summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1848.txt
blob: 2cfe325ec75dba8300635e26ac2a5467d9c90b09 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
Network Working Group                                         S. Crocker
Request For Comments: 1848                               CyberCash, Inc.
Category: Standards Track                                       N. Freed
                                            Innosoft International, Inc.
                                                               J. Galvin
                                                               S. Murphy
                                             Trusted Information Systems
                                                            October 1995


                     MIME Object Security Services

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document defines MIME Object Security Services (MOSS), a
   protocol that uses the multipart/signed and multipart/encrypted
   framework [7] to apply digital signature and encryption services to
   MIME objects.  The services are offered through the use of end-to-end
   cryptography between an originator and a recipient at the application
   layer.  Asymmetric (public key) cryptography is used in support of
   the digital signature service and encryption key management.
   Symmetric (secret key) cryptography is used in support of the
   encryption service.  The procedures are intended to be compatible
   with a wide range of public key management approaches, including both
   ad hoc and certificate-based schemes.  Mechanisms are provided to
   support many public key management approaches.

Table of Contents

   1.  Introduction .............................................    3
   2.  Applying MIME Object Security Services ...................    4
   2.1  Digital Signature Service ...............................    4
   2.1.1  Canonicalization ......................................    5
   2.1.2  Digital Signature Control Information .................    7
   2.1.2.1  Version: ............................................    8
   2.1.2.2  Originator-ID: ......................................    8
   2.1.2.3  MIC-Info: ...........................................    8
   2.1.3  application/moss-signature Content Type Definition ....    9
   2.1.4  Use of multipart/signed Content Type ..................   10
   2.2  Encryption Service ......................................   11



Crocker, et al              Standards Track                     [Page 1]
^L
RFC 1848             MIME Object Security Services          October 1995


   2.2.1  Encryption Control Information ........................   12
   2.2.1.1  DEK-Info: ...........................................   13
   2.2.1.2  Recipient-ID: .......................................   14
   2.2.1.3  Key-Info: ...........................................   14
   2.2.2  application/moss-keys Content Type Definition .........   15
   2.2.3  Use of multipart/encrypted Content Type ...............   16
   3.  Removing MIME Object Security Services ...................   17
   3.1  Digital Signature Service ...............................   18
   3.1.1  Preparation ...........................................   18
   3.1.2  Verification ..........................................   19
   3.1.3  Results ...............................................   19
   3.2  Encryption Service ......................................   20
   3.2.1  Preparation ...........................................   20
   3.2.2  Decryption ............................................   20
   3.2.3  Results ...............................................   21
   4.  Identifying Originators, Recipients, and Their Keys ......   21
   4.1  Name Forms ..............................................   23
   4.1.1  Email Addresses .......................................   23
   4.1.2  Arbitrary Strings .....................................   23
   4.1.3  Distinguished Names ...................................   23
   4.2  Identifiers .............................................   24
   4.2.1  Email Address .........................................   25
   4.2.2  Arbitrary String ......................................   25
   4.2.3  Distinguished Name ....................................   26
   4.2.4  Public Key ............................................   26
   4.2.5  Issuer Name and Serial Number .........................   27
   5.  Key Management Content Types .............................   27
   5.1  application/mosskey-request Content Type Definition .....   28
   5.2  application/mosskey-data Content Type Definition ........   29
   6.  Examples .................................................   31
   6.1  Original Message Prepared for Protection ................   31
   6.2  Sign Text of Original Message ...........................   32
   6.3  Sign Headers and Text of Original Message ...............   32
   6.4  Encrypt Text of a Message ...............................   33
   6.5  Encrypt the Signed Text of a Message ....................   35
   6.6  Protecting Audio Content ................................   37
   6.6.1  Sign Audio Content ....................................   37
   6.6.2  Encrypt Audio Content .................................   37
   7.  Observations .............................................   38
   8.  Comparison of MOSS and PEM Protocols .....................   39
   9.  Security Considerations ..................................   41
   10.  Acknowledgements ........................................   41
   11.  References ..............................................   41
   12.  Authors' Addresses ......................................   43
     Appendix A: Collected Grammar ..............................   44
     Appendix B: Imported Grammar ...............................   47





Crocker, et al              Standards Track                     [Page 2]
^L
RFC 1848             MIME Object Security Services          October 1995


1.  Introduction

   MIME [2], an acronym for "Multipurpose Internet Mail Extensions",
   defines the format of the contents of Internet mail messages and
   provides for multi-part textual and non-textual message bodies.  An
   Internet electronic mail message consists of two parts: the headers
   and the body.  The headers form a collection of field/value pairs
   structured according to STD 11, RFC 822 [1], whilst the body, if
   structured, is defined according to MIME.  MIME does not provide for
   the application of security services.

   PEM [3-6], an acronym for "Privacy Enhanced Mail", defines message
   encryption and message authentication procedures for text-based
   electronic mail messages using a certificate-based key management
   mechanism.  The specifications include several features that are
   easily and more naturally supported by MIME, for example, the
   transfer encoding operation, the Content-Domain header, and the
   support services specified by its Part IV [6].  The specification is
   limited by specifying the application of security services to text
   messages only.

   MOSS is based in large part on the PEM protocol as defined by RFC
   1421.  Many of PEMs features and most of its protocol specification
   are included here.  A comparison of MOSS and PEM may be found in
   Section 8.

   In order to make use of the MOSS services, a user (where user is not
   limited to being a human, e.g., it could be a process or a role) is
   required to have at least one public/private key pair.  The public
   key must be made available to other users with whom secure
   communication is desired.  The private key must not be disclosed to
   any other user.

   An originator's private key is used to digitally sign MIME objects; a
   recipient would use the originator's public key to verify the digital
   signature.  A recipient's public key is used to encrypt the data
   encrypting key that is used to encrypt the MIME object; a recipient
   would use the corresponding private key to decrypt the data
   encrypting key so that the MIME object can be decrypted.

   As long as the private keys are protected from disclosure, i.e., the
   private keys are accessible only to the user to whom they have been
   assigned, the recipient of a digitally signed message will know from
   whom the message was sent and the originator of an encrypted message
   will know that only the intended recipient is able to read it.  For
   assurance, the ownership of the public keys used in verifying digital
   signatures and encrypting messages should be verified.  A stored
   public key should be protected from modification.



Crocker, et al              Standards Track                     [Page 3]
^L
RFC 1848             MIME Object Security Services          October 1995


   The framework defined in [7] provides an embodiment of a MIME object
   and its digital signature or encryption keys.  When used by MOSS the
   framework provides digital signature and encryption services to
   single and multi-part textual and non-textual MIME objects.

2.  Applying MIME Object Security Services

   The application of the MOSS digital signature service requires the
   following components.

   (1)  The data to be signed.

   (2)  The private key of the originator.

   The data to be signed is prepared according to the description below.
   The digital signature is created by generating a hash of the data and
   encrypting the hash value with the private key of the originator.
   The digital signature, some additional ancillary information
   described below, and the data are then embodied in a multipart/signed
   body part.  Finally, the multipart/signed body part may be
   transferred to a recipient or processed further, for example, it may
   be encrypted.

   The application of the MOSS encryption service requires the following
   components.

   (1)  The data to be encrypted.

   (2)  A data encrypting key to encrypt the data.

   (3)  The public key of the recipient.

   The data to be encrypted is prepared according to the description
   below.  The originator creates a data encrypting key and encrypts the
   data.  The recipient's public key is used to encrypt the data
   encrypting key.  The encrypted data, the encrypted data encrypting
   key, and some additional ancillary information described below are
   then embodied in a multipart/encrypted body part, ready to be
   transferred to a recipient or processed further, for example, it may
   be signed.

   The next two sections describe the digital signature and encryption
   services, respectively, in detail.

2.1.  Digital Signature Service

   The MOSS digital signature service is applied to MIME objects,
   specifically a MIME body part.  The MIME body part is created



Crocker, et al              Standards Track                     [Page 4]
^L
RFC 1848             MIME Object Security Services          October 1995


   according to a local convention and then made available to the
   digital signature service.

   The following sequence of steps comprises the application of the
   digital signature service.


   (1)  The body part to be signed must be canonicalized.


   (2)  The digital signature and other control information must be gen-
        erated.


