summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1848.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc1848.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc1848.txt')
-rw-r--r--doc/rfc/rfc1848.txt2691
1 files changed, 2691 insertions, 0 deletions
diff --git a/doc/rfc/rfc1848.txt b/doc/rfc/rfc1848.txt
new file mode 100644
index 0000000..2cfe325
--- /dev/null
+++ b/doc/rfc/rfc1848.txt
@@ -0,0 +1,2691 @@
+
+
+
+
+
+
+Network Working Group S. Crocker
+Request For Comments: 1848 CyberCash, Inc.
+Category: Standards Track N. Freed
+ Innosoft International, Inc.
+ J. Galvin
+ S. Murphy
+ Trusted Information Systems
+ October 1995
+
+
+ MIME Object Security Services
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This document defines MIME Object Security Services (MOSS), a
+ protocol that uses the multipart/signed and multipart/encrypted
+ framework [7] to apply digital signature and encryption services to
+ MIME objects. The services are offered through the use of end-to-end
+ cryptography between an originator and a recipient at the application
+ layer. Asymmetric (public key) cryptography is used in support of
+ the digital signature service and encryption key management.
+ Symmetric (secret key) cryptography is used in support of the
+ encryption service. The procedures are intended to be compatible
+ with a wide range of public key management approaches, including both
+ ad hoc and certificate-based schemes. Mechanisms are provided to
+ support many public key management approaches.
+
+Table of Contents
+
+ 1. Introduction ............................................. 3
+ 2. Applying MIME Object Security Services ................... 4
+ 2.1 Digital Signature Service ............................... 4
+ 2.1.1 Canonicalization ...................................... 5
+ 2.1.2 Digital Signature Control Information ................. 7
+ 2.1.2.1 Version: ............................................ 8
+ 2.1.2.2 Originator-ID: ...................................... 8
+ 2.1.2.3 MIC-Info: ........................................... 8
+ 2.1.3 application/moss-signature Content Type Definition .... 9
+ 2.1.4 Use of multipart/signed Content Type .................. 10
+ 2.2 Encryption Service ...................................... 11
+
+
+
+Crocker, et al Standards Track [Page 1]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ 2.2.1 Encryption Control Information ........................ 12
+ 2.2.1.1 DEK-Info: ........................................... 13
+ 2.2.1.2 Recipient-ID: ....................................... 14
+ 2.2.1.3 Key-Info: ........................................... 14
+ 2.2.2 application/moss-keys Content Type Definition ......... 15
+ 2.2.3 Use of multipart/encrypted Content Type ............... 16
+ 3. Removing MIME Object Security Services ................... 17
+ 3.1 Digital Signature Service ............................... 18
+ 3.1.1 Preparation ........................................... 18
+ 3.1.2 Verification .......................................... 19
+ 3.1.3 Results ............................................... 19
+ 3.2 Encryption Service ...................................... 20
+ 3.2.1 Preparation ........................................... 20
+ 3.2.2 Decryption ............................................ 20
+ 3.2.3 Results ............................................... 21
+ 4. Identifying Originators, Recipients, and Their Keys ...... 21
+ 4.1 Name Forms .............................................. 23
+ 4.1.1 Email Addresses ....................................... 23
+ 4.1.2 Arbitrary Strings ..................................... 23
+ 4.1.3 Distinguished Names ................................... 23
+ 4.2 Identifiers ............................................. 24
+ 4.2.1 Email Address ......................................... 25
+ 4.2.2 Arbitrary String ...................................... 25
+ 4.2.3 Distinguished Name .................................... 26
+ 4.2.4 Public Key ............................................ 26
+ 4.2.5 Issuer Name and Serial Number ......................... 27
+ 5. Key Management Content Types ............................. 27
+ 5.1 application/mosskey-request Content Type Definition ..... 28
+ 5.2 application/mosskey-data Content Type Definition ........ 29
+ 6. Examples ................................................. 31
+ 6.1 Original Message Prepared for Protection ................ 31
+ 6.2 Sign Text of Original Message ........................... 32
+ 6.3 Sign Headers and Text of Original Message ............... 32
+ 6.4 Encrypt Text of a Message ............................... 33
+ 6.5 Encrypt the Signed Text of a Message .................... 35
+ 6.6 Protecting Audio Content ................................ 37
+ 6.6.1 Sign Audio Content .................................... 37
+ 6.6.2 Encrypt Audio Content ................................. 37
+ 7. Observations ............................................. 38
+ 8. Comparison of MOSS and PEM Protocols ..................... 39
+ 9. Security Considerations .................................. 41
+ 10. Acknowledgements ........................................ 41
+ 11. References .............................................. 41
+ 12. Authors' Addresses ...................................... 43
+ Appendix A: Collected Grammar .............................. 44
+ Appendix B: Imported Grammar ............................... 47
+
+
+
+
+
+Crocker, et al Standards Track [Page 2]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+1. Introduction
+
+ MIME [2], an acronym for "Multipurpose Internet Mail Extensions",
+ defines the format of the contents of Internet mail messages and
+ provides for multi-part textual and non-textual message bodies. An
+ Internet electronic mail message consists of two parts: the headers
+ and the body. The headers form a collection of field/value pairs
+ structured according to STD 11, RFC 822 [1], whilst the body, if
+ structured, is defined according to MIME. MIME does not provide for
+ the application of security services.
+
+ PEM [3-6], an acronym for "Privacy Enhanced Mail", defines message
+ encryption and message authentication procedures for text-based
+ electronic mail messages using a certificate-based key management
+ mechanism. The specifications include several features that are
+ easily and more naturally supported by MIME, for example, the
+ transfer encoding operation, the Content-Domain header, and the
+ support services specified by its Part IV [6]. The specification is
+ limited by specifying the application of security services to text
+ messages only.
+
+ MOSS is based in large part on the PEM protocol as defined by RFC
+ 1421. Many of PEMs features and most of its protocol specification
+ are included here. A comparison of MOSS and PEM may be found in
+ Section 8.
+
+ In order to make use of the MOSS services, a user (where user is not
+ limited to being a human, e.g., it could be a process or a role) is
+ required to have at least one public/private key pair. The public
+ key must be made available to other users with whom secure
+ communication is desired. The private key must not be disclosed to
+ any other user.
+
+ An originator's private key is used to digitally sign MIME objects; a
+ recipient would use the originator's public key to verify the digital
+ signature. A recipient's public key is used to encrypt the data
+ encrypting key that is used to encrypt the MIME object; a recipient
+ would use the corresponding private key to decrypt the data
+ encrypting key so that the MIME object can be decrypted.
+
+ As long as the private keys are protected from disclosure, i.e., the
+ private keys are accessible only to the user to whom they have been
+ assigned, the recipient of a digitally signed message will know from
+ whom the message was sent and the originator of an encrypted message
+ will know that only the intended recipient is able to read it. For
+ assurance, the ownership of the public keys used in verifying digital
+ signatures and encrypting messages should be verified. A stored
+ public key should be protected from modification.
+
+
+
+Crocker, et al Standards Track [Page 3]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The framework defined in [7] provides an embodiment of a MIME object
+ and its digital signature or encryption keys. When used by MOSS the
+ framework provides digital signature and encryption services to
+ single and multi-part textual and non-textual MIME objects.
+
+2. Applying MIME Object Security Services
+
+ The application of the MOSS digital signature service requires the
+ following components.
+
+ (1) The data to be signed.
+
+ (2) The private key of the originator.
+
+ The data to be signed is prepared according to the description below.
+ The digital signature is created by generating a hash of the data and
+ encrypting the hash value with the private key of the originator.
+ The digital signature, some additional ancillary information
+ described below, and the data are then embodied in a multipart/signed
+ body part. Finally, the multipart/signed body part may be
+ transferred to a recipient or processed further, for example, it may
+ be encrypted.
+
+ The application of the MOSS encryption service requires the following
+ components.
+
+ (1) The data to be encrypted.
+
+ (2) A data encrypting key to encrypt the data.
+
+ (3) The public key of the recipient.
+
+ The data to be encrypted is prepared according to the description
+ below. The originator creates a data encrypting key and encrypts the
+ data. The recipient's public key is used to encrypt the data
+ encrypting key. The encrypted data, the encrypted data encrypting
+ key, and some additional ancillary information described below are
+ then embodied in a multipart/encrypted body part, ready to be
+ transferred to a recipient or processed further, for example, it may
+ be signed.
+
+ The next two sections describe the digital signature and encryption
+ services, respectively, in detail.
+
+2.1. Digital Signature Service
+
+ The MOSS digital signature service is applied to MIME objects,
+ specifically a MIME body part. The MIME body part is created
+
+
+
+Crocker, et al Standards Track [Page 4]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ according to a local convention and then made available to the
+ digital signature service.
+
+ The following sequence of steps comprises the application of the
+ digital signature service.
+
+
+ (1) The body part to be signed must be canonicalized.
+
+
+ (2) The digital signature and other control information must be gen-
+ erated.
+
+
+ (3) The control information must be embodied in an appropriate MIME
+ content type.
+
+
+ (4) The control information body part and the data body part must be
+ embodied in a multipart/signed content type.
+
+
+ Each of these steps is described below.
+
+2.1.1. Canonicalization
+
+ The body part must be converted to a canonical form that is uniquely
+ and unambiguously representable in at least the environment where the
+ digital signature is created and the environment where the digital
+ signature will be verified, i.e., the originator and recipient's
+ environment, respectively. This is required in order to ensure that
+ both the originator and recipient have the same data with which to
+ calculate the digital signature; the originator needs to be able to
+ create the digital signature value while the recipient needs to be
+ able to compare a re-computed value with the received value. If the
+ canonical form is representable on many different host computers, the
+ signed data may be forwarded by recipients to additional recipients,
+ who will also be able to verify the original signature. This service
+ is called forwardable authentication.
+
+ The canonicalization transformation is a two step process. First,
+ the body part must be converted to a form that is unambiguously
+ representable on as many different host computers as possible.
+ Second, the body part must have its line delimiters converted to a
+ unique and unambiguous representation.
