIME Object Security Services October 1995 should identify the discrepancy to a user and it may choose to either halt or continue processing, giving precedence to the algorithm(s) identified in this body part. An application/moss-signature body part is constructed as follows: Content-Type: application/moss-signature <mosssig> where the grammar token <mosssig> is defined as follows. <mosssig> ::= <version> ( 1*<origasymflds> ) <version> ::= "Version:" "5" CRLF <origasymflds> ::= <origid> <micinfo> <origid> ::= "Originator-ID:" <id> CRLF <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> "," <asymsignmic> CRLF The token <id> is defined in Section 4. All other tokens are defined in Section 2.1.2.3. 2.1.4. Use of multipart/signed Content Type The definition of the multipart/signed content type in [7] specifies three steps for creating the body part. (1) The body part to be digitally signed is created according to a local convention, for example, with a text editor or a mail user agent. (2) The body part is prepared for the digital signature service according to the protocol parameter, in this case according to Section 2.1.1. (3) The prepared body part is digitally signed according to the protocol parameter, in this case according to Section 2.1.2. The multipart/signedand multipart/encrypted MIMEcontenttypestype is constructed as follows. Crocker, et al Standards Track [Page 10] RFC 1848 MIME Object Security Services October 1995 (1) The value of its required parameter "protocol" is set toprovide authentication/integrity"application/moss-signature". (2) The signed body part becomes its first body part. (3) Its second body part is labeled "application/moss-signature" andencryption services. We refer tois filled with the control information generated by theauthentication/integrity service as adigital signature service.This document specifies a number(4) The value ofchangesits required parameter "micalg" is set to themessage encryption and signature procedures of PEM and broadens the name forms that may besame value usedto identify public keys. Many of the changes represent a departureinmechanism, notthe MIC-Info: header ineffect. 1. Introduction This document updatesthemessage encryption and signature procedures defined by [3] and replacescontrol information. If there is more than one MIC-Info: header present thekey certification and related services defined by [6]. The changesvalue is set to[3] include the separationa comma separated list of values from theencryption and signature services, the removalMIC-Info headers. The interpretation of thelimitation to enhance only text-based messages, the removalorder of thetransfer encoding operation, the deprecationlist of values is outside theContent-Domain: and Proc-Type: headers, and the separationscope ofcertificate and certificate revocation list transmission from the security enhancements. These changes represent a departure in mechanism, not in effect, and are detailed in Section 8. In addition,thisdocument specifies four technical changes to PEM: symmetric key management in [3]specification. A multipart/signed content type with the MOSS protocol might look as follows: Content-Type: multipart/signed; protocol="application/moss-signature"; micalg="rsa-md5"; boundary="Signed Message" --Signed Message Content-Type: text/plain This isdeprecated,some example text. --Signed Message Content-Type: application/moss-signature Version: 5 Originator-ID: ID-INFORMATION MIC-Info: RSA-MD5,RSA,SIGNATURE-INFORMATION --Signed Message-- where ID-INFORMATION and SIGNATURE-INFORMATION are descriptive of thecanonicalization operationcontent that would appear in[3]a real body part. 2.2. Encryption Service The MOSS encryption service is applied to MIME objects, specifically a MIME body part. The MIME body part isgeneralized,created according to a local convention and then made available to theallowable name forms forencryption service. Crocker, et al Standards Track [Page 11] RFC 1848 MIME Object Security Services October 1995 The following sequence of steps comprises theidentificationapplication ofpublic keys is broadenedthe encryption service. (1) The body part toinclude arbitrary strings and email addresses, and users may distribute their public keys directlybe encrypted must be inlieu of certificates.MIME canonical form. (2) The data encrypting keycertificationandrelated services are replaced by the specification of two newother control information must be generated. (3) The control information must be embodied in an appropriate MIME contenttypes: application/key-request and application/key-data. These new content types are used to transmit requests for key operations (storage, retrieval, certification, revocation list retrieval, etc.)type. (4) The control information body part and theresponses to those requests. These two content types are independentencrypted data bodyparts and are not required topart must beencapsulatedembodied inany other body part. These changes representadeparture in mechanism, not in effect, andmultipart/encrypted content type. The first step is defined by MIME. The latter three steps aredetailed in Section 8. In orderdescribed below. 2.2.1. Encryption Control Information The application of the encryption service generates control information which includes the data encrypting key used tomake useencrypt the data itself. The syntax of thePEM services,control information is that of auserset of RFC 822 headers, except that the folding of header values onto continuation lines isrequired to have at leastexplicitly forbidden. Each header and value pair generated by the encryption service must be output on exactly onepublic/private key pair. Prior to this specification,line. First, the originator must retrieve the public keywas required toof the recipient. The retrieval may beembodied infrom acertificate, an object that Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 2] INTERNET DRAFT PEM and MIME November 1994 bindslocal database or from a remote service. The acquisition of the recipient's public keywith a distinguished name, a name form that identifiedis outside theownerscope of the specification, although Section 5 defines one possible mechanism. With the publickey.key, the originator encrypts the data encrypting key according to the Key-Info: header defined below. Theembodiment was issuedcomplete set of headers generated bya certification authority, a role that was expected to be trustworthy insofar as it verifiedtheidentityencryption service is as follows. Version: indicates which version of theowner prior to issuingMOSS protocol thecertificate. However,remaining headers represent and is defined in Section 2.1.2.1. DEK-Info: indicates thedeployment of certificatesalgorithm and mode used to encrypt thecreation ofdata. Crocker, et al Standards Track [Page 12] RFC 1848 MIME Object Security Services October 1995 Recipient-ID: indicates thehierarchy of certification authorities has been problematic. Instead, this specification basespublic key used to encrypt thePEM services on a public/privatedata encrypting keypair. Eachthat was used to encrypt the data. Key-Info: contains data encrypting key encrypted with the recipient's public key. Each invocation of the encryption service must emit exactly one Version: header, exactly one DEK-Info: header, and at least one pairis required to belong to a user (where user is not limited to being a human, e.g., it could be a process or a role) which has a name. Thereof Recipient-ID: and Key-Info: headers. Headers are3 name forms specified by this document. For backward compatibility (and forward compatibility ifalways emitted in the order indicated. The Recipient-ID: and Key-Info: headers are always emitted in pairs in theX.500 Directory becomes a ubiquitous service)order indicated, one pair for each recipient of thename formsencrypted data. A Key-Info: header is always interpreted in the context of the immediately preceding Recipient-ID: header. IMPLEMENTORS NOTE: Implementors should always generate adistinguished name. In addition, email addressesRecipient-ID: andarbitrary strings are allowed. SinceKey-Info header pair representing the originator of the encrypted data. By doing so, if an originator sends auser may have more than one key pair,message to aname formrecipient that isinsufficient for uniquely identifying a key pair. A unique key selector mustreturned undelivered, the originator will beassignedable toeach key pair.decrypt the message and determine an appropriate course of action based on its content. If not, an originator will not be able to review the message that was sent. 2.2.1.1. DEK-Info: Thecombinationpurpose ofa name formthe data encrypting key information header is to indicate the algorithm and mode used to encrypt the data, along with any cryptographic parameters that may be required, e.g., initialization vectors. Its value is either akey selector uniquely identifiessingle argument indicating the algorithm and mode or akeycomma separated pair of arguments where the second argument carries any cryptographic parameters required by the algorithm andeachmode indicated in the first argument. The data encrypting keypairinformation header isuniquely identifieddefined bya name formthe grammar token <dekinfo> as follows. <dekinfo> ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF The grammar tokens for the encryption algorithm andkey selector combination. Throughout this document, this combination is called an identifier. Theremode identifier (<dekalgid>) and the optional cryptographic parameters (<dekparameters>) are5 identifiers specifieddefined bythis document. NOTE: InRFC 1423. They are also reprinted in Appendix B. Crocker, et al Standards Track [Page 13] RFC 1848 MIME Object Security Services October 1995 2.2.1.2. Recipient-ID: The purpose of the recipient header is to identify the private key that must be used to decrypt thesimplest case,data encrypting keyselectorsthat will beassigned byused to decrypt theowners ofdata. Presumably the recipient owns the private keypairs. This works best when users generate their ownand thus is less interested in identifying the owner of the keypairs for personal use, which they distribute to others asserting by declaration thatand more interested in thepublicprivate keybelongs to them. Whenvalue itself. Nonetheless, theassertion thatrecipient header may convey either or both pieces of information: the public keybelongs to them is made by a third party, for example when a certification authority issues a certificate to a user accordingcorresponding to[4],the private keyselector mayto beassigned by that third party. With a key pair for one's self and software that is both MIME and PEM aware, an originating user may digitally sign arbitrary data and send itused toone or more recipients. Withdecrypt thepublic keys ofdata encrypting key therecipients, a user may encryptname of thedata so that onlyowner and which of theintended recipients canowner's private keys to use to decryptand read it. This specification separates these two services so that an originator may apply either or both, in either order.the data encrypting key Thename forms and identifiers are described in detaildecision as to what information to place in thenext section. Succeeding sections specify how PEM and MIME are used together and other ancillary details. Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 3] INTERNET DRAFT PEM and MIME November 1994 2. Name Forms and Identifiers Currently, [3] requiresvalue rests entirely with theuse of certificatesoriginator. The suggested choice is to include just the public key. However, some recipients may prefer that originators not include their public key. How this preference is conveyed tocreateandreceive PEM messages. Within certificates, [4] requiresmanaged by theuseoriginator is outside the scope ofdistinguished names as specifiedthis specification. The recipient header is defined by theX.500 Seriesgrammar token <recipid> as follows. <recipid> ::= "Recipient-ID:" <id> CRLF The grammar token <id> is defined in Section 4. 