   (3)  The control information must be embodied in an appropriate MIME
        content type.


   (4)  The control information body part and the data body part must be
        embodied in a multipart/signed content type.


   Each of these steps is described below.

2.1.1.  Canonicalization

   The body part must be converted to a canonical form that is uniquely
   and unambiguously representable in at least the environment where the
   digital signature is created and the environment where the digital
   signature will be verified, i.e., the originator and recipient's
   environment, respectively.  This is required in order to ensure that
   both the originator and recipient have the same data with which to
   calculate the digital signature; the originator needs to be able to
   create the digital signature value while the recipient needs to be
   able to compare a re-computed value with the received value.  If the
   canonical form is representable on many different host computers, the
   signed data may be forwarded by recipients to additional recipients,
   who will also be able to verify the original signature.  This service
   is called forwardable authentication.

   The canonicalization transformation is a two step process.  First,
   the body part must be converted to a form that is unambiguously
   representable on as many different host computers as possible.
   Second, the body part must have its line delimiters converted to a
   unique and unambiguous representation.

   The representation chosen to satisfy the first step is 7bit, as
   defined by MIME; the high order bit of each octet of the data to be



Crocker, et al              Standards Track                     [Page 5]
^L
RFC 1848             MIME Object Security Services          October 1995


   signed must be zero.  A MIME body part is comprised of two parts:
   headers and content.  Since the headers of body parts are already
   required to be represented in 7bit, this step does not require
   changes to the headers.  This step requires that if the content is
   not already 7bit then it must be encoded with an appropriate MIME
   content transfer encoding and a Content-Transfer-Encoding: header
   must be added to the headers.  For example, if the content to be
   signed contains 8bit or binary data, the content must be encoded with
   either the quoted-printable or base64 encoding as defined by MIME.

      IMPLEMENTORS NOTE: Since the MIME standard explicitly disallows
      nested content transfer encodings, i.e., the content types
      multipart and message may not themselves be encoded, the 7bit
      transformation requires each nested body part to be individually
      encoded in a 7bit representation.  Any valid MIME encoding, e.g.,
      quoted-printable or base64, may be used and, in fact, a different
      encoding may be used on each of the non-7bit body parts.

   Representing all content types in a 7bit format transforms them into
   text-based content types.  However, text-based content types present
   a unique problem.  In particular, the line delimiter used for a
   text-based content type is specific to a local environment; different
   environments use the single character carriage-return (<CR>), the
   single character line-feed (<LF>), or the two character sequence
   "carriage-return line-feed (<CR><LF>)".

   The application of the digital signature service requires that the
   same line delimiter be used by both the originator and the recipient.
   This document specifies that the two character sequence "<CR><LF>"
   must be used as the line delimiter.  Thus, the second step of the
   canonicalization transformation includes the conversion of the local
   line delimiter to the two character sequence "<CR><LF>".

   The conversion to the canonical line delimiter is only required for
   the purposes of computing the digital signature.  Thus, originators
   must apply the line delimiter conversion before computing the digital
   signature but must transfer the data without the line delimiter
   conversion.  Similarly, recipients must apply the line delimiter
   conversion before computing the digital signature.

      NOTE: An originator can not transfer the content with the line
      delimiter conversion intact because the conversion process is not
      idempotent.  In particular, SMTP servers may themselves convert
      the line delimiter to a local line delimiter, prior to the message
      being delivered to the recipient.  Thus, a recipient has no way of
      knowing if the conversion is present or not.  If the recipient
      applies the conversion to a content in which it is already
      present, the resulting content may have two line delimiters



Crocker, et al              Standards Track                     [Page 6]
^L
RFC 1848             MIME Object Security Services          October 1995


      present, which would cause the verification of the signature to
      fail.

      IMPLEMENTORS NOTE: Implementors should be aware that the
      conversion to a 7bit representation is a function that is required
      in a minimally compliant MIME user agent.  Further, the line
      delimiter conversion required here is distinct from the same
      conversion included in that function.  Specifically, the line
      delimiter conversion applied when a body part is converted to a
      7bit representation (transfer encoded) is performed prior to the
      application of the transfer encoding.  The line delimiter
      conversion applied when a body part is signed is performed after
      the body part is converted to 7bit (transfer encoded).  Both line
      delimiter conversions are required.

2.1.2.  Digital Signature Control Information

   The application of the digital signature service generates control
   information which includes the digital signature itself.  The syntax
   of the control information is that of a set of RFC 822 headers,
   except that the folding of header values onto continuation lines is
   explicitly forbidden.  Each header and value pair generated by the
   digital signature service must be output on exactly one line.

   The complete set of headers generated by the digital signature
   service is as follows.

   Version:
      indicates which version of the MOSS protocol the remaining headers
      represent.

   Originator-ID:
      indicates the private key used to create the digital signature and
      the corresponding public key to be used to verify it.

   MIC-Info:
      contains the digital signature value.

   Each invocation of the digital signature service must emit exactly
   one Version: header and at least one pair of Originator-ID: and MIC-
   Info: headers.  The Version: header must always be emitted first.
   The Originator-ID: and MIC-Info: headers are always emitted in pairs
   in the order indicated.  This specification allows an originator to
   generate multiple signatures of the data, presumably with different
   signature algorithms, and to include them all in the control
   information.  The interpretation of the presence of multiple
   signatures is outside the scope of this specification except that a
   MIC-Info: header is always interpreted in the context of the



Crocker, et al              Standards Track                     [Page 7]
^L
RFC 1848             MIME Object Security Services          October 1995


   immediately preceding Originator-ID: header.

2.1.2.1.  Version:

   The version header is defined by the grammar token <version> as
   follows.

      <version>  ::= "Version:" "5" CRLF

   Its value is constant and MOSS implementations compliant with this
   specification must recognize only this value and generate an error if
   any other value is found.

2.1.2.2.  Originator-ID:

   The purpose of the originator header is two-fold: to directly
   identify the public key to be used to verify the digital signature
   and to indirectly identify the user who owns both it and its
   corresponding private key.  Typically, a recipient is less interested
   in the actual public key value, although obviously the recipient
   needs the value to verify the signature, and more interested in
   identifying its owner.  Thus, the originator header may convey either
   or both pieces of information:

      the public key to be used to verify the signature

      the name of the owner and which of the owner's public keys to use
      to verify the signature

   The decision as to what information to place in the value rests
   entirely with the originator.  The suggested value is to include
   both.  Recipients with whom the originator has previously
   communicated will have to verify that the information presented is
   consistent with what is already known.  New recipients will want all
   of the information, which they will need to verify prior to storing
   in their local database.

   The originator header is defined by the grammar token <origid> as
   follows.

      <origid>  ::= "Originator-ID:" <id> CRLF

   The grammar token <id> is defined in Section 4.

2.1.2.3.  MIC-Info:

   The purpose of the Message Integrity Check (MIC) header is to convey
   the digital signature value.  Its value is a comma separated list of



Crocker, et al              Standards Track                     [Page 8]
^L
RFC 1848             MIME Object Security Services          October 1995


   three arguments: the hash (or MIC) algorithm identifier, the
   signature algorithm identifier, and the digital signature.

   The MIC header is defined by the grammar token <micinfo> as follows.

      <micinfo>  ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
                     <asymsignmic> CRLF

   The grammar tokens for the MIC algorithms and identifiers
   (<micalgid>), signature algorithms and identifiers (<ikalgid>), and
   signed MIC formats (<asymsignmic>) are defined by RFC 1423.  They are
   also reprinted in Appendix B.

      IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEM protocol,
      which includes support for symmetric signatures and key
      management.  As a result, some of the grammar tokens defined
      there, for example, <ikalgid>, will include options that are not
      legal for this protocol.  These options must be ignored and have
      not been included in the appendix.

2.1.3.  application/moss-signature Content Type Definition

   (1)  MIME type name: application

   (2)  MIME subtype name: moss-signature

   (3)  Required parameters: none

   (4)  Optional parameters: none

   (5)  Encoding considerations: quoted-printable is always sufficient

   (6)  Security considerations: none

   The "application/moss-signature" content type is used on the second
   body part of an enclosing multipart/signed.  Its content is comprised
   of the digital signature of the data in the first body part of the
   enclosing multipart/signed and other control information required to
   verify that signature, as defined by Section 2.1.2.  The label
   "application/moss-signature" must be used as the value of the
   protocol parameter of the enclosing multipart/signed; the protocol
   parameter must be present.

