From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc1114.txt | 1403 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1403 insertions(+) create mode 100644 doc/rfc/rfc1114.txt (limited to 'doc/rfc/rfc1114.txt') diff --git a/doc/rfc/rfc1114.txt b/doc/rfc/rfc1114.txt new file mode 100644 index 0000000..e784e1c --- /dev/null +++ b/doc/rfc/rfc1114.txt @@ -0,0 +1,1403 @@ + + + + + + +Network Working Group S. Kent +Request for Comments: 1114 BBNCC + J. Linn + DEC + IAB Privacy Task Force + August 1989 + + + Privacy Enhancement for Internet Electronic Mail: + Part II -- Certificate-Based Key Management + +STATUS OF THIS MEMO + + This RFC suggests a draft standard elective protocol for the Internet + community, and requests discussion and suggestions for improvements. + Distribution of this memo is unlimited. + +ACKNOWLEDGMENT + + This RFC is the outgrowth of a series of IAB Privacy Task Force + meetings and of internal working papers distributed for those + meetings. We would like to thank the members of the Privacy Task + Force for their comments and contributions at the meetings which led + to the preparation of this RFC: David Balenson, Curt Barker, Matt + Bishop, Morrie Gasser, Russ Housley, Dan Nessett, Mike Padlipsky, Rob + Shirey, and Steve Wilbur. + +Table of Contents + + 1. Executive Summary 2 + 2. Overview of Approach 3 + 3. Architecture 4 + 3.1 Scope and Restrictions 4 + 3.2 Relation to X.509 Architecture 7 + 3.3 Entities' Roles and Responsibilities 7 + 3.3.1 Users and User Agents 8 + 3.3.2 Organizational Notaries 9 + 3.3.3 Certification Authorities 11 + 3.3.3.1 Interoperation Across Certification Hierarchy Boundaries 14 + 3.3.3.2 Certificate Revocation 15 + 3.4 Certificate Definition and Usage 17 + 3.4.1 Contents and Use 17 + 3.4.1.1 Version Number 18 + 3.4.1.2 Serial Number 18 + 3.4.1.3 Subject Name 18 + 3.4.1.4 Issuer Name 19 + 3.4.1.5 Validity Period 19 + 3.4.1.6 Subject Public Component 20 + + + +Kent & Linn [Page 1] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + 3.4.1.7 Certificate Signature 20 + 3.4.2 Validation Conventions 20 + 3.4.3 Relation with X.509 Certificate Specification 22 + NOTES 24 + +1. Executive Summary + + This is one of a series of RFCs defining privacy enhancement + mechanisms for electronic mail transferred using Internet mail + protocols. RFC-1113 (the successor to RFC 1040) prescribes protocol + extensions and processing procedures for RFC-822 mail messages, given + that suitable cryptographic keys are held by originators and + recipients as a necessary precondition. RFC-1115 specifies + algorithms for use in processing privacy-enhanced messages, as called + for in RFC-1113. This RFC defines a supporting key management + architecture and infrastructure, based on public-key certificate + techniques, to provide keying information to message originators and + recipients. A subsequent RFC, the fourth in this series, will + provide detailed specifications, paper and electronic application + forms, etc. for the key management infrastructure described herein. + + The key management architecture described in this RFC is compatible + with the authentication framework described in X.509. The major + contributions of this RFC lie not in the specification of computer + communication protocols or algorithms but rather in procedures and + conventions for the key management infrastructure. This RFC + incorporates numerous conventions to facilitate near term + implementation. Some of these conventions may be superceded in time + as the motivations for them no longer apply, e.g., when X.500 or + similar directory servers become well established. + + The RSA cryptographic algorithm, covered in the U.S. by patents + administered through RSA Data Security, Inc. (hereafter abbreviated + RSADSI) has been selected for use in this key management system. + This algorithm has been selected because it provides all the + necessary algorithmic facilities, is "time tested" and is relatively + efficient to implement in either software or hardware. It is also + the primary algorithm identified (at this time) for use in + international standards where an asymmetric encryption algorithm is + required. Protocol facilities (e.g., algorithm identifiers) exist to + permit use of other asymmetric algorithms if, in the future, it + becomes appropriate to employ a different algorithm for key + management. However, the infrastructure described herein is specific + to use of the RSA algorithm in many respects and thus might be + different if the underlying algorithm were to change. + + Current plans call for RSADSI to act in concert with subscriber + organizations as a "certifying authority" in a fashion described + + + +Kent & Linn [Page 2] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + later in this RFC. RSADSI will offer a service in which it will sign + a certificate which has been generated by a user and vouched for + either by an organization or by a Notary Public. This service will + carry a $25 biennial fee which includes an associated license to use + the RSA algorithm in conjunction with privacy protection of + electronic mail. Users who do not come under the purview of the RSA + patent, e.g., users affiliated with the U.S. government or users + outside of the U.S., may make use of different certifying authorities + and will not require a license from RSADSI. Procedures for + interacting with these other certification authorities, maintenance + and distribution of revoked certificate lists from such authorities, + etc. are outside the scope of this RFC. However, techniques for + validating certificates issued by other authorities are contained + within the RFC to ensure interoperability across the resulting + jurisdictional boundaries. + +2. Overview of Approach + + This RFC defines a key management architecture based on the use of + public-key certificates, in support of the message encipherment and + authentication procedures defined in RFC-1113. In the proposed + architecture, a "certification authority" representing an + organization applies a digital signature to a collection of data + consisting of a user's public component, various information that + serves to identify the user, and the identity of the organization + whose signature is affixed. (Throughout this RFC we have adopted the + terms "private component" and "public component" to refer to the + quantities which are, respectively, kept secret and made publically + available in asymmetric cryptosystems. This convention is adopted to + avoid possible confusion arising from use of the term "secret key" to + refer to either the former quantity or to a key in a symmetric + cryptosystem.) This establishes a binding between these user + credentials, the user's public component and the organization which + vouches for this binding. The resulting signed, data item is called + a certificate. The organization identified as the certifying + authority for the certificate is the "issuer" of that certificate. + + In signing the certificate, the certification authority vouches for + the user's identification, especially as it relates to the user's + affiliation with the organization. The digital signature is affixed + on behalf of that organization and is in a form which can be + recognized by all members of the privacy-enhanced electronic mail + community. Once generated, certificates can be stored in directory + servers, transmitted via unsecure message exchanges, or distributed + via any other means that make certificates easily accessible to + message originators, without regard for the security of the + transmission medium. + + + + +Kent & Linn [Page 3] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + Prior to sending an encrypted message, an originator must acquire a + certificate for each recipient and must validate these certificates. + Briefly, validation is performed by checking the digital signature in + the