2.2.1.3. Key-Info: The purpose ofRecommendations. However, the Internet community has a great deal more experience withtheuse of electronic mail addresses as a name form and therekey information header isa desire to be able to use arbitrary stringstoidentifyconvey theowners of public keys. Hence, thereencrypted data encrypting key. Its value is aneed to support name formscomma separated list of two arguments: the algorithm and mode identifier in whichdo not conform totheexpected usage of distinguished names. When receiving PEM messages itdata encrypting key isnecessary to be able to uniquely identifyencrypted and the encrypted data encrypting key. The keypair used to create the message. A certificate is one mechanism that accomplishes this, since itinformation header isuniquely identifieddefined by thecombination of its issuer's distinguished namegrammar token <asymkeyinfo> as follows. <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF The grammar tokens for the encryption algorithm andits serial number. In any case, anmode identifieris required that consists of both a name form(<ikalgid>) andkey selector. In addition, users may distribute their public keys via mechanisms outsidethescope ofencrypted data encrypting key format (<asymsignmic>) are defined by RFC 1423. They are also reprinted in Appendix B. IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEMspecification,protocol, which includes support forexample, in a file via FTP. Users receiving such keys will probably assign name forms to them to be displayed when receiving messages created with them.symmetric signatures and key Crocker, et al Standards Track [Page 14] RFC 1848 MIME Object Security Services October 1995 management. As a result,it is desirable tosome of the grammar tokens defined there, for example, <ikalgid>, will include options that are not legal for this protocol. These options must beable to explicitly specifyignored and have not been included in thepublic keyappendix. 2.2.2. application/moss-keys Content Type Definition (1) MIME type name: application (2) MIME subtype name: moss-keys (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient (6) Security considerations: none The "application/moss-keys" content type is usedrather than an identifier ofon thepublic key. NOTE: A featurefirst body part of an enclosing multipart/encrypted. Its content is comprised ofbeing able to specifythepublicdata encryption keyexplicitly is that it allows usersused toexchange encrypted, anonymous mail. In particular, receiving users will always know a message comes fromencrypt thesame originating user. The principal objective ofdata in thevarious Originatorsecond body part andRecipient fields specified in [3] isother control information required toidentify which public key has beendecrypt the data, as defined by Section 2.2.1. The label "application/moss-keys" must be usedor is required. This document reducesas thesetvalue offields by specifying exactly two: Originator-ID: for originators and Recipient-ID: for recipients. This specification defines 5 identifiers with whichthepublic key used may be indicated in eachprotocol parameter ofthese fields. Inthenext sectionenclosing multipart/encrypted; the3 name forms are described in detail. Following thatprotocol parameter must be present. An application/moss-keys body part is constructed as follows: Content-Type: application/moss-keys <mosskeys> where thespecification of the 5 identifiers. 2.1. Name Forms There are 3 name forms specified by this document: email addresses, distinguished names, and arbitrary strings. Crocker/Freed/Galvin/Murphy Expires: May 1995<mosskeys> token is defined as follows. <mosskeys> ::= <version> <dekinfo> 1*<recipasymflds> <version> ::= "Version:" "5" CRLF <dekinfo> ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF <recipasymflds> ::= <recipid> <asymkeyinfo> <recipid> ::= "Recipient-ID:" <id> CRLF <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF Crocker, et al Standards Track [Page4] INTERNET DRAFT PEM and15] RFC 1848 MIMENovember 1994 2.1.1. Email AddressesObject Security Services October 1995 Theemail address (grammartoken<emailstr>) used must be a valid RFC822 address, which<id> is defined interms of the two grammar tokens <addr-spec> and <route-addr>.Section 4. Thegrammar for these two tokens is included in the Appendix as a convenience; the definitive source for these tokenstoken <version> isnecessarily RFC822 [1]. <emailstr> ::= <addr-spec> / <route-addr> ; an electronic mail address asdefinedby ; these twoin Section 2.1.2.1. All other tokensfrom RFC822 For example, the strings "crocker@tis.com", "galvin@tis.com", "murphy@tis.com", and "ned@innosoft.com"areall email addresses. 2.1.2. Arbitrary Stringsdefined in Section 2.2.1.3. 2.2.3. Use of multipart/encrypted Content Type Thearbitrary string (grammar token <string>) must have a lengthdefinition ofat least 1. There are no other restrictions onthevalue chosen. <string> ::= ; a non-null sequence of characters For example,multipart/encrypted body part in [7] specifies three steps for creating thestring Jim "the SAAG mailing list maintainer" Galvin is an arbitrary string. 2.1.3. Distinguished Namesbody part. (1) Thedistinguished name (grammar token <dnamestr>) mustbody part to beconstructedencrypted is created according tothe guidelines of the X.500 Directory. The actual syntax of the distinguished name is outside the scope of this specification. However, RFC1422,a local convention, for example,specifies syntactic restrictions based onwith aparticular choice oftext editor or acertification hierarchymail user agent. (2) The body part is prepared forcertificates. For the purposes of conveying a distinguished name from an originatorencryption according toa recipient, itthe protocol parameter, in this case the body part must beASN.1 encoded and then printably encodedin MIME canonical form. (3) The prepared body part is encrypted according to thebase64 encoding defined by MIME. <dnamestr> ::= <encbin> ; a printably encoded, ASN.1 encoded ; distinguished name (as definedprotocol parameter, in this case according to Section 2.2.1. The multipart/encrypted content type is constructed as follows. (1) The value of its required parameter "protocol" is set to "application/moss-keys". (2) The first body part is labeled "application/moss-keys" and is filled with the control information generated by the'Name' ; production specified in X.501) Crocker/Freed/Galvin/Murphy Expires: May 1995encryption service. (3) The encrypted body part becomes the content of its second body part, which is labeled "application/octet-stream". A multipart/encrypted content type with the MOSS protocol might look as follows: Crocker, et al Standards Track [Page5] INTERNET DRAFT PEM and16] RFC 1848 MIMENovember 1994 For example, /Country Name=US /State or Province Name=MD /Organization Name=Trusted Information Systems /Organizational Unit Name=Glenwood /Common Name=James M. Galvin/ is a distinguished name in a user friendly format (line breaksObject Security Services October 1995 Content-Type: multipart/encrypted; protocol="application/moss-keys"; boundary="Encrypted Message" --Encrypted Message Content-Type: application/moss-keys Version: 5 DEK-Info: DES-CBC,DEK-INFORMATION Recipient-ID: ID-INFORMATION Key-Info: RSA,KEY-INFORMATION --Encrypted Message Content-Type: application/octet-stream ENCRYPTED-DATA --Encrypted Message-- where DEK-INFORMATION, ID-INFORMATION, andleading spaces present only to improve readability). When encoded, itKEY-INFORMATION are descriptive of the content that would appearas follows (line breaks present only to improve readability): MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3RlZCBJ bmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1UEAxMP SmFtZXMgTS4gR2Fsdmlu 2.2. Identifiers There are 5 typesin a real body part. 3. Removing MIME Object Security Services The verification ofidentifiers specified by this document: email address identifiers, arbitrary string identifiers, distinguished name identifiers,thepublic keys themselves,MOSS digital signature service requires the following components. (1) A recipient to verify the digital signature. (2) A multipart/signed body part with two body parts: the signed data andissuer name serial number pairs from a certificate. Allthe control information. (3) The public key ofthese have approximatelythesame structure (except issuer name and serial number which has 'TYPE, STRING, KEYSEL' for historical reasons): TYPE, KEYSEL, STRINGoriginator. TheTYPE field is a literal string, one for eachsigned data and control information of thepossible identifiers.enclosing multipart/signed are prepared according to the description below. TheKEYSEL fielddigital signature isused to distinguish betweenverified by re-computing themultiple public keys that may be associated withhash of thename form indata, decrypting theSTRING field. Its value must be distinct from all other KEYSELs assigned by whomever assigned this KEYSEL. A suggestedhash value in the control information with the originator's public key, and comparing the two hash values. If the two hash values are equal, the signature isto use a portion (low-order 16 or 32 bits) or allvalid. The decryption of theactual publicMOSS encryption service requires the following components. Crocker, et al Standards Track [Page 17] RFC 1848 MIME Object Security Services October 1995 (1) A recipient to decrypt the data. (2) A multipart/encrypted body part with two body parts: the encrypted data and the control information. (3) The private keyused.of the recipient. TheSTRING fieldencrypted data and control information of the enclosing multipart/encrypted are prepared according to the description below. The data encrypting key is decrypted with thename formrecipient's private key andhas a different syntax accordingused to decrypt thevalue ofdata. The next two sections describe the digital signature and encryption services in detail, respectively. 3.1. Digital Signature Service This section describes the processing steps necessary to verify theTYPE field.MOSS digital signature service. Theidentifier used in eachdefinition of theoriginatormultipart/signed body part in [7] specifies three steps for receiving it. (1) The digitally signed body part andrecipient fields is described bythefollowing grammar.control information body part are prepared for processing. (2) Thedefinition ofprepared body parts are made available to thekey selector token is included here since it used by severaldigital signature verification process. (3) The results of theidentifiers Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 6] INTERNET DRAFT PEMdigital signature verification process are made available to the user andMIME November 1994 below. <id> ::= <id-email> / <id-string> / <id-dname> / <id-publickey> / <id-issuer> <keysel> ::= <encbin> ; a printably encoded non-null sequence of octetsprocessing continues with the digitally signed body part, as returned by the digital signature verification process. Each ofthe identifier name formsthese steps is described below.2.2.1. Email Address3.1.1. Preparation Theemail address identifier hasdigitally signed body part (the data) and thefollowing syntax. <id-email> ::= "EN" "," <keysel> "," <emailstr> CRLF The syntax ofcontrol information body part are separated from thetoken <emailstr>enclosing multipart/signed body part. Crocker, et al Standards Track [Page 18] RFC 1848 MIME Object Security Services October 1995 The control information isdefined in Section 2.1.1. 2.2.2. Arbitrary Stringprepared by removing any content transfer encodings that may be present. Thearbitrary string identifier hasdigitally signed body part is prepared by leaving thefollowing syntax. <id-string> ::= "STR" "," <keysel> "," <string> CRLF The syntax ofcontent transfer encodings intact and canonicalizing thetoken <string> is defined inline delimiters according to Step 2 of Section2.1.2. 