   Part of the signature verification information will be the Message
   Integrity Check (MIC) algorithm(s) used during the signature creation
   process.  The MIC algorithm(s) identified in this body part must
   match the MIC algorithm(s) identified in the micalg parameter of the
   enclosing multipart/signed.  If it does (they do) not, a user agent



Crocker, et al              Standards Track                     [Page 9]
^L
RFC 1848             MIME Object Security Services          October 1995


   should identify the discrepancy to a user and it may choose to either
   halt or continue processing, giving precedence to the algorithm(s)
   identified in this body part.

   An application/moss-signature body part is constructed as follows:

      Content-Type: application/moss-signature

      <mosssig>

   where the grammar token <mosssig> is defined as follows.

      <mosssig>       ::= <version> ( 1*<origasymflds> )

      <version>       ::= "Version:" "5" CRLF

      <origasymflds>  ::= <origid> <micinfo>

      <origid>        ::= "Originator-ID:" <id> CRLF

      <micinfo>       ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
                          <asymsignmic> CRLF

   The token <id> is defined in Section 4.  All other tokens are defined
   in Section 2.1.2.3.

2.1.4.  Use of multipart/signed Content Type

   The definition of the multipart/signed content type in [7] specifies
   three steps for creating the body part.


   (1)  The body part to be digitally signed is created according to a
        local convention, for example, with a text editor or a mail user
        agent.


   (2)  The body part is prepared for the digital signature service
        according to the protocol parameter, in this case according to
        Section 2.1.1.


   (3)  The prepared body part is digitally signed according to the
        protocol parameter, in this case according to Section 2.1.2.


   The multipart/signed content type is constructed as follows.




Crocker, et al              Standards Track                    [Page 10]
^L
RFC 1848             MIME Object Security Services          October 1995


   (1)  The value of its required parameter "protocol" is set to
        "application/moss-signature".


   (2)  The signed body part becomes its first body part.


   (3)  Its second body part is labeled "application/moss-signature" and
        is filled with the control information generated by the digital
        signature service.


   (4)  The value of its required parameter "micalg" is set to the same
        value used in the MIC-Info: header in the control information.
        If there is more than one MIC-Info: header present the value is
        set to a comma separated list of values from the MIC-Info
        headers.  The interpretation of the order of the list of values
        is outside the scope of this specification.


   A multipart/signed content type with the MOSS protocol might look as
   follows:

      Content-Type: multipart/signed;
        protocol="application/moss-signature";
        micalg="rsa-md5"; boundary="Signed Message"

      --Signed Message
      Content-Type: text/plain

      This is some example text.

      --Signed Message
      Content-Type: application/moss-signature

      Version: 5
      Originator-ID: ID-INFORMATION
      MIC-Info: RSA-MD5,RSA,SIGNATURE-INFORMATION
      --Signed Message--

   where ID-INFORMATION and SIGNATURE-INFORMATION are descriptive of the
   content that would appear in a real body part.

2.2.  Encryption Service

   The MOSS encryption service is applied to MIME objects, specifically
   a MIME body part.  The MIME body part is created according to a local
   convention and then made available to the encryption service.



Crocker, et al              Standards Track                    [Page 11]
^L
RFC 1848             MIME Object Security Services          October 1995


   The following sequence of steps comprises the application of the
   encryption service.


   (1)  The body part to be encrypted must be in MIME canonical form.


   (2)  The data encrypting key and other control information must be
        generated.


   (3)  The control information must be embodied in an appropriate MIME
        content type.


   (4)  The control information body part and the encrypted data body
        part must be embodied in a multipart/encrypted content type.


   The first step is defined by MIME.  The latter three steps are
   described below.

2.2.1.  Encryption Control Information

   The application of the encryption service generates control
   information which includes the data encrypting key used to encrypt
   the data itself.  The syntax of the control information is that of a
   set of RFC 822 headers, except that the folding of header values onto
   continuation lines is explicitly forbidden.  Each header and value
   pair generated by the encryption service must be output on exactly
   one line.

   First, the originator must retrieve the public key of the recipient.
   The retrieval may be from a local database or from a remote service.
   The acquisition of the recipient's public key is outside the scope of
   the specification, although Section 5 defines one possible mechanism.

   With the public key, the originator encrypts the data encrypting key
   according to the Key-Info: header defined below.  The complete set of
   headers generated by the encryption service is as follows.

   Version:
      indicates which version of the MOSS protocol the remaining headers
      represent and is defined in Section 2.1.2.1.

   DEK-Info:
      indicates the algorithm and mode used to encrypt the data.




Crocker, et al              Standards Track                    [Page 12]
^L
RFC 1848             MIME Object Security Services          October 1995


   Recipient-ID:
      indicates the public key used to encrypt the data encrypting key
      that was used to encrypt the data.

   Key-Info:
      contains data encrypting key encrypted with the recipient's public
      key.

   Each invocation of the encryption service must emit exactly one
   Version: header, exactly one DEK-Info: header, and at least one pair
   of Recipient-ID: and Key-Info: headers.  Headers are always emitted
   in the order indicated.  The Recipient-ID: and Key-Info: headers are
   always emitted in pairs in the order indicated, one pair for each
   recipient of the encrypted data.  A Key-Info: header is always
   interpreted in the context of the immediately preceding Recipient-ID:
   header.

      IMPLEMENTORS NOTE: Implementors should always generate a
      Recipient-ID: and Key-Info header pair representing the originator
      of the encrypted data.  By doing so, if an originator sends a
      message to a recipient that is returned undelivered, the
      originator will be able to decrypt the message and determine an
      appropriate course of action based on its content.  If not, an
      originator will not be able to review the message that was sent.

2.2.1.1.  DEK-Info:

   The purpose of the data encrypting key information header is to
   indicate the algorithm and mode used to encrypt the data, along with
   any cryptographic parameters that may be required, e.g.,
   initialization vectors.  Its value is either a single argument
   indicating the algorithm and mode or a comma separated pair of
   arguments where the second argument carries any cryptographic
   parameters required by the algorithm and mode indicated in the first
   argument.

   The data encrypting key information header is defined by the grammar
   token <dekinfo> as follows.

      <dekinfo>  ::= "DEK-Info" ":" <dekalgid>
                     [ "," <dekparameters> ] CRLF

   The grammar tokens for the encryption algorithm and mode identifier
   (<dekalgid>) and the optional cryptographic parameters
   (<dekparameters>) are defined by RFC 1423.  They are also reprinted
   in Appendix B.





Crocker, et al              Standards Track                    [Page 13]
^L
RFC 1848             MIME Object Security Services          October 1995


2.2.1.2.  Recipient-ID:

   The purpose of the recipient header is to identify the private key
   that must be used to decrypt the data encrypting key that will be
   used to decrypt the data.  Presumably the recipient owns the private
   key and thus is less interested in identifying the owner of the key
   and more interested in the private key value itself.  Nonetheless,
   the recipient header may convey either or both pieces of information:

      the public key corresponding to the private key to be used to
      decrypt the data encrypting key

      the name of the owner and which of the owner's private keys to use
      to decrypt the data encrypting key

   The decision as to what information to place in the value rests
   entirely with the originator.  The suggested choice is to include
   just the public key.  However, some recipients may prefer that
   originators not include their public key.  How this preference is
   conveyed to and managed by the originator is outside the scope of
   this specification.

   The recipient header is defined by the grammar token <recipid> as
   follows.

      <recipid>  ::= "Recipient-ID:" <id> CRLF

   The grammar token <id> is defined in Section 4.

2.2.1.3.  Key-Info:

   The purpose of the key information header is to convey the encrypted
   data encrypting key.  Its value is a comma separated list of two
   arguments: the algorithm and mode identifier in which the data
   encrypting key is encrypted and the encrypted data encrypting key.

   The key information header is defined by the grammar token
   <asymkeyinfo> as follows.