certificate, using the public component of the issuer whose + private component was used to sign the certificate. The issuer's + public component is made available via some out of band means + (described later) or is itself distributed in a certificate to which + this validation procedure is applied recursively. + + Once a certificate for a recipient is validated, the public component + contained in the certificate is extracted and used to encrypt the + data encryption key (DEK) that is used to encrypt the message itself. + + The resulting encrypted DEK is incorporated into the X-Key-Info field + of the message header. Upon receipt of an encrypted message, a + recipient employs his secret component to decrypt this field, + extracting the DEK, and then uses this DEK to decrypt the message. + + In order to provide message integrity and data origin authentication, + the originator generates a message integrity code (MIC), signs + (encrypts) the MIC using the secret component of his public-key pair, + and includes the resulting value in the message header in the X-MIC- + Info field. The certificate of the originator is also included in + the header in the X-Certificate field as described in RFC-1113, in + order to facilitate validation in the absence of ubiquitous directory + services. Upon receipt of a privacy enhanced message, a recipient + validates the originator's certificate, extracts the public component + from the certificate, and uses that value to recover (decrypt) the + MIC. The recovered MIC is compared against the locally calculated + MIC to verify the integrity and data origin authenticity of the + message. + +3. Architecture + +3.1 Scope and Restrictions + + The architecture described below is intended to provide a basis for + managing public-key cryptosystem values in support of privacy + enhanced electronic mail (see RFC-1113) in the Internet environment. + The architecture describes procedures for ordering certificates from + issuers, for generating and distributing certificates, and for "hot + listing" of revoked certificates. Concurrent with the issuance of + this RFC, RFC 1040 has been updated and reissued as RFC-1113 to + describe the syntax and semantics of new or revised header fields + used to transfer certificates, represent the DEK and MIC in this + public-key context, and to segregate algorithm definitions into a + separate RFC to facilitate the addition of other algorithms in the + future. This RFC focuses on the management aspects of certificate- + + + +Kent & Linn [Page 4] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + based, public-key cryptography for privacy enhanced mail while RFC- + 1113 addresses representation and processing aspects of such mail, + including changes required by this key management technology. + + The proposed architecture imposes conventions for certification paths + which are not strictly required by the X.509 recommendation nor by + the technology itself. The decision to impose these conventions is + based in part on constraints imposed by the status of the RSA + cryptosystem within the U.S. as a patented algorithm, and in part on + the need for an organization to assume operational responsibility for + certificate management in the current (minimal) directory system + infrastructure for electronic mail. Over time, we anticipate that + some of these constraints, e.g., directory service availability, will + change and the procedures specified in the RFC will be reviewed and + modified as appropriate. + + At this time, we propose a system in which user certificates + represent the leaves in a shallow (usually two tier) certification + hierarchy (tree). Organizations which act as issuers are represented + by certificates higher in the tree. This convention minimizes the + complexity of validating user certificates by limiting the length of + "certification paths" and by making very explicit the relationship + between a certificate issuer and a user. Note that only + organizations may act as issuers in the proposed architecture; a user + certificate may not appear in a certification path, except as the + terminal node in the path. These conventions result in a + certification hierarchy which is a compatible subset of that + permitted under X.509, with respect to both syntax and semantics. + + The RFC proposes that RSADSI act as a "co-issuer" of certificates on + behalf of most organizations. This can be effected in a fashion + which is "transparent" so that the organizations appear to be the + issuers with regard to certificate formats and validation procedures. + This is effected by having RSADSI generate and hold the secret + components used to sign certificates on behalf of organizations. The + motivation for RSADSI's role in certificate signing is twofold. + First, it simplifies accounting controls in support of licensing, + ensuring that RSADSI is paid for each certificate. Second, it + contributes to the overall integrity of the system by establishing a + uniform, high level of protection for the private-components used to + sign certificates. If an organization were to sign certificates + directly on behalf of its affiliated users, the organization would + have to establish very stringent security and accounting mechanisms + and enter into (elaborate) legal agreements with RSADSI in order to + provide a comparable level of assurance. Requests by organizations + to perform direct certificate signing will be considered on a case- + by-case basis, but organizations are strongly urged to make use of + the facilities proposed by this RFC. + + + +Kent & Linn [Page 5] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + Note that the risks associated with disclosure of an organization's + secret component are different from those associated with disclosure + of a user's secret component. The former component is used only to + sign certificates, never to encrypt message traffic. Thus the + exposure of an organization's secret component could result in the + generation of forged certificates for users affiliated with that + organization, but it would not affect privacy-enhanced messages which + are protected using legitimate certificates. Also note that any + certificates generated as a result of such a disclosure are readily + traceable to the issuing authority which holds this component, e.g., + RSADSI, due to the non-repudiation feature of the digital signature. + The certificate registration and signing procedures established in + this RFC would provide non-repudiable evidence of disclosure of an + organization's secret component by RSADSI. Thus this RFC advocates + use of RSADSI as a co-issuer for certificates until such time as + technical security mechanisms are available to provide a similar, + system-wide level of assurance for (distributed) certificate signing + by organizations. + + We identify two classes of exceptions to this certificate signing + paradigm. First, the RSA algorithm is patented only within the U.S., + and thus it is very likely that certificate signing by issuers will + arise outside of the U.S., independent of RSADSI. Second, the + research that led to the RSA algorithm was sponsored by the National + Science Foundation, and thus the U.S. government retains royalty-free + license rights to the algorithm. Thus the U.S. government may + establish a certificate generation facilities for its affiliated + users. A number of the procedures described in this document apply + only to the use of RSADSI as a certificate co-issuer; all other + certificate generation practices lie outside the scope of this RFC. + + This RFC specifies procedures by which users order certificates + either directly from RSADSI or via a representative in an + organization with which the user holds some affiliation (e.g., the + user's employer or educational institution). Syntactic provisions + are made which allow a recipient to determine, to some