diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3183.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3183.txt')
-rw-r--r-- | doc/rfc/rfc3183.txt | 1347 |
1 files changed, 1347 insertions, 0 deletions
diff --git a/doc/rfc/rfc3183.txt b/doc/rfc/rfc3183.txt new file mode 100644 index 0000000..4640e68 --- /dev/null +++ b/doc/rfc/rfc3183.txt @@ -0,0 +1,1347 @@ + + + + + + +Network Working Group T. Dean +Request for Comments: 3183 W. Ottaway +Category: Experimental QinetiQ + October 2001 + + + Domain Security Services using S/MIME + +Status of this Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2001). All Rights Reserved. + +Abstract + + This document describes how the S/MIME (Secure/Multipurpose Internet + Mail Extensions) protocol can be processed and generated by a number + of components of a communication system, such as message transfer + agents, guards and gateways to deliver security services. These + services are collectively referred to as 'Domain Security Services'. + +Acknowledgements + + Significant comments were made by Luis Barriga, Greg Colla, Trevor + Freeman, Russ Housley, Dave Kemp, Jim Schaad and Michael Zolotarev. + +1. Introduction + + The S/MIME [1] series of standards define a data encapsulation format + for the provision of a number of security services including data + integrity, confidentiality, and authentication. S/MIME is designed + for use by messaging clients to deliver security services to + distributed messaging applications. + + The mechanisms described in this document are designed to solve a + number of interoperability problems and technical limitations that + arise when different security domains wish to communicate securely, + for example when two domains use incompatible messaging technologies + such as the X.400 series and SMTP/MIME, or when a single domain + wishes to communicate securely with one of its members residing on an + untrusted domain. The scenarios covered by this document are + domain-to-domain, individual-to-domain and domain-to-individual + + + +Dean & Ottaway Experimental [Page 1] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + communications. This document is also applicable to organizations + and enterprises that have internal PKIs which are not accessible by + the outside world, but wish to interoperate securely using the S/MIME + protocol. + + There are many circumstances when it is not desirable or practical to + provide end-to-end (desktop-to-desktop) security services, + particularly between different security domains. An organization + that is considering providing end-to-end security services will + typically have to deal with some if not all of the following issues: + + 1) Heterogeneous message access methods: Users are accessing mail + using mechanisms which re-format messages, such as using Web + browsers. Message reformatting in the Message Store makes end- + to-end encryption and signature validation impossible. + + 2) Message screening and audit: Server-based mechanisms such as + searching for prohibited words or other content, virus scanning, + and audit, are incompatible with end-to-end encryption. + + 3) PKI deployment issues: There may not be any certificate paths + between two organizations. Or an organization may be sensitive + about aspects of its PKI and unwilling to expose them to outside + access. Also, full PKI deployment for all employees, may be + expensive, not necessary or impractical for large organizations. + For any of these reasons, direct end-to-end signature validation + and encryption are impossible. + + 4) Heterogeneous message formats: One organization using X.400 series + protocols wishes to communicate with another using SMTP. Message + reformatting at gateways makes end-to-end encryption and signature + validation impossible. + + This document describes an approach to solving these problems by + providing message security services at the level of a domain or an + organization. This document specifies how these 'domain security + services' can be provided using the S/MIME protocol. Domain security + services may replace or complement mechanisms at the desktop. For + example, a domain may decide to provide desktop-to-desktop signatures + but domain-to-domain encryption services. Or it may allow desktop- + to-desktop services for intra-domain use, but enforce domain-based + services for communication with other domains. + + Domain services can also be used by individual members of a + corporation who are geographically remote and who wish to exchange + encrypted and/or signed messages with their base. + + + + + +Dean & Ottaway Experimental [Page 2] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + Whether or not a domain based service is inherently better or worse + than desktop based solutions is an open question. Some experts + believe that only end-to-end solutions can be truly made secure, + while others believe that the benefits offered by such things as + content checking at domain boundaries offers considerable increase in + practical security for many real systems. The additional service of + allowing signature checking at several points on a communications + path is also an extra benefit in many situations. This debate is + outside the scope of this document. What is offered here is a set of + tools that integrators can tailor in different ways to meet different + needs in different circumstances. + + Message transfer agents (MTAs), guards, firewalls and protocol + translation gateways all provide domain security services. As with + desktop based solutions, these components must be resilient against a + wide variety of attacks intended to subvert the security services. + Therefore, careful consideration should be given to security of these + components, to make sure that their siting and configuration + minimises the possibility of attack. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [2]. + +2. Overview of Domain Security Services + + This section gives an informal overview of the security services that + are provided by S/MIME between different security domains. These + services are provided by a combination of mechanisms in the sender's + and recipient's domains. + + Later sections describe definitively how these services map onto + elements of the S/MIME protocol. + + The following security mechanisms are specified in this document: + + 1. Domain signature + 2. Review signature + 3. Additional attributes signature + 4. Domain encryption and decryption + + The signature types defined in this document are referred to as + DOMSEC defined signatures. + + + + + + + + +Dean & Ottaway Experimental [Page 3] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + The term 'security domain' as used in this document is defined as a + collection of hardware and personnel operating under a single + security authority and performing a common business function. + Members of a security domain will of necessity share a high degree of + mutual trust, due to their shared aims and objectives. + + A security domain is typically protected from direct outside attack + by physical measures and from indirect (electronic) attack by a + combination of firewalls and guards at network boundaries. The + interface between two security domains is termed a 'security + boundary'. One example of a security domain is an organizational + network ('Intranet'). + +2.1 Domain Signature + + A domain signature is an S/MIME signature generated on behalf of a + set of users in a domain. A domain signature can be used to + authenticate information sent between domains or between a certain + domain and one of its individuals, for example, when two 'Intranets' + are connected using the Internet, or when an Intranet is connected to + a remote user over the Internet. It can be used when two domains + employ incompatible signature schemes internally or when there are no + certification links between their PKIs. In both cases messages from + the originator's domain are signed over the original message and + signature (if present) using an algorithm, key, and certificate which + can be processed by the recipient(s) or the recipient(s) domain. A + domain signature is sometimes referred to as an "organizational + signature". + +2.2 Review Signature + + A third party may review messages before they are forwarded to the + final recipient(s) who may be in the same or a different security + domain. Organizational policy and good security practice often + require that messages be reviewed before they are released to + external recipients. Having reviewed a message, an S/MIME signature + is added to it - a review signature. An agent could check the review + signature at the domain boundary, to ensure that only reviewed + messages are released. + +2.3 Additional Attributes Signature + + A third party can add additional attributes to a signed message. An + S/MIME signature is used for this purpose - an additional attributes + signature. An example of an additional attribute is the 'Equivalent + Label' attribute defined in ESS [3]. + + + + + +Dean & Ottaway Experimental [Page 4] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +2.4 Domain Encryption and Decryption + + Domain encryption is S/MIME encryption performed on behalf of a + collection of users in a domain. Domain encryption can be used to + protect information between domains, for example, when two + 'Intranets' are connected using the Internet. It can also be used + when end users do not have PKI/encryption capabilities at the + desktop, or when two domains employ incompatible encryption schemes + internally. In the latter case messages from the originator's domain + are encrypted (or re-encrypted) using an algorithm, key, and + certificate which can be decrypted by the recipient(s) or an entity + in their domain. This scheme also applies to protecting information + between a single domain and one of its members when both are + connected using an untrusted network, e.g., the Internet. + +3. Mapping of the Signature Services to the S/MIME Protocol + + This section describes the S/MIME protocol elements that are used to + provide the security services described above. ESS [3] introduces + the concept of triple-wrapped messages that are first signed, then + encrypted, then signed again. This document also uses this concept + of triple-wrapping. In addition, this document also uses the concept + of 'signature encapsulation'. 'Signature encapsulation' denotes a + signed or unsigned message that is wrapped in a signature, this + signature covering both the content and the first (inner) signature, + if present. + + Signature encapsulation MAY be performed on the inner and/or the + outer signature of a triple-wrapped message. + + For example, the originator signs a message which is then + encapsulated with an 'additional attributes' signature. This is then + encrypted. A reviewer then signs this encrypted data, which is then + encapsulated by a domain signature. + + There is a possibility that some policies will require signatures to + be added in a specific order. By only allowing signatures to be + added by encapsulation it is possible to determine the order in which + the signatures have been added. + + A DOMSEC defined signature MAY encapsulate a message in one of the + following ways: + + 1) An unsigned message has an empty signature layer added to it + (i.e., the message is wrapped in a signedData that has a + signerInfos which contains no elements). This is to enable + backward compatibility with S/MIME software that does not have a + DOMSEC capability. Since the signerInfos will contain no signers + + + +Dean & Ottaway Experimental [Page 5] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + the eContentType, within the EncapsulatedContentInfo, MUST be id- + data as described in CMS [5]. However, the eContent field will + contain the unsigned message instead of being left empty as + suggested in section 5.2 in CMS [5]. This is so that when the + DOMSEC defined signature is added, as defined in method 2) below, + the signature will cover the unsigned message. + + 2) Signature Encapsulation is used to wrap the original signed + message with a DOMSEC defined signature. This is so that the + DOMSEC defined signature covers the message and all the previously + added signatures. Also, it is possible to determine that the + DOMSEC defined signature was added after the signatures that are + already there. + +3.1 Naming Conventions and Signature Types + + An entity receiving an S/MIME signed message would normally expect + the signature to be that of the originator of the message. However, + the message security services defined in this document require the + recipient to be able to accept messages signed by other entities + and/or the originator. When other entities sign the message the name + in the certificate will not match the message sender's name. An + S/MIME compliant implementation would normally flag a warning if + there were a mismatch between the name in