      <asymkeyinfo>  ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF

   The grammar tokens for the encryption algorithm and mode identifier
   (<ikalgid>) and the encrypted data encrypting key format
   (<asymsignmic>) are defined by RFC 1423.  They are also reprinted in
   Appendix B.

      IMPLEMENTORS NOTE: RFC 1423 is referenced by the PEM protocol,
      which includes support for symmetric signatures and key



Crocker, et al              Standards Track                    [Page 14]
^L
RFC 1848             MIME Object Security Services          October 1995


      management.  As a result, some of the grammar tokens defined
      there, for example, <ikalgid>, will include options that are not
      legal for this protocol.  These options must be ignored and have
      not been included in the appendix.

2.2.2.  application/moss-keys Content Type Definition

   (1)  MIME type name: application

   (2)  MIME subtype name: moss-keys

   (3)  Required parameters: none

   (4)  Optional parameters: none

   (5)  Encoding considerations: quoted-printable is always sufficient

   (6)  Security considerations: none

   The "application/moss-keys" content type is used on the first body
   part of an enclosing multipart/encrypted.  Its content is comprised
   of the data encryption key used to encrypt the data in the second
   body part and other control information required to decrypt the data,
   as defined by Section 2.2.1.  The label "application/moss-keys" must
   be used as the value of the protocol parameter of the enclosing
   multipart/encrypted; the protocol parameter must be present.

   An application/moss-keys body part is constructed as follows:

      Content-Type: application/moss-keys

      <mosskeys>

   where the <mosskeys> token is defined as follows.

      <mosskeys>      ::= <version> <dekinfo> 1*<recipasymflds>

      <version>       ::= "Version:" "5" CRLF

      <dekinfo>       ::= "DEK-Info" ":" <dekalgid>
                          [ "," <dekparameters> ] CRLF

      <recipasymflds> ::= <recipid> <asymkeyinfo>

      <recipid>       ::= "Recipient-ID:" <id> CRLF

      <asymkeyinfo>   ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF




Crocker, et al              Standards Track                    [Page 15]
^L
RFC 1848             MIME Object Security Services          October 1995


   The token <id> is defined in Section 4.  The token <version> is
   defined in Section 2.1.2.1.  All other tokens are defined in Section
   2.2.1.3.

2.2.3.  Use of multipart/encrypted Content Type

   The definition of the multipart/encrypted body part in [7] specifies
   three steps for creating the body part.


   (1)  The body part to be encrypted is created according to a local
        convention, for example, with a text editor or a mail user
        agent.


   (2)  The body part is prepared for encryption according to the
        protocol parameter, in this case the body part must be in MIME
        canonical form.


   (3)  The prepared body part is encrypted according to the protocol
        parameter, in this case according to Section 2.2.1.


   The multipart/encrypted content type is constructed as follows.


   (1)  The value of its required parameter "protocol" is set to
        "application/moss-keys".


   (2)  The first body part is labeled "application/moss-keys" and is
        filled with the control information generated by the encryption
        service.


   (3)  The encrypted body part becomes the content of its second body
        part, which is labeled "application/octet-stream".


   A multipart/encrypted content type with the MOSS protocol might look
   as follows:









Crocker, et al              Standards Track                    [Page 16]
^L
RFC 1848             MIME Object Security Services          October 1995


      Content-Type: multipart/encrypted;
        protocol="application/moss-keys";
        boundary="Encrypted Message"

      --Encrypted Message
      Content-Type: application/moss-keys

      Version: 5
      DEK-Info: DES-CBC,DEK-INFORMATION
      Recipient-ID: ID-INFORMATION
      Key-Info: RSA,KEY-INFORMATION

      --Encrypted Message
      Content-Type: application/octet-stream

      ENCRYPTED-DATA
      --Encrypted Message--

   where DEK-INFORMATION, ID-INFORMATION, and KEY-INFORMATION are
   descriptive of the content that would appear in a real body part.

3.  Removing MIME Object Security Services

   The verification of the MOSS digital signature service requires the
   following components.


   (1)  A recipient to verify the digital signature.


   (2)  A multipart/signed body part with two body parts: the signed
        data and the control information.


   (3)  The public key of the originator.


   The signed data and control information of the enclosing
   multipart/signed are prepared according to the description below.
   The digital signature is verified by re-computing the hash of the
   data, decrypting the hash value in the control information with the
   originator's public key, and comparing the two hash values.  If the
   two hash values are equal, the signature is valid.

   The decryption of the MOSS encryption service requires the following
   components.





Crocker, et al              Standards Track                    [Page 17]
^L
RFC 1848             MIME Object Security Services          October 1995


   (1)  A recipient to decrypt the data.


   (2)  A multipart/encrypted body part with two body parts: the
        encrypted data and the control information.


   (3)  The private key of the recipient.


   The encrypted data and control information of the enclosing
   multipart/encrypted are prepared according to the description below.
   The data encrypting key is decrypted with the recipient's private key
   and used to decrypt the data.

   The next two sections describe the digital signature and encryption
   services in detail, respectively.

3.1.  Digital Signature Service

   This section describes the processing steps necessary to verify the
   MOSS digital signature service.  The definition of the
   multipart/signed body part in [7] specifies three steps for receiving
   it.


   (1)  The digitally signed body part and the control information body
        part are prepared for processing.


   (2)  The prepared body parts are made available to the digital
        signature verification process.


   (3)  The results of the digital signature verification process are
        made available to the user and processing continues with the
        digitally signed body part, as returned by the digital signature
        verification process.


   Each of these steps is described below.

3.1.1.  Preparation

   The digitally signed body part (the data) and the control information
   body part are separated from the enclosing multipart/signed body
   part.




Crocker, et al              Standards Track                    [Page 18]
^L
RFC 1848             MIME Object Security Services          October 1995


   The control information is prepared by removing any content transfer
   encodings that may be present.

   The digitally signed body part is prepared by leaving the content
   transfer encodings intact and canonicalizing the line delimiters
   according to Step 2 of Section 2.1.1.

3.1.2.  Verification

   First, the recipient must obtain the public key of the originator.
   The public key may be contained in the control information or it may
   be necessary for the recipient to retrieve the public key based on
   information present in the control information.  The retrieval may be
   from a local database or from a remote service.  The acquisition of
   the originator's public key is outside the scope of the
   specification, although Section 5 defines one possible mechanism.

   With the public key, the recipient decrypts the hash value contained
   in the control information.  Then, a new hash value is computed over
   the body part purported to have been digitally signed.

   Finally, the two hash values are compared to determine the accuracy
   of the digital signature.

3.1.3.  Results

   There are two required components of the results of the verification
   process.  The first is an indication as to whether a public key could
   be found that allows the hash values in the previous step to compare
   equal.  Such an indication verifies only that the data received is
   the same data that was digitally signed.

   The second indication identifies the owner of the public key who is
   presumably the holder of the private key that created the digital
   signature.  The indication must include a testament as to the
   accuracy of the owner identification.

   At issue is a recipient knowing who created the digital signature.
   In order for the recipient to know with certainty who digitally
   signed the message, the binding between the owner's name and the
   public key must have been verified by the recipient prior to the
   verification of the digital signature.  The verification of the
   binding may have been completed offline and stored in a trusted,
   local database or, if the owner's name and public key are embodied in
   a certificate, it may be possible to complete it in realtime.  See
   Section 5 for more information.





Crocker, et al              Standards Track                    [Page 19]
^L
RFC 1848             MIME Object Security Services          October 1995


3.2.  Encryption Service

   This section describes the processing steps necessary to decrypt the
   MOSS encryption service.  The definition of the multipart/encrypted
   body part in [7] specifies three steps for receiving it.


   (1)  The encrypted body part and the control information body part
        are prepared for processing.


   (2)  The prepared body parts are made available to the decryption
        process.


   (3)  The results of the decryption process are made available to the
        user and processing continues with the decrypted body part, as
        returned by the decryption process.


   Each of these steps is described below.

3.2.1.  Preparation

   The encrypted body part (the data) and the control information body
   part are separated from the enclosing multipart/encrypted body part.
   The body parts are prepared for the decryption process by removing
   any content transfer encodings that may be present.

3.2.2.  Decryption

   First, the recipient must locate the encrypted data encrypting key in
   the control information.  Each Recipient-ID: header is checked in
   order to see if it identifies the recipient or a public key of the
   recipient.