granularity, + which identifying information contained in the certificate is vouched + for by the certificate issuer. In particular, organizations will + usually be vouching for the affiliation of a user with that + organization and perhaps a user's role within the organization, in + addition to the user's name. In other circumstances, as discussed in + section 3.3.3, a certificate may indicate that an issuer vouches only + for the user's name, implying that any other identifying information + contained in the certificate may not have been validated by the + issuer. These semantics are beyond the scope of X.509, but are not + incompatible with that recommendation. + + The key management architecture described in this RFC has been + + + +Kent & Linn [Page 6] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + designed to support privacy enhanced mail as defined in this RFC, + RFC-1113, and their successors. Note that this infrastructure also + supports X.400 mail security facilities (as per X.411) and thus paves + the way for transition to the OSI/CCITT Message Handling System + paradigm in the Internet in the future. The certificate issued to a + user for the $25 biennial fee will grant to the user identified by + that certificate a license from RSADSI to employ the RSA algorithm + for certificate validation and for encryption and decryption + operations in this electronic mail context. No use of the algorithm + outside the scope defined in this RFC is authorized by this license + as of this time. Expansion of the license to other Internet security + applications is possible but not yet authorized. The license granted + by this fee does not authorize the sale of software or hardware + incorporating the RSA algorithm; it is an end-user license, not a + developer's license. + +3.2 Relation to X.509 Architecture + + CCITT 1988 Recommendation X.509, "The Directory - Authentication + Framework", defines a framework for authentication of entities + involved in a distributed directory service. Strong authentication, + as defined in X.509, is accomplished with the use of public-key + cryptosystems. Unforgeable certificates are generated by + certification authorities; these authorities may be organized + hierarchically, though such organization is not required by X.509. + There is no implied mapping between a certification hierarchy and the + naming hierarchy imposed by directory system naming attributes. The + public-key certificate approach defined in X.509 has also been + adopted in CCITT 1988 X.411 in support of the message handling + application. + + This RFC interprets the X.509 certificate mechanism to serve the + needs of privacy-enhanced mail in the Internet environment. The + certification hierarchy proposed in this RFC in support of privacy + enhanced mail is intentionally a subset of that allowed under X.509. + In large part constraints have been levied in order to simplify + certificate validation in the absence of a widely available, user- + level directory service. The certification hierarchy proposed here + also embodies semantics which are not explicitly addressed by X.509, + but which are consistent with X.509 precepts. The additional + semantic constraints have been adopted to explicitly address + questions of issuer "authority" which we feel are not well defined in + X.509. + +3.3 Entities' Roles and Responsibilities + + One way to explain the architecture proposed by this RFC is to + examine the various roles which are defined for various entities in + + + +Kent & Linn [Page 7] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + the architecture and to describe what is required of each entity in + order for the proposed system to work properly. The following + sections identify three different types of entities within this + architecture: users and user agents, organizational notaries, and + certification authorities. For each class of entity we describe the + (electronic and paper) procedures which the entity must execute as + part of the architecture and what responsibilities the entity assumes + as a function of its role in the architecture. Note that the + infrastructure described here applies to the situation wherein RSADSI + acts as a co-issuer of certificates, sharing the role of + certification authority as described later. Other certifying + authority arrangements may employ different procedures and are not + addressed by this RFC. + +3.3.1 Users and User Agents + + The term User Agent (UA) is taken from CCITT X.400 Message Handling + Systems (MHS) Recommendations, which define it as follows: "In the + context of message handling, the functional object, a component of + MHS, by means of which a single direct user engages in message + handling." UAs exchange messages by calling on a supporting Message + Transfer Service (MTS). + + A UA process supporting privacy-enhanced mail processing must protect + the private component of its associated entity (ordinarily, a human + user) from disclosure. We anticipate that a user will employ + ancillary software (not otherwise associated with the UA) to generate + his public/private component pair and to compute the (one-way) + message hash required by the registration procedure. The public + component, along with information that identifies the user, will be + transferred to an organizational notary (see below) for inclusion in + an order to an issuer. The process of generating public and private + components is a local matter, but we anticipate Internet-wide + distribution of software suitable for component-pair generation to + facilitate the process. The mechanisms used to transfer the public + component and the user identification information must preserve the + integrity of both quantities and bind the two during this transfer. + + This proposal establishes two ways in which a user may order a + certificate, i.e., through the user's affiliation with an + organization or directly through RSADSI. In either case, a user will + be required to send a paper order to RSADSI on a form described in a + subsequent RFC and containing the following information: + + 1. Distinguished Name elements (e.g., full legal name, + organization name, etc.) + + 2. Postal address + + + +Kent & Linn [Page 8] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + 3. Internet electronic mail address + + 4. A message hash function, binding the above information to the + user's public component + + Note that the user's public component is NOT transmitted via this + paper path. In part the rationale here is that the public component + consists of many (>100) digits and thus is prone to error if it is + copied to and from a piece of paper. Instead, a message hash is + computed on the identifying information and the public component and + this (smaller) message hash value is transmitted along with the + identifying information. Thus the public component is transferred + only via an electronic path, as described below. + + If the user is not affiliated with an organization which has + established its own "electronic notary" capability (an organization + notary or "ON" as discussed in the next section), then this paper + registration form must be notarized by a Notary Public. If the user + is affiliated with an organization which has established one or more + ONs, the paper registration form need not carry the endorsement of a + Notary Public. Concurrent with the paper registration, the user must + send the information outlined above, plus his public component, + either to his ON, or directly to RSADSI if no appropriate ON is + available to the user. Direct transmission to RSADSI of this + information will be via electronic mail, using a representation + described in a subsequent RFC. The paper registration must be + accompanied by a check or money order for $25 or an organization may + establish some other billing arrangement with RSADSI. The maximum + (and default) lifetime