the certificate and the + message sender's name. (This check prevents a number of types of + masquerade attack.) + + In the case of domain security services, this warning condition + SHOULD be suppressed under certain circumstances. These + circumstances are defined by a naming convention that specifies the + form that the signers name SHOULD adhere to. Adherence to this + naming convention avoids the problems of uncontrolled naming and the + possible masquerade attacks that this would produce. + + As an assistance to implementation, a signed attribute is defined to + be included in the S/MIME signature - the 'signature type' attribute. + On receiving a message containing this attribute, the naming + convention checks are invoked. + + Implementations conforming to this standard MUST support the naming + convention for signature generation and verification. + Implementations conforming to this standard MUST recognize the + signature type attribute for signature verification. Implementations + conforming to this standard MUST support the signature type attribute + for signature generation. + + + + + + +Dean & Ottaway Experimental [Page 6] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +3.1.1 Naming Conventions + + The following naming conventions are specified for agents generating + signatures specified in this document: + + * For a domain signature, an agent generating this signature MUST be + named 'domain-signing-authority' + + * For a review signature, an agent generating this signature MUST be + named 'review-authority'. + + * For an additional attributes signature, an agent generating this + signature MUST be named 'attribute-authority'. + + This name shall appear as the 'common name (CN)' component of the + subject field in the X.509 certificate. There MUST be only one CN + component present. Additionally, if the certificate contains an RFC + 822 address, this name shall appear in the end entity component of + the address - on the left-hand side of the '@' symbol. + + In the case of a domain signature, an additional naming rule is + defined: the 'name mapping rule'. The name mapping rule states that + for a domain signing authority, the domain part of its name MUST be + the same as, or an ascendant of, the domain name of the message + originator(s) that it is representing. The domain part is defined as + follows: + + * In the case of an X.500 distinguished subject name of an X.509 + certificate, the domain part is the country, organization, + organizational unit, state, and locality components of the + distinguished name. + + * In the case of an RFC 2247 distinguished name, the domain part is + the domain components of the distinguished name. + + * If the certificate contains an RFC 822 address, the domain part is + defined to be the RFC 822 address component on the right-hand side + of the '@' symbol. + + For example, a domain signing authority acting on behalf of John Doe + of the Acme corporation, whose distinguished name is 'cn=John Doe, + ou=marketing,o=acme,c=us' and whose e-mail address is + John.Doe@marketing.acme.com, could have a certificate containing a + distinguished name of + 'cn=domain-signing-authority,o=acme,c=us' and an RFC 822 address of + 'domain-signing-authority@acme.com'. If John Doe has an RFC 2247 + + + + + +Dean & Ottaway Experimental [Page 7] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + defined address of 'cn=John Doe,dc=marketing,dc=acme,dc=us' then an + address of 'cn=domain-signing-authority,dc=acme,dc=us' could be used + to represent the domain signing authority. + + When the X.500 distinguished subject name has consecutive + organizational units and/or localities it is important to understand + the ordering of these values in order to determine if the domain part + of the domain signature is an ascendant. In this case, when parsing + the distinguished subject name from the most significant component + (i.e., country, locality or organization) the parsed organizational + unit or locality is deemed to be the ascendant of consecutive + (unparsed) organizational units or localities. + + When parsing an RFC 2247 subject name from the most significant + component (i.e., the 'dc' entry that represents the country, locality + or organization) the parsed 'dc' entry is deemed to be the ascendant + of consecutive (unparsed) 'dc' entries. + + For example, a domain signing authority acting on behalf of John Doe + of the Acme corporation, whose distinguished name is 'cn=John Doe, + ou=marketing,ou=defence,o=acme,c=us' and whose e-mail address is + John.Doe@marketing.defence.acme.com, could have a certificate + containing a distinguished name of 'cn=domain-signing- + authority,ou=defence,o=acme,c=us' and an RFC 822 address of 'domain- + signing-authority@defence.acme.com'. If John Doe has an RFC 2247 + defined address of 'cn=John + Doe,dc=marketing,dc=defense,dc=acme,dc=us' then the domain signing + authority could have a distinguished name of 'cn=domain-signing- + authority,dc=defence,dc=acme,dc=us'. + + Any message received where the domain part of the domain signing + agent's name does not match, or is not an ascendant of, the + originator's domain name MUST be flagged. + + This naming rule prevents agents from one organization masquerading + as domain signing authorities on behalf of another. For the other + types of signature defined in this document, no such named mapping + rule is defined. + + Implementations conforming to this standard MUST support this name + mapping convention as a minimum. Implementations MAY choose to + supplement this convention with other locally defined conventions. + However, these MUST be agreed between sender and recipient domains + prior to secure exchange of messages. + + On verifying the signature, a receiving agent MUST ensure that the + naming convention has been adhered to. Any message that violates the + convention MUST be flagged. + + + +Dean & Ottaway Experimental [Page 8] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +3.1.2 Signature Type Attribute + + An S/MIME signed attribute is used to indicate the type of signature. + This should be used in conjunction with the naming conventions + specified in the previous section. When an S/MIME signed message + containing the signature type attribute is received it triggers the + software to verify that the correct naming convention has been used. + + The ASN.1 [4] notation of this attribute is: - + + SignatureType ::= SEQUENCE OF OBJECT IDENTIFIER + + id-sti OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 9 } + + -- signature type identifier + + If present, the SignatureType attribute MUST be a signed attribute, + as defined in [5]. If the SignatureType attribute is absent and + there are no further encapsulated signatures the recipient SHOULD + assume that the signature is that of the message originator. + + All of the signatures defined here are generated and processed as + described in [5]. They are distinguished by the presence of the + following values in the SignatureType signed attribute: + + id-sti-domainSig OBJECT IDENTIFIER ::= { id-sti 2 } + -- domain signature. + + id-sti-addAttribSig OBJECT IDENTIFIER ::= { id-sti 3 } + -- additional attributes signature. + + id-sti-reviewSig OBJECT IDENTIFIER ::= { id-sti 4 } + -- review signature. + + For completeness, an attribute type is also specified for an + originator signature. However, this signature type is optional. It + is defined as follows: + + id-sti-originatorSig OBJECT IDENTIFIER ::= { id-sti 1 } + -- originator's signature. + + All signature types, except the originator type, MUST encapsulate + other signatures. Note a DOMSEC defined signature could be + encapsulating an empty signature as defined in section 3. + + + + + + +Dean & Ottaway Experimental [Page 9] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + A SignerInfo MUST NOT include multiple instances of SignatureType. A + signed attribute representing a SignatureType MAY include multiple + instances of different SignatureType values as an AttributeValue of + attrValues [5], as long as the SignatureType 'additional attributes' + is not present. + + If there is more than one SignerInfo in a signerInfos (i.e., when + different algorithms are used) then the SignatureType attribute in + all the SignerInfos MUST contain the same content. + + The following sections describe the conditions under which each of + these types of signature may be generated, and how they are + processed. + +3.2 Domain Signature Generation and Verification + + A 'domain signature' is a proxy signature generated on a user's + behalf in the user's domain. The signature MUST adhere to the naming + conventions in 3.1.1, including the name mapping convention. A + 'domain signature' on a message authenticates the fact that the + message has been released from that domain. Before signing, a + process generating a 'domain signature' MUST first satisfy itself of + the authenticity of the message originator. This is achieved by one + of two methods. Either the 'originator's signature' is checked, if + S/MIME signatures are used inside a domain. Or if not, some + mechanism external to S/MIME is used, such as the physical address of + the originating client or an authenticated IP link. + + If the originator's authenticity is successfully verified by one of + the above methods and all other signatures present are valid, + including those that have been encrypted, a 'domain signature' can be + added to a message. + + If a 'domain signature' is added and the message is received by a + Mail List Agent (MLA) there is a possibility that the 'domain + signature' will be removed. To stop the 'domain signature' from + being removed the steps in section 5 MUST be followed. + + An entity generating a domain signature MUST do so using a + certificate containing a subject name that follows the naming + convention specified in 3.1.1. + + If the originator's authenticity is not successfully verified or all + the signatures present are not valid, a 'domain signature' MUST NOT + be generated. + + + + + + +Dean & Ottaway Experimental [Page 10] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + On reception, the 'domain signature' SHOULD be used to verify the + authenticity of a message. A check MUST be made to ensure that both + the naming convention and the name mapping convention have been used + as specified in this standard. + + A recipient can assume that successful verification of the domain + signature also authenticates the message originator. + + If there is an originator signature present, the name in that + certificate SHOULD be used to identify the originator. This + information can then be displayed to the recipient. + + If there is no originator signature present, the only assumption that + can be made is the domain the message originated from. + + A domain signer can be assumed to have verified any signatures that + it encapsulates. Therefore, it is not necessary to verify these + signatures before treating the message as authentic. However, this + standard does not preclude a recipient from attempting to verify any + other signatures that are present. + + The 'domain signature' is indicated by the presence of the value id- + sti-domainSig in a 'signature type' signed attribute. + + There MAY be one or more 'domain signature' signatures in an S/MIME + encoding. + +3.3 Additional Attributes Signature Generation and Verification + + The 'additional attributes' signature type indicates that the + SignerInfo contains additional attributes that are associated with + the message. + + All attributes in the applicable SignerInfo MUST be treated as + additional attributes. Successful verification of an 'additional + attributes' signature means only that the attributes are + authentically bound to the message. A recipient MUST NOT assume that + its successful verification also authenticates the message + originator. + + An entity generating an 'additional attributes' signature MUST do so + using a certificate containing a subject name that follows the naming + convention specified in 3.1.1. On reception, a check MUST be made to + ensure that the naming convention has been used. + + + + + + + +Dean & Ottaway Experimental [Page 11] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + A signer MAY include any of the attributes listed in [3] or in this + document when generating an 'additional attributes' signature. The + following attributes have a special meaning, when present in an + 'additional attributes' signature: + + 1) Equivalent Label: label values in this attribute are to be treated + as equivalent to the security label contained in an encapsulated + SignerInfo, if present. + + 2) Security Label: the label value indicates the aggregate + sensitivity of the inner message content plus any encapsulated + signedData and envelopedData containers. The label on the + original data is indicated by the value in the originator's + signature, if present. + + An 'additional attributes' signature