+
+ The representation chosen to satisfy the first step is 7bit, as
+ defined by MIME; the high order bit of each octet of the data to be
+
+
+
+Crocker, et al Standards Track [Page 5]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ signed must be zero. A MIME body part is comprised of two parts:
+ headers and content. Since the headers of body parts are already
+ required to be represented in 7bit, this step does not require
+ changes to the headers. This step requires that if the content is
+ not already 7bit then it must be encoded with an appropriate MIME
+ content transfer encoding and a Content-Transfer-Encoding: header
+ must be added to the headers. For example, if the content to be
+ signed contains 8bit or binary data, the content must be encoded with
+ either the quoted-printable or base64 encoding as defined by MIME.
+
+ IMPLEMENTORS NOTE: Since the MIME standard explicitly disallows
+ nested content transfer encodings, i.e., the content types
+ multipart and message may not themselves be encoded, the 7bit
+ transformation requires each nested body part to be individually
+ encoded in a 7bit representation. Any valid MIME encoding, e.g.,
+ quoted-printable or base64, may be used and, in fact, a different
+ encoding may be used on each of the non-7bit body parts.
+
+ Representing all content types in a 7bit format transforms them into
+ text-based content types. However, text-based content types present
+ a unique problem. In particular, the line delimiter used for a
+ text-based content type is specific to a local environment; different
+ environments use the single character carriage-return (<CR>), the
+ single character line-feed (<LF>), or the two character sequence
+ "carriage-return line-feed (<CR><LF>)".
+
+ The application of the digital signature service requires that the
+ same line delimiter be used by both the originator and the recipient.
+ This document specifies that the two character sequence "<CR><LF>"
+ must be used as the line delimiter. Thus, the second step of the
+ canonicalization transformation includes the conversion of the local
+ line delimiter to the two character sequence "<CR><LF>".
+
+ The conversion to the canonical line delimiter is only required for
+ the purposes of computing the digital signature. Thus, originators
+ must apply the line delimiter conversion before computing the digital
+ signature but must transfer the data without the line delimiter
+ conversion. Similarly, recipients must apply the line delimiter
+ conversion before computing the digital signature.
+
+ NOTE: An originator can not transfer the content with the line
+ delimiter conversion intact because the conversion process is not
+ idempotent. In particular, SMTP servers may themselves convert
+ the line delimiter to a local line delimiter, prior to the message
+ being delivered to the recipient. Thus, a recipient has no way of
+ knowing if the conversion is present or not. If the recipient
+ applies the conversion to a content in which it is already
+ present, the resulting content may have two line delimiters
+
+
+
+Crocker, et al Standards Track [Page 6]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ present, which would cause the verification of the signature to
+ fail.
+
+ IMPLEMENTORS NOTE: Implementors should be aware that the
+ conversion to a 7bit representation is a function that is required
+ in a minimally compliant MIME user agent. Further, the line
+ delimiter conversion required here is distinct from the same
+ conversion included in that function. Specifically, the line
+ delimiter conversion applied when a body part is converted to a
+ 7bit representation (transfer encoded) is performed prior to the
+ application of the transfer encoding. The line delimiter
+ conversion applied when a body part is signed is performed after
+ the body part is converted to 7bit (transfer encoded). Both line
+ delimiter conversions are required.
+
+2.1.2. Digital Signature Control Information
+
+ The application of the digital signature service generates control
+ information which includes the digital signature itself. The syntax
+ of the control information is that of a set of RFC 822 headers,
+ except that the folding of header values onto continuation lines is
+ explicitly forbidden. Each header and value pair generated by the
+ digital signature service must be output on exactly one line.
+
+ The complete set of headers generated by the digital signature
+ service is as follows.
+
+ Version:
+ indicates which version of the MOSS protocol the remaining headers
+ represent.
+
+ Originator-ID:
+ indicates the private key used to create the digital signature and
+ the corresponding public key to be used to verify it.
+
+ MIC-Info:
+ contains the digital signature value.
+
+ Each invocation of the digital signature service must emit exactly
+ one Version: header and at least one pair of Originator-ID: and MIC-
+ Info: headers. The Version: header must always be emitted first.
+ The Originator-ID: and MIC-Info: headers are always emitted in pairs
+ in the order indicated. This specification allows an originator to
+ generate multiple signatures of the data, presumably with different
+ signature algorithms, and to include them all in the control
+ information. The interpretation of the presence of multiple
+ signatures is outside the scope of this specification except that a
+ MIC-Info: header is always interpreted in the context of the
+
+
+
+Crocker, et al Standards Track [Page 7]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ immediately preceding Originator-ID: header.
+
+2.1.2.1. Version:
+
+ The version header is defined by the grammar token <version> as
+ follows.
+
+ <version> ::= "Version:" "5" CRLF
+
+ Its value is constant and MOSS implementations compliant with this
+ specification must recognize only this value and generate an error if
+ any other value is found.
+
+2.1.2.2. Originator-ID:
+
+ The purpose of the originator header is two-fold: to directly
+ identify the public key to be used to verify the digital signature
+ and to indirectly identify the user who owns both it and its
+ corresponding private key. Typically, a recipient is less interested
+ in the actual public key value, although obviously the recipient
+ needs the value to verify the signature, and more interested in
+ identifying its owner. Thus, the originator header may convey either
+ or both pieces of information:
+
+ the public key to be used to verify the signature
+
+ the name of the owner and which of the owner's public keys to use
+ to verify the signature
+
+ The decision as to what information to place in the value rests
+ entirely with the originator. The suggested value is to include
+ both. Recipients with whom the originator has previously
+ communicated will have to verify that the information presented is
+ consistent with what is already known. New recipients will want all
+ of the information, which they will need to verify prior to storing
+ in their local database.
+
+ The originator header is defined by the grammar token <origid> as
+ follows.
+
+ <origid> ::= "Originator-ID:" <id> CRLF
+
+ The grammar token <id> is defined in Section 4.
+
+2.1.2.3. MIC-Info:
+
+ The purpose of the Message Integrity Check (MIC) header is to convey
+ the digital signature value. Its value is a comma separated list of
+
+
+
+Crocker, et al Standards Track [Page 8]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ three arguments: the hash (or MIC) algorithm identifier, the
+ signature algorithm identifier, and the digital signature.
+
+ The MIC header is defined by the grammar token <micinfo> as follows.
+
+ <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
+ <asymsignmic> CRLF
+
+ The grammar tokens for the MIC algorithms and identifiers
+ (<micalgid>), signature algorithms and identifiers (<ikalgid>), and
+ signed MIC formats (<asymsignmic>) are defined by RFC 1423. They are
+ also reprinted in Appendix B.
+
+ IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEM protocol,
+ which includes support for symmetric signatures and key
+ management. As a result, some of the grammar tokens defined
+ there, for example, <ikalgid>, will include options that are not
+ legal for this protocol. These options must be ignored and have
+ not been included in the appendix.
+
+2.1.3. application/moss-signature Content Type Definition
+
+ (1) MIME type name: application
+
+ (2) MIME subtype name: moss-signature
+
+ (3) Required parameters: none
+
+ (4) Optional parameters: none
+
+ (5) Encoding considerations: quoted-printable is always sufficient
+
+ (6) Security considerations: none
+
+ The "application/moss-signature" content type is used on the second
+ body part of an enclosing multipart/signed. Its content is comprised
+ of the digital signature of the data in the first body part of the
+ enclosing multipart/signed and other control information required to
+ verify that signature, as defined by Section 2.1.2. The label
+ "application/moss-signature" must be used as the value of the
+ protocol parameter of the enclosing multipart/signed; the protocol
+ parameter must be present.
+
+ Part of the signature verification information will be the Message
+ Integrity Check (MIC) algorithm(s) used during the signature creation
+ process. The MIC algorithm(s) identified in this body part must
+ match the MIC algorithm(s) identified in the micalg parameter of the
+ enclosing multipart/signed. If it does (they do) not, a user agent
+
+
+
+Crocker, et al Standards Track [Page 9]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ should identify the discrepancy to a user and it may choose to either
+ halt or continue processing, giving precedence to the algorithm(s)
+ identified in this body part.
+
+ An application/moss-signature body part is constructed as follows:
+
+ Content-Type: application/moss-signature
+
+ <mosssig>
+
+ where the grammar token <mosssig> is defined as follows.
+
+ <mosssig> ::= <version> ( 1*<origasymflds> )
+
+ <version> ::= "Version:" "5" CRLF
+
+ <origasymflds> ::= <origid> <micinfo>
+
+ <origid> ::= "Originator-ID:" <id> CRLF
+
+ <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
+ <asymsignmic> CRLF
+
+ The token <id> is defined in Section 4. All other tokens are defined
+ in Section 2.1.2.3.
+
+2.1.4. Use of multipart/signed Content Type
+
+ The definition of the multipart/signed content type in [7] specifies
+ three steps for creating the body part.
+
+
+ (1) The body part to be digitally signed is created according to a
+ local convention, for example, with a text editor or a mail user
+ agent.
+
+
+ (2) The body part is prepared for the digital signature service
+ according to the protocol parameter, in this case according to
+ Section 2.1.1.
+
+
+ (3) The prepared body part is digitally signed according to the
+ protocol parameter, in this case according to Section 2.1.2.
+
+
+ The multipart/signed content type is constructed as follows.
+
+
+
+
+Crocker, et al Standards Track [Page 10]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ (1) The value of its required parameter "protocol" is set to
+ "application/moss-signature".
+
+
+ (2) The signed body part becomes its first body part.
+
+
+ (3) Its second body part is labeled "application/moss-signature" and
+ is filled with the control information generated by the digital
+ signature service.
+
+
+ (4) The value of its required parameter "micalg" is set to the same
+ value used in the MIC-Info: header in the control information.
+ If there is more than one MIC-Info: header present the value is
+ set to a comma separated list of values from the MIC-Info
+ headers. The interpretation of the order of the list of values
+ is outside the scope of this specification.
+
+
+ A multipart/signed content type with the MOSS protocol might look as
+ follows:
+
+ Content-Type: multipart/signed;
+ protocol="application/moss-signature";
+ micalg="rsa-md5"; boundary="Signed Message"
+
+ --Signed Message
+ Content-Type: text/plain
+
+ This is some example text.