2.2.3. Distinguished Name The distinguished name identifier has2.1.1. 3.1.2. Verification First, the recipient must obtain thefollowing syntax. <id-dname> ::= "DN" "," <keysel> "," <dnamestr> CRLF The syntaxpublic key of thetoken <dnamestr> is defined in Section 2.1.3. 2.2.4. Public Keyoriginator. The public keyidentifier hasmay be contained in the control information or it may be necessary for the recipient to retrieve thefollowing syntax. Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 7] INTERNET DRAFT PEM and MIME November 1994 <id-publickey> ::= "PK" "," <publickey> [ "," <id-subset> ] CRLF <publickey> ::= <encbin> ; a printably encoded, ASN.1 encodedpublic key(as ; defined by the 'SubjectPublicKeyInfo' production ; specifiedbased on information present inX.509) <id-subset> ::= <id-email> / <id-string> / <id-dname>the control information. Theobject subjectPublicKeyInfo is importedretrieval may be fromthe X.500 Directorya local database or from a remote service. The acquisition of thecertificate object. Itoriginator's public key iscurrentlyoutside the scope of the specification, although Section 5 defines one possible mechanism. With thebest choice for a general purposepublickey encoding. In normal usage,key, thetoken <id-subset>recipient decrypts the hash value contained in the control information. Then, a new hash value isexpectedcomputed over the body part purported tobe absent. When present, it represents a mechanism by whichhave been digitally signed. Finally, the two hash values are compared to determine the accuracy of the digital signature. 3.1.3. Results There are two required components of the results of the verification process. The first is anidentifier (name form and key selector) can be associated withindication as to whether a publickey. Recipientskey could be found that allows the hash values in the previous step to compare equal. Such an indication verifies only that the data received is the same data that was digitally signed. The second indication identifies the owner ofathe public keyidentifierwho is presumably the holder of the private key that created the digital signature. The indication musttake careinclude a testament as toverifythe accuracy of thepurported association. If not, it may be possible forowner identification. At issue is amalicious originator to assert an identifier that accordsrecipient knowing who created theoriginator unauthorized privileges. See Section 5.2digital signature. In order formore details. 2.2.5. Issuer Name and Serial Number The issuerthe recipient to know with certainty who digitally signed the message, the binding between the owner's name andserial number identifier hasthefollowing syntax. <id-issuer> ::= "IS" "," <dnamestr> "," <serial> CRLF <serial> ::= 1*<hexchar> ; hex dump ofpublic key must have been verified by theserial numberrecipient prior to the verification ofa certificatethe digital signature. The<id-issuer> identifier is included for backward compatibility (and forward compatibility if X.500 Directory certificates become ubiquitously available) withverification of theID-ASymmetric fields definedbinding may have been completed offline and stored in[3]. Its syntax was chosen such thata trusted, local database or, if theolder fieldsowner's name and public key areeasily convertedembodied in a certificate, it may be possible tothis new form by prefixing the old value with "IS," and replacing the field name with an appropriate new ID field name. 3. Applying PEMcomplete it in realtime. See Section 5 for more information. Crocker, et al Standards Track [Page 19] RFC 1848 MIME Object Security Servicesto MIME Body Parts The nextOctober 1995 3.2. Encryption Service This section describes the processing steps necessary toprepare a MIME body part for the application of PEM security services. The succeeding two sections describe the content of the multipart/signed and multipart/encrypted body parts resulting fromdecrypt theapplication of PEM Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 8] INTERNET DRAFT PEM and MIME November 1994 security services to MIME body parts. 3.1. PEM Processing StepsMOSS encryption service. The definition of themultipart/signed andmultipart/encrypted bodypartspart in [7] specifies threesteps for creating both body parts.steps for receiving it. (1) The encrypted body partto be protected is created according to a local convention. (2) Theand the control information body partisare prepared forprotection according to the protocol parameter. (3)processing. (2) The prepared bodypart is protected according to the protocol parameter. This specification makes no changesparts are made available tostep one inthesequence. For step two, there is no preparation necessary fordecryption process. (3) The results of theencryption service. Fordecryption process are made available to thedigital signature service,user and processing continues with the decrypted bodypart must be canonicalizedpart, asdescribed below. This specification makes no changes to step three in the sequence. Prior toreturned by theapplicationdecryption process. Each ofthe digital signature service, thethese steps is described below. 3.2.1. Preparation The encrypted body partmust be in a canonical form. Transforming(the data) and the control information body partto be signed into a canonical form is a necessary and essential step inare separated from thedigital signature process.enclosing multipart/encrypted body part. Thecanonical form must satisfybody parts are prepared for thepropertydecryption process by removing any content transfer encodings thatit is uniquely and unambiguously representablemay be present. 3.2.2. Decryption First, the recipient must locate the encrypted data encrypting key inboththeoriginator and recipient's local environment. Thiscontrol information. Each Recipient-ID: header isrequiredchecked in order toensure that bothsee if it identifies theoriginator andrecipienthaveor a public key of the recipient. If it does, the immediately following Key-Info: header will contain thesamedata encrypting key encrypted withwhich to calculatethedigital signature;public key of theoriginator needs to be ablerecipient. The recipient must use the corresponding private key toincludedecrypt thedigital signature value when transferringdata encrypting key. The data is decrypted with the data encrypting key. The decrypted data will be a MIME object, a body part,while the recipient needsready to be processed by a MIME agent. Crocker, et al Standards Track [Page 20] RFC 1848 MIME Object Security Services October 1995 3.2.3. Results If the recipient is able tocomparelocate and decrypt are-computed value withdata encrypting key, from thereceived value. Further,point of view of MOSS thecanonical formdecryption shouldsatisfy the property that it is representable on as many different host computers as possible. By satisfying this property, signed data maybeforwarded by recipientsconsidered successful. An indication of the owner of the private key used toadditional recipients, who will alsodecrypt the data encrypting key must beablemade available toverifytheoriginal signature. This service is called forwardable authentication. The canonicalization transformationuser. Ultimately, the success of the decryption is dependent on the ability of atwo step process. First,MIME agent to continue processing with the decrypted bodypart must be convertedpart. 4. Identifying Originators, Recipients, and Their Keys In the PEM specifications, public keys are required to be embodied in certificates, an object that binds each public key with a distinguished name. A distinguished name is a name form that identifies the owner of the public key. The embodiment is issued by a certification authority, a role that isuniquely and unambiguously representable on as many different host computersexpected to be trustworthy insofar aspossible. Second,thebody part mustcertification authority would haveits line delimiters convertedprocedures toa unique and unambigous representationverify the identity of the owner prior tocomputingissuing the certificate. In MOSS, a user is not required to have a certificate. The MOSS services require that the user have at least one public/private key pair. The MOSS protocol requires the digital signature andpriorencryption services to emit Originator-ID: and Recipient-ID: headers, as appropriate. In the discussion above the actual value of these headers was omitted, having been relegated to this section. Although the value of eachverificationof these headers serves a distinct purpose, for simplicity thedigital signature. Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 9] INTERNET DRAFT PEMsingle grammar token <id> represents the value that may be assigned to either header. One possible value for the Originator-ID: andMIME November 1994 The representation of all body parts inRecipient-ID: headers is thefirst steppublic key values themselves. However, while it isspecified totrue that the public keys alone could be7bit, as definedexchanged and used by[2]. Sinceusers to communicate, theheadersvalues are, in fact, large and cumbersome. In addition, public keys would appear as a random sequence ofbody parts are already required tocharacters and, as a result, would not berepresentable in 7bit, this step requiresimmediately consumable by human users. NOTE: It should be pointed out thatif the dataa feature of being able tobe signedspecify the public key explicitly isnot already 7bit thenthat itmust be encoded with an appropriate MIME content transfer encoding. Note: sinceallows users to exchange encrypted, anonymous mail. In particular, receiving users will always know a message comes from theMIME standard explicitly disallows nested content transfer encodings, i.e.,same originating user even if thecontent types multipart and message may not themselves be encoded, body parts enclosed within,real identity of the originating user is unknown. Recognizing that the use of public keys is, in general, unsuitable forexample, a multipart content type must be encodeduse by humans, MOSS allows other identifiers in Originator-ID: and Recipient-ID: headers. These other identifiers are comprised of two parts: a7bit representation. Any validname form and a key selector. Crocker, et al Standards Track [Page 21] RFC 1848 MIMEencoding may be selected for encodingObject Security Services October 1995 The name form is chosen and asserted by thecontent of each ofuser who owns thenon-7bit body parts. As may be requiredpublic/private key pair. Three name forms are specified byMIME, an appropriate Content-Transfer-Encoding: headerthis document. The use of a distinguished name isadded and includedretained for compatibility with PEM (and compatibility with thedata to be signed. Upon receipt,X.500 Directory should it become aMIME implementation would verifyubiquitous service). However, thesignatureInternet community has a great deal of experience with thedata prioruse of electronic mail addresses as a name form. Also, arbitrary strings are useful todecodingidentify thedataowners of public keys when private name forms are used. Hence, email addresses anddisplaying it to the recipient. Representing all complex content typesarbitrary strings are included as7bit transforms them into text-based content types. However, text-based content types presentname forms to increase flexibility. Since aunique problem. In particular,user may have more than one public key and may wish to use theline delimiter usedsame name form for each public key, atext-based content typename form isspecific toinsufficient for uniquely identifying alocal environment; different environments use the single character carriage-return (<CR>), the single character line-feed (<LF>), or the two character sequence "carriage-return line- feed (<CR><LF>)".public key. A unique "key selector" must be assigned