   If it does, the immediately following Key-Info: header will contain
   the data encrypting key encrypted with the public key of the
   recipient.  The recipient must use the corresponding private key to
   decrypt the data encrypting key.

   The data is decrypted with the data encrypting key.  The decrypted
   data will be a MIME object, a body part, ready to be processed by a
   MIME agent.







Crocker, et al              Standards Track                    [Page 20]
^L
RFC 1848             MIME Object Security Services          October 1995


3.2.3.  Results

   If the recipient is able to locate and decrypt a data encrypting key,
   from the point of view of MOSS the decryption should be considered
   successful.  An indication of the owner of the private key used to
   decrypt the data encrypting key must be made available to the user.

   Ultimately, the success of the decryption is dependent on the ability
   of a MIME agent to continue processing with the decrypted body part.

4.  Identifying Originators, Recipients, and Their Keys

   In the PEM specifications, public keys are required to be embodied in
   certificates, an object that binds each public key with a
   distinguished name.  A distinguished name is a name form that
   identifies the owner of the public key.  The embodiment is issued by
   a certification authority, a role that is expected to be trustworthy
   insofar as the certification authority would have procedures to
   verify the identity of the owner prior to issuing the certificate.

   In MOSS, a user is not required to have a certificate.  The MOSS
   services require that the user have at least one public/private key
   pair.  The MOSS protocol requires the digital signature and
   encryption services to emit Originator-ID: and Recipient-ID: headers,
   as appropriate.  In the discussion above the actual value of these
   headers was omitted, having been relegated to this section.  Although
   the value of each of these headers serves a distinct purpose, for
   simplicity the single grammar token <id> represents the value that
   may be assigned to either header.

   One possible value for the Originator-ID: and Recipient-ID: headers
   is the public key values themselves.  However, while it is true that
   the public keys alone could be exchanged and used by users to
   communicate, the values are, in fact, large and cumbersome.  In
   addition, public keys would appear as a random sequence of characters
   and, as a result, would not be immediately consumable by human users.

      NOTE: It should be pointed out that a feature of being able to
      specify the public key explicitly is that it allows users to
      exchange encrypted, anonymous mail.  In particular, receiving
      users will always know a message comes from the same originating
      user even if the real identity of the originating user is unknown.

   Recognizing that the use of public keys is, in general, unsuitable
   for use by humans, MOSS allows other identifiers in Originator-ID:
   and Recipient-ID: headers.  These other identifiers are comprised of
   two parts: a name form and a key selector.




Crocker, et al              Standards Track                    [Page 21]
^L
RFC 1848             MIME Object Security Services          October 1995


   The name form is chosen and asserted by the user who owns the
   public/private key pair.  Three name forms are specified by this
   document.  The use of a distinguished name is retained for
   compatibility with PEM (and compatibility with the X.500 Directory
   should it become a ubiquitous service).  However, the Internet
   community has a great deal of experience with the use of electronic
   mail addresses as a name form.  Also, arbitrary strings are useful to
   identify the owners of public keys when private name forms are used.
   Hence, email addresses and arbitrary strings are included as name
   forms to increase flexibility.

   Since a user may have more than one public key and may wish to use
   the same name form for each public key, a name form is insufficient
   for uniquely identifying a public key.  A unique "key selector" must
   be assigned to each public key.  The combination of a name form and
   the key selector uniquely identifies a public key.  Throughout this
   document, this combination is called an identifier.  There are 5
   identifiers specified by this document.

      NOTE: In the simplest case, key selectors will be assigned by the
      owners of the public/private key pairs.  This works best when
      users generate their own key pairs for personal use, from which
      they distribute their public key to others asserting by
      declaration that the public key belongs to them.  When the
      assertion that the public key belongs to them is made by a third
      party, for example when a certification authority issues a
      certificate to a user according to [4], the key selector may be
      assigned by that third party.

   The value of the key selector must be unique with respect to the name
   form with which it forms an identifier.  Although the same key
   selector value may be used by more than one name form it must not be
   used for two different keys with the same name form.  When considered
   separately, neither a name form nor a key selector is sufficient for
   identifying the public key to be used.  Either could be used to
   determine a set of public keys that may be tried in turn until the
   desired public key is identified.

   With a public/private key pair for one's self and software that is
   MOSS aware, an originating user may digitally sign arbitrary data and
   send it to one or more recipients.  With the public keys of the
   recipients, a user may encrypt the data so that only the intended
   recipients can decrypt and read it.  With the name forms assigned to
   the public keys, originators and recipients can easily recognize
   their peers in a communication.

   In the next section the 3 name forms are described in detail.
   Following that is the specification of the 5 identifiers.



Crocker, et al              Standards Track                    [Page 22]
^L
RFC 1848             MIME Object Security Services          October 1995


4.1.  Name Forms

   There are 3 name forms specified by this document: email addresses,
   distinguished names, and arbitrary strings.

4.1.1.  Email Addresses

   The email address (grammar token <emailstr>) used must be a valid
   RFC822 address, which is defined in terms of one of the two grammar
   tokens <addr-spec> or <route-addr>.  The grammar for these two tokens
   is included in the Appendix as a convenience; the definitive source
   for these tokens is necessarily RFC822 [1].

      <emailstr>      ::= <addr-spec> / <route-addr>
                          ; an electronic mail address as defined by
                          ; one of these two tokens from RFC822

   For example, the strings "crocker@tis.com", "galvin@tis.com",
   "murphy@tis.com", and "ned@innosoft.com" are all email addresses.

4.1.2.  Arbitrary Strings

   The arbitrary string (grammar token <string>) must have a length of
   at least 1.  There are no other restrictions on the value chosen.

      <string>        ::= ; a non-null sequence of characters

   For example, the string

      the SAAG mailing list maintainer

   is an arbitrary string.

4.1.3.  Distinguished Names

   The distinguished name (grammar token <dnamestr>) must be constructed
   according to the guidelines of the X.500 Directory.  The actual
   syntax of the distinguished name is outside the scope of this
   specification.  However, RFC1422, for example, specifies syntactic
   restrictions based on its choice of a certification hierarchy for
   certificates.

   For the purposes of conveying a distinguished name from an originator
   to a recipient, it must be ASN.1 encoded and then printably encoded
   according to the base64 encoding defined by MIME.






Crocker, et al              Standards Track                    [Page 23]
^L
RFC 1848             MIME Object Security Services          October 1995


      <dnamestr>      ::= <encbin>
                          ; a printably encoded, ASN.1 encoded
                          ; distinguished name (as defined by the 'Name'
                          ; production specified in X.501 [8])

   For example,

      /Country Name=US
      /State or Province Name=MD
      /Organization Name=Trusted Information Systems
      /Organizational Unit Name=Glenwood
      /Common Name=James M. Galvin/

   is a distinguished name in a user friendly format (line breaks and
   leading spaces present only to improve readability).  When encoded,
   it would appear as follows (line breaks present only to improve
   readability):

      MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3RlZCBJ
      bmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1UEAxMP
      SmFtZXMgTS4gR2Fsdmlu

4.2.  Identifiers

   There are 5 types of identifiers specified by this document:

      email address identifiers

      arbitrary string identifiers

      distinguished name identifiers

      the public keys themselves

      issuer name serial number pairs from a certificate

   All of these have approximately the same structure (except issuer
   name and serial number which has 'TYPE, STRING, KEYSEL' for
   historical reasons):

      TYPE, KEYSEL, STRING

   The TYPE field is a literal string chosen from the set "EN", "STR",
   "DN", "PK", and "IS", one for each of the possible identifiers.

   The KEYSEL field is used to distinguish between the multiple public
   keys that may be associated with the name form in the STRING field.
   Its value must be unique with respect to all other key selectors used



Crocker, et al              Standards Track                    [Page 24]
^L
RFC 1848             MIME Object Security Services          October 1995


   with the same name form.  An example would be to use a portion (low-
   order 16 or 32 bits) or all of the actual public key used.

   The STRING field is the name form and has a different syntax
   according to the value of the TYPE field.

   The identifier used in each of the originator and recipient fields is
   described by the following grammar.  The definition of the key
   selector token is included here since it used by several of the
   identifiers below.