+
+ --Signed Message
+ Content-Type: application/moss-signature
+
+ Version: 5
+ Originator-ID: ID-INFORMATION
+ MIC-Info: RSA-MD5,RSA,SIGNATURE-INFORMATION
+ --Signed Message--
+
+ where ID-INFORMATION and SIGNATURE-INFORMATION are descriptive of the
+ content that would appear in a real body part.
+
+2.2. Encryption Service
+
+ The MOSS encryption service is applied to MIME objects, specifically
+ a MIME body part. The MIME body part is created according to a local
+ convention and then made available to the encryption service.
+
+
+
+Crocker, et al Standards Track [Page 11]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The following sequence of steps comprises the application of the
+ encryption service.
+
+
+ (1) The body part to be encrypted must be in MIME canonical form.
+
+
+ (2) The data encrypting key and other control information must be
+ generated.
+
+
+ (3) The control information must be embodied in an appropriate MIME
+ content type.
+
+
+ (4) The control information body part and the encrypted data body
+ part must be embodied in a multipart/encrypted content type.
+
+
+ The first step is defined by MIME. The latter three steps are
+ described below.
+
+2.2.1. Encryption Control Information
+
+ The application of the encryption service generates control
+ information which includes the data encrypting key used to encrypt
+ the data itself. The syntax of the control information is that of a
+ set of RFC 822 headers, except that the folding of header values onto
+ continuation lines is explicitly forbidden. Each header and value
+ pair generated by the encryption service must be output on exactly
+ one line.
+
+ First, the originator must retrieve the public key of the recipient.
+ The retrieval may be from a local database or from a remote service.
+ The acquisition of the recipient's public key is outside the scope of
+ the specification, although Section 5 defines one possible mechanism.
+
+ With the public key, the originator encrypts the data encrypting key
+ according to the Key-Info: header defined below. The complete set of
+ headers generated by the encryption service is as follows.
+
+ Version:
+ indicates which version of the MOSS protocol the remaining headers
+ represent and is defined in Section 2.1.2.1.
+
+ DEK-Info:
+ indicates the algorithm and mode used to encrypt the data.
+
+
+
+
+Crocker, et al Standards Track [Page 12]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ Recipient-ID:
+ indicates the public key used to encrypt the data encrypting key
+ that was used to encrypt the data.
+
+ Key-Info:
+ contains data encrypting key encrypted with the recipient's public
+ key.
+
+ Each invocation of the encryption service must emit exactly one
+ Version: header, exactly one DEK-Info: header, and at least one pair
+ of Recipient-ID: and Key-Info: headers. Headers are always emitted
+ in the order indicated. The Recipient-ID: and Key-Info: headers are
+ always emitted in pairs in the order indicated, one pair for each
+ recipient of the encrypted data. A Key-Info: header is always
+ interpreted in the context of the immediately preceding Recipient-ID:
+ header.
+
+ IMPLEMENTORS NOTE: Implementors should always generate a
+ Recipient-ID: and Key-Info header pair representing the originator
+ of the encrypted data. By doing so, if an originator sends a
+ message to a recipient that is returned undelivered, the
+ originator will be able to decrypt the message and determine an
+ appropriate course of action based on its content. If not, an
+ originator will not be able to review the message that was sent.
+
+2.2.1.1. DEK-Info:
+
+ The purpose of the data encrypting key information header is to
+ indicate the algorithm and mode used to encrypt the data, along with
+ any cryptographic parameters that may be required, e.g.,
+ initialization vectors. Its value is either a single argument
+ indicating the algorithm and mode or a comma separated pair of
+ arguments where the second argument carries any cryptographic
+ parameters required by the algorithm and mode indicated in the first
+ argument.
+
+ The data encrypting key information header is defined by the grammar
+ token <dekinfo> as follows.
+
+ <dekinfo> ::= "DEK-Info" ":" <dekalgid>
+ [ "," <dekparameters> ] CRLF
+
+ The grammar tokens for the encryption algorithm and mode identifier
+ (<dekalgid>) and the optional cryptographic parameters
+ (<dekparameters>) are defined by RFC 1423. They are also reprinted
+ in Appendix B.
+
+
+
+
+
+Crocker, et al Standards Track [Page 13]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+2.2.1.2. Recipient-ID:
+
+ The purpose of the recipient header is to identify the private key
+ that must be used to decrypt the data encrypting key that will be
+ used to decrypt the data. Presumably the recipient owns the private
+ key and thus is less interested in identifying the owner of the key
+ and more interested in the private key value itself. Nonetheless,
+ the recipient header may convey either or both pieces of information:
+
+ the public key corresponding to the private key to be used to
+ decrypt the data encrypting key
+
+ the name of the owner and which of the owner's private keys to use
+ to decrypt the data encrypting key
+
+ The decision as to what information to place in the value rests
+ entirely with the originator. The suggested choice is to include
+ just the public key. However, some recipients may prefer that
+ originators not include their public key. How this preference is
+ conveyed to and managed by the originator is outside the scope of
+ this specification.
+
+ The recipient header is defined by the grammar token <recipid> as
+ follows.
+
+ <recipid> ::= "Recipient-ID:" <id> CRLF
+
+ The grammar token <id> is defined in Section 4.
+
+2.2.1.3. Key-Info:
+
+ The purpose of the key information header is to convey the encrypted
+ data encrypting key. Its value is a comma separated list of two
+ arguments: the algorithm and mode identifier in which the data
+ encrypting key is encrypted and the encrypted data encrypting key.
+
+ The key information header is defined by the grammar token
+ <asymkeyinfo> as follows.
+
+ <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF
+
+ The grammar tokens for the encryption algorithm and mode identifier
+ (<ikalgid>) and the encrypted data encrypting key format
+ (<asymsignmic>) are defined by RFC 1423. They are also reprinted in
+ Appendix B.
+
+ IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEM protocol,
+ which includes support for symmetric signatures and key
+
+
+
+Crocker, et al Standards Track [Page 14]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ management. As a result, some of the grammar tokens defined
+ there, for example, <ikalgid>, will include options that are not
+ legal for this protocol. These options must be ignored and have
+ not been included in the appendix.
+
+2.2.2. application/moss-keys Content Type Definition
+
+ (1) MIME type name: application
+
+ (2) MIME subtype name: moss-keys
+
+ (3) Required parameters: none
+
+ (4) Optional parameters: none
+
+ (5) Encoding considerations: quoted-printable is always sufficient
+
+ (6) Security considerations: none
+
+ The "application/moss-keys" content type is used on the first body
+ part of an enclosing multipart/encrypted. Its content is comprised
+ of the data encryption key used to encrypt the data in the second
+ body part and other control information required to decrypt the data,
+ as defined by Section 2.2.1. The label "application/moss-keys" must
+ be used as the value of the protocol parameter of the enclosing
+ multipart/encrypted; the protocol parameter must be present.
+
+ An application/moss-keys body part is constructed as follows:
+
+ Content-Type: application/moss-keys
+
+ <mosskeys>
+
+ where the <mosskeys> token is defined as follows.
+
+ <mosskeys> ::= <version> <dekinfo> 1*<recipasymflds>
+
+ <version> ::= "Version:" "5" CRLF
+
+ <dekinfo> ::= "DEK-Info" ":" <dekalgid>
+ [ "," <dekparameters> ] CRLF
+
+ <recipasymflds> ::= <recipid> <asymkeyinfo>
+
+ <recipid> ::= "Recipient-ID:" <id> CRLF
+
+ <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF
+
+
+
+
+Crocker, et al Standards Track [Page 15]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The token <id> is defined in Section 4. The token <version> is
+ defined in Section 2.1.2.1. All other tokens are defined in Section
+ 2.2.1.3.
+
+2.2.3. Use of multipart/encrypted Content Type
+
+ The definition of the multipart/encrypted body part in [7] specifies
+ three steps for creating the body part.
+
+
+ (1) The body part to be encrypted is created according to a local
+ convention, for example, with a text editor or a mail user
+ agent.
+
+
+ (2) The body part is prepared for encryption according to the
+ protocol parameter, in this case the body part must be in MIME
+ canonical form.
+
+
+ (3) The prepared body part is encrypted according to the protocol
+ parameter, in this case according to Section 2.2.1.
+
+
+ The multipart/encrypted content type is constructed as follows.
+
+
+ (1) The value of its required parameter "protocol" is set to
+ "application/moss-keys".
+
+
+ (2) The first body part is labeled "application/moss-keys" and is
+ filled with the control information generated by the encryption
+ service.
+
+
+ (3) The encrypted body part becomes the content of its second body
+ part, which is labeled "application/octet-stream".
+
+
+ A multipart/encrypted content type with the MOSS protocol might look
+ as follows:
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 16]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ Content-Type: multipart/encrypted;
+ protocol="application/moss-keys";
+ boundary="Encrypted Message"
+
+ --Encrypted Message
+ Content-Type: application/moss-keys
+
+ Version: 5
+ DEK-Info: DES-CBC,DEK-INFORMATION
+ Recipient-ID: ID-INFORMATION
+ Key-Info: RSA,KEY-INFORMATION
+
+ --Encrypted Message
+ Content-Type: application/octet-stream
+
+ ENCRYPTED-DATA
+ --Encrypted Message--
+
+ where DEK-INFORMATION, ID-INFORMATION, and KEY-INFORMATION are
+ descriptive of the content that would appear in a real body part.
+
+3. Removing MIME Object Security Services
+
+ The verification of the MOSS digital signature service requires the
+ following components.
+
+
+ (1) A recipient to verify the digital signature.
+
+
+ (2) A multipart/signed body part with two body parts: the signed
+ data and the control information.
+
+
+ (3) The public key of the originator.
+
+
+ The signed data and control information of the enclosing
+ multipart/signed are prepared according to the description below.
+ The digital signature is verified by re-computing the hash of the
+ data, decrypting the hash value in the control information with the
+ originator's public key, and comparing the two hash values. If the
+ two hash values are equal, the signature is valid.
+
+ The decryption of the MOSS encryption service requires the following
+ components.
+
+
+
+
+
+Crocker, et al Standards Track [Page 17]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ (1) A recipient to decrypt the data.
+
+
+ (2) A multipart/encrypted body part with two body parts: the
+ encrypted data and the control information.