to each public key. Theapplicationcombination ofthe digital signature service requires that the same line delimiter be used by both the originatora name form and therecipient. This document specifies that the two character sequence "<CR><LF>" must be used as the line delimiter. Thus, the second step ofkey selector uniquely identifies a public key. Throughout this document, this combination is called an identifier. There are 5 identifiers specified by this document. NOTE: In thecanonicalization transformation includessimplest case, key selectors will be assigned by theconversionowners of thelocal line delimiterpublic/private key pairs. This works best when users generate their own key pairs for personal use, from which they distribute their public key to others asserting by declaration that thetwo character sequence "<CR><LF>". The conversionpublic key belongs to them. When thecanonical line delimiter is only required for the purposes of computing the digital signature. Thus, originators must apply the line delimiter conversion before computing the digital signature but must transfer the data without the line delimiter conversion. Similarly, recipients must apply the line delimiter conversion before computing the digital signature. NOTE: An originator can not transfer the content with the line delimiter conversion intact because the conversion process is not idempotent. In particular, SMTP servers may themselves convertassertion that theline delimiterpublic key belongs to them is made by alocal line delimiter, priorthird party, for example when a certification authority issues a certificate tothe message being delivereda user according to [4], theuser. Thus, a recipient has no waykey selector may be assigned by that third party. The value ofknowing if the conversion is present or not. Thus, if the recipient appliestheconversionkey selector must be unique with respect toa content inthe name form with which itis Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 10] INTERNET DRAFT PEM and MIME November 1994 already present,forms an identifier. Although theresulting contentsame key selector value mayhavebe used by more than one name form it must not be used for twoline delimiters present, which would causedifferent keys with theverification ofsame name form. When considered separately, neither a name form nor a key selector is sufficient for identifying thesignaturepublic key tofail. IMPLEMENTORS NOTE: Implementors shouldbeaware that the conversionused. Either could be used to determine a7bit representation is a functionset of public keys thatis available in a minimally compliant MIME user agent. Further, the line delimiter conversion required here is distinct from the same conversion includedmay be tried inthat function. Specifically,turn until theline delimiter conversion applied when a body partdesired public key isconverted toidentified. With a7bit representationpublic/private key pair for one's self and software that isperformed priorMOSS aware, an originating user may digitally sign arbitrary data and send it toapplication of the transfer encoding. The line delimiter conversion applied when a body part is signed is performed afterone or more recipients. With thebody is converted to 7bit. 3.2. Usepublic keys ofmultipart/signed Content Type Using this content type requiresthespecification ofrecipients, acontrol information content type, the label of which is used asuser may encrypt thevalue fordata so that only therequired protocol parameter. Section 3.4 definesintended recipients can decrypt and read it. With thecontrol information content type of application/pem-signature. The value ofname forms assigned to therequired parameter "protocol" is "application/pem-signature"public keys, originators and recipients can easily recognize their peers in a communication. In thevalue of the required parameter "micalg" is one ofnext section thevalid choices from [5], for example: Content-Type: multipart/signed; protocol="application/pem-signature"; micalg="rsa-md5"; boundary="Signed Message" --Signed Message Content-Type: text/plain This is some example text. --Signed Message Content-Type: application/pem-signature SIGNATURE INFORMATION --Signed Message-- where SIGNATURE INFORMATION3 name forms are described in detail. Following that isdescriptivethe specification of thecontent that would appear in a real body part. Crocker/Freed/Galvin/Murphy Expires: May 19955 identifiers. Crocker, et al Standards Track [Page11] INTERNET DRAFT PEM and22] RFC 1848 MIMENovember 1994 3.3. Use of multipart/encrypted Content Type UsingObject Security Services October 1995 4.1. Name Forms There are 3 name forms specified by thiscontent type requires the specification ofdocument: email addresses, distinguished names, and arbitrary strings. 4.1.1. Email Addresses The email address (grammar token <emailstr>) used must be acontrol information content type, the label ofvalid RFC822 address, which isused as the value for the required protocol parameter. Section 3.5 defines the control information content typedefined in terms ofapplication/pem-keys. The valueone of therequired parameter "protocol" is "application/pem-keys",two grammar tokens <addr-spec> or <route-addr>. The grammar forexample: Content-Type: multipart/encrypted; protocol="application/pem-keys"; boundary="Encrypted Message" --Encrypted Message Content-Type: application/pem-keys KEY DATA --Encrypted Message Content-Type: application/octet-stream ENCRYPTED DATA WOULD BE HERE --Encrypted Message-- 3.4. application/pem-signature Content Type Definition (1) MIME type name: application (2) MIME subtype name: pem-signature (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient (6) Security considerations: none This content typethese two tokens isused onincluded in thesecond body part of an enclosing multipart/signed whenAppendix as a convenience; theprotocol used is PEM. Itdefinitive source for these tokens iscomprisednecessarily RFC822 [1]. <emailstr> ::= <addr-spec> / <route-addr> ; an electronic mail address as defined by ; one of these two tokens from RFC822 For example, thedigital signaturestrings "crocker@tis.com", "galvin@tis.com", "murphy@tis.com", and "ned@innosoft.com" are all email addresses. 4.1.2. Arbitrary Strings The arbitrary string (grammar token <string>) must have a length of at least 1. There are no other restrictions on the value chosen. <string> ::= ; a non-null sequence of characters For example, thedata, whichstring the SAAG mailing list maintainer is an arbitrary string. 4.1.3. Distinguished Names The distinguished name (grammar token <dnamestr>) must be constructed according to thefirst body partguidelines of theenclosing multipart/signed, and the information required to verify that signature.X.500 Directory. Thelabel application/pem-signatureactual syntax of the distinguished name isused asoutside thevaluescope ofthe protocol parameterthis specification. However, RFC1422, for example, specifies syntactic restrictions based on its choice ofthe enclosing multipart/signed. It is an errora certification hierarchy for certificates. For theprotocol parameter to be missingpurposes of conveying a distinguished name fromthe enclosing multipart/signed body part or for its valuean originator to a recipient, it must bedifferent from Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 12] INTERNET DRAFT PEMASN.1 encoded andMIME November 1994 application/pem-signature when this body part is used. Included in the signature verification information will bethen printably encoded according to theMessage Integrity Check (MIC) algorithm used duringbase64 encoding defined by MIME. Crocker, et al Standards Track [Page 23] RFC 1848 MIME Object Security Services October 1995 <dnamestr> ::= <encbin> ; a printably encoded, ASN.1 encoded ; distinguished name (as defined by thesignature creation process. The MIC algorithm identified'Name' ; production specified inthis body part must match the MIC algorithm identifiedX.501 [8]) For example, /Country Name=US /State or Province Name=MD /Organization Name=Trusted Information Systems /Organizational Unit Name=Glenwood /Common Name=James M. Galvin/ is a distinguished name in a user friendly format (line breaks and leading spaces present only to improve readability). When encoded, it would appear as follows (line breaks present only to improve readability): MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3RlZCBJ bmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1UEAxMP SmFtZXMgTS4gR2Fsdmlu 4.2. Identifiers There are 5 types of identifiers specified by this document: email address identifiers arbitrary string identifiers distinguished name identifiers themicalg parameterpublic keys themselves issuer name serial number pairs from a certificate All of these have approximately theenclosing multipart/signed. If it does not,same structure (except issuer name and serial number which has 'TYPE, STRING, KEYSEL' for historical reasons): TYPE, KEYSEL, STRING The TYPE field is auser agent should identifyliteral string chosen from thediscrepancy to a userset "EN", "STR", "DN", "PK", andmay choose to either halt or continue processing, giving precedence to the algorithm identified in this body part. An application/pem-signature body part is constructed as follows: Content-Type: application/pem-signature <pemsig> where"IS", one for each of the<pemsig> token is defined as follows. <pemsig> ::= <version> ( 1*<origasymflds> ) <version> ::= "Version:" "5" CRLF <origasymflds> ::= <origid> <micinfo> <origid> ::= "Originator-ID:" <id> CRLFpossible identifiers. Thetoken <id>KEYSEL field isdefinedused to distinguish between the multiple public keys that may be associated with the name form inSection 2.2. 3.5. application/pem-keys Content Type Definition (1) MIME type name: application (2)the STRING field. Its value must be unique with respect to all other key selectors used Crocker, et al Standards Track [Page 24] RFC 1848 MIMEsubtype name: pem-keys (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient (6)Object Securityconsiderations: none Crocker/Freed/Galvin/Murphy Expires: MayServices October 1995[Page 13] INTERNET DRAFT PEM and MIME November 1994 This content type is used onwith thefirst body part of an enclosing multipart/encrypted. It is comprisedsame name form. An example would be to use a portion (low- order 16 or 32 bits) or all of thedata encryptionactual public keyusedused. The STRING field is the name form and has a different syntax according toencryptthedata, locatedvalue of the TYPE field. The identifier used inthe second body parteach of theenclosing multipart/encrypted,originator and recipient fields is described by theinformation required to perform the decryption.following grammar. Thelabel application/pem-keysdefinition of the key selector token is included here since it usedas the valueby several of theprotocol parameteridentifiers below. <id> ::= <id-email> / <id-string> / <id-dname> / <id-publickey> / <id-issuer> <keysel> ::= 1*<hexchar> ; hex dump of a non-null sequence of octets Each of theenclosing multipart/encrypted. Itidentifier name forms isan error fordescribed below. 4.2.1. Email Address The email address identifier has theprotocol parameter to be missing infollowing syntax. <id-email> ::= "EN" "," <keysel> "," <emailstr> CRLF The syntax of theenclosing multipart/encrypted body part or for its value to be different from application/pem-keys when this body parttoken <emailstr> isused. An application/pem-keys body partdefined in Section 4.1.1. For example: EN,1,galvin@tis.com isconstructed as follows: Content-Type: application/pem-keys <pemkeys> wherean email address identifier. 