of a certificate ordered through this process + is two years. + + The transmission of ID information and public component from a user + to his ON is a local matter, but we expect electronic mail will also + be the preferred approach in many circumstances and we anticipate + general distribution of software to support this process. Note that + it is the responsibility of the user and his organization to ensure + the integrity of this transfer by some means deemed adequately secure + for the local computing and communication environment. There is no + requirement for secrecy in conjunction with this information + transfer, but the integrity of the information must be ensured. + +3.3.2 Organizational Notaries + + An organizational notary is an individual who acts as a clearinghouse + for certificate orders originating within an administrative domain + such as a corporation or a university. An ON represents an + organization or organizational unit (in X.500 naming terms), and is + assumed to have some independence from the users on whose behalf + + + +Kent & Linn [Page 9] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + certificates are ordered. An ON will be restricted through + mechanisms implemented by the issuing authority, e.g., RSADSI, to + ordering certificates properly associated with the domain of that ON. + For example, an ON for BBN should not be able to order certificates + for users affiliated with MIT or MITRE, nor vice versa. Similarly, + if a corporation such as BBN were to establish ONs on a per- + subsidiary basis (corresponding to organization units in X.500 naming + parlance), then an ON for the BBN Communications subsidiary should + not be allowed to order a certificate for a user who claims + affiliation with the BBN Software Products subsidiary. + + It can be assumed that the set of ONs changes relatively slowly and + that the number of ONs is relatively small in comparison with the + number of users. Thus a more extensive, higher assurance process may + reasonably be associated with ON accreditation than with per-user + certificate ordering. Restrictions on the range of information which + an ON is authorized to certify are established as part of this more + elaborate registration process. The procedures by which + organizations and organizational units are established in the RSADSI + database, and by which ONs are registered, will be described in a + subsequent RFC. + + An ON is responsible for establishing the correctness and integrity + of information incorporated in an order, and will generally vouch for + (certify) the accuracy of identity information at a granularity finer + than that provided by a Notary Public. We do not believe that it is + feasible to enforce uniform standards for the user certification + process across all ONs, but we anticipate that organizations will + endeavor to maintain high standards in this process in recognition of + the "visibility" associated with the identification data contained in + certificates. An ON also may constrain the validity period of an + ordered certificate, restricting it to less than the default two year + interval imposed by the RSADSI license agreement. + + An ON participates in the certificate ordering process by accepting + and validating identification information from a user and forwarding + this information to RSADSI. The ON accepts the electronic ordering + information described above (Distinguished Name elements, mailing + address, public component, and message hash computed on all of this + data) from a user. (The representation for user-to-ON transmission + of this data is a local matter, but we anticipate that the encoding + specified for ON-to-RSADSI representation of this data will often be + employed.) The ON sends an integrity-protected (as described in + RFC-1113) electronic message to RSADSI, vouching for the correctness + of the binding between the public component and the identification + data. Thus, to support this function, each ON will hold a + certificate as an individual user within the organization which he + represents. RSADSI will maintain a database which identifies the + + + +Kent & Linn [Page 10] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + users who also act as ONs and the database will specify constraints + on credentials which each ON is authorized to certify. The + electronic mail representation for a user's certificate data in an ON + message to RSADSI will be specified in a subsequent RFC. + +3.3.3 Certification Authorities + + In X.509 the term "certification authority" is defined as "an + authority trusted by one or more users to create and assign + certificates". This alternate expansion for the acronym "CA" is + roughly equivalent to that contemplated as a "central authority" in + RFC-1040 and RFC-1113. The only difference is that in X.509 there is + no requirement that a CA be a distinguished entity or that a CA serve + a large number of users, as envisioned in these RFCs. Rather, any + user who holds a certificate can, in the X.509 context, act as a CA + for any other user. As noted above, we have chosen to restrict the + role of CA in this electronic mail environment to organizational + entities, to simplify the certificate validation process, to impose + semantics which support organizational affiliation as a basis for + certification, and to facilitate license accountability. + + In the proposed architecture, individuals who are affiliated with + (registered) organizations will go through the process described + above, in which they forward their certificate information to their + ON for certification. The ON will, based on local procedures, verify + the accuracy of the user's credentials and forward this information + to RSADSI using privacy-enhanced mail to ensure the integrity and + authenticity of the information. RSADSI will carry out the actual + certificate generation process on behalf of the organization + represented by the ON. Recall that it is the identity of the + organization which the ON represents, not the ON's identity, which + appears in the issuer field of the user certificate. Therefore it is + the private component of the organization, not the ON, which is used + to sign the user certificate. + + In order to carry out this procedure RSADSI will serve as the + repository for the private components associated with certificates + representing organizations or organizational units (but not + individuals). In effect the role of CA will be shared between the + organizational notaries and RSADSI. This shared role will not be + visible in the syntax of the certificates issued under this + arrangement nor is it apparent from the validation procedure one + applies to these certificates. In this sense, the role of RSADSI as + the actual signer of certificates on behalf of organizations is + transparent to this aspect of system operation. + + If an organization were to carry out the certificate signing process + locally, and thus hold the private component associated with its + + + +Kent & Linn [Page 11] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + organization certificate, it would need to contact RSADSI to discuss + security safeguards, special legal agreements, etc. A number of + requirements would be imposed on an organization if such an approach + were persued. The organization would be required to execute + additional legal instruments with RSADSI, e.g., to ensure proper + accounting for certificates generated by the organization. Special + software will be required to support the certificate signing process, + distinct from the software required for an ON. Stringent procedural, + physical, personnel and computer security safeguards would be + required to support this process, to maintain a relatively high level + of security for the system as a whole. Thus, at this time, it is not + recommended that organizations pursue this approach although