+
+
+ (3) The private key of the recipient.
+
+
+ The encrypted data and control information of the enclosing
+ multipart/encrypted are prepared according to the description below.
+ The data encrypting key is decrypted with the recipient's private key
+ and used to decrypt the data.
+
+ The next two sections describe the digital signature and encryption
+ services in detail, respectively.
+
+3.1. Digital Signature Service
+
+ This section describes the processing steps necessary to verify the
+ MOSS digital signature service. The definition of the
+ multipart/signed body part in [7] specifies three steps for receiving
+ it.
+
+
+ (1) The digitally signed body part and the control information body
+ part are prepared for processing.
+
+
+ (2) The prepared body parts are made available to the digital
+ signature verification process.
+
+
+ (3) The results of the digital signature verification process are
+ made available to the user and processing continues with the
+ digitally signed body part, as returned by the digital signature
+ verification process.
+
+
+ Each of these steps is described below.
+
+3.1.1. Preparation
+
+ The digitally signed body part (the data) and the control information
+ body part are separated from the enclosing multipart/signed body
+ part.
+
+
+
+
+Crocker, et al Standards Track [Page 18]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The control information is prepared by removing any content transfer
+ encodings that may be present.
+
+ The digitally signed body part is prepared by leaving the content
+ transfer encodings intact and canonicalizing the line delimiters
+ according to Step 2 of Section 2.1.1.
+
+3.1.2. Verification
+
+ First, the recipient must obtain the public key of the originator.
+ The public key may be contained in the control information or it may
+ be necessary for the recipient to retrieve the public key based on
+ information present in the control information. The retrieval may be
+ from a local database or from a remote service. The acquisition of
+ the originator's public key is outside the scope of the
+ specification, although Section 5 defines one possible mechanism.
+
+ With the public key, the recipient decrypts the hash value contained
+ in the control information. Then, a new hash value is computed over
+ the body part purported to have been digitally signed.
+
+ Finally, the two hash values are compared to determine the accuracy
+ of the digital signature.
+
+3.1.3. Results
+
+ There are two required components of the results of the verification
+ process. The first is an indication as to whether a public key could
+ be found that allows the hash values in the previous step to compare
+ equal. Such an indication verifies only that the data received is
+ the same data that was digitally signed.
+
+ The second indication identifies the owner of the public key who is
+ presumably the holder of the private key that created the digital
+ signature. The indication must include a testament as to the
+ accuracy of the owner identification.
+
+ At issue is a recipient knowing who created the digital signature.
+ In order for the recipient to know with certainty who digitally
+ signed the message, the binding between the owner's name and the
+ public key must have been verified by the recipient prior to the
+ verification of the digital signature. The verification of the
+ binding may have been completed offline and stored in a trusted,
+ local database or, if the owner's name and public key are embodied in
+ a certificate, it may be possible to complete it in realtime. See
+ Section 5 for more information.
+
+
+
+
+
+Crocker, et al Standards Track [Page 19]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+3.2. Encryption Service
+
+ This section describes the processing steps necessary to decrypt the
+ MOSS encryption service. The definition of the multipart/encrypted
+ body part in [7] specifies three steps for receiving it.
+
+
+ (1) The encrypted body part and the control information body part
+ are prepared for processing.
+
+
+ (2) The prepared body parts are made available to the decryption
+ process.
+
+
+ (3) The results of the decryption process are made available to the
+ user and processing continues with the decrypted body part, as
+ returned by the decryption process.
+
+
+ Each of these steps is described below.
+
+3.2.1. Preparation
+
+ The encrypted body part (the data) and the control information body
+ part are separated from the enclosing multipart/encrypted body part.
+ The body parts are prepared for the decryption process by removing
+ any content transfer encodings that may be present.
+
+3.2.2. Decryption
+
+ First, the recipient must locate the encrypted data encrypting key in
+ the control information. Each Recipient-ID: header is checked in
+ order to see if it identifies the recipient or a public key of the
+ recipient.
+
+ If it does, the immediately following Key-Info: header will contain
+ the data encrypting key encrypted with the public key of the
+ recipient. The recipient must use the corresponding private key to
+ decrypt the data encrypting key.
+
+ The data is decrypted with the data encrypting key. The decrypted
+ data will be a MIME object, a body part, ready to be processed by a
+ MIME agent.
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 20]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+3.2.3. Results
+
+ If the recipient is able to locate and decrypt a data encrypting key,
+ from the point of view of MOSS the decryption should be considered
+ successful. An indication of the owner of the private key used to
+ decrypt the data encrypting key must be made available to the user.
+
+ Ultimately, the success of the decryption is dependent on the ability
+ of a MIME agent to continue processing with the decrypted body part.
+
+4. Identifying Originators, Recipients, and Their Keys
+
+ In the PEM specifications, public keys are required to be embodied in
+ certificates, an object that binds each public key with a
+ distinguished name. A distinguished name is a name form that
+ identifies the owner of the public key. The embodiment is issued by
+ a certification authority, a role that is expected to be trustworthy
+ insofar as the certification authority would have procedures to
+ verify the identity of the owner prior to issuing the certificate.
+
+ In MOSS, a user is not required to have a certificate. The MOSS
+ services require that the user have at least one public/private key
+ pair. The MOSS protocol requires the digital signature and
+ encryption services to emit Originator-ID: and Recipient-ID: headers,
+ as appropriate. In the discussion above the actual value of these
+ headers was omitted, having been relegated to this section. Although
+ the value of each of these headers serves a distinct purpose, for
+ simplicity the single grammar token <id> represents the value that
+ may be assigned to either header.
+
+ One possible value for the Originator-ID: and Recipient-ID: headers
+ is the public key values themselves. However, while it is true that
+ the public keys alone could be exchanged and used by users to
+ communicate, the values are, in fact, large and cumbersome. In
+ addition, public keys would appear as a random sequence of characters
+ and, as a result, would not be immediately consumable by human users.
+
+ NOTE: It should be pointed out that a feature of being able to
+ specify the public key explicitly is that it allows users to
+ exchange encrypted, anonymous mail. In particular, receiving
+ users will always know a message comes from the same originating
+ user even if the real identity of the originating user is unknown.
+
+ Recognizing that the use of public keys is, in general, unsuitable
+ for use by humans, MOSS allows other identifiers in Originator-ID:
+ and Recipient-ID: headers. These other identifiers are comprised of
+ two parts: a name form and a key selector.
+
+
+
+
+Crocker, et al Standards Track [Page 21]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The name form is chosen and asserted by the user who owns the
+ public/private key pair. Three name forms are specified by this
+ document. The use of a distinguished name is retained for
+ compatibility with PEM (and compatibility with the X.500 Directory
+ should it become a ubiquitous service). However, the Internet
+ community has a great deal of experience with the use of electronic
+ mail addresses as a name form. Also, arbitrary strings are useful to
+ identify the owners of public keys when private name forms are used.
+ Hence, email addresses and arbitrary strings are included as name
+ forms to increase flexibility.
+
+ Since a user may have more than one public key and may wish to use
+ the same name form for each public key, a name form is insufficient
+ for uniquely identifying a public key. A unique "key selector" must
+ be assigned to each public key. The combination of a name form and
+ the key selector uniquely identifies a public key. Throughout this
+ document, this combination is called an identifier. There are 5
+ identifiers specified by this document.
+
+ NOTE: In the simplest case, key selectors will be assigned by the
+ owners of the public/private key pairs. This works best when
+ users generate their own key pairs for personal use, from which
+ they distribute their public key to others asserting by
+ declaration that the public key belongs to them. When the
+ assertion that the public key belongs to them is made by a third
+ party, for example when a certification authority issues a
+ certificate to a user according to [4], the key selector may be
+ assigned by that third party.
+
+ The value of the key selector must be unique with respect to the name
+ form with which it forms an identifier. Although the same key
+ selector value may be used by more than one name form it must not be
+ used for two different keys with the same name form. When considered
+ separately, neither a name form nor a key selector is sufficient for
+ identifying the public key to be used. Either could be used to
+ determine a set of public keys that may be tried in turn until the
+ desired public key is identified.
+
+ With a public/private key pair for one's self and software that is
+ MOSS aware, an originating user may digitally sign arbitrary data and
+ send it to one or more recipients. With the public keys of the
+ recipients, a user may encrypt the data so that only the intended
+ recipients can decrypt and read it. With the name forms assigned to
+ the public keys, originators and recipients can easily recognize
+ their peers in a communication.
+
+ In the next section the 3 name forms are described in detail.
+ Following that is the specification of the 5 identifiers.
+
+
+
+Crocker, et al Standards Track [Page 22]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+4.1. Name Forms
+
+ There are 3 name forms specified by this document: email addresses,
+ distinguished names, and arbitrary strings.
+
+4.1.1. Email Addresses
+
+ The email address (grammar token <emailstr>) used must be a valid
+ RFC822 address, which is defined in terms of one of the two grammar
+ tokens <addr-spec> or <route-addr>. The grammar for these two tokens
+ is included in the Appendix as a convenience; the definitive source
+ for these tokens is necessarily RFC822 [1].
+
+ <emailstr> ::= <addr-spec> / <route-addr>
+ ; an electronic mail address as defined by
+ ; one of these two tokens from RFC822
+
+ For example, the strings "crocker@tis.com", "galvin@tis.com",
+ "murphy@tis.com", and "ned@innosoft.com" are all email addresses.
+
+4.1.2. Arbitrary Strings
+
+ The arbitrary string (grammar token <string>) must have a length of
+ at least 1. There are no other restrictions on the value chosen.
+
+ <string> ::= ; a non-null sequence of characters
+
+ For example, the string
+
+ the SAAG mailing list maintainer
+
+ is an arbitrary string.
+
+4.1.3. Distinguished Names
+
+ The distinguished name (grammar token <dnamestr>) must be constructed
+ according to the guidelines of the X.500 Directory. The actual
+ syntax of the distinguished name is outside the scope of this
+ specification. However, RFC1422, for example, specifies syntactic
+ restrictions based on its choice of a certification hierarchy for
+ certificates.