4.2.2. Arbitrary String The arbitrary string identifier has the following syntax. <id-string> ::= "STR" "," <keysel> "," <string> CRLF The syntax of the<pemkeys>token <string> is definedas follows. <pemkeys> ::= <version> <dekinfo> 1*<recipasymflds> <version> ::= "Version:" "5" CRLF <recipasymflds> ::= <recipid> <asymkeyinfo> <recipid>in Section 4.1.2. For example: STR,1,The SAAG mailing list maintainer is an arbitrary string identifier. Crocker, et al Standards Track [Page 25] RFC 1848 MIME Object Security Services October 1995 4.2.3. Distinguished Name The distinguished name identifier has the following syntax. <id-dname> ::="Recipient-ID:" <id>"DN" "," <keysel> "," <dnamestr> CRLF<asymkeyinfo>The syntax of the token <dnamestr> is defined in Section 4.1.3. For example (line breaks present only to improve readability): DN,1,MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3R lZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1U EAxMPSmFtZXMgTS4gR2Fsdmlu is a distinguished name identifier. 4.2.4. Public Key The public key identifier has the following syntax. <id-publickey> ::="Key-Info" ":" <ikalgid>"PK" ","<asymencdek><publickey> [ "," <id-subset> ] CRLFThe token <id> is<publickey> ::= <encbin> ; a printably encoded, ASN.1 encoded public ; key (as defined by the ; 'SubjectPublicKeyInfo' production specified ; inSection 2.2. 4. Removing PEM Security ServicesX.509 [9]) <id-subset> ::= <id-email> / <id-string> / <id-dname> The production SubjectPublicKeyInfo is imported fromPEM Body Parts This section describestheprocessing steps necessaryX.500 Directory from the certificate object. It is currently the best choice for a general purpose public key encoding. For example, (line breaks present only toverify or decryptimprove readability): PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG 4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn 0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB is a public key identifier without thePEM security services that have been appliedoptional <id-subset>. In normal usage, the token <id-subset> is expected toMIME body parts. Outer layers of PEM security services mustbeprocessed prior to processing inner layerspresent. It represents a mechanism by which an identifier (name form and key selector) can be associated with a public key. Recipients ofPEM security services. Processing includesauser choosingpublic key identifier must take care todisplay a content without removingverify thePEM security services. The definitionaccuracy of themultipart/signed and multipart/encrypted body parts in [7] specifies three stepspurported association. If they do not, it may be possible forreceiving both body parts. Crocker/Freed/Galvin/Murphy Expires: May 1995a malicious originator to assert an identifier that accords the Crocker, et al Standards Track [Page14] INTERNET DRAFT PEM and26] RFC 1848 MIMENovember 1994 (1)Object Security Services October 1995 originator unauthorized privileges. See Section 5.2 for more details. For example, (line breaks present only to improve readability): PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG 4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn 0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin@tis.com is a public key identifier with the optional <id-subset>. 4.2.5. Issuer Name and Serial Number The issuer name and serial number identifier has the following syntax. <id-issuer> ::= "IS" "," <dnamestr> "," <serial> CRLF <serial> ::= 1*<hexchar> ; hex dump of a certificate serial number Theprotected body part and the control information body part are prepared<id-issuer> identifier is included forprocessing. (2) The prepared body parts are made available tocompatibility with theprotection removal process. (3) The results ofID-ASymmetric fields defined in [3] (and compatibility with X.500 Directory certificates should they become ubiquitously available). Its syntax was chosen such that theprotection removal processolder fields aremade availableeasily converted to this new form by prefixing theuser and processing continuesold value with "IS" (and replacing theunprotected body part, as returned by the protection removal process.field name of [3] with an appropriate new ID field name). Forstep one, the preparation for digitally signed and encrypted body parts is different, as described below. No changes are requiredexample, (line breaks present only tosteps two and three in the sequence. For multipart/signed body parts, the control information is prepared by removing any content transfer encodings that may be present. The digitally signed body partimprove readability): IS,MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3 RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02 isprepared by leaving the content transfer encodings intactan issuer name andconverting the line delimitersserial number identifier according toStep 2 of Section 3.1. Multipart/encrypted body parts are prepared by removing the content transfer encodings, if present, from both the control informationMOSS, while MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3 RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02 is an issuer name andthe encrypted body part.serial number identifier according to PEM. 5. Key Management Content Types This document defines two key managementcontent types,content types: one for requesting cryptographic key material and one for sending cryptographic key material. Since MOSS depends only on the existence of public/private key pairs, these content types provide a means for conveying public keys and an assertion as to the identity of the owner. In addition, in order to be compatible with the certificate- Crocker, et al Standards Track [Page 27] RFC 1848 MIME Object Security Services October 1995 base key management system proposed by RFC 1422, thecontents of which comprise a replacement mechanism for those defined in [6]. The firstcontenttype is application/pemkey-request, which replaces the certificationtypes may also be used to convey certificate andCRL-retrieval request messages.certificate revocation list material. Thesecond content type is application/pemkey-data, which replaces the certification reply message, the crl-storage request message, and the crl-retrieval reply message. Therefunctions defined here areno requirements forbased on the exchange of body parts. In particular, a user would send acrl-storage replymessageand none are specified in this document. This document includescontaining at least one application/mosskey-request content, as defined below. In response, aspecificationuser would expect to receive a message containing at least one application/mosskey-data content, as defined below. MIME provides a convenient framework for apublic key and certificateuser to send several requestmessage, which were previously undefined.body parts and to receive several data (response) body parts in one message. 5.1.application/pemkey-requestapplication/mosskey-request Content Type Definition (1) MIME type name: application (2) MIME subtype name:pemkey-requestmosskey-request (3) Required parameters: noneCrocker/Freed/Galvin/Murphy Expires: May 1995 [Page 15] INTERNET DRAFT PEM and MIME November 1994(4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient (6) Security Considerations: none The content of this body part corresponds to the following production. <request> ::= <version> ( <subject> / <issuer> / <certification> ) <version> ::= "Version:" "5" CRLF <subject> ::= "Subject:" <id> CRLF <issuer> ::= "Issuer:" <id> CRLF <certification> ::= "Certification:" <encbin> CRLFThisA user would use this content typeis usedtoprovide for some of the request messages described in [6].specify needed cryptographic key information. Theinformation inmessage containing this content type might be directed towards an automatic or manual responder, which may be mail-based, depending on the local implementation and environment. The application/mosskey-request content type is an independent body part because it is entirely independent of any other body part.As such, the application/pemkey- request content type is an independent body part. The certification request, certificate-retrieval request and crl- retrieval request are provided for directly.Crocker, et al Standards Track [Page 28] RFC 1848 MIME Object Security Services October 1995 If the application/mosskey-request content contains a Certification: field it requests certification of the self-signed certificate in the field value. If the content contains an Issuer: field it requests the Certificate Revocation List (CRL) chain beginning with the CRL of the issuer identified in the field value. If the content contains a Subject: field it requests either the public key of the subject or a certificate chain beginning with the subject identified in the field value, or both if both exist. The Subject: and Issuer: fields each contain a value of type <id>, which is defined in Section2.2. The crl-storage request is provided for by the application/pemkey-data content type described in the Section 5.2. In each case, the4. One possible responseis transmitted into receiving anapplication/pemkey-data content type.application/mosskey-request body part is to construct and return an application/mosskey-data body part. When returning public keys, certificate chains, and certificate revocation list chains, if there exists more than one, severalapplication/pemkey-dataapplication/mosskey-data body parts are to be returned in the reply message, one for each.Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 16] INTERNET DRAFT PEM and MIME November 19945.2.application/pemkey-dataapplication/mosskey-data Content Type Definition The principal objective of this content type is to convey cryptographic keying material from a source to a destination. This might be in response to the receipt of an application/mosskey-request content type or it might be in anticipation of receiving an application/mosskey-request if it is not sent, e.g., it may be combined with a multipart/signed object by an originator to ensure that a recipient has the cryptographic keying material necessary to verify the signature. When combined with other content types, the processing by a recipient is enhanced if the application/mosskey-data content type is positioned in its enclosing content type prior to the content types that will make use of its cryptographic keying material. However, no explicit provision is made in this document for determining the authenticity or accuracy of the data being conveyed. In particular, when a public key and its identifier is conveyed, there is nothing to prevent the source or an interloper along the path from the source to the destination from substituting alternate values for either the public key or theidentifier, thus setting up the destination such that when the data is used sensitive information may be intercepted and disclosed inappropriately.identifier. It is incumbent upon a recipient to verify the authenticity and accuracy of the data received in this way prior to its use.TheThis problemiscan be addressed by the use of certificates, since a certification hierarchy is a well-defined mechanism that conveniently supports the automatic verification of the data. Alternatively, theapplication/key-datasource of the application/mosskey-data body part couldbedigitallysigned by the source.sign it. In this way, if the destination believes that a correct source's Crocker, et al Standards Track [Page 29] RFC 1848 MIME Object Security Services October 1995 public key is available locally and if the destination believes the source would convey accurate data, then thekey data receivedcontents of the application/mosskey-data from the sourcecancould bebelieved.believed to be accurate. NOTE: Insofar as a certificate represents a mechanism by which a third party vouches for the binding between a name and a public key, the signing of anapplication/pemkey-dataapplication/mosskey-data body part is a similar mechanism. (1) MIME type name: application (2) MIME subtype name:pemkey-datamosskey-data (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: quoted-printable is always sufficient. (6) Security Considerations: none The content of this body part corresponds to the following production.Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 17] INTERNET DRAFT PEM and MIME November 1994 <keydata><mosskeydata> ::= <version> ( <publickeydata> / <certchain> / <crlchain> ) <version> ::= "Version:" "5" CRLF <publickeydata> ::= "Key:" "PK" "," <publickey> "," <id-subset> CRLF <certchain> ::= <cert> *( [ <crl> ] <cert> ) <crlchain> ::= 1*( <crl> [ <cert> ] ) <cert> ::= "Certificate:" <encbin> CRLF <crl> ::= "CRL:" <encbin> CRLF This content type is used to transfer public keys, certificate chains, or Certificate Revocation List (CRL) chains. The information in the body part is entirely independent of any other body part. (Note that the converse is not true: the validity of a protected body part cannot be determined without the proper public keys, certificates, or current CRL information.) As such, theapplication/pemkey-dataapplication/mosskey-data content type is an independent body part. Crocker, et al Standards Track [Page 30] RFC 1848 MIME Object Security Services October 1995 The <publickeydata> production contains exactly one public key. It is used to bind a public key with its corresponding name form and key selector. It is recommended that when responders are returning this information that the enclosing body part be digitally signed by the responder in order to protect the information. The <id-subset> token is defined in Section2.2.4.4.2.4. The <certchain> production contains one certificate chain. A certificate chain starts withathe requested certificate and continues with the certificates of subsequent issuers. Each issuer certificate included must have issued the preceding certificate. For each issuer, a CRL may be supplied. A CRL in the chain belongs to the immediately following issuer. Therefore, it potentially contains the immediately preceding certificate. The <crlchain> production contains one certificate revocation list chain. The CRLs in the chain begin with the requested CRL and continue with the CRLs of subsequent issuers. The issuer of each CRL is presumed to have issued a certificate for the issuer of the preceding CRL. For each CRL, the issuer's certificate may be supplied. A certificate in the chain must belong to the issuer of the immediately preceding CRL. The relationship between a certificate and an immediately preceding CRL is the same in both <certchain> and <crlchain>. In a <certchain> the CRLs are optional. In a <crlchain> the certificates are optional.Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 18] INTERNET DRAFT PEM and MIME November 19946. ExamplesGivenEach example is included as a separate section for ease of reference. 6.1. Original Message Prepared for Protection Except as explicitly indicated, the followingprepared for submission:is used as the message to be protected. To: Ned Freed <ned@innosoft.com> Subject: Hi Ned! How do you like the newMIME/PEM?MOSS? Jim Crocker, et al Standards Track [Page 31] RFC 1848 MIME Object Security Services October 1995 6.2. Sign Text of Original Message When the text of the original message is signed, it will look likethisthis, where lines with an ampersand '&' are digitally signed (note the use of the public key identifier with the included email nameidentifier):identifier, on the lines marked with an asterisk '*'): To: Ned Freed <ned@innosoft.com> Subject: Hi Ned! MIME-Version: 1.0 Content-Type: multipart/signed;protocol="application/pem-signature";protocol="application/moss-signature"; micalg="rsa-md5"; boundary="Signed Boundary" --Signed Boundary & Content-Type: text/plain; charset="us-ascii" & Content-ID: <21436.785186814.2@tis.com> & & How do you like the newMIME/PEM?MOSS? & & Jim --Signed Boundary Content-Type:application/pem-signatureapplication/moss-signature Content-ID: <21436.785186814.1@tis.com> Content-Transfer-Encoding: quoted-printable Version: 5 * Originator-ID:PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6B= ekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn0Lw8g= G67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin@tis.comPK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f= * qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8= * KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,= * 2,galvin@tis.com MIC-Info:RSA-MD5,RSA,PnEvyFV3sSyTSiGh/HFgWUIFa22jbHoTrFIMVERfMZXUKzFsHbmK= tIowJlJR56OoImo+t7WjRfzpMH7MOKgPgzRnTwk0T5dOcP/lfbsOVJjleV7vTe9yoNp2P8mi/h= s7RSA-MD5,RSA,PnEvyFV3sSyTSiGh/HFgWUIFa22jbHoTrFIMVERf= MZXUKzFsHbmKtIowJlJR56OoImo+t7WjRfzpMH7MOKgPgzRnTwk0T5dOcP/lfb= sOVJjleV7vTe9yoNp2P8mi/hs7 --Signed Boundary--Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 19] INTERNET DRAFT PEM6.3. Sign Headers andMIME November 1994Text of Original Message If, instead, we choose to protect the headers with thetext,text of the original message, it will look likethis:this, where lines with an ampersand '&' are encrypted: Crocker, et al Standards Track [Page 32] RFC 1848 MIME Object Security Services October 1995 To: Ned Freed <ned@innosoft.com> Subject: Hi Ned! MIME-Version: 1.0 Content-Type: multipart/signed;protocol="application/pem-signature";protocol="application/moss-signature"; micalg="rsa-md5"; boundary="Signed Boundary" --Signed Boundary & Content-Type: message/rfc822 & Content-ID: <21468.785187044.2@tis.com> & & To: Ned Freed <ned@innosoft.com> & Subject: Hi Ned! & & & How do you like the newMIME/PEM?MOSS? & & Jim --Signed Boundary Content-Type:application/pem-signatureapplication/moss-signature Content-ID: <21468.785187044.1@tis.com> Content-Transfer-Encoding: quoted-printable Version: 5 Originator-ID:PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6B= ekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn0Lw8g= G67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin@tis.comPK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f= qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8= KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,= 2,galvin@tis.com MIC-Info:RSA-MD5,RSA,ctbDBgkYtFW1sisb5w4/Y/p94LftgQ0IrEn3d6WTwjfxFBvAceVW= fawsZPLijVKZUYtbIqJmjKtzTJlagBawfA/KhUsvTZdR6Dj+4Gd8dBBwMKvqMKTHAUxGXYxwNd= bKRSA-MD5,RSA,ctbDBgkYtFW1sisb5w4/Y/p94LftgQ0IrEn3d6WT= wjfxFBvAceVWfawsZPLijVKZUYtbIqJmjKtzTJlagBawfA/KhUsvTZdR6Dj+4G= d8dBBwMKvqMKTHAUxGXYxwNdbK --Signed Boundary-- 6.4. Encrypt Text of a Message If we choose to encrypt the text of the following message, that is, encrypt the lines marked withasterick (*): Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 20] INTERNET DRAFT PEM and MIME November 1994asterisk '*': To: Jim Galvin <galvin@tis.com> Subject: an encrypted message * How do you like the newMIME/PEM?MOSS? * * Jim Crocker, et al Standards Track [Page 33] RFC 1848 MIME Object Security Services October 1995 the message would look as follows (note the use of the email nameidentifier):identifier, on the line marked with an asterisk '*'): To: Jim Galvin <galvin@tis.com> Subject: an encrypted message MIME-Version: 1.0 Content-Type: multipart/encrypted;protocol="application/pem-keys";protocol="application/moss-keys"; boundary="Encrypted Boundary" --Encrypted Boundary Content-Type:application/pem-keysapplication/moss-keys Content-ID: <21535.785187667.1@tis.com> Content-Transfer-Encoding: quoted-printable Version: 5 DEK-Info: DES-CBC,D488AAAE271C8159 * Recipient-ID: EN,2,galvin@tis.com Key-Info:RSA,ISbC3IR01BrYq2rp493X+Dt7WrVq3V3/U/YXbxOTY5cmiy1/7NvSqqXSK/WZ= q05lN99RDUQhdNxXI64ePAbFWQ6RGoiCrRs+Dc95oQh7EFEPoT9P6jyzcV1NzZVwfp+uRSA,ISbC3IR01BrYq2rp493X+Dt7WrVq3V3/U/YXbxOTY5cmiy1/= 7NvSqqXSK/WZq05lN99RDUQhdNxXI64ePAbFWQ6RGoiCrRs+Dc95oQh7EFEPoT= 9P6jyzcV1NzZVwfp+u --Encrypted Boundary Content-Type: application/octet-stream Content-Transfer-Encoding: base64AfR1WSeyLhy5AtcX0ktUVlbFC1vvcoCjYWy/yYjVj48eqzUVvGTGMsV6MdlynUd4jcJgRnQIQvIx m2VRgH8W8MkAlul+RWGu7jnxjp0sNsU562+RZr0f4F3K3n4wonUUP265UvvMj23RSTguZ/nl/Oxn FM6SzDgV39V/i/RofqI=AfR1WSeyLhy5AtcX0ktUVlbFC1vvcoCjYWy/yYjVj48eqzUVvGTGMsV6MdlynU d4jcJgRnQIQvIxm2VRgH8W8MkAlul+RWGu7jnxjp0sNsU562+RZr0f4F3K3n4w onUUP265UvvMj23RSTguZ/nl/OxnFM6SzDgV39V/i/RofqI= --Encrypted Boundary-- Crocker, et al Standards Track [Page 34] RFC 1848 MIME Object Security Services October 1995 6.5. Encrypt the Signed Text of a Message If, instead, we choose to sign the text before we encrypt it, the structure would be asfollows (wherefollows, where lines with anasterickasterisk '*' are digitally signed and lines with an ampersand '&' areencrypted): Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 21] INTERNET DRAFT PEM and MIME November 1994encrypted: Content-Type: multipart/encrypted; protocol="application/moss-keys"; boundary="Encrypted Boundary" --Encrypted Boundary Content-Type:application/pem-keysapplication/moss-keys KEY INFORMATION --Encrypted Boundary Content-Type: application/octet-stream & Content-Type: multipart/signed; & protocol="application/moss-signature"; & micalg="rsa-md5"; boundary="Signed Boundary" & & --Signed Boundary & * Content-Type: text/plain & * & * How do you like the newMIME/PEM?MOSS? & * & * Jim & & --Signed Boundary & Content-Type:application/pem-signatureapplication/moss-signature & & SIGNATURE INFORMATION & & --Signed Boundary-- --Encrypted Boundary-- where KEY INFORMATION and SIGNATURE INFORMATION are descriptive of the actual content that would appear in a real body part. The actual message would be like this:Crocker/Freed/Galvin/Murphy Expires: May 1995Crocker, et al Standards Track [Page22] INTERNET DRAFT PEM and35] RFC 1848 MIMENovember 1994Object Security Services October 1995 To: Jim Galvin <galvin@tis.com> Subject: an encrypted message MIME-Version: 1.0 Content-Type: multipart/encrypted;protocol="application/pem-keys";protocol="application/moss-keys"; boundary="Encrypted Boundary" --Encrypted Boundary Content-Type:application/pem-keysapplication/moss-keys Content-ID: <21546.785188458.1@tis.com> Content-Transfer-Encoding: quoted-printable Version: 5 DEK-Info: DES-CBC,11CC89F8D90F1DFE Recipient-ID: EN,2,galvin@tis.com Key-Info:RSA,AZTtlEc6xm0vjkvtVUITUh7sz+nOuOwP0tsym6CQozD9IwVIJzY8+vIfbh5B= pR0kS6prq3EGFBFR8gRMUvbgHtEKPD/4ICQ7b6ssZ7FmKhl/cJC5rVjpb4EOUlwOXwRZRSA,AZTtlEc6xm0vjkvtVUITUh7sz+nOuOwP0tsym6CQozD9IwVIJz= Y8+vIfbh5BpR0kS6prq3EGFBFR8gRMUvbgHtEKPD/4ICQ7b6ssZ7FmKhl/cJC5rV= jpb4EOUlwOXwRZ --Encrypted Boundary Content-Type: application/octet-stream Content-Transfer-Encoding: base64ZvWvtosDzRBXJzkDFFRb9Qjrgm2nDWg3zotJ3ZpExpWUG/aRJ7Vwd+PWkSfrDPJ52V/wkxwMrum6 xJHZonrtyd0AvaztvriMm2zXTefzwpGG1i5zK47PBqreLA3HDTK2U6B13vzpE8wMSVefzaCTSpXR SCh08ceVEZrIYS53/CKZV2/Sga71pGNlux8MsJpYLwdj5Q3NKocg1LMngMo8yrMAe+avMjfOnhui 49Xon1Gft+N5XDH/+wI9qxI9fkQvNZVDlWIhCYEkxd5ke549tLkJjEqHQbgJW5C+K/uxdiD2dBt+ nRCXcuO0Px3yKRyYg/9BgTf36padSHuv48xBg5YaqaEWpEzLI0Qd31vAyP23rqiPhfBn6sjhQ2Kr WhiF2l3TV8kQsIGHHZUkaUbqkXJe6PEdWWhwsqCFPDdkpjzQRrTuJH6xleNUFg+CG1V+tL4IgMjQ qm3KVojRXx8bG2auVN89NfwFswmoq4fXTrh3xyVS1VgxjKkcYI8SVVmkYjCxVviJP3zO2UzBvCoM fADtBVBz1njYETtVGDO97uT39MqL85uEgiF4E5TkOj/m04+88G0/vvN/RISKJiFQJ3FyVIB/ShX9 Dixl8WCx3rxwN5g2QFLiyQVulzuNhimSD4ZxEo7smcTsAXUjwSLRtdjmTTutw2GmFESUaIrY81Nc pQJRPNAvF0IkN6ddwL4qvzUS99vjQp15g9FUv82lHtHwhM18a9GokVG8xYOjBBsn9anp9abh4Tp/ c/vpbunQUqnpV29rF4wj+8OwUOMi9ymGabBXAjw7DhNH2RdRVr1upQO896OX81VWB0LsA0cp+ymx hTrEI+wCHcrsNMoRK/7zAeuAi0f1t9bN594EFlLoIrBnKEa1/OUAhMT7kG1fNkSRnc8BZswIoPyR etsTurQfD40nsVHvNwE9Jz7wbBo00gd6blPADOUYFxfW5zu6ubygBqJiKPM4II2fCdNj7CptfQco RTeguKMVPLVmFg/EINuWBFm10GqlYT7p4zhfzysV/3r5LVZ1E8armTCRJ2GoYG5h+SKcytaQ0IT8 S2nLPCZl1hzdajsrqHFe8omQZvWvtosDzRBXJzkDFFRb9Qjrgm2nDWg3zotJ3ZpExpWUG/aRJ7Vwd+PWkSfrDPJ5 2V/wkxwMrum6xJHZonrtyd0AvaztvriMm2zXTefzwpGG1i5zK47PBqreLA3HDTK2 U6B13vzpE8wMSVefzaCTSpXRSCh08ceVEZrIYS53/CKZV2/Sga71pGNlux8MsJpY Lwdj5Q3NKocg1LMngMo8yrMAe+avMjfOnhui49Xon1Gft+N5XDH/+wI9qxI9fkQv NZVDlWIhCYEkxd5ke549tLkJjEqHQbgJW5C+K/uxdiD2dBt+nRCXcuO0Px3yKRyY g/9BgTf36padSHuv48xBg5YaqaEWpEzLI0Qd31vAyP23rqiPhfBn6sjhQ2KrWhiF 2l3TV8kQsIGHHZUkaUbqkXJe6PEdWWhwsqCFPDdkpjzQRrTuJH6xleNUFg+CG1V+ tL4IgMjQqm3KVojRXx8bG2auVN89NfwFswmoq4fXTrh3xyVS1VgxjKkcYI8SVVmk YjCxVviJP3zO2UzBvCoMfADtBVBz1njYETtVGDO97uT39MqL85uEgiF4E5TkOj/m 