      <id>            ::=   <id-email> / <id-string>    / <id-dname>
                          / <id-publickey> / <id-issuer>

      <keysel>        ::= 1*<hexchar>
                          ; hex dump of a non-null sequence of octets

   Each of the identifier name forms is described below.

4.2.1.  Email Address

   The email address identifier has the following syntax.

      <id-email>      ::= "EN"  "," <keysel> "," <emailstr> CRLF

   The syntax of the token <emailstr> is defined in Section 4.1.1.

   For example:

      EN,1,galvin@tis.com

   is an email address identifier.

4.2.2.  Arbitrary String

   The arbitrary string identifier has the following syntax.

      <id-string>     ::= "STR" "," <keysel> "," <string> CRLF

   The syntax of the token <string> is defined in Section 4.1.2.

   For example:

      STR,1,The SAAG mailing list maintainer

   is an arbitrary string identifier.





Crocker, et al              Standards Track                    [Page 25]
^L
RFC 1848             MIME Object Security Services          October 1995


4.2.3.  Distinguished Name

   The distinguished name identifier has the following syntax.

      <id-dname>      ::= "DN"  "," <keysel> "," <dnamestr> CRLF

   The syntax of the token <dnamestr> is defined in Section 4.1.3.

   For example (line breaks present only to improve readability):

      DN,1,MG0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3R
      lZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZDEYMBYGA1U
      EAxMPSmFtZXMgTS4gR2Fsdmlu

   is a distinguished name identifier.

4.2.4.  Public Key

   The public key identifier has the following syntax.

      <id-publickey>  ::= "PK"  "," <publickey> [ "," <id-subset> ] CRLF

      <publickey>     ::= <encbin>
                          ; a printably encoded, ASN.1 encoded public
                          ; key (as defined by the
                          ; 'SubjectPublicKeyInfo' production specified
                          ; in X.509 [9])

      <id-subset>     ::= <id-email> / <id-string> / <id-dname>

   The production SubjectPublicKeyInfo is imported from the X.500
   Directory from the certificate object.  It is currently the best
   choice for a general purpose public key encoding.

   For example, (line breaks present only to improve readability):

      PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG
      4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn
      0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB

   is a public key identifier without the optional <id-subset>.

   In normal usage, the token <id-subset> is expected to be present.  It
   represents a mechanism by which an identifier (name form and key
   selector) can be associated with a public key.  Recipients of a
   public key identifier must take care to verify the accuracy of the
   purported association.  If they do not, it may be possible for a
   malicious originator to assert an identifier that accords the



Crocker, et al              Standards Track                    [Page 26]
^L
RFC 1848             MIME Object Security Services          October 1995


   originator unauthorized privileges.  See Section 5.2 for more
   details.

   For example, (line breaks present only to improve readability):

      PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6BekJmG
      4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn
      0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin@tis.com

   is a public key identifier with the optional <id-subset>.

4.2.5.  Issuer Name and Serial Number

   The issuer name and serial number identifier has the following
   syntax.

      <id-issuer>     ::= "IS"  "," <dnamestr>  "," <serial> CRLF

      <serial>        ::= 1*<hexchar>
                          ; hex dump of a certificate serial number

   The <id-issuer> identifier is included for compatibility with the
   ID-ASymmetric fields defined in [3] (and compatibility with X.500
   Directory certificates should they become ubiquitously available).
   Its syntax was chosen such that the older fields are easily converted
   to this new form by prefixing the old value with "IS" (and replacing
   the field name of [3] with an appropriate new ID field name).  For
   example, (line breaks present only to improve readability):

      IS,MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3
      RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02

   is an issuer name and serial number identifier according to MOSS,
   while

      MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDEkMCIGA1UEChMbVHJ1c3
      RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwhHbGVud29vZA==,02

   is an issuer name and serial number identifier according to PEM.

5.  Key Management Content Types

   This document defines two key management content types: one for
   requesting cryptographic key material and one for sending
   cryptographic key material.  Since MOSS depends only on the existence
   of public/private key pairs, these content types provide a means for
   conveying public keys and an assertion as to the identity of the
   owner.  In addition, in order to be compatible with the certificate-



Crocker, et al              Standards Track                    [Page 27]
^L
RFC 1848             MIME Object Security Services          October 1995


   base key management system proposed by RFC 1422, the content types
   may also be used to convey certificate and certificate revocation
   list material.

   The functions defined here are based on the exchange of body parts.
   In particular, a user would send a message containing at least one
   application/mosskey-request content, as defined below.  In response,
   a user would expect to receive a message containing at least one
   application/mosskey-data content, as defined below.  MIME provides a
   convenient framework for a user to send several request body parts
   and to receive several data (response) body parts in one message.

5.1.  application/mosskey-request Content Type Definition

   (1)  MIME type name: application

   (2)  MIME subtype name: mosskey-request

   (3)  Required parameters: none

   (4)  Optional parameters: none

   (5)  Encoding considerations: quoted-printable is always sufficient

   (6)  Security Considerations: none

   The content of this body part corresponds to the following
   production.

      <request>       ::= <version>
                          ( <subject> / <issuer> / <certification> )

      <version>       ::= "Version:" "5" CRLF

      <subject>       ::= "Subject:" <id> CRLF

      <issuer>        ::= "Issuer:" <id> CRLF

      <certification> ::= "Certification:" <encbin> CRLF

   A user would use this content type to specify needed cryptographic
   key information.  The message containing this content type might be
   directed towards an automatic or manual responder, which may be
   mail-based, depending on the local implementation and environment.
   The application/mosskey-request content type is an independent body
   part because it is entirely independent of any other body part.





Crocker, et al              Standards Track                    [Page 28]
^L
RFC 1848             MIME Object Security Services          October 1995


   If the application/mosskey-request content contains a Certification:
   field it requests certification of the self-signed certificate in the
   field value.  If the content contains an Issuer: field it requests
   the Certificate Revocation List (CRL) chain beginning with the CRL of
   the issuer identified in the field value.  If the content contains a
   Subject: field it requests either the public key of the subject or a
   certificate chain beginning with the subject identified in the field
   value, or both if both exist.

   The Subject: and Issuer: fields each contain a value of type <id>,
   which is defined in Section 4.

   One possible response to receiving an application/mosskey-request
   body part is to construct and return an application/mosskey-data body
   part.  When returning public keys, certificate chains, and
   certificate revocation list chains, if there exists more than one,
   several application/mosskey-data body parts are to be returned in the
   reply message, one for each.

5.2.  application/mosskey-data Content Type Definition

   The principal objective of this content type is to convey
   cryptographic keying material from a source to a destination.  This
   might be in response to the receipt of an application/mosskey-request
   content type or it might be in anticipation of receiving an
   application/mosskey-request if it is not sent, e.g., it may be
   combined with a multipart/signed object by an originator to ensure
   that a recipient has the cryptographic keying material necessary to
   verify the signature.  When combined with other content types, the
   processing by a recipient is enhanced if the application/mosskey-data
   content type is positioned in its enclosing content type prior to the
   content types that will make use of its cryptographic keying
   material.

   However, no explicit provision is made in this document for
   determining the authenticity or accuracy of the data being conveyed.
   In particular, when a public key and its identifier is conveyed,
   there is nothing to prevent the source or an interloper along the
   path from the source to the destination from substituting alternate
   values for either the public key or the identifier.

   It is incumbent upon a recipient to verify the authenticity and
   accuracy of the data received in this way prior to its use.  This
   problem can be addressed by the use of certificates, since a
   certification hierarchy is a well-defined mechanism that conveniently
   supports the automatic verification of the data.  Alternatively, the
   source of the application/mosskey-data body part could digitally sign
   it.  In this way, if the destination believes that a correct source's



Crocker, et al              Standards Track                    [Page 29]
^L
RFC 1848             MIME Object Security Services          October 1995


   public key is available locally and if the destination believes the
   source would convey accurate data, then the contents of the
   application/mosskey-data from the source could be believed to be
   accurate.

      NOTE: Insofar as a certificate represents a mechanism by which a
      third party vouches for the binding between a name and a public
      key, the signing of an application/mosskey-data body part is a
      similar mechanism.