+
+ For the purposes of conveying a distinguished name from an originator
+ to a recipient, it must be ASN.1 encoded and then printably encoded
+ according to the base64 encoding defined by MIME.
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 23]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ <dnamestr> ::= <encbin>
+ ; a printably encoded, ASN.1 encoded
+ ; distinguished name (as defined by the 'Name'
+ ; production specified in X.501 [8])
+
+ For example,
+
+ /Country Name=US
+ /State or Province Name=MD
+ /Organization Name=Trusted Information Systems
+ /Organizational Unit Name=Glenwood
+ /Common Name=James M. Galvin/
+
+ is a distinguished name in a user friendly format (line breaks and
+ leading spaces present only to improve readability). When encoded,
+ it would appear as follows (line breaks present only to improve
+ readability):
+
+ MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3RlZCBJ
+ bmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1UEAxMP
+ SmFtZXMgTS4gR2Fsdmlu
+
+4.2. Identifiers
+
+ There are 5 types of identifiers specified by this document:
+
+ email address identifiers
+
+ arbitrary string identifiers
+
+ distinguished name identifiers
+
+ the public keys themselves
+
+ issuer name serial number pairs from a certificate
+
+ All of these have approximately the same structure (except issuer
+ name and serial number which has 'TYPE, STRING, KEYSEL' for
+ historical reasons):
+
+ TYPE, KEYSEL, STRING
+
+ The TYPE field is a literal string chosen from the set "EN", "STR",
+ "DN", "PK", and "IS", one for each of the possible identifiers.
+
+ The KEYSEL field is used to distinguish between the multiple public
+ keys that may be associated with the name form in the STRING field.
+ Its value must be unique with respect to all other key selectors used
+
+
+
+Crocker, et al Standards Track [Page 24]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ with the same name form. An example would be to use a portion (low-
+ order 16 or 32 bits) or all of the actual public key used.
+
+ The STRING field is the name form and has a different syntax
+ according to the value of the TYPE field.
+
+ The identifier used in each of the originator and recipient fields is
+ described by the following grammar. The definition of the key
+ selector token is included here since it used by several of the
+ identifiers below.
+
+ <id> ::= <id-email> / <id-string> / <id-dname>
+ / <id-publickey> / <id-issuer>
+
+ <keysel> ::= 1*<hexchar>
+ ; hex dump of a non-null sequence of octets
+
+ Each of the identifier name forms is described below.
+
+4.2.1. Email Address
+
+ The email address identifier has the following syntax.
+
+ <id-email> ::= "EN" "," <keysel> "," <emailstr> CRLF
+
+ The syntax of the token <emailstr> is defined in Section 4.1.1.
+
+ For example:
+
+ EN,1,galvin@tis.com
+
+ is an email address identifier.
+
+4.2.2. Arbitrary String
+
+ The arbitrary string identifier has the following syntax.
+
+ <id-string> ::= "STR" "," <keysel> "," <string> CRLF
+
+ The syntax of the token <string> is defined in Section 4.1.2.
+
+ For example:
+
+ STR,1,The SAAG mailing list maintainer
+
+ is an arbitrary string identifier.
+
+
+
+
+
+Crocker, et al Standards Track [Page 25]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+4.2.3. Distinguished Name
+
+ The distinguished name identifier has the following syntax.
+
+ <id-dname> ::= "DN" "," <keysel> "," <dnamestr> CRLF
+
+ The syntax of the token <dnamestr> is defined in Section 4.1.3.
+
+ For example (line breaks present only to improve readability):
+
+ DN,1,MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3R
+ lZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1U
+ EAxMPSmFtZXMgTS4gR2Fsdmlu
+
+ is a distinguished name identifier.
+
+4.2.4. Public Key
+
+ The public key identifier has the following syntax.
+
+ <id-publickey> ::= "PK" "," <publickey> [ "," <id-subset> ] CRLF
+
+ <publickey> ::= <encbin>
+ ; a printably encoded, ASN.1 encoded public
+ ; key (as defined by the
+ ; 'SubjectPublicKeyInfo' production specified
+ ; in X.509 [9])
+
+ <id-subset> ::= <id-email> / <id-string> / <id-dname>
+
+ The production SubjectPublicKeyInfo is imported from the X.500
+ Directory from the certificate object. It is currently the best
+ choice for a general purpose public key encoding.
+
+ For example, (line breaks present only to improve readability):
+
+ PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG
+ 4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn
+ 0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB
+
+ is a public key identifier without the optional <id-subset>.
+
+ In normal usage, the token <id-subset> is expected to be present. It
+ represents a mechanism by which an identifier (name form and key
+ selector) can be associated with a public key. Recipients of a
+ public key identifier must take care to verify the accuracy of the
+ purported association. If they do not, it may be possible for a
+ malicious originator to assert an identifier that accords the
+
+
+
+Crocker, et al Standards Track [Page 26]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ originator unauthorized privileges. See Section 5.2 for more
+ details.
+
+ For example, (line breaks present only to improve readability):
+
+ PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG
+ 4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn
+ 0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin@tis.com
+
+ is a public key identifier with the optional <id-subset>.
+
+4.2.5. Issuer Name and Serial Number
+
+ The issuer name and serial number identifier has the following
+ syntax.
+
+ <id-issuer> ::= "IS" "," <dnamestr> "," <serial> CRLF
+
+ <serial> ::= 1*<hexchar>
+ ; hex dump of a certificate serial number
+
+ The <id-issuer> identifier is included for compatibility with the
+ ID-ASymmetric fields defined in [3] (and compatibility with X.500
+ Directory certificates should they become ubiquitously available).
+ Its syntax was chosen such that the older fields are easily converted
+ to this new form by prefixing the old value with "IS" (and replacing
+ the field name of [3] with an appropriate new ID field name). For
+ example, (line breaks present only to improve readability):
+
+ IS,MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3
+ RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02
+
+ is an issuer name and serial number identifier according to MOSS,
+ while
+
+ MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3
+ RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02
+
+ is an issuer name and serial number identifier according to PEM.
+
+5. Key Management Content Types
+
+ This document defines two key management content types: one for
+ requesting cryptographic key material and one for sending
+ cryptographic key material. Since MOSS depends only on the existence
+ of public/private key pairs, these content types provide a means for
+ conveying public keys and an assertion as to the identity of the
+ owner. In addition, in order to be compatible with the certificate-
+
+
+
+Crocker, et al Standards Track [Page 27]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ base key management system proposed by RFC 1422, the content types
+ may also be used to convey certificate and certificate revocation
+ list material.
+
+ The functions defined here are based on the exchange of body parts.
+ In particular, a user would send a message containing at least one
+ application/mosskey-request content, as defined below. In response,
+ a user would expect to receive a message containing at least one
+ application/mosskey-data content, as defined below. MIME provides a
+ convenient framework for a user to send several request body parts
+ and to receive several data (response) body parts in one message.
+
+5.1. application/mosskey-request Content Type Definition
+
+ (1) MIME type name: application
+
+ (2) MIME subtype name: mosskey-request
+
+ (3) Required parameters: none
+
+ (4) Optional parameters: none
+
+ (5) Encoding considerations: quoted-printable is always sufficient
+
+ (6) Security Considerations: none
+
+ The content of this body part corresponds to the following
+ production.
+
+ <request> ::= <version>
+ ( <subject> / <issuer> / <certification> )
+
+ <version> ::= "Version:" "5" CRLF
+
+ <subject> ::= "Subject:" <id> CRLF
+
+ <issuer> ::= "Issuer:" <id> CRLF
+
+ <certification> ::= "Certification:" <encbin> CRLF
+
+ A user would use this content type to specify needed cryptographic
+ key information. The message containing this content type might be
+ directed towards an automatic or manual responder, which may be
+ mail-based, depending on the local implementation and environment.
+ The application/mosskey-request content type is an independent body
+ part because it is entirely independent of any other body part.
+
+
+
+
+
+Crocker, et al Standards Track [Page 28]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ If the application/mosskey-request content contains a Certification:
+ field it requests certification of the self-signed certificate in the
+ field value. If the content contains an Issuer: field it requests
+ the Certificate Revocation List (CRL) chain beginning with the CRL of
+ the issuer identified in the field value. If the content contains a
+ Subject: field it requests either the public key of the subject or a
+ certificate chain beginning with the subject identified in the field
+ value, or both if both exist.
+
+ The Subject: and Issuer: fields each contain a value of type <id>,
+ which is defined in Section 4.
+
+ One possible response to receiving an application/mosskey-request
+ body part is to construct and return an application/mosskey-data body
+ part. When returning public keys, certificate chains, and
+ certificate revocation list chains, if there exists more than one,
+ several application/mosskey-data body parts are to be returned in the
+ reply message, one for each.
+
+5.2. application/mosskey-data Content Type Definition
+
+ The principal objective of this content type is to convey
+ cryptographic keying material from a source to a destination. This
+ might be in response to the receipt of an application/mosskey-request
+ content type or it might be in anticipation of receiving an
+ application/mosskey-request if it is not sent, e.g., it may be
+ combined with a multipart/signed object by an originator to ensure
+ that a recipient has the cryptographic keying material necessary to
+ verify the signature. When combined with other content types, the
+ processing by a recipient is enhanced if the application/mosskey-data
+ content type is positioned in its enclosing content type prior to the
+ content types that will make use of its cryptographic keying
+ material.
+
+ However, no explicit provision is made in this document for
+ determining the authenticity or accuracy of the data being conveyed.
+ In particular, when a public key and its identifier is conveyed,
+ there is nothing to prevent the source or an interloper along the
+ path from the source to the destination from substituting alternate
+ values for either the public key or the identifier.
+
+ It is incumbent upon a recipient to verify the authenticity and
+ accuracy of the data received in this way prior to its use. This
+ problem can be addressed by the use of certificates, since a
+ certification hierarchy is a well-defined mechanism that conveniently
+ supports the automatic verification of the data. Alternatively, the
+ source of the application/mosskey-data body part could digitally sign
+ it. In this way, if the destination believes that a correct source's
+
+
+
+Crocker, et al Standards Track [Page 29]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ public key is available locally and if the destination believes the
+ source would convey accurate data, then the contents of the
+ application/mosskey-data from the source could be believed to be
+ accurate.