local + certificate generation is not expressly precluded by the proposed + architecture. + + RSADSI has offered to operate a service in which it serves as a CA + for users who are not affiliated with any organization or who are + affiliated with an organization which has not opted to establish an + organizational notary. To distinguish certificates issued to such + "non-affiliated" users the distinguished string "Notary" will appear + as the organizational unit name of the issuer of the certificate. + This convention will be employed throughout the system. Thus not + only RSADSI but any other organization which elects to provide this + type of service to non-affiliated users may do so in a standard + fashion. Hence a corporation might issue a certificate with the + "Notary" designation to students hired for the summer, to + differentiate them from full-time employees. At least in the case of + RSADSI, the standards for verifying user credentials that carry this + designation will be well known and widely recognized (e.g., Notary + Public endorsement). + + To illustrate this convention, consider the following examples. + Employees of RSADSI will hold certificates which indicate "RSADSI" as + the organization in both the issuer field and the subject field, + perhaps with no organizational unit specified. Certificates obtained + directly from RSADSI, by user's who are not affiliated with any ON, + will also indicate "RSADSI" as the organization and will specify + "Notary" as an organizational unit in the issuer field. However, + these latter certificates will carry some other designation for + organization (and, optionally, organizational unit) in the subject + field. Moreover, an organization designated in the subject field for + such a certificate will not match any for which RSADSI has an ON + registered (to avoid possible confusion). + + In all cases described above, when a certificate is generated RSADSI + will send a paper reply to the ordering user, including two message + hash functions: + + + + +Kent & Linn [Page 12] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + 1. a message hash computed on the user's identifying information + and public component (and sent to RSADSI in the registration + process), to guarantee its integrity across the ordering + process, and + + 2. a message hash computed on the public component of RSADSI, to + provide independent authentication for this public component + which is transmitted to the user via email (see below). + + RSADSI will send to the user via electronic mail (not privacy + enhanced) a copy of his certificate, a copy of the organization + certificate identified in the issuer field of the user's certificate, + and the public component used to validate certificates signed by + RSADSI. The "issuer" certificate is included to simplify the + validation process in the absence of a user-level directory system; + its distribution via this procedure will probably be phased out in + the future. Thus, as described in RFC-1113, the originator of a + message is encouraged, though not required, to include his + certificate, and that of its issuer, in the privacy enhanced message + header (X-Issuer-Certificate) to ensure that each recipient can + process the message using only the information contained in this + header. The organization (organizational unit) identified in the + subject field of the issuer certificate should correspond to that + which the user claims affiliation (as declared in the subject field + of his certificate). If there is no appropriate correspondence + between these fields, recipients ought to be suspicious of the + implied certification path. This relationship should hold except in + the case of "non-affiliated" users for whom the "Notary" convention + is employed. + + In contrast, the issuer field of the issuer's certificate will + specify "RSADSI" as the organization, i.e., RSADSI will certify all + organizational certificates. This convention allows a recipient to + validate any originator's certificate (within the RSADSI + certification hierarchy) in just two steps. Even if an organization + establishes a certification hierarchy involving organizational units, + certificates corresponding to each unit can be certified both by + RSADSI and by the organizational entity immediately superior to the + unit in the hierarchy, so as to preserve this short certification + path feature. First, the public component of RSADSI is employed to + validate the issuer's certificate. Then the issuer's public + component is extracted from that certificate and is used to validate + the originator's certificate. The recipient then extracts the + originator's public component for use in processing the X-Mic-Info + field of the message (see and RFC-1113). + + The electronic representation used for transmission of the data items + described above (between an ON and RSADSI) will be contained in a + + + +Kent & Linn [Page 13] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + subsequent RFC. To verify that the registration process has been + successfully completed and to prepare for exchange of privacy- + enhanced electronic mail, the user should perform the following + steps: + + 1. extract the RSADSI public component, the issuer's certificate + and the user's certificate from the message + + 2. compute the message hash on the RSADSI public component and + compare the result to the corresponding message hash that was + included in the paper receipt + + 3. use the RSADSI public component to validate the signature on + the issuer's certificate (RSADSI will be the issuer of this + certificate) + + 4. extract the organization public component from the validated + issuer's certificate and use this public component to + validate the user certificate + + 5. extract the identification information and public component + from the user's certificate, compute the message hash on it + and compare the result to the corresponding message hash + value transmitted via the paper receipt + + For a user whose order was processed via an ON, successful completion + of these steps demonstrates that the certificate issued to him + matches that which he requested and which was certified by his ON. + It also demonstrates that he possesses the (correct) public component + for RSADSI and for the issuer of his certificate. For a user whose + order was placed directly with RSADSI, this process demonstrates that + his certificate order was properly processed by RSADSI and that he + possesses the valid issuer certificate for the RSADSI Notary. The + user can use the RSADSI public component to validate organizational + certificates for organizations other than his own. He can employ the + public component associated with his own organization to validate + certificates issued to other users in his organization. + +3.3.3.1 Interoperation Across Certification Hierarchy Boundaries + + In order to accommodate interoperation with other certification + authorities, e.g., foreign or U.S. government CAs, two conventions + will be adopted. First, all certifying authorities must agree to + "cross-certify" one another, i.e., each must be willing to sign a + certificate in which the issuer is that certifying authority and the + subject is another certifying authority. Thus, RSADSI might generate + a certificate in which it is identified as the issuer and a + certifying authority for the U.S. government is indentified as the + + + +Kent & Linn [Page 14] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + subject. Conversely, that U.S. government certifying authority would + generate a certificate in which it is the issuer and RSADSI is the + subject. This cross-certification of certificates for "top-level" + CAs establishes a basis for "lower level" (e.g., organization and + user) certificate validation across the hierarchy boundaries. This + avoids the need for users in one certification hierarchy