is indicated by the presence of + the value id-sti-addAttribSig in a 'signature type' signed attribute. + Other Object Identifiers MUST NOT be included in the sequence of OIDs + if this value is present. + + There MAY be multiple 'additional attributes' signatures in an S/MIME + encoding. + +3.4 Review Signature Generation and Verification + + The review signature indicates that the signer has reviewed the + message. Successful verification of a review signature means only + that the signer has approved the message for onward transmission to + the recipient(s). When the recipient is in another domain, a device + on a domain boundary such as a Mail Guard or firewall may be + configured to check review signatures. A recipient MUST NOT assume + that its successful verification also authenticates the message + originator. + + An entity generating a signed review signature MUST do so using a + certificate containing a subject name that follows the naming + convention specified in 3.1.1. On reception, a check MUST be made to + ensure that the naming convention has been used. + + A review signature is indicated by the presence of the value id-sti- + reviewSig in a 'signature type' signed attribute. + + There MAY be multiple review signatures in an S/MIME encoding. + + + + + + + + +Dean & Ottaway Experimental [Page 12] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +3.5 Originator Signature + + The 'originator signature' is used to indicate that the signer is the + originator of the message and its contents. It is included in this + document for completeness only. An originator signature is indicated + either by the absence of the signature type attribute, or by the + presence of the value id-sti-originatorSig in a 'signature type' + signed attribute. + +4. Encryption and Decryption + + Message encryption may be performed by a third party on behalf of a + set of originators in a domain. This is referred to as domain + encryption. Message decryption may be performed by a third party on + behalf of a set of recipients in a domain. This is referred to as + domain decryption. The third party that performs these processes is + referred to in this section as a "Domain Confidentiality Authority" + (DCA). Both of these processes are described in this section. + + Messages may be encrypted for decryption by the final recipient + and/or by a DCA in the recipient's domain. The message may also be + encrypted for decryption by a DCA in the originator's domain (e.g., + for content analysis, audit, key word scanning, etc.). The choice of + which of these is actually performed is a system specific issue that + depends on system security policy. It is therefore outside the scope + of this document. These processes of encryption and decryption + processes are shown in the following table. + + -------------------------------------------------------------------- +| | Recipient Decryption | Domain Decryption | +|------------------------|----------------------|--------------------| +| Originator Encryption | Case(a) | Case(b) | +| Domain Encryption | Case(c) | Case(d) | + -------------------------------------------------------------------- + + Case (a), encryption of messages by the originator for decryption by + the final recipient(s), is described in CMS [5]. In cases (c) and + (d), encryption is performed not by the originator but by the DCA in + the originator's domain. In cases (b) and (d), decryption is + performed not by the recipient(s) but by the DCA in the recipient's + domain. + + A client implementation that conforms to this standard MUST support + case (b) for transmission, case (c) for reception and case (a) for + transmission and reception. + + + + + + +Dean & Ottaway Experimental [Page 13] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + A DCA implementation that conforms to this standard MUST support + cases (c) and (d), for transmission, and cases (b) and (d) for + reception. In cases (c) and (d) the 'domain signature' SHOULD be + applied before the encryption. In cases (b) and (d) the message + SHOULD be decrypted before the originators 'domain signature' is + obtained and verified. + + The process of encryption and decryption is documented in CMS [5]. + The only additional requirement introduced by domain encryption and + decryption is for greater flexibility in the management of keys, as + described in the following subsections. As with signatures, a naming + convention and name mapping convention are used to locate the correct + public key. + + The mechanisms described below are applicable both to key agreement + and key transport systems, as documented in CMS [5]. The phrase + 'encryption key' is used as a collective term to cover the key + management keys used by both techniques. + + The mechanisms below are also applicable to individual roving users + who wish to encrypt messages that are sent back to base. + +4.1 Domain Confidentiality Naming Conventions + + A DCA MUST be named 'domain-confidentiality-authority'. This name + MUST appear in the 'common name(CN)' component of the subject field + in the X.509 certificate. Additionally, if the certificate contains + an RFC 822 address, this name MUST appear in the end entity part of + the address, i.e., on the left-hand side of the '@' symbol. + + Along with this naming convention, an additional naming rule is + defined: the 'name mapping rule'. The name mapping rule states that + for a DCA, the domain part of its name MUST be the same as, or an + ascendant of (as defined in section 3.1.1), the domain name of the + set of entities that it represents. The domain part is defined as + follows: + + * In the case of an X.500 distinguished name of an X.509 + certificate, the domain part is the country, organization, + organizational unit, state, and locality components of the + distinguished name. + + * In the case of an RFC 2247 distinguished name, the domain part is + the domain components of the distinguished name. + + * If the certificate contains an RFC 822 address, the domain part is + defined to be the RFC 822 address part on the right-hand side of + the '@' symbol. + + + +Dean & Ottaway Experimental [Page 14] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + For example, a DCA acting on behalf of John Doe of the Acme + corporation, whose distinguished name is 'cn=John Doe,ou=marketing, + o=acme,c=us' and whose e-mail address is John.Doe@marketing.acme.com, + could have a certificate containing a distinguished name of + 