+
+ NOTE: Insofar as a certificate represents a mechanism by which a
+ third party vouches for the binding between a name and a public
+ key, the signing of an application/mosskey-data body part is a
+ similar mechanism.
+
+ (1) MIME type name: application
+
+ (2) MIME subtype name: mosskey-data
+
+ (3) Required parameters: none
+
+ (4) Optional parameters: none
+
+ (5) Encoding considerations: quoted-printable is always sufficient.
+
+ (6) Security Considerations: none
+
+ The content of this body part corresponds to the following
+ production.
+
+ <mosskeydata> ::= <version>
+ ( <publickeydata> / <certchain> / <crlchain> )
+
+ <version> ::= "Version:" "5" CRLF
+
+ <publickeydata> ::= "Key:" "PK" "," <publickey> ","
+ <id-subset> CRLF
+
+ <certchain> ::= <cert> *( [ <crl> ] <cert> )
+
+ <crlchain> ::= 1*( <crl> [ <cert> ] )
+
+ <cert> ::= "Certificate:" <encbin> CRLF
+
+ <crl> ::= "CRL:" <encbin> CRLF
+
+ This content type is used to transfer public keys, certificate
+ chains, or Certificate Revocation List (CRL) chains. The information
+ in the body part is entirely independent of any other body part.
+ (Note that the converse is not true: the validity of a protected body
+ part cannot be determined without the proper public keys,
+ certificates, or current CRL information.) As such, the
+ application/mosskey-data content type is an independent body part.
+
+
+
+Crocker, et al Standards Track [Page 30]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ The <publickeydata> production contains exactly one public key. It
+ is used to bind a public key with its corresponding name form and key
+ selector. It is recommended that when responders are returning this
+ information that the enclosing body part be digitally signed by the
+ responder in order to protect the information. The <id-subset> token
+ is defined in Section 4.2.4.
+
+ The <certchain> production contains one certificate chain. A
+ certificate chain starts with the requested certificate and continues
+ with the certificates of subsequent issuers. Each issuer certificate
+ included must have issued the preceding certificate. For each
+ issuer, a CRL may be supplied. A CRL in the chain belongs to the
+ immediately following issuer. Therefore, it potentially contains the
+ immediately preceding certificate.
+
+ The <crlchain> production contains one certificate revocation list
+ chain. The CRLs in the chain begin with the requested CRL and
+ continue with the CRLs of subsequent issuers. The issuer of each CRL
+ is presumed to have issued a certificate for the issuer of the
+ preceding CRL. For each CRL, the issuer's certificate may be
+ supplied. A certificate in the chain must belong to the issuer of
+ the immediately preceding CRL.
+
+ The relationship between a certificate and an immediately preceding
+ CRL is the same in both <certchain> and <crlchain>. In a <certchain>
+ the CRLs are optional. In a <crlchain> the certificates are
+ optional.
+
+6. Examples
+
+ Each example is included as a separate section for ease of reference.
+
+6.1. Original Message Prepared for Protection
+
+ Except as explicitly indicated, the following message is used as the
+ message to be protected.
+
+ To: Ned Freed <ned@innosoft.com>
+ Subject: Hi Ned!
+
+ How do you like the new MOSS?
+
+ Jim
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 31]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+6.2. Sign Text of Original Message
+
+ When the text of the original message is signed, it will look like
+ this, where lines with an ampersand '&' are digitally signed (note
+ the use of the public key identifier with the included email name
+ identifier, on the lines marked with an asterisk '*'):
+
+ To: Ned Freed <ned@innosoft.com>
+ Subject: Hi Ned!
+ MIME-Version: 1.0
+ Content-Type: multipart/signed;
+ protocol="application/moss-signature";
+ micalg="rsa-md5"; boundary="Signed Boundary"
+
+ --Signed Boundary
+ & Content-Type: text/plain; charset="us-ascii"
+ & Content-ID: <21436.785186814.2@tis.com>
+ &
+ & How do you like the new MOSS?
+ &
+ & Jim
+
+ --Signed Boundary
+ Content-Type: application/moss-signature
+ Content-ID: <21436.785186814.1@tis.com>
+ Content-Transfer-Encoding: quoted-printable
+
+ Version: 5
+ * Originator-ID: PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f=
+ * qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8=
+ * KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,=
+ * 2,galvin@tis.com
+ MIC-Info: RSA-MD5,RSA,PnEvyFV3sSyTSiGh/HFgWUIFa22jbHoTrFIMVERf=
+ MZXUKzFsHbmKtIowJlJR56OoImo+t7WjRfzpMH7MOKgPgzRnTwk0T5dOcP/lfb=
+ sOVJjleV7vTe9yoNp2P8mi/hs7
+
+ --Signed Boundary--
+
+6.3. Sign Headers and Text of Original Message
+
+ If, instead, we choose to protect the headers with the text of the
+ original message, it will look like this, where lines with an
+ ampersand '&' are encrypted:
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 32]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ To: Ned Freed <ned@innosoft.com>
+ Subject: Hi Ned!
+ MIME-Version: 1.0
+ Content-Type: multipart/signed;
+ protocol="application/moss-signature";
+ micalg="rsa-md5"; boundary="Signed Boundary"
+
+ --Signed Boundary
+ & Content-Type: message/rfc822
+ & Content-ID: <21468.785187044.2@tis.com>
+ &
+ & To: Ned Freed <ned@innosoft.com>
+ & Subject: Hi Ned!
+ &
+ &
+ & How do you like the new MOSS?
+ &
+ & Jim
+
+ --Signed Boundary
+ Content-Type: application/moss-signature
+ Content-ID: <21468.785187044.1@tis.com>
+ Content-Transfer-Encoding: quoted-printable
+
+ Version: 5
+ Originator-ID: PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f=
+ qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8=
+ KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,=
+ 2,galvin@tis.com
+ MIC-Info: RSA-MD5,RSA,ctbDBgkYtFW1sisb5w4/Y/p94LftgQ0IrEn3d6WT=
+ wjfxFBvAceVWfawsZPLijVKZUYtbIqJmjKtzTJlagBawfA/KhUsvTZdR6Dj+4G=
+ d8dBBwMKvqMKTHAUxGXYxwNdbK
+
+ --Signed Boundary--
+
+6.4. Encrypt Text of a Message
+
+ If we choose to encrypt the text of the following message, that is,
+ encrypt the lines marked with asterisk '*':
+
+ To: Jim Galvin <galvin@tis.com>
+ Subject: an encrypted message
+
+ * How do you like the new MOSS?
+ *
+ * Jim
+
+
+
+
+
+Crocker, et al Standards Track [Page 33]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ the message would look as follows (note the use of the email name
+ identifier, on the line marked with an asterisk '*'):
+
+ To: Jim Galvin <galvin@tis.com>
+ Subject: an encrypted message
+ MIME-Version: 1.0
+ Content-Type: multipart/encrypted;
+ protocol="application/moss-keys";
+ boundary="Encrypted Boundary"
+
+ --Encrypted Boundary
+ Content-Type: application/moss-keys
+ Content-ID: <21535.785187667.1@tis.com>
+ Content-Transfer-Encoding: quoted-printable
+
+ Version: 5
+ DEK-Info: DES-CBC,D488AAAE271C8159
+ * Recipient-ID: EN,2,galvin@tis.com
+ Key-Info: RSA,ISbC3IR01BrYq2rp493X+Dt7WrVq3V3/U/YXbxOTY5cmiy1/=
+ 7NvSqqXSK/WZq05lN99RDUQhdNxXI64ePAbFWQ6RGoiCrRs+Dc95oQh7EFEPoT=
+ 9P6jyzcV1NzZVwfp+u
+
+ --Encrypted Boundary
+ Content-Type: application/octet-stream
+ Content-Transfer-Encoding: base64
+
+ AfR1WSeyLhy5AtcX0ktUVlbFC1vvcoCjYWy/yYjVj48eqzUVvGTGMsV6MdlynU
+ d4jcJgRnQIQvIxm2VRgH8W8MkAlul+RWGu7jnxjp0sNsU562+RZr0f4F3K3n4w
+ onUUP265UvvMj23RSTguZ/nl/OxnFM6SzDgV39V/i/RofqI=
+
+ --Encrypted Boundary--
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 34]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+6.5. Encrypt the Signed Text of a Message
+
+ If, instead, we choose to sign the text before we encrypt it, the
+ structure would be as follows, where lines with an asterisk '*' are
+ digitally signed and lines with an ampersand '&' are encrypted:
+
+ Content-Type: multipart/encrypted;
+ protocol="application/moss-keys";
+ boundary="Encrypted Boundary"
+
+ --Encrypted Boundary
+ Content-Type: application/moss-keys
+
+ KEY INFORMATION
+
+ --Encrypted Boundary
+ Content-Type: application/octet-stream
+
+ & Content-Type: multipart/signed;
+ & protocol="application/moss-signature";
+ & micalg="rsa-md5"; boundary="Signed Boundary"
+ &
+ & --Signed Boundary
+ & * Content-Type: text/plain
+ & *
+ & * How do you like the new MOSS?