to engage in + some "out-of-band" procedure to acquire a public-key for use in + validating certificates from a different certification hierarchy. + + The second convention is that more than one X-Issuer-Certificate + field may appear in a privacy-enhanced mail header. Multiple issuer + certificates can be included so that a recipient can more easily + validate an originator's certificate when originator and recipient + are not part of a common CA hierarchy. Thus, for example, if an + originator served by the RSADSI certification hierarchy sends a + message to a recipient served by a U.S. government hierarchy, the + originator could (optionally) include an X-Issuer-Certificate field + containing a certificate issued by the U.S. government CA for RSADSI. + In this fashion the recipient could employ his public component for + the U.S. government CA to validate this certificate for RSADSI, from + which he would extract the RSADSI public component to validate the + certificate for the originator's organization, from which he would + extract the public component required to validate the originator's + certificate. Thus, more steps can be required to validate + certificates when certification hierarchy boundaries are crossed, but + the same basic procedure is employed. Remember that caching of + certificates by UAs can significantly reduce the effort required to + process messages and so these examples should be viewed as "worse + case" scenarios. + +3.3.3.2 Certificate Revocation + + X.509 states that it is a CA's responsibility to maintain: + + 1. a time-stamped list of the certificates it issued which have + been revoked + + 2. a time-stamped list of revoked certificates representing + other CAs + + There are two primary reasons for a CA to revoke a certificate, i.e., + suspected compromise of a secret component (invalidating the + corresponding public component) or change of user affiliation + (invalidating the Distinguished Name). As described in X.509, "hot + listing" is one means of propagating information relative to + certificate revocation, though it is not a perfect mechanism. In + particular, an X.509 Revoked Certificate List (RCL) indicates only + the age of the information contained in it; it does not provide any + + + +Kent & Linn [Page 15] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + basis for determining if the list is the most current RCL available + from a given CA. To help address this concern, the proposed + architecture establishes a format for an RCL in which not only the + date of issue, but also the next scheduled date of issue is + specified. This is a deviation from the format specified in X.509. + + Adopting this convention, when the next scheduled issue date arrives + a CA must issue a new RCL, even if there are no changes in the list + of entries. In this fashion each CA can independently establish and + advertise the frequency with which RCLs are issued by that CA. Note + that this does not preclude RCL issuance on a more frequent basis, + e.g., in case of some emergency, but no Internet-wide mechanisms are + architected for alerting users that such an unscheduled issuance has + taken place. This scheduled RCL issuance convention allows users + (UAs) to determine whether a given RCL is "out of date," a facility + not available from the standard RCL format. + + A recent (draft) version of the X.509 recommendation calls for each + RCL to contain the serial numbers of certificates which have been + revoked by the CA administering that list, i.e., the CA that is + identified as the issuer for the corresponding revoked certificates. + Upon receipt of a RCL, a UA should compare the entries against any + cached certificate information, deleting cache entries which match + RCL entries. (Recall that the certificate serial numbers are unique + only for each issuer, so care must be exercised in effecting this + cache search.) The UA should also retain the RCL to screen incoming + messages to detect use of revoked certificates carried in these + message headers. More specific details for processing RCL are beyond + the scope of this RFC as they are a function of local certificate + management techniques. + + In the architecture defined by this RFC, a RCL will be maintained for + each CA (organization or organizational unit), signed using the + private component of that organization (and thus verifiable using the + public component of that organization as extracted from its + certificate). The RSADSI Notary organizational unit is included in + this collection of RCLs. CAs operated under the auspices of the U.S. + government or foreign CAs are requested to provide RCLs conforming to + these conventions, at least until such time as X.509 RCLs provide + equivalent functionality, in support of interoperability with the + Internet community. An additional, "top level" RCL, will be + maintained by RSAD-SI, and should be maintained by other "top level" + CAs, for revoked organizational certificates. + + The hot listing procedure (expect for this top level RCL) will be + effected by having an ON from each organization transmit to RSADSI a + list of the serial numbers of users within his organization, to be + hot listed. This list will be transmitted using privacy-enhanced + + + +Kent & Linn [Page 16] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + mail to ensure authenticity and integrity and will employ + representation conventions to be provided in a subsequent RFC. + RSADSI will format the RCL, sign it using the private component of + the organization, and transmit it to the ON for dissemination, using + a representation defined in a subsequent RFC. Means for + dissemination of RCLs, both within the administrative domain of a CA + and across domain boundaries, are not specified by this proposal. + However, it is anticipated that each hot list will also be available + via network information center databases, directory servers, etc. + + The following ASN.1 syntax, derived from X.509, defines the format of + RCLs for use in the Internet privacy enhanced email environment. See + the ASN.1 definition of certificates (later in this RFC or in X.509, + Annex G) for comparison. + + revokedCertificateList ::= SIGNED SEQUENCE { + signature AlgorithmIdentifier, + issuer Name, + list SEQUENCE RCLEntry, + lastUpdate UTCTime, + nextUpdate UTCTime} + + RCLEntry ::= SEQUENCE { + subject CertificateSerialNumber, + revocationDate UTCTime} + +3.4 Certificate Definition and Usage + +3.4.1 Contents and Use + + A certificate contains the following contents: + + 1. version + + 2. serial number + + 3. certificate signature (and associated algorithm identifier) + + 4. issuer name + + 5. validity period + + 6. subject name + + 7. subject public component (and associated algorithm identifier) + + This section discusses the interpretation and use of each of these + certificate elements. + + + +Kent & Linn [Page 17] + +RFC 1114 Mail Privacy: Key Management August 1989 + + +3.4.1.1 Version Number + + The version number field is intended to facilitate orderly changes in + certificate formats over time. The initial version number for + certificates is zero (0). + +3.4.1.2 Serial Number + + The serial number field provides a short form, unique identifier for + each certificate generated by an issuer. The serial number is used + in RCLs to identify revoked certificates instead of including entire + certificates. Thus each certificate generated by an issuer must + contain a unique serial number. It is suggested that these numbers + be issued as a compact, monotonic increasing sequence. + +3.4.1.3 Subject Name + + A certificate provides a representation of its subject's identity and + organizational affiliation in the form of a Distinguished Name. The + fundamental binding ensured by the privacy enhancement mechanisms is + that between public-key and the user identity. CCITT Recommendation + X.500 defines the