04+88G0/vvN/RISKJiFQJ3FyVIB/ShX9Dixl8WCx3rxwN5g2QFLiyQVulzuNhimS D4ZxEo7smcTsAXUjwSLRtdjmTTutw2GmFESUaIrY81NcpQJRPNAvF0IkN6ddwL4q vzUS99vjQp15g9FUv82lHtHwhM18a9GokVG8xYOjBBsn9anp9abh4Tp/c/vpbunQ UqnpV29rF4wj+8OwUOMi9ymGabBXAjw7DhNH2RdRVr1upQO896OX81VWB0LsA0cp +ymxhTrEI+wCHcrsNMoRK/7zAeuAi0f1t9bN594EFlLoIrBnKEa1/OUAhMT7kG1f NkSRnc8BZswIoPyRetsTurQfD40nsVHvNwE9Jz7wbBo00gd6blPADOUYFxfW5zu6 ubygBqJiKPM4II2fCdNj7CptfQcoRTeguKMVPLVmFg/EINuWBFm10GqlYT7p4zhf zysV/3r5LVZ1E8armTCRJ2GoYG5h+SKcytaQ0IT8S2nLPCZl1hzdajsrqHFe8omQ --Encrypted Boundary-- Crocker, et al Standards Track [Page 36] RFC 1848 MIME Object Security Services October 1995 6.6. Protecting Audio Content In addition to text, thePEMMOSS services as defined here will protect arbitrary body parts, for example, the following audio body part:Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 23] INTERNET DRAFT PEM and MIME November 1994Content-Type: audio/basic AUDIO DATA HEREwhen6.6.1. Sign Audio Content When signed an audio content would appear asfollows:follows, where lines with an ampersand '&' are digitally signed: Content-Type: multipart/signed;protocol="application/pem-signature";protocol="application/moss-signature"; micalg="rsa-md5"; boundary="Signed Boundary" --Signed Boundary & Content-Type: audio/basic & Content-Transfer-Encoding: base64base64(AUDIO DATA HERE)& & base64(AUDIO-DATA-HERE) --Signed Boundary Content-Type:application/pem-signature SIGNATURE INFORMATION HEREapplication/moss-signature SIGNATURE-INFORMATION-HERE --Signed Boundary-- where AUDIO-DATA-HERE andwhenSIGNATURE-INFORMATION-HERE are descriptive of the content that would appear in a real body part. 6.6.2. Encrypt Audio Content When encrypted an audio content would appear asfollows:follows, where lines with an ampersand '&' are encrypted: Crocker, et al Standards Track [Page 37] RFC 1848 MIME Object Security Services October 1995 Content-Type: multipart/encrypted;protocol="application/pem-keys";protocol="application/moss-keys"; boundary="Encrypted Boundary" --Encrypted Boundary Content-Type:application/pem-keys KEY INFORMATION HEREapplication/moss-keys KEY-INFORMATION-HERE --Encrypted Boundary Content-Type: application/octet-stream Content-Transfer-Encoding: base64base64(encrypted(AUDIO DATA HERE))& Content-Type: audio/basic & & base64(encrypted(AUDIO-DATA-HERE)) --Encrypted Boundary-- where KEY-INFORMATION-HERE and AUDIO-DATA-HERE are descriptive of the content that would appear in a real body part. 7. Observations The use ofthe pre-submission and post-delivery processing steps to combine PEM andMIMEcapabilitiesand the framework defined by [7] exhibits several properties:Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 24] INTERNET DRAFT PEM and MIME November 1994(1) It allowsprivacy-enhancement of anarbitrarycontent,content types to be protected, not just the body of an RFC822 message. (2)ForIt allows amultipart ormessagecontent, it allows the user to specify different privacy enhancementsto contain several body parts which may or may not beapplied to different components of the structure of the content.protected. (3) Itprovides for messages containing several privacy enhanced contents, thereby removingallows therequirement for PEM software to be able to generate or interpretcomponents of asinglemultipart or message contentwhich intermixes both unenhanced and enhanced components.to be protected with different services. The use of a MIME-capable user agent makes complex nesting ofenhancedprotected message body parts much easier. For example, the user can separately sign and encrypt a message. Thismotivates aallows complete separation of the confidentiality security service from the digital signature security service. That is, different key pairs could be used for the different services and could be protected separately. Crocker, et al Standards Track [Page 38] RFC 1848 MIME Object Security Services October 1995 This is useful for at least two reasons. First, some public key algorithms do not support both digital signatures andencryption, for example, the way that the RSA algorithm does;encryption; two key pairs would be required in this case. Second, an employee's company could be given access to the (private) decryption key but not the (private) signature key, thereby granting the company the ability to decrypt messages addressed to the employee in emergencies without also granting the company the ability to sign messages as the employee. 8.SummaryComparison ofChangesMOSS and PEM Protocols MOSS differs from PEM in the following ways. (1) When using PEM, users are required to have certificates. When using MOSS, users need only have a public/private key pair. (2) MOSS broadens the allowable name forms that users may use to identify their public keys, including arbitrary strings, email addresses, or distinguished names. (3) PEMSpecification This document updatescurrently only supports text-based electronic mail messages and the messageencryption and signature procedures definedtext is required to be represented by[3] and replacesthekey certification and related services defined by [6]. The changes are enumerated below. (1)ASCII character set with "<CR><LF>" line delimiters. These restrictions no longer apply. (4) The PEM specification currently requires that encryption services be applied only to message bodies that have been signed. By providing for each of the services separately, they may be appliedrecursivelyin any order according to the needs of the requesting application.(2) PEM implementations are currently restricted to processing only text-based electronic mail messages. In fact, the message text is required to be represented by the ASCII character set with "<CR><LF>" line delimiters. This restriction no longer applies. Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 25] INTERNET DRAFT PEM and MIME November 1994 (3)(5) MIME includes transfer encoding operations to ensure the unmodified transfer of bodyparts, which obviatesparts. Therefore, unlike PEM, MOSS does not need to include theseservices in PEM. (4)functions. (6) PEM specifies a Proc-Type: header field to identify the type of processing that was performed on the message. This functionality is subsumed by the MIME Content-Type: headers. The Proc-Type: header alsoincludedincludes a decimal number thatwasis used to distinguish among incompatible encapsulated header field interpretations which may arise as changes are made to the PEM standard. This functionality is replaced by the Version: header Crocker, et al Standards Track [Page 39] RFC 1848 MIME Object Security Services October 1995 specified in this document.(5)(7) PEM specifies a Content-Domain: header, the purpose of which is to describe the type of the content which is represented within a PEM message's encapsulated text. This functionality is subsumed by the MIME Content-Type: headers.(6)(8) The PEM specifications include a document that defines new types of PEM messages, specified by unique values used in theProc-Type:Proc- Type: header, to be used to request certificate and certificate revocation list information. This functionality is subsumed by two new content types specified in thisdocument. (7)document: application/mosskey- request and application/mosskey-data. (9) The header fields having to do with certificates (Originator- Certificate: and Issuer-Certificate:) and CRLs (CRL:) are relegated for use only in theapplication/pemkey-dataapplication/mosskey-data andapplication/pemkey-requestapplication/mosskey-request content types and are no longer allowed in the header portion of a PEM signed or encrypted message.(8)This separates key management services from the digital signature and encryption services. (10) The grammar specified here explicitly separates the header fields that may appear for the encryption and signature security services. It is the intent of this document to specify a precise expression of the allowed header fields; there is no intent to disallow the functionality of combinations of encryption and signature security found in [3].(9)(11) With the separation of the encryption and signature security services, there is no need for a MIC-Info: field in the headers associated with an encrypted message.(10)(12) In [3], when asymmetric key management is used, an Originator-ID field is required in order to identify the private key used to sign the MIC argument in the MIC-Info: field. Because noMIC-Info:MIC- Info: field is associated with the encryption security service under asymmetric keymanagment,management, there isno requirement in that case to Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 26] INTERNET DRAFT PEM and MIME November 1994 include an Originator-ID field. These changes represent a departure in mechanism, not in effect, from those specified in [3] and [6]. The following technical changesno requirement in that case to[3] and [4] are also specified by this document. (1)include an Originator-ID field. (13) Thegrammarprotocol specified here explicitly excludes symmetric key Crocker, et al Standards Track [Page 40] RFC 1848 MIME Object Security Services October 1995 management.Currently, there are no generally available implementations of symmetric key management nor are there any known plans for implementing it. As a result, the IETF standards process will require this feature to be dropped when the documents are promoted to draft standard status from proposed standard status. (2)(14) This document requires all data that is to be digitally signed to be represented in 7bit form.(3)9. Security Considerations This entire documentbroadensis about security. 10. Acknowledgements David H. Crocker suggested theallowable name forms that users may use to identify their public keys. Users mayusearbitrary stringsof a multipart structure for the MIME and PEM interaction, which has evolved into the MOSS protocol. The MOSS protocol is a direct descendant of the PEM protocol. The authors gratefully acknowledge the editors of those specification, especially John Linn and Steve Kent. This work would not have been possible had it not been for all of the PEM developers, users, and interested persons who are always present on the PEM developers mailing list and at PEM working group meetings at IETF meetings, especially, Amanda Walker, Bob Juenemann, Steve Dusse, Jeff Thomson, and Rhys Weatherly. 11. References [1] Crocker, D., "Standard for the Format of ARPA Internet Text Messages", STD 11, RFC 822, University of Delaware, August 1982. [2] Borenstein, N., and N. Freed, "MIME (Multipurpose Internet Mail Extension) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies", RFC 1521, Bellcore and Innosoft, September 1993. [3] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures", RFC 1421, IAB IRTF PSRG, IETF PEM WG, February 1993. [4] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management", RFC 1422, BBN Communications, February 1993. [5] Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, Trusted Information Systems, February 1993. Crocker, et al Standards Track [Page 41] RFC 1848 MIME Object Security Services October 1995 [6] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification andemail addresses as their name. Further, users may distribute their public key directlyRelated Services", RFC 1424, RSA Laboratories, February 1993. [7] Galvin, J., Murphy, S., Crocker, S., and N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted", RFC 1847, Trusted Information Systems and Innosoft, September 1995. [8] The Directory -- Models. X.501, 1988. Developed inlieu of using certificates. In support of this change the Originator-ID-ASymmetric:collaboration, andRecipient-ID- ASymmetric: fields are deprecatedtechnically aligned, with ISO 9594-2. [9] The Directory -- Authentication Framework. X.509, 1988. Developed infavor of Originator-ID:collaboration, andRecipient-ID: fields, respectively. 