+ & *
+ & * Jim
+ &
+ & --Signed Boundary
+ & Content-Type: application/moss-signature
+ &
+ & SIGNATURE INFORMATION
+ &
+ & --Signed Boundary--
+
+ --Encrypted Boundary--
+
+ where KEY INFORMATION and SIGNATURE INFORMATION are descriptive of
+ the actual content that would appear in a real body part. The actual
+ message would be like this:
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 35]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ To: Jim Galvin <galvin@tis.com>
+ Subject: an encrypted message
+ MIME-Version: 1.0
+ Content-Type: multipart/encrypted;
+ protocol="application/moss-keys";
+ boundary="Encrypted Boundary"
+
+ --Encrypted Boundary
+ Content-Type: application/moss-keys
+ Content-ID: <21546.785188458.1@tis.com>
+ Content-Transfer-Encoding: quoted-printable
+
+ Version: 5
+ DEK-Info: DES-CBC,11CC89F8D90F1DFE
+ Recipient-ID: EN,2,galvin@tis.com
+ Key-Info: RSA,AZTtlEc6xm0vjkvtVUITUh7sz+nOuOwP0tsym6CQozD9IwVIJz=
+ Y8+vIfbh5BpR0kS6prq3EGFBFR8gRMUvbgHtEKPD/4ICQ7b6ssZ7FmKhl/cJC5rV=
+ jpb4EOUlwOXwRZ
+
+ --Encrypted Boundary
+ Content-Type: application/octet-stream
+ Content-Transfer-Encoding: base64
+
+ ZvWvtosDzRBXJzkDFFRb9Qjrgm2nDWg3zotJ3ZpExpWUG/aRJ7Vwd+PWkSfrDPJ5
+ 2V/wkxwMrum6xJHZonrtyd0AvaztvriMm2zXTefzwpGG1i5zK47PBqreLA3HDTK2
+ U6B13vzpE8wMSVefzaCTSpXRSCh08ceVEZrIYS53/CKZV2/Sga71pGNlux8MsJpY
+ Lwdj5Q3NKocg1LMngMo8yrMAe+avMjfOnhui49Xon1Gft+N5XDH/+wI9qxI9fkQv
+ NZVDlWIhCYEkxd5ke549tLkJjEqHQbgJW5C+K/uxdiD2dBt+nRCXcuO0Px3yKRyY
+ g/9BgTf36padSHuv48xBg5YaqaEWpEzLI0Qd31vAyP23rqiPhfBn6sjhQ2KrWhiF
+ 2l3TV8kQsIGHHZUkaUbqkXJe6PEdWWhwsqCFPDdkpjzQRrTuJH6xleNUFg+CG1V+
+ tL4IgMjQqm3KVojRXx8bG2auVN89NfwFswmoq4fXTrh3xyVS1VgxjKkcYI8SVVmk
+ YjCxVviJP3zO2UzBvCoMfADtBVBz1njYETtVGDO97uT39MqL85uEgiF4E5TkOj/m
+ 04+88G0/vvN/RISKJiFQJ3FyVIB/ShX9Dixl8WCx3rxwN5g2QFLiyQVulzuNhimS
+ D4ZxEo7smcTsAXUjwSLRtdjmTTutw2GmFESUaIrY81NcpQJRPNAvF0IkN6ddwL4q
+ vzUS99vjQp15g9FUv82lHtHwhM18a9GokVG8xYOjBBsn9anp9abh4Tp/c/vpbunQ
+ UqnpV29rF4wj+8OwUOMi9ymGabBXAjw7DhNH2RdRVr1upQO896OX81VWB0LsA0cp
+ +ymxhTrEI+wCHcrsNMoRK/7zAeuAi0f1t9bN594EFlLoIrBnKEa1/OUAhMT7kG1f
+ NkSRnc8BZswIoPyRetsTurQfD40nsVHvNwE9Jz7wbBo00gd6blPADOUYFxfW5zu6
+ ubygBqJiKPM4II2fCdNj7CptfQcoRTeguKMVPLVmFg/EINuWBFm10GqlYT7p4zhf
+ zysV/3r5LVZ1E8armTCRJ2GoYG5h+SKcytaQ0IT8S2nLPCZl1hzdajsrqHFe8omQ
+
+ --Encrypted Boundary--
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 36]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+6.6. Protecting Audio Content
+
+ In addition to text, the MOSS services as defined here will protect
+ arbitrary body parts, for example, the following audio body part:
+
+ Content-Type: audio/basic
+
+ AUDIO DATA HERE
+
+6.6.1. Sign Audio Content
+
+ When signed an audio content would appear as follows, where lines
+ with an ampersand '&' are digitally signed:
+
+ Content-Type: multipart/signed;
+ protocol="application/moss-signature";
+ micalg="rsa-md5"; boundary="Signed Boundary"
+
+ --Signed Boundary
+ & Content-Type: audio/basic
+ & Content-Transfer-Encoding: base64
+ &
+ & base64(AUDIO-DATA-HERE)
+
+ --Signed Boundary
+ Content-Type: application/moss-signature
+
+ SIGNATURE-INFORMATION-HERE
+
+ --Signed Boundary--
+
+ where AUDIO-DATA-HERE and SIGNATURE-INFORMATION-HERE are descriptive
+ of the content that would appear in a real body part.
+
+6.6.2. Encrypt Audio Content
+
+ When encrypted an audio content would appear as follows, where lines
+ with an ampersand '&' are encrypted:
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 37]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ Content-Type: multipart/encrypted;
+ protocol="application/moss-keys";
+ boundary="Encrypted Boundary"
+
+ --Encrypted Boundary
+ Content-Type: application/moss-keys
+
+ KEY-INFORMATION-HERE
+
+ --Encrypted Boundary
+ Content-Type: application/octet-stream
+ Content-Transfer-Encoding: base64
+
+ & Content-Type: audio/basic
+ &
+ & base64(encrypted(AUDIO-DATA-HERE))
+
+ --Encrypted Boundary--
+
+ where KEY-INFORMATION-HERE and AUDIO-DATA-HERE are descriptive of the
+ content that would appear in a real body part.
+
+7. Observations
+
+ The use of MIME and the framework defined by [7] exhibits several
+ properties:
+
+
+ (1) It allows arbitrary content types to be protected, not just the
+ body of an RFC822 message.
+
+
+ (2) It allows a message to contain several body parts which may or
+ may not be protected.
+
+
+ (3) It allows the components of a multipart or message content to be
+ protected with different services.
+
+
+ The use of a MIME-capable user agent makes complex nesting of
+ protected message body parts much easier. For example, the user can
+ separately sign and encrypt a message. This allows complete
+ separation of the confidentiality security service from the digital
+ signature security service. That is, different key pairs could be
+ used for the different services and could be protected separately.
+
+
+
+
+
+Crocker, et al Standards Track [Page 38]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ This is useful for at least two reasons. First, some public key
+ algorithms do not support both digital signatures and encryption; two
+ key pairs would be required in this case. Second, an employee's
+ company could be given access to the (private) decryption key but not
+ the (private) signature key, thereby granting the company the ability
+ to decrypt messages addressed to the employee in emergencies without
+ also granting the company the ability to sign messages as the
+ employee.
+
+8. Comparison of MOSS and PEM Protocols
+
+ MOSS differs from PEM in the following ways.
+
+
+ (1) When using PEM, users are required to have certificates. When
+ using MOSS, users need only have a public/private key pair.
+
+
+ (2) MOSS broadens the allowable name forms that users may use to
+ identify their public keys, including arbitrary strings, email
+ addresses, or distinguished names.
+
+
+ (3) PEM currently only supports text-based electronic mail messages
+ and the message text is required to be represented by the ASCII
+ character set with "<CR><LF>" line delimiters. These
+ restrictions no longer apply.
+
+
+ (4) The PEM specification currently requires that encryption
+ services be applied only to message bodies that have been
+ signed. By providing for each of the services separately, they
+ may be applied in any order according to the needs of the
+ requesting application.
+
+
+ (5) MIME includes transfer encoding operations to ensure the
+ unmodified transfer of body parts. Therefore, unlike PEM, MOSS
+ does not need to include these functions.
+
+
+ (6) PEM specifies a Proc-Type: header field to identify the type of
+ processing that was performed on the message. This
+ functionality is subsumed by the MIME Content-Type: headers.
+ The Proc-Type: header also includes a decimal number that is
+ used to distinguish among incompatible encapsulated header field
+ interpretations which may arise as changes are made to the PEM
+ standard. This functionality is replaced by the Version: header
+
+
+
+Crocker, et al Standards Track [Page 39]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ specified in this document.
+
+
+ (7) PEM specifies a Content-Domain: header, the purpose of which is
+ to describe the type of the content which is represented within
+ a PEM message's encapsulated text. This functionality is
+ subsumed by the MIME Content-Type: headers.
+
+
+ (8) The PEM specifications include a document that defines new types
+ of PEM messages, specified by unique values used in the Proc-
+ Type: header, to be used to request certificate and certificate
+ revocation list information. This functionality is subsumed by
+ two new content types specified in this document:
+ application/mosskey- request and application/mosskey-data.
+
+
+ (9) The header fields having to do with certificates (Originator-
+ Certificate: and Issuer-Certificate:) and CRLs (CRL:) are
+ relegated for use only in the application/mosskey-data and
+ application/mosskey-request content types and are no longer
+ allowed in the header portion of a PEM signed or encrypted
+ message. This separates key management services from the
+ digital signature and encryption services.
+
+
+ (10) The grammar specified here explicitly separates the header
+ fields that may appear for the encryption and signature security
+ services. It is the intent of this document to specify a
+ precise expression of the allowed header fields; there is no
+ intent to disallow the functionality of combinations of
+ encryption and signature security found in [3].
+
+
+ (11) With the separation of the encryption and signature security
+ services, there is no need for a MIC-Info: field in the headers
+ associated with an encrypted message.
+
+
+ (12) In [3], when asymmetric key management is used, an Originator-ID
+ field is required in order to identify the private key used to
+ sign the MIC argument in the MIC-Info: field. Because no MIC-
+ Info: field is associated with the encryption security service
+ under asymmetric key management, there is no requirement in that
+ case to include an Originator-ID field.
+
+
+ (13) The protocol specified here explicitly excludes symmetric key
+
+
+
+Crocker, et al Standards Track [Page 40]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ management.
+
+
+ (14) This document requires all data that is to be digitally signed
+ to be represented in 7bit form.
+
+
+9. Security Considerations
+
+ This entire document is about security.
+
+10. Acknowledgements
+
+ David H. Crocker suggested the use of a multipart structure for the
+ MIME and PEM interaction, which has evolved into the MOSS protocol.
+
+ The MOSS protocol is a direct descendant of the PEM protocol. The
+ authors gratefully acknowledge the editors of those specification,
+ especially John Linn and Steve Kent. This work would not have been
+ possible had it not been for all of the PEM developers, users, and
+ interested persons who are always present on the PEM developers
+ mailing list and at PEM working group meetings at IETF meetings,
+ especially, Amanda Walker, Bob Juenemann, Steve Dusse, Jeff Thomson,
+ and Rhys Weatherly.
+
+11. References
+
+ [1] Crocker, D., "Standard for the Format of ARPA Internet Text
+ Messages", STD 11, RFC 822, University of Delaware, August 1982.