concept of Distinguished Name. + + Version 2 of the U.S. Government Open Systems Interconnection Profile + (GOSIP) specifies maximum sizes for O/R Name attributes. Since most + of these attributes also appear in Distinguished Names, we have + adopted the O/R Name attribute size constraints specified in GOSIP + and noted below. Using these size constraints yields a maximum + Distinguished Name length (exclusive of ASN encoding) of two-hundred + fifty-nine (259) characters, based on the required and optional + attributes described below for subject names. The following + attributes are required in subject Distinguished Names for purposes + of this RFC: + + 1. Country Name in standard encoding (e.g., the two-character + Printable String "US" assigned by ISO 3166 as the identifier + for the United States of America, the string "GB" assigned as + the identifier for the United Kingdom, or the string "NQ" + assigned as the identifier for Dronning Maud Land). Maximum + ASCII character length of three (3). + + 2. Organizational Name (e.g., the Printable String "Bolt Beranek + and Newman, Inc."). Maximum ASCII character length of + sixty-four (64). + + 3. Personal Name (e.g., the X.402/X.411 structured Printable + String encoding for the name John Linn). Maximum ASCII + character length of sixty-four (64). + + + +Kent & Linn [Page 18] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + The following attributes are optional in subject Distinguished Names + for purposes of this RFC: + + 1. Organizational Unit Name(s) (e.g., the Printable String "BBN + Communications Corporation") A hierarchy of up to four + organizational unit names may be provided; the least + significant member of the hierarchy is represented first. + Each of these attributes has a maximum ASCII character length of + thirty-two (32), for a total of one-hundred and twenty-eight + (128) characters if all four are present. + +3.4.1.4 Issuer Name + + A certificate provides a representation of its issuer's identity, in + the form of a Distinguished Name. The issuer identification is + needed in order to determine the appropriate issuer public component + to use in performing certificate validation. The following + attributes are required in issuer Distinguished Names for purposes of + this RFC: + + 1. Country Name (e.g., encoding for "US") + + 2. Organizational Name + + The following attributes are optional in issuer Distinguished Names + for purposes of this RFC: + + 1. Organizational Unit Name(s). (A hierarchy of up to four + organizational unit names may be provided; the least significant + member of the hierarchy is represented first.) If the + issuer is vouching for the user identity in the Notary capacity + described above, then exactly one instance of this field + must be present and it must consist of the string "Notary". + + As noted earlier, only organizations are allowed as issuers in the + proposed authentication hierarchy. Hence the Distinguished Name for + an issuer should always be that of an organization, not a user, and + thus no Personal Name field may be included in the Distinguished Name + of an issuer. + +3.4.1.5 Validity Period + + A certificate carries a pair of time specifiers, indicating the start + and end of the time period over which a certificate is intended to be + used. No message should ever be prepared for transmission with a + non-current certificate, but recipients should be prepared to receive + messages processed using recently-expired certificates. This fact + results from the unpredictable (and sometimes substantial) + + + +Kent & Linn [Page 19] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + transmission delay of the staged-delivery electronic mail + environment. The default and maximum validity period for + certificates issued in this system will be two years. + +3.4.1.6 Subject Public Component + + A certificate carries the public component of its associated entity, + as well as an indication of the algorithm with which the public + component is to be used. For purposes of this RFC, the algorithm + identifier will indicate use of the RSA algorithm, as specified in + RFC-1115. Note that in this context, a user's public component is + actually the modulus employed in RSA algorithm calculations. A + "universal" (public) exponent is employed in conjunction with the + modulus to complete the system. Two choices of exponents are + recommended for use in this context and are described in section + 3.4.3. Modulus size will be permitted to vary between 320 and 632 + bits. + +3.4.1.7 Certificate Signature + + A certificate carries a signature algorithm identifier and a + signature, applied to the certificate by its issuer. The signature + is validated by the user of a certificate, in order to determine that + the integrity of its contents have not been compromised subsequent to + generation by a CA. An encrypted, one-way hash will be employed as + the signature algorithm. Hash functions suitable for use in this + context are notoriously difficult to design and tend to be + computationally intensive. Initially we have adopted a hash function + developed by RSADSI and which exhibits performance roughly equivalent + to the DES (in software). This same function has been selected for + use in other contexts in this system where a hash function (message + hash algorithm) is required, e.g., MIC for multicast messages. In + the future we expect other one-way hash functions will be added to + the list of algorithms designated for this purpose. + +3.4.2 Validation Conventions + + Validating a certificate involves verifying that the signature + affixed to the certificate is valid, i.e., that the hash value + computed on the certificate contents matches the value that results + from decrypting the signature field using the public component of the + issuer. In order to perform this operation the user must possess the + public component of the issuer, either via some integrity-assured + channel, or by extracting it from another (validated) certificate. + In the proposed architecture this recursive operation is terminated + quickly by adopting the convention that RSADSI will certify the + certificates of all organizations or organizational units which act + as issuers for end users. (Additional validation steps may be + + + +Kent & Linn [Page 20] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + required for certificates issued by other CAs as described in section + 3.3.3.1.) + + Certification means that RSADSI will sign certificates in which the + subject is the organization or organizational unit and for which + RSADSI is the issuer, thus implying that RSADSI vouches for the + credentials of the subject. This is an appropriate construct since + each ON representing an organization or organizational unit must have + registered with RSADSI via a procedure more rigorous than individual + user registration. This does not preclude an organizational unit + from also holding a certificate in which the "parent" organization + (or organizational unit) is the issuer. Both certificates are + appropriate and permitted in the X.509 framework. However, in order + to facilitate the validation process in an environment where user- + level directory services are generally not available, we will (at + this time) adopt this certification convention. + + The public component needed to validate certificates signed by RSADSI + (in its role as a CA for issuers) is transmitted to each user as part + of the registration process (using electronic mail with independent, + postal confirmation via a message hash). Thus a user will be able to + validate any user certificate (from the RSADSI hierarchy) in at most + two steps. Consider the situation in which a user receives a privacy + enhanced message from an originator with whom the recipient has never + previously corresponded. Based on the certification convention + described above, the recipient