9.technically aligned, with ISO 9594-8. Crocker, et al Standards Track [Page 42] RFC 1848 MIME Object Security Services October 1995 12. Authors' Addresses Steve Crocker CyberCash, Inc. 2086 Hunters Crest Way Vienna, VA 22181 Phone: +1 703 620 1222 Fax: +1 703 391 2651 EMail: crocker@cybercash.com James M. Galvin Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 Phone: +1 301 854 6889 Fax: +1 301 854 5363 EMail: galvin@tis.com Sandra Murphy Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 Phone: +1 301 854 6889 Fax: +1 301 854 5363 EMail: murphy@tis.com Ned Freed Innosoft International, Inc. 1050 East Garvey Avenue South West Covina, CA 91790 Phone: +1 818 919 3600 Fax: +1 818 919 3614 EMail: ned@innosoft.com Crocker, et al Standards Track [Page 43] RFC 1848 MIME Object Security Services October 1995 Appendix A: Collected Grammar The version of the grammar in this document is as follows: <version> ::= "Version:" "5" CRLF The following grammar tokens are used throughout this specification: <encbin> ::= 1*<encbingrp> <encbingrp> ::= 4*4<encbinchar> <encbinchar> ::= <ALPHA> / <DIGIT> / "+" / "/" / "=" <hexchar> ::= <DIGIT> / "A" / "B" / "C" / "D" / "E" / "F" ; no lower case The content of anapplication/pem-signatureapplication/moss-signature body part is as follows:<pemsig><mosssig> ::= <version> ( 1*<origasymflds> ) <version> ::= "Version:" "5" CRLF <origasymflds> ::= <origid> <micinfo> <origid> ::= "Originator-ID:" <id> CRLF <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> "," <asymsignmic> CRLF The content of anapplication/pem-keysapplication/moss-keys body part is as follows:Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 27] INTERNET DRAFT PEM and MIME November 1994 <pemkeys><mosskeys> ::= <version> <dekinfo> 1*<recipasymflds> <version> ::= "Version:" "5" CRLF <dekinfo> ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF <recipasymflds> ::= <recipid> <asymkeyinfo> <recipid> ::= "Recipient-ID:" <id> CRLF <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF Crocker, et al Standards Track [Page 44] RFC 1848 MIME Object Security Services October 1995 Identifiers are defined as follows: <id> ::= <id-subset> / <id-publickey> / <id-issuer> <id-subset> ::= <id-email> / <id-string> / <id-dname> <id-email> ::= "EN" "," <keysel> "," <emailstr> CRLF <id-string> ::= "STR" "," <keysel> "," <string> CRLF <id-dname> ::= "DN" "," <keysel> "," <dnamestr> CRLF <id-publickey> ::= "PK" "," <publickey> [ "," <id-subset> ] CRLF <id-issuer> ::= "IS" "," <dnamestr> "," <serial> CRLF <keysel> ::=<encbin>1*<hexchar> ; hex dump of aprintably encodednon-null sequence of octets <emailstr> ::= <addr-spec> / <route-addr> ; an electronic mail address as defined by ; these two tokens from RFC822 <string> ::= ; a non-null sequence of characters <dnamestr> ::= <encbin> ; a printably encoded, ASN.1 encoded ;distinguished namedistinguished name (as defined by the 'Name' ; production specified in X.501 [8]) <publickey> ::= <encbin> ; a printably encoded, ASN.1 encoded public ; key (as defined by the ; 'SubjectPublicKeyInfo' production specified ;subjectPublicKeyInfoin X.509 [9]) <serial> ::= 1*<hexchar> ; hex dump ofthe serial number ofa certificateCrocker/Freed/Galvin/Murphy Expires: May 1995 [Page 28] INTERNET DRAFT PEM and MIME November 1994serial number The content of anapplication/pemkey-requestapplication/mosskey-request body part is as follows: <request> ::= <version> ( <subject> / <issuer> / <certification> )<subject> ::= "Subject:" <id> CRLF <issuer> ::= "Issuer:" <id> CRLF <certification> ::= "Certification:" <encbin> CRLF The content of an application/pemkey-data body part is as follows: <keydata> ::= <version> ( <publickeydata> / <certchain> / <crlchain> ) <publickeydata> ::= "Key:" "PK" "," <publickey> "," <id-subset> CRLF <certchain> ::= <cert> *( [ <crl> ] <cert> ) <crlchain> ::= 1*( <crl> [ <cert> ] ) <cert> ::= "Certificate:" <encbin> CRLF <crl> ::= "CRL:" <encbin> CRLF 10. Security Considerations This entire document is about security. 11. Acknowledgements David H. Crocker suggested the use of a multipart structure for MIME-PEM interaction. 12. References [1] David H. Crocker. Standard for the Format of ARPA Internet Text Messages. RFC 822, University of Delaware, August 1982. [2] Nathaniel Borenstein and Ned Freed. MIME (Multipurpose Internet Mail Extension) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies. RFC 1521, Bellcore and Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 29] INTERNET DRAFT PEM and MIME November 1994 Innosoft, September 1993. Obsoletes RFC 1341. [3] John Linn. Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures. RFC 1421, February 1993. Obsoletes RFC 1113. [4] Steve Kent. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. RFC 1422, BBN Communications, February 1993. [5] David M. Balenson. Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RFC 1423, Trusted Information Systems, February 1993. [6] Burton S. Kaliski. Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services. RFC 1424, RSA Laboratories, February 1993. [7] James Galvin, Sandy Murphy, Steve<version> ::= "Version:" "5" CRLF Crocker,and Ned Freed. Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted. RFC XXXX, Trusted Information Systems and Innosoft, XXXX 1994. 13. Authors' Addresses Steve Crocker email: crocker@tis.com James M. Galvin email: galvin@tis.com Sandra Murphy email: murphy@tis.com Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 Tel: +1 301 854 6889 FAX: +1 301 854 5363 Crocker/Freed/Galvin/Murphy Expires: May 1995et al Standards Track [Page30] INTERNET DRAFT PEM and45] RFC 1848 MIMENovember 1994 Ned Freed Innosoft International, Inc. 1050 East Garvey Avenue South West Covina, CA 91790 Tel: +1 818 919 3600 FAX: +1 818 919 3614 email: ned@innosoft.com Crocker/Freed/Galvin/Murphy Expires: MayObject Security Services October 1995 <subject> ::= "Subject:" <id> CRLF <issuer> ::= "Issuer:" <id> CRLF <certification> ::= "Certification:" <encbin> CRLF The content of an application/mosskey-data body part is as follows: <mosskeydata> ::= <version> ( <publickeydata> / <certchain> / <crlchain> ) <version> ::= "Version:" "5" CRLF <publickeydata> ::= "Key:" "PK" "," <publickey> "," <id-subset> CRLF <certchain> ::= <cert> *( [ <crl> ] <cert> ) <crlchain> ::= 1*( <crl> [ <cert> ] ) <cert> ::= "Certificate:" <encbin> CRLF <crl> ::= "CRL:" <encbin> CRLF Crocker, et al Standards Track [Page31] INTERNET DRAFT PEM and46] RFC 1848 MIMENovember 1994 14. Appendix:Object Security Services October 1995 Appendix B: Imported GrammarThe following productions are taken from [3]. The grammar presentedOptions normally present in[3] remainstheauthoritative source for these productions; they are repeatedgrammar reprinted here which are illegal in MOSS are excluded in this reprinting, for the convenience of the reader.<dekinfo> ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF <micinfo> ::= "MIC-Info" ":" <micalgid> "," <ikalgid> "," <asymsignmic> CRLF <encbin> ::= 1*<encbingrp> <encbingrp> ::= 4*4<encbinchar> <encbinchar> ::= ALPHA / DIGIT / "+" / "/" / "="The following productions are taken from [5]. The grammar presented in [5] remains the authoritative source for these productions; they are repeated here for the convenience of the reader. <dekalgid> ::= "DES-CBC" <ikalgid> ::="DES-EDE" / "DES-ECB" /"RSA" <micalgid> ::= "RSA-MD2" / "RSA-MD5" <dekparameters> ::= <DESCBCparameters> <DESCBCparameters> ::= <IV> <IV> ::= <hexchar16> <hexchar16> ::= 16*16<hexchar> <asymsignmic> ::= <RSAsignmic> <RSAsignmic> ::= <encbin> <asymencdek> ::= <RSAencdek> <RSAencdek> ::= <encbin><hexchar16> ::= 16*16<hexchar> <hexchar> ::= DIGIT / "A" / "B" / "C" / "D" / "E" / "F" ; no lower caseThe following productions are taken from [1]. The grammar presented in [1] remains theauthorativeauthoritative source for these productions; they are repeated here for the convenience of the reader.Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 32] INTERNET DRAFT PEM and MIME November 1994<route-addr> ::= "<" [ <route> ] <addr-spec> ">" <route> ::=<local-part>1# ( "@" <domain> ) ":" ; path-relative <addr-spec> ::= <local-part> "@" <domain>; global address <local-part> ::= <word> *( "." <word> ) ; uninterpreted ; case-preserved <domain> ::= <sub-domain> *( "." <sub-domain> ) <sub-domain> ::= <domain-ref> / <domain-literal> <domain-ref> ::= <atom> ; symbolic ; reference<route-addr> ::= "<" [ <route> ] <addr-spec> ">" <route> ::= 1# ( "@" <domain><domain-literal>::= "[" *( <dtext> / <quoted-pair> )":""]" Crocker, et al Standards Track [Page 47] RFC 1848 MIME Object Security Services October 1995 <dtext> ::= <any CHAR excluding "[", "]", "\" & <CR>, & including linear-white-space> ;path-relative=> may be folded <word> ::= <atom> / <quoted-string> <quoted-string> ::= """ *( <qtext> / <quoted-pair> ) """ <qtext> ::= (any <CHAR> excepting """,""\", and CR, and including <linear-white-space>) <quoted-pair> ::=""\" <CHAR> ; may quote any ; char <linear-white-space> ::= 1*( [ CRLF ] <LWSP-char> ) ; semantics = SPACE ; CRLF => folding <LWSP-char> ::= SPACE / HTAB ; semantics = SPACE <atom> ::= 1*(any <CHAR> except <specials>, SPACE and <CTL>s) <CHAR> ::= <any ASCII character> <CTL> ::= <any ASCII control character and DEL> <specials> ::= "(" / ")" / "<" / ">" / "@"; Must be in quoted-/ "," / ";" / ":" /""\" / <"> / "." / "[" / "]" ; Must be in quoted- ; string, to use ; within a word.Crocker/Freed/Galvin/Murphy Expires: May 1995 [Page 33] INTERNET DRAFT PEM and MIME November 1994 Table of Contents Status of this Memo ............................................. 1 Abstract ........................................................ 1 1 Introduction ................................................... 2 2 Name Forms and Identifiers ..................................... 4 2.1 Name Forms ................................................... 4 2.1.1 Email Addresses ............................................ 5 2.1.2 Arbitrary Strings .......................................... 5 2.1.3 Distinguished Names ........................................ 5 2.2 Identifiers .................................................. 6 2.2.1 Email Address .............................................. 7 2.2.2 Arbitrary String ........................................... 7 2.2.3 Distinguished Name ......................................... 7 2.2.4 Public Key ................................................. 7 2.2.5 Issuer Name and Serial Number .............................. 8 3 Applying PEM Security Services to MIME Body Parts .............. 8 3.1 PEM Processing Steps ......................................... 9 3.2 Use of multipart/signed Content Type ......................... 11 3.3 Use of multipart/encrypted Content Type ...................... 12 3.4 application/pem-signature Content Type Definition ............ 12 3.5 application/pem-keys Content Type Definition ................. 13 4 Removing PEM Security Services from PEM Body Parts ............. 14 5 Key Management Content Types ................................... 15 5.1 application/pemkey-request Content Type Definition ........... 15 5.2 application/pemkey-data Content Type Definition .............. 17 6 Examples ....................................................... 19 7 Observations ................................................... 24 8 Summary of Changes to PEM Specification ........................ 25 9 Collected Grammar .............................................. 27 10 Security Considerations ....................................... 29 11 Acknowledgements .............................................. 29 12 References .................................................... 29 13 Authors' Addresses ............................................ 30 14 Appendix: Imported Grammar .................................... 32 Crocker/Freed/Galvin/Murphy Expires: May 1995<ALPHA> ::= <any ASCII alphabetic character> ; (101-132, 65.-90.) ; (141-172, 97.-122.) <DIGIT> ::= <any ASCII decimal digit>; (60-71, 48.-57.) Crocker, et al Standards Track [Page34]48] ----