   (1)  MIME type name: application

   (2)  MIME subtype name: mosskey-data

   (3)  Required parameters: none

   (4)  Optional parameters: none

   (5)  Encoding considerations: quoted-printable is always sufficient.

   (6)  Security Considerations: none

   The content of this body part corresponds to the following
   production.

      <mosskeydata>   ::= <version>
                          ( <publickeydata> / <certchain> / <crlchain> )

      <version>       ::= "Version:" "5" CRLF

      <publickeydata> ::= "Key:" "PK" "," <publickey> ","
                          <id-subset> CRLF

      <certchain>     ::= <cert> *( [ <crl> ] <cert> )

      <crlchain>      ::= 1*( <crl> [ <cert> ] )

      <cert>          ::= "Certificate:" <encbin> CRLF

      <crl>           ::= "CRL:" <encbin> CRLF

   This content type is used to transfer public keys, certificate
   chains, or Certificate Revocation List (CRL) chains.  The information
   in the body part is entirely independent of any other body part.
   (Note that the converse is not true: the validity of a protected body
   part cannot be determined without the proper public keys,
   certificates, or current CRL information.)  As such, the
   application/mosskey-data content type is an independent body part.



Crocker, et al              Standards Track                    [Page 30]
^L
RFC 1848             MIME Object Security Services          October 1995


   The <publickeydata> production contains exactly one public key.  It
   is used to bind a public key with its corresponding name form and key
   selector.  It is recommended that when responders are returning this
   information that the enclosing body part be digitally signed by the
   responder in order to protect the information.  The <id-subset> token
   is defined in Section 4.2.4.

   The <certchain> production contains one certificate chain.  A
   certificate chain starts with the requested certificate and continues
   with the certificates of subsequent issuers.  Each issuer certificate
   included must have issued the preceding certificate.  For each
   issuer, a CRL may be supplied.  A CRL in the chain belongs to the
   immediately following issuer.  Therefore, it potentially contains the
   immediately preceding certificate.

   The <crlchain> production contains one certificate revocation list
   chain.  The CRLs in the chain begin with the requested CRL and
   continue with the CRLs of subsequent issuers.  The issuer of each CRL
   is presumed to have issued a certificate for the issuer of the
   preceding CRL.  For each CRL, the issuer's certificate may be
   supplied.  A certificate in the chain must belong to the issuer of
   the immediately preceding CRL.

   The relationship between a certificate and an immediately preceding
   CRL is the same in both <certchain> and <crlchain>.  In a <certchain>
   the CRLs are optional.  In a <crlchain> the certificates are
   optional.

6.  Examples

   Each example is included as a separate section for ease of reference.

6.1.  Original Message Prepared for Protection

   Except as explicitly indicated, the following message is used as the
   message to be protected.

      To: Ned Freed <ned@innosoft.com>
      Subject: Hi Ned!

      How do you like the new MOSS?

      Jim








Crocker, et al              Standards Track                    [Page 31]
^L
RFC 1848             MIME Object Security Services          October 1995


6.2.  Sign Text of Original Message

   When the text of the original message is signed, it will look like
   this, where lines with an ampersand '&' are digitally signed (note
   the use of the public key identifier with the included email name
   identifier, on the lines marked with an asterisk '*'):

        To: Ned Freed <ned@innosoft.com>
        Subject: Hi Ned!
        MIME-Version: 1.0
        Content-Type: multipart/signed;
          protocol="application/moss-signature";
          micalg="rsa-md5"; boundary="Signed Boundary"

        --Signed Boundary
      & Content-Type: text/plain; charset="us-ascii"
      & Content-ID: <21436.785186814.2@tis.com>
      &
      & How do you like the new MOSS?
      &
      & Jim

        --Signed Boundary
        Content-Type: application/moss-signature
        Content-ID: <21436.785186814.1@tis.com>
        Content-Transfer-Encoding: quoted-printable

        Version: 5
      * Originator-ID: PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f=
      * qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8=
      * KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,=
      * 2,galvin@tis.com
        MIC-Info: RSA-MD5,RSA,PnEvyFV3sSyTSiGh/HFgWUIFa22jbHoTrFIMVERf=
        MZXUKzFsHbmKtIowJlJR56OoImo+t7WjRfzpMH7MOKgPgzRnTwk0T5dOcP/lfb=
        sOVJjleV7vTe9yoNp2P8mi/hs7

        --Signed Boundary--

6.3.  Sign Headers and Text of Original Message

   If, instead, we choose to protect the headers with the text of the
   original message, it will look like this, where lines with an
   ampersand '&' are encrypted:








Crocker, et al              Standards Track                    [Page 32]
^L
RFC 1848             MIME Object Security Services          October 1995


        To: Ned Freed <ned@innosoft.com>
        Subject: Hi Ned!
        MIME-Version: 1.0
        Content-Type: multipart/signed;
          protocol="application/moss-signature";
          micalg="rsa-md5"; boundary="Signed Boundary"

        --Signed Boundary
      & Content-Type: message/rfc822
      & Content-ID: <21468.785187044.2@tis.com>
      &
      & To:         Ned Freed <ned@innosoft.com>
      & Subject:    Hi Ned!
      &
      &
      & How do you like the new MOSS?
      &
      & Jim

        --Signed Boundary
        Content-Type: application/moss-signature
        Content-ID: <21468.785187044.1@tis.com>
        Content-Transfer-Encoding: quoted-printable

        Version: 5
        Originator-ID: PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4f=
        qQ61aoC1fO6BekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8=
        KRGJ9wh1HU4TrghGdhn0Lw8gG67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,=
        2,galvin@tis.com
        MIC-Info: RSA-MD5,RSA,ctbDBgkYtFW1sisb5w4/Y/p94LftgQ0IrEn3d6WT=
        wjfxFBvAceVWfawsZPLijVKZUYtbIqJmjKtzTJlagBawfA/KhUsvTZdR6Dj+4G=
        d8dBBwMKvqMKTHAUxGXYxwNdbK

        --Signed Boundary--

6.4.  Encrypt Text of a Message

   If we choose to encrypt the text of the following message, that is,
   encrypt the lines marked with asterisk '*':

        To: Jim Galvin <galvin@tis.com>
        Subject: an encrypted message

      * How do you like the new MOSS?
      *
      * Jim





Crocker, et al              Standards Track                    [Page 33]
^L
RFC 1848             MIME Object Security Services          October 1995


   the message would look as follows (note the use of the email name
   identifier, on the line marked with an asterisk '*'):

        To: Jim Galvin <galvin@tis.com>
        Subject: an encrypted message
        MIME-Version: 1.0
        Content-Type: multipart/encrypted;
          protocol="application/moss-keys";
          boundary="Encrypted Boundary"

        --Encrypted Boundary
        Content-Type: application/moss-keys
        Content-ID: <21535.785187667.1@tis.com>
        Content-Transfer-Encoding: quoted-printable

        Version: 5
        DEK-Info: DES-CBC,D488AAAE271C8159
      * Recipient-ID: EN,2,galvin@tis.com
        Key-Info: RSA,ISbC3IR01BrYq2rp493X+Dt7WrVq3V3/U/YXbxOTY5cmiy1/=
        7NvSqqXSK/WZq05lN99RDUQhdNxXI64ePAbFWQ6RGoiCrRs+Dc95oQh7EFEPoT=
        9P6jyzcV1NzZVwfp+u

        --Encrypted Boundary
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: base64

        AfR1WSeyLhy5AtcX0ktUVlbFC1vvcoCjYWy/yYjVj48eqzUVvGTGMsV6MdlynU
        d4jcJgRnQIQvIxm2VRgH8W8MkAlul+RWGu7jnxjp0sNsU562+RZr0f4F3K3n4w
        onUUP265UvvMj23RSTguZ/nl/OxnFM6SzDgV39V/i/RofqI=

        --Encrypted Boundary--




















Crocker, et al              Standards Track                    [Page 34]
^L
RFC 1848             MIME Object Security Services          October 1995


6.5.  Encrypt the Signed Text of a Message

   If, instead, we choose to sign the text before we encrypt it, the
   structure would be as follows, where lines with an asterisk '*' are
   digitally signed and lines with an ampersand '&' are encrypted:

          Content-Type: multipart/encrypted;
            protocol="application/moss-keys";
            boundary="Encrypted Boundary"