+
+ [2] Borenstein, N., and N. Freed, "MIME (Multipurpose Internet Mail
+ Extension) Part One: Mechanisms for Specifying and Describing the
+ Format of Internet Message Bodies", RFC 1521, Bellcore and
+ Innosoft, September 1993.
+
+ [3] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part
+ I: Message Encryption and Authentication Procedures", RFC 1421,
+ IAB IRTF PSRG, IETF PEM WG, February 1993.
+
+ [4] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part
+ II: Certificate-Based Key Management", RFC 1422, BBN
+ Communications, February 1993.
+
+ [5] Balenson, D., "Privacy Enhancement for Internet Electronic Mail:
+ Part III: Algorithms, Modes, and Identifiers", RFC 1423, Trusted
+ Information Systems, February 1993.
+
+
+
+
+
+Crocker, et al Standards Track [Page 41]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ [6] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail:
+ Part IV: Key Certification and Related Services", RFC 1424, RSA
+ Laboratories, February 1993.
+
+ [7] Galvin, J., Murphy, S., Crocker, S., and N. Freed, "Security
+ Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
+ RFC 1847, Trusted Information Systems and Innosoft, September
+ 1995.
+
+ [8] The Directory -- Models. X.501, 1988. Developed in
+ collaboration, and technically aligned, with ISO 9594-2.
+
+ [9] The Directory -- Authentication Framework. X.509, 1988.
+ Developed in collaboration, and technically aligned, with ISO
+ 9594-8.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 42]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+12. Authors' Addresses
+
+ Steve Crocker
+ CyberCash, Inc.
+ 2086 Hunters Crest Way
+ Vienna, VA 22181
+
+ Phone: +1 703 620 1222
+ Fax: +1 703 391 2651
+ EMail: crocker@cybercash.com
+
+
+ James M. Galvin
+ Trusted Information Systems
+ 3060 Washington Road
+ Glenwood, MD 21738
+
+ Phone: +1 301 854 6889
+ Fax: +1 301 854 5363
+ EMail: galvin@tis.com
+
+
+ Sandra Murphy
+ Trusted Information Systems
+ 3060 Washington Road
+ Glenwood, MD 21738
+
+ Phone: +1 301 854 6889
+ Fax: +1 301 854 5363
+ EMail: murphy@tis.com
+
+
+ Ned Freed
+ Innosoft International, Inc.
+ 1050 East Garvey Avenue South
+ West Covina, CA 91790
+
+ Phone: +1 818 919 3600
+ Fax: +1 818 919 3614
+ EMail: ned@innosoft.com
+
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 43]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+Appendix A: Collected Grammar
+
+ The version of the grammar in this document is as follows:
+
+ <version> ::= "Version:" "5" CRLF
+
+
+ The following grammar tokens are used throughout this specification:
+
+ <encbin> ::= 1*<encbingrp>
+
+ <encbingrp> ::= 4*4<encbinchar>
+
+ <encbinchar> ::= <ALPHA> / <DIGIT> / "+" / "/" / "="
+
+ <hexchar> ::= <DIGIT> / "A" / "B" / "C" / "D" / "E" / "F"
+ ; no lower case
+
+
+ The content of an application/moss-signature body part is as follows:
+
+ <mosssig> ::= <version> ( 1*<origasymflds> )
+
+ <version> ::= "Version:" "5" CRLF
+
+ <origasymflds> ::= <origid> <micinfo>
+
+ <origid> ::= "Originator-ID:" <id> CRLF
+
+ <micinfo> ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
+ <asymsignmic> CRLF
+
+
+ The content of an application/moss-keys body part is as follows:
+
+ <mosskeys> ::= <version> <dekinfo> 1*<recipasymflds>
+
+ <version> ::= "Version:" "5" CRLF
+
+ <dekinfo> ::= "DEK-Info" ":" <dekalgid>
+ [ "," <dekparameters> ] CRLF
+
+ <recipasymflds> ::= <recipid> <asymkeyinfo>
+
+ <recipid> ::= "Recipient-ID:" <id> CRLF
+
+ <asymkeyinfo> ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF
+
+
+
+
+Crocker, et al Standards Track [Page 44]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ Identifiers are defined as follows:
+
+ <id> ::= <id-subset> / <id-publickey> / <id-issuer>
+
+ <id-subset> ::= <id-email> / <id-string> / <id-dname>
+
+ <id-email> ::= "EN" "," <keysel> "," <emailstr> CRLF
+
+ <id-string> ::= "STR" "," <keysel> "," <string> CRLF
+
+ <id-dname> ::= "DN" "," <keysel> "," <dnamestr> CRLF
+
+ <id-publickey> ::= "PK" "," <publickey> [ "," <id-subset> ] CRLF
+
+ <id-issuer> ::= "IS" "," <dnamestr> "," <serial> CRLF
+
+ <keysel> ::= 1*<hexchar>
+ ; hex dump of a non-null sequence of octets
+
+ <emailstr> ::= <addr-spec> / <route-addr>
+ ; an electronic mail address as defined by
+ ; these two tokens from RFC822
+
+ <string> ::= ; a non-null sequence of characters
+
+ <dnamestr> ::= <encbin>
+ ; a printably encoded, ASN.1 encoded
+ ; distinguished name (as defined by the 'Name'
+ ; production specified in X.501 [8])
+
+ <publickey> ::= <encbin>
+ ; a printably encoded, ASN.1 encoded public
+ ; key (as defined by the
+ ; 'SubjectPublicKeyInfo' production specified
+ ; in X.509 [9])
+
+ <serial> ::= 1*<hexchar>
+ ; hex dump of a certificate serial number
+
+
+ The content of an application/mosskey-request body part is as
+ follows:
+
+ <request> ::= <version>
+ ( <subject> / <issuer> / <certification> )
+
+ <version> ::= "Version:" "5" CRLF
+
+
+
+
+Crocker, et al Standards Track [Page 45]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ <subject> ::= "Subject:" <id> CRLF
+
+ <issuer> ::= "Issuer:" <id> CRLF
+
+ <certification> ::= "Certification:" <encbin> CRLF
+
+
+ The content of an application/mosskey-data body part is as follows:
+
+ <mosskeydata> ::= <version>
+ ( <publickeydata> / <certchain> / <crlchain> )
+
+ <version> ::= "Version:" "5" CRLF
+
+ <publickeydata> ::= "Key:" "PK" "," <publickey> ","
+ <id-subset> CRLF
+
+ <certchain> ::= <cert> *( [ <crl> ] <cert> )
+
+ <crlchain> ::= 1*( <crl> [ <cert> ] )
+
+ <cert> ::= "Certificate:" <encbin> CRLF
+
+ <crl> ::= "CRL:" <encbin> CRLF
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 46]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+Appendix B: Imported Grammar
+
+ Options normally present in the grammar reprinted here which are
+ illegal in MOSS are excluded in this reprinting, for the convenience
+ of the reader.
+
+ The following productions are taken from [5]. The grammar presented
+ in [5] remains the authoritative source for these productions; they
+ are repeated here for the convenience of the reader.
+
+ <dekalgid> ::= "DES-CBC"
+ <ikalgid> ::= "RSA"
+ <micalgid> ::= "RSA-MD2" / "RSA-MD5"
+
+ <dekparameters> ::= <DESCBCparameters>
+ <DESCBCparameters> ::= <IV>
+ <IV> ::= <hexchar16>
+ <hexchar16> ::= 16*16<hexchar>
+
+ <asymsignmic> ::= <RSAsignmic>
+ <RSAsignmic> ::= <encbin>
+
+ <asymencdek> ::= <RSAencdek>
+ <RSAencdek> ::= <encbin>
+
+ The following productions are taken from [1]. The grammar presented
+ in [1] remains the authoritative source for these productions; they
+ are repeated here for the convenience of the reader.
+
+ <route-addr> ::= "<" [ <route> ] <addr-spec> ">"
+
+ <route> ::= 1# ( "@" <domain> ) ":" ; path-relative
+
+
+ <addr-spec> ::= <local-part> "@" <domain>; global address
+
+ <local-part> ::= <word> *( "." <word> ) ; uninterpreted
+ ; case-preserved
+
+ <domain> ::= <sub-domain> *( "." <sub-domain> )
+
+ <sub-domain> ::= <domain-ref> / <domain-literal>
+
+ <domain-ref> ::= <atom> ; symbolic
+ ; reference
+
+ <domain-literal>::= "[" *( <dtext> / <quoted-pair> ) "]"
+
+
+
+
+Crocker, et al Standards Track [Page 47]
+
+RFC 1848 MIME Object Security Services October 1995
+
+
+ <dtext> ::= <any CHAR excluding "[", "]",
+ "\" & <CR>, & including
+ linear-white-space>
+ ; => may be folded
+
+
+ <word> ::= <atom> / <quoted-string>
+
+ <quoted-string> ::= """ *( <qtext> / <quoted-pair> ) """
+
+ <qtext> ::= (any <CHAR> excepting """, "\", and CR,
+ and including <linear-white-space>)
+
+ <quoted-pair> ::= "\" <CHAR> ; may quote any
+ ; char
+
+ <linear-white-space> ::= 1*( [ CRLF ] <LWSP-char> )
+ ; semantics = SPACE
+ ; CRLF => folding
+
+ <LWSP-char> ::= SPACE / HTAB ; semantics = SPACE
+
+
+ <atom> ::= 1*(any <CHAR>
+ except <specials>, SPACE and <CTL>s)
+
+ <CHAR> ::= <any ASCII character>
+
+ <CTL> ::= <any ASCII control character and DEL>
+
+ <specials> ::= "(" / ")" / "<" / ">" / "@"
+ / "," / ";" / ":" / "\" / <">
+ / "." / "[" / "]"
+ ; Must be in quoted-
+ ; string, to use
+ ; within a word.
+
+ <ALPHA> ::= <any ASCII alphabetic character>
+ ; (101-132, 65.-90.)
+ ; (141-172, 97.-122.)
+
+ <DIGIT> ::= <any ASCII decimal digit>; (60-71, 48.-57.)
+
+
+
+
+
+
+
+
+
+Crocker, et al Standards Track [Page 48]
+