'cn=domain-confidentiality-authority,o=acme,c=us' and an e-mail + address of 'domain-confidentiality-authority@acme.com'. If John Doe + has an RFC 2247 defined address of 'cn=John Doe,dc=marketing, + dc=defense,dc=acme,dc=us' then the domain signing authority could + have a distinguished name of + 'cn=domain-signing-authority,dc=defence,dc=acme,dc=us'. The key + associated with this certificate would be used for encrypting + messages for John Doe. + + Any message received where the domain part of the domain encrypting + agents name does not match, or is not an ascendant of, the domain + name of the entities it represents MUST be flagged. + + This naming rule prevents messages being encrypted for the wrong + domain decryption agent. + + Implementations conforming to this standard MUST support this name + mapping convention as a minimum. Implementations may choose to + supplement this convention with other locally defined conventions. + However, these MUST be agreed between sender and recipient domains + prior to sending any messages. + +4.2 Key Management for DCA Encryption + + At the sender's domain, DCA encryption is achieved using the + recipient DCA's certificate or the end recipient's certificate. For + this, the encrypting process must be able to correctly locate the + certificate for the corresponding DCA in the recipient's domain or + the one corresponding to the end recipient. Having located the + correct certificate, the encryption process is then performed and + additional information required for decryption is conveyed to the + recipient in the recipientInfo field as specified in CMS [5]. A DCA + encryption agent MUST be named according to the naming convention + specified in section 4.1. This is so that the corresponding + certificate can be found. + + No specific method for locating the certificate to the corresponding + DCA in the recipient's domain or the one corresponding to the end + recipient is mandated in this document. An implementation may choose + to access a local certificate store to locate the correct + certificate. Alternatively, a X.500 or LDAP directory may be used in + one of the following ways: + + + + + +Dean & Ottaway Experimental [Page 15] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + 1. The directory may store the DCA certificate in the recipient's + directory entry. When the user certificate attribute is + requested, this certificate is returned. + + 2. The encrypting agent maps the recipient's name to the DCA name in + the manner specified in 4.1. The user certificate attribute + associated with this directory entry is then obtained. + + This document does not mandate either of these processes. Whichever + one is used, the name mapping conventions must be adhered to, in + order to maintain confidentiality. + + Having located the correct certificate, the encryption process is + then performed. A recipientInfo for the DCA or end recipient is then + generated, as described in CMS [5]. + + DCA encryption may be performed for decryption by the end recipient + and/or by a DCA. End recipient decryption is described in CMS [5]. + DCA decryption is described in section 4.3. + +4.3 Key Management for DCA Decryption + + DCA decryption uses a private-key belonging to the DCA and the + necessary information conveyed in the DCA's recipientInfo field. + + It should be noted that domain decryption can be performed on + messages encrypted by the originator and/or by a DCA in the + originator's domain. In the first case, the encryption process is + described in CMS [5]; in the second case, the encryption process is + described in 4.2. + +5. Applying a Domain Signature when Mail List Agents are Present. + + It is possible that a message leaving a DOMSEC domain may encounter a + Mail List Agent (MLA) before it reaches the final recipient. There + is a possibility that this would result in the 'domain signature' + being stripped off the message. We do not want a MLA to remove the + 'domain signature'. Therefore, the 'domain signature' must be + applied to the message in such a way that will prevent a MLA from + removing it. + + A MLA will search a message for the "outer" signedData layer, as + defined in ESS [3] section 4.2, and strip off all signedData layers + that encapsulate this "outer" signedData layer. Where this "outer" + signedData layer is found will depend on whether the message contains + a mlExpansionHistory attribute or an envelopedData layer. + + + + + +Dean & Ottaway Experimental [Page 16] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + There is a possibility that a message leaving a DOMSEC domain has + already been processed by a MLA, in which case a 'mlExpansionHistory' + attribute will be present within the message. + + There is a possibility that the message will contain an envelopedData + layer. This will be the case when the message has been encrypted + within the domain for the domain's "Domain Confidentiality + Authority", see section 4.0, and, possibly, the final recipient. + + How the 'domain signature' is applied will depend on what is already + present within the message. Before the 'domain signature' can be + applied the message MUST be searched for the "outer" signedData + layer, this search is complete when one of the following is found: - + + - The "outer" signedData layer that includes an + mlExpansionHistory attribute or encapsulates an envelopedData + object. + - An envelopedData layer. + - The original content (that is, a layer that is neither + envelopedData nor signedData). + + If a signedData layer containing a mlExpansionHistory attribute has + been found then: - + + 1) Strip off the signedData layer (after remembering the included + signedAttributes). + + 2) Search the rest of the message until an envelopedData layer or + the original content is found. + + 3) a) If an envelopedData layer has been found then: - + + - Strip off all the signedData layers down to the + envelopedData layer. + - Locate the RecipientInfo for the local DCA and use the + information it contains to obtain the message key. + - Decrypt the encryptedContent using the message key. + - Encapsulate the decrypted message with a 'domain + signature' + - If local policy requires the message to be encrypted + using S/MIME encryption before leaving the domain then + encapsulate the 'domain signature' with an envelopedData + layer containing RecipientInfo structures for each of the + recipients and an originatorInfo value built from + information describing this DCA. + + + + + + +Dean & Ottaway Experimental [Page 17] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + If local policy does not require the message to be + encrypted using S/MIME encryption but there is an + envelopedData at a lower level within the message then + the 'domain signature' MUST be encapsulated by an + envelopedData as described above. + + An example when it may not be local policy to require + S/MIME encryption is when there is a link crypto present. + + b) If an envelopedData layer has not been found then: - + + - Encapsulate the new message with a 'domain signature'. + + 4) Encapsulate the new message in a signedData layer, adding the + signedAttributes from the signedData layer that contained the + mlExpansionHistory attribute. + + If no signedData layer containing a mlExpansionHistory attribute has + been found but an envelopedData has been found then: - + + 1) Strip off all the signedData layers down to the envelopedData + layer. + 2) Locate the RecipientInfo for the local DCA and use the + information it contains to obtain the message key. + 3) Decrypt the encryptedContent using the message key. + 4) Encapsulate the decrypted message with a 'domain signature' + 5) If local policy requires the message to be encrypted before + leaving the domain then encapsulate the 'domain signature' with + an envelopedData layer containing RecipientInfo structures for + each of the recipients and an originatorInfo value built from + information describing this DCA. + + If local policy does not require the message to be encrypted + using S/MIME encryption but there is an envelopedData at a + lower level within the message then the 'domain signature' MUST + be encapsulated by an envelopedData as described above. + + If no signedData layer containing a mlExpansionHistory attribute has + been found and no envelopedData has been found then: - + + 1) Encapsulate the message in a 'domain signature'. + +5.1 Examples of Rule Processing + + The following examples help explain the above rules. All of the + signedData objects are valid and none of them are a domain signature. + If a signedData object was a domain signature then it would not be + necessary to validate any further signedData objects. + + + +Dean & Ottaway Experimental [Page 18] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + 1) A message (S1 (Original Content)) (where S = signedData) in which + the signedData does not include an mlExpansionHistory attribute is + to have a 'domain signature' applied. The signedData, S1, is + verified. No "outer" signedData is found, after searching for one + as defined above, since the original content is found, nor is an + envelopedData or a mlExpansionHistory attribute found. A new + signedData layer, S2, is created that contains a 'domain + signature', resulting in the following message sent out of the + domain (S2 (S1 (Original Content))). + + 2) A message (S3 (S2 (S1 (Original Content))) in which none of the + signedData layers includes an mlExpansionHistory attribute is to + have a 'domain signature' applied. The signedData objects S1, S2 + and S3 are verified. There is not an original, "outer" signedData + layer since the original content is found, nor is an envelopedData + or a mlExpansionHistory attribute found. A new signedData layer, + S4, is created that contains a 'domain signature', resulting in + the following message sent out of the domain (S4 (S3 (S2 (S1 + (Original Content))). + + 3) A message (E1 (S1 (Original Content))) (where E = envelopedData) + in which S1 does not include a mlExpansionHistory attribute is to + have a 'domain signature' applied. There is not an original, + received "outer" signedData layer since the envelopedData, E1, is + found at the outer layer. The encryptedContent is decrypted. The + signedData, S1, is verified. The decrypted content is wrapped in + a new signedData layer, S2, which contains a 'domain signature'. + If local policy requires the message to be encrypted, using S/MIME + encryption, before it leaves the domain then this new message is + wrapped in an envelopedData layer, E2, resulting in the following + message sent out of the domain (E2 (S2 (S1 (Original Content)))), + else the message is not wrapped in an envelopedData layer + resulting in the following message (S2 (S1 (Original Content))) + being sent. + + 4) A message (S2 (E1 (S1 (Original Content)))) in which S2 includes a + mlExpansionHistory attribute is to have a 'domain signature' + applied. The signedData object S2 is verified. The + mlExpansionHistory attribute is found in S2, so S2 is the "outer" + signedData. The signed attributes in S2 are remembered for later + inclusion in the new outer signedData that is applied to the + message. S2 is stripped off and the message is decrypted. The + signedData object S1 is verified. The decrypted message is + wrapped in a signedData layer, S3, which contains a 'domain + signature'. If local policy requires the message to be encrypted, + using S/MIME encryption, before it leaves the domain then this new + message is wrapped in an envelopedData layer, E2. A new + signedData layer, S4, is then wrapped around the envelopedData, + + + +Dean & Ottaway Experimental [Page 19] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + E2, resulting in the following message sent out of the domain (S4 + (E2 (S3 (S1 (Original Content))))). If local policy does not + require the message to be encrypted, using S/MIME encryption, + before it leaves the domain then the message is not wrapped in an + envelopedData layer but is wrapped in a new signedData layer, S4, + resulting in the following message sent out of the domain (S4 (S3 + (S1 (Original Content). The signedData S4, in both cases, + contains the signed attributes from S2. + + 5) A message (S3 (S2 (E1 (S1 (Original Content))))) in which none of + the signedData layers include a mlExpansionHistory attribute is to + have a 'domain signature' applied. The signedData objects S3 and + S2 are verified. When the envelopedData E1 is found the + signedData objects S3 and S2 are stripped off. The + encryptedContent is decrypted. The signedData object S1 is + verified. The decrypted content is wrapped in a new signedData + layer, S4, which contains a 'domain signature'. If local policy + requires the message to be encrypted, using S/MIME encryption, + before it leaves the domain then this new message is wrapped in an + envelopedData layer, E2, resulting in the following message sent + out of the domain (E2 (S4 (S1 (Original Content)))), else