can use the RSADSI public component to + validate the issuer's certificate contained in the X-Issuer- + Certificate field. (We recommend that, initially, the originator + include his organization's certificate in this optional field so that + the recipient need not access a server or cache for this public + component.) Using the issuer's public component (extracted from this + certificate), the recipient can validate the originator's certificate + contained in the X-Certificate field of the header. + + Having performed this certificate validation process, the recipient + can extract the originator's public component and use it to decrypt + the content of the X-MIC-Info field and thus verify the data origin + authenticity and integrity of the message. Of course, + implementations of privacy enhanced mail should cache validated + public components (acquired from incoming mail or via the message + from a user registration process) to speed up this process. If a + message arrives from an originator whose public component is held in + the recipient's cache, the recipient can immediately employ that + public component without the need for the certificate validation + process described here. Also note that the arithmetic required for + certificate validation is considerably faster than that involved in + digitally signing a certificate, so as to minimize the computational + burden on users. + + + +Kent & Linn [Page 21] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + A separate issue associated with validation of certificates is a + semantic one, i.e., is the entity identified in the issuer field + appropriate to vouch for the identifying information in the subject + field. This is a topic outside the scope of X.509, but one which + must be addressed in any viable system. The hierarchy proposed in + this RFC is designed to address this issue. In most cases a user + will claim, as part of his identifying information, affiliation with + some organization and that organization will have the means and + responsibility for verifying this identifying information. In such + circumstances one should expect an obvious relationship between the + Distinguished Name components in the issuer and subject fields. + + For example, if the subject field of a certificate identified an + individual as affiliated with the "Widget Systems Division" + (Organizational Unit Name) of "Compudigicorp" (Organizational Name), + one would expect the issuer field to specify "Compudigicorp" as the + Organizational Name and, if an Organizational Unit Name were present, + it should be "Widget Systems Division." If the issuer's certificate + indicated "Compudigicorp" as the subject (with no Organizational Unit + specified), then the issuer should be "RSADSI." If the issuer's + certificate indicated "Widget Systems Division" as Organizational + Unit and "Compudigicorp" as Organization in the subject field, then + the issuer could be either "RSADSI" (due to the direct certification + convention described earlier) or "Compudigicorp" (if the organization + elected to distribute this intermediate level certificate). In the + later case, the certificate path would involve an additional step + using the certificate in which "Compudigicorp" is the subject and + "RSADSI" is the issuer. One should be suspicious if the validation + path does not indicate a subset relationship for the subject and + issuer Distinguished Names in the certification path, expect where + cross-certification is employed to cross CA boundaries. + + It is a local matter whether the message system presents a human user + with the certification path used to validate a certificate associated + with incoming, privacy-enhanced mail. We note that a visual display + of the Distinguished Names involved in that path is one means of + providing the user with the necessary information. We recommend, + however, that certificate validation software incorporate checks and + alert the user whenever the expected certification path relationships + are not present. The rationale here is that regular display of + certification path data will likely be ignored by users, whereas + automated checking with a warning provision is a more effective means + of alerting users to possible certification path anomalies. We urge + developers to provide facilities of this sort. + +3.4.3 Relation with X.509 Certificate Specification + + An X.509 certificate can be viewed as two components: contents and an + + + +Kent & Linn [Page 22] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + encrypted hash. The encrypted hash is formed and processed as + follows: + + 1. X, the hash, is computed as a function of the certificate + contents + + 2. the hash is signed by raising X to the power e (modulo n) + + 3. the hash's signature is validated by raising the result of + step 2 to the power d (modulo n), yielding X, which is + compared with the result computed as a function of certificate + contents. + + Annex C to X.509 suggests the use of Fermat number F4 (65537 decimal, + 1 + 2 **16 ) as a fixed value for e which allows relatively efficient + authentication processing, i.e., at most seventeen (17) + multiplications are required to effect exponentiation). As an + alternative one can employ three (3) as the value for e, yielding + even faster exponentiation, but some precautions must be observed + (see RFC-1115). Users of the algorithm select values for d (a secret + quantity) and n (a non-secret quantity) given this fixed value for e. + As noted earlier, this RFC proposes that either three (3) or F4 be + employed as universal encryption exponents, with the choice specified + in the algorithm identifier. In particular, use of an exponent value + of three (3) for certificate validation is encouraged, to permit + rapid certificate validation. Given these conventions, a user's + public component, and thus the quantity represented in his + certificate, is actually the modulus (n) employed in this computation + (and in the computations used to protect the DEK and MSGHASH, as + described in RFC-1113). A user's private component is the exponent + (d) cited above. + + The X.509 certificate format is defined (in X.509, Annex G) by the + following ASN.1 syntax: + + Certificate ::= SIGNED SEQUENCE{ + version [0] Version DEFAULT v1988, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo} + + Version ::= INTEGER {v1988(0)} + + CertificateSerialNumber ::= INTEGER + + + + +Kent & Linn [Page 23] + +RFC 1114 Mail Privacy: Key Management August 1989 + + + Validity ::= SEQUENCE{ + notBefore UTCTime, + notAfter UTCTime} + + SubjectPublicKeyInfo ::= SEQUENCE{ + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING} + + + AlgorithmIdentifier ::= SEQUENCE{ + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL} + + All components of this structure are well defined by ASN.1 syntax + defined in the 1988 X.400 and X.500 Series Recommendations, except + for the AlgorithmIdentifier. An algorithm identifier for RSA is + contained in Annex H of X.509 but is unofficial. RFC-1115 will + provide detailed syntax and values for this field. + +NOTES: + + [1] CCITT Recommendation X.411 (1988), "Message Handling Systems: + Message Transfer System: Abstract Service Definition and + Procedures". + + [2] CCITT Recommendation X.509 (1988), "The Directory Authentication + Framework". + + + + + + + + + + + + + + + + + + + + + + + + +Kent & Linn [Page 24] + +RFC 1114 Mail Privacy: Key Management August 1989 + + +Authors' Addresses + + Steve Kent + BBN Communications + 50 Moulton Street + Cambridge, MA 02138 + + Phone: (617) 873-3988 + + EMail: kent@BBN.COM + + + John Linn + Secure Systems + Digital Equipment Corporation + 85 Swanson Road, BXB1-2/D04 + Boxborough, MA 01719-1326 + + Phone: 508-264-5491 + + EMail: Linn@ultra.enet.dec.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kent & Linn [Page 25] + \ No newline at end of file -- cgit v1.2.3