the + message is not wrapped in an envelopedData layer resulting in the + following message (S4 (S1 (Original Content))) being sent. + + 6) A message (S3 (S2 (E1 (S1 (Original Content))))) in which S3 + includes a mlExpansionHistory attribute is to have a 'domain + signature' applied. The signedData objects S3 and S2 are + verified. The mlExpansionHistory attribute is found in S3, so S3 + is the "outer" signedData. The signed attributes in S3 are + remembered for later inclusion in the new outer signedData that + is applied to the message. The signedData object S3 is stripped + off. When the envelopedData layer, E1, is found the signedData + object S2 is stripped off. The encryptedContent is decrypted. + The signedData object S1 is verified. The decrypted content is + wrapped in a new signedData layer, S4, which contains a 'domain + signature'. If local policy requires the message to be encrypted, + using S/MIME encryption, before it leaves the domain then this new + message is wrapped in an envelopedData layer, E2. A new + signedData layer, S5, is then wrapped around the envelopedData, + E2, resulting in the following message sent out of the domain (S5 + (E2 (S4 (S1 (Original Content))))). If local policy does not + require the message to be encrypted, using S/MIME encryption, + before it leaves the domain then the message is not wrapped in an + envelopedData layer but is wrapped in a new signedData layer, S5, + resulting in the following message sent out of the domain (S5 (S4 + (S1 (Original Content). The signedData S5, in both cases, + contains the signed attributes from S3. + + + + +Dean & Ottaway Experimental [Page 20] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + 7) A message (S3 (E2 (S2 (E1 (S1 (Original Content)))))) in which S3 + does not include a mlExpansionHistory attribute is to have a + 'domain signature' applied. The signedData object S3 is verified. + When the envelopedData E2 is found the signedData object S3 is + stripped off. The encryptedContent is decrypted. The signedData + object S2 is verified, the envelopedData E1 is decrypted and the + signedData object S1 is verified. The signedData object S2 is + wrapped in a new signedData layer S4, which contains a 'domain + signature'. Since there is an envelopedData E1 lower down in the + message, the new message is wrapped in an envelopedData layer, E3, + resulting in the following message sent out of the domain (E3 (S4 + (S2 (E1 (S1 (Original Content)))))). + +6. Security Considerations + + This specification relies on the existence of several well known + names, such as domain-confidentiality-authority. Organizations must + take care with these names, even if they do not support DOMSEC, so + that certificates issued in these names are only issued to legitimate + entities. If this is not true then an individual could get a + certificate associated with domain-confidentiality-authority@acme.com + and as a result might be able to read messages the a DOMSEC client + intended for others. + + Implementations MUST protect all private keys. Compromise of the + signer's private key permits masquerade. + + Similarly, compromise of the content-encryption key may result in + disclosure of the encrypted content. + + Compromise of key material is regarded as an even more serious issue + for domain security services than for an S/MIME client. This is + because compromise of the private key may in turn compromise the + security of a whole domain. Therefore, great care should be used + when considering its protection. + + Domain encryption alone is not secure and should be used in + conjunction with a domain signature to avoid a masquerade attack, + where an attacker that has obtained a DCA certificate can fake a + message to that domain pretending to be another domain. + + When an encrypted DOMSEC message is sent to an end user in such a way + that the message is decrypted by the end users DCA the message will + be in plain text and therefore confidentiality could be compromised. + + + + + + + +Dean & Ottaway Experimental [Page 21] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + + If the recipient's DCA is compromised then the recipient can not + guarantee the integrity of the message. Furthermore, even if the + recipient's DCA correctly verifies a message's signatures, then a + message could be undetectably modified, when there are no signatures + on a message that the recipient can verify. + +7. DOMSEC ASN.1 Module + + DOMSECSyntax + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) domsec(10) } + + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + + -- EXPORTS All + -- The types and values defined in this module are exported for + -- use in the other ASN.1 modules. Other applications may use + -- them for their own purposes. + + SignatureType ::= SEQUENCE OF OBJECT IDENTIFIER + + id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 16 } + + id-sti OBJECT IDENTIFIER ::= { id-smime 9 } -- signature type + identifier + + -- Signature Type Identifiers + + id-sti-originatorSig OBJECT IDENTIFIER ::= { id-sti 1 } + id-sti-domainSig OBJECT IDENTIFIER ::= { id-sti 2 } + id-sti-addAttribSig OBJECT IDENTIFIER ::= { id-sti 3 } + id-sti-reviewSig OBJECT IDENTIFIER ::= { id-sti 4 } + + END -- of DOMSECSyntax + + + + + + + + + + + + + + + +Dean & Ottaway Experimental [Page 22] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +8. References + + [1] Ramsdell, B., "S/MIME Version 3 Message Specification", RFC 2633, + June 1999. + + [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [3] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, + June 1999. + + [4] International Telecommunications Union, Recommendation X.208, + "Open systems interconnection: specification of Abstract Syntax + Notation (ASN.1)", CCITT Blue Book, 1989. + + [5] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999. + +9. Authors' Addresses + + Tim Dean + QinetiQ + St. Andrews Road + Malvern + Worcs + WR14 3PS + + Phone: +44 (0) 1684 894239 + Fax: +44 (0) 1684 896660 + EMail: tbdean@QinetiQ.com + + William Ottaway + QinetiQ + St. Andrews Road + Malvern + Worcs + WR14 3PS + + Phone: +44 (0) 1684 894079 + Fax: +44 (0) 1684 896660 + EMail: wjottaway@QinetiQ.com + + + + + + + + + + + +Dean & Ottaway Experimental [Page 23] + +RFC 3183 Domain Security Services using S/MIME October 2001 + + +10. Full Copyright Statement + + Copyright (C) The Internet Society (2001). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Dean & Ottaway Experimental [Page 24] + |