          --Encrypted Boundary
          Content-Type: application/moss-keys

          KEY INFORMATION

          --Encrypted Boundary
          Content-Type: application/octet-stream

      &   Content-Type: multipart/signed;
      &     protocol="application/moss-signature";
      &     micalg="rsa-md5"; boundary="Signed Boundary"
      &
      &   --Signed Boundary
      & * Content-Type: text/plain
      & *
      & * How do you like the new MOSS?
      & *
      & * Jim
      &
      &   --Signed Boundary
      &   Content-Type: application/moss-signature
      &
      &   SIGNATURE INFORMATION
      &
      &   --Signed Boundary--

          --Encrypted Boundary--

   where KEY INFORMATION and SIGNATURE INFORMATION are descriptive of
   the actual content that would appear in a real body part.  The actual
   message would be like this:










Crocker, et al              Standards Track                    [Page 35]
^L
RFC 1848             MIME Object Security Services          October 1995


      To: Jim Galvin <galvin@tis.com>
      Subject: an encrypted message
      MIME-Version: 1.0
      Content-Type: multipart/encrypted;
        protocol="application/moss-keys";
        boundary="Encrypted Boundary"

      --Encrypted Boundary
      Content-Type: application/moss-keys
      Content-ID: <21546.785188458.1@tis.com>
      Content-Transfer-Encoding: quoted-printable

      Version: 5
      DEK-Info: DES-CBC,11CC89F8D90F1DFE
      Recipient-ID: EN,2,galvin@tis.com
      Key-Info: RSA,AZTtlEc6xm0vjkvtVUITUh7sz+nOuOwP0tsym6CQozD9IwVIJz=
      Y8+vIfbh5BpR0kS6prq3EGFBFR8gRMUvbgHtEKPD/4ICQ7b6ssZ7FmKhl/cJC5rV=
      jpb4EOUlwOXwRZ

      --Encrypted Boundary
      Content-Type: application/octet-stream
      Content-Transfer-Encoding: base64

      ZvWvtosDzRBXJzkDFFRb9Qjrgm2nDWg3zotJ3ZpExpWUG/aRJ7Vwd+PWkSfrDPJ5
      2V/wkxwMrum6xJHZonrtyd0AvaztvriMm2zXTefzwpGG1i5zK47PBqreLA3HDTK2
      U6B13vzpE8wMSVefzaCTSpXRSCh08ceVEZrIYS53/CKZV2/Sga71pGNlux8MsJpY
      Lwdj5Q3NKocg1LMngMo8yrMAe+avMjfOnhui49Xon1Gft+N5XDH/+wI9qxI9fkQv
      NZVDlWIhCYEkxd5ke549tLkJjEqHQbgJW5C+K/uxdiD2dBt+nRCXcuO0Px3yKRyY
      g/9BgTf36padSHuv48xBg5YaqaEWpEzLI0Qd31vAyP23rqiPhfBn6sjhQ2KrWhiF
      2l3TV8kQsIGHHZUkaUbqkXJe6PEdWWhwsqCFPDdkpjzQRrTuJH6xleNUFg+CG1V+
      tL4IgMjQqm3KVojRXx8bG2auVN89NfwFswmoq4fXTrh3xyVS1VgxjKkcYI8SVVmk
      YjCxVviJP3zO2UzBvCoMfADtBVBz1njYETtVGDO97uT39MqL85uEgiF4E5TkOj/m
      04+88G0/vvN/RISKJiFQJ3FyVIB/ShX9Dixl8WCx3rxwN5g2QFLiyQVulzuNhimS
      D4ZxEo7smcTsAXUjwSLRtdjmTTutw2GmFESUaIrY81NcpQJRPNAvF0IkN6ddwL4q
      vzUS99vjQp15g9FUv82lHtHwhM18a9GokVG8xYOjBBsn9anp9abh4Tp/c/vpbunQ
      UqnpV29rF4wj+8OwUOMi9ymGabBXAjw7DhNH2RdRVr1upQO896OX81VWB0LsA0cp
      +ymxhTrEI+wCHcrsNMoRK/7zAeuAi0f1t9bN594EFlLoIrBnKEa1/OUAhMT7kG1f
      NkSRnc8BZswIoPyRetsTurQfD40nsVHvNwE9Jz7wbBo00gd6blPADOUYFxfW5zu6
      ubygBqJiKPM4II2fCdNj7CptfQcoRTeguKMVPLVmFg/EINuWBFm10GqlYT7p4zhf
      zysV/3r5LVZ1E8armTCRJ2GoYG5h+SKcytaQ0IT8S2nLPCZl1hzdajsrqHFe8omQ

      --Encrypted Boundary--









Crocker, et al              Standards Track                    [Page 36]
^L
RFC 1848             MIME Object Security Services          October 1995


6.6.  Protecting Audio Content

   In addition to text, the MOSS services as defined here will protect
   arbitrary body parts, for example, the following audio body part:

      Content-Type: audio/basic

      AUDIO DATA HERE

6.6.1.  Sign Audio Content

   When signed an audio content would appear as follows, where lines
   with an ampersand '&' are digitally signed:

        Content-Type: multipart/signed;
          protocol="application/moss-signature";
          micalg="rsa-md5"; boundary="Signed Boundary"

        --Signed Boundary
      & Content-Type: audio/basic
      & Content-Transfer-Encoding: base64
      &
      & base64(AUDIO-DATA-HERE)

        --Signed Boundary
        Content-Type: application/moss-signature

        SIGNATURE-INFORMATION-HERE

        --Signed Boundary--

   where AUDIO-DATA-HERE and SIGNATURE-INFORMATION-HERE are descriptive
   of the content that would appear in a real body part.

6.6.2.  Encrypt Audio Content

   When encrypted an audio content would appear as follows, where lines
   with an ampersand '&' are encrypted:













Crocker, et al              Standards Track                    [Page 37]
^L
RFC 1848             MIME Object Security Services          October 1995


        Content-Type: multipart/encrypted;
          protocol="application/moss-keys";
          boundary="Encrypted Boundary"

        --Encrypted Boundary
        Content-Type: application/moss-keys

        KEY-INFORMATION-HERE

        --Encrypted Boundary
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: base64

      & Content-Type: audio/basic
      &
      & base64(encrypted(AUDIO-DATA-HERE))

        --Encrypted Boundary--

   where KEY-INFORMATION-HERE and AUDIO-DATA-HERE are descriptive of the
   content that would appear in a real body part.

7.  Observations

   The use of MIME and the framework defined by [7] exhibits several
   properties:


   (1)  It allows arbitrary content types to be protected, not just the
        body of an RFC822 message.


   (2)  It allows a message to contain several body parts which may or
        may not be protected.


   (3)  It allows the components of a multipart or message content to be
        protected with different services.


   The use of a MIME-capable user agent makes complex nesting of
   protected message body parts much easier.  For example, the user can
   separately sign and encrypt a message.  This allows complete
   separation of the confidentiality security service from the digital
   signature security service.  That is, different key pairs could be
   used for the different services and could be protected separately.





Crocker, et al              Standards Track                    [Page 38]
^L
RFC 1848             MIME Object Security Services          October 1995


   This is useful for at least two reasons.  First, some public key
   algorithms do not support both digital signatures and encryption; two
   key pairs would be required in this case.  Second, an employee's
   company could be given access to the (private) decryption key but not
   the (private) signature key, thereby granting the company the ability
   to decrypt messages addressed to the employee in emergencies without
   also granting the company the ability to sign messages as the
   employee.

8.  Comparison of MOSS and PEM Protocols

   MOSS differs from PEM in the following ways.


   (1)  When using PEM, users are required to have certificates.  When
        using MOSS, users need only have a public/private key pair.


   (2)  MOSS broadens the allowable name forms that users may use to
        identify their public keys, including arbitrary strings, email
        addresses, or distinguished names.


   (3)  PEM currently only supports text-based electronic mail messages
        and the message text is required to be represented by the ASCII
        character set with "<CR><LF>" line delimiters.  These
        restrictions no longer apply.


   (4)  The PEM specification currently requires that encryption
        services be applied only to message bodies that have been
        signed.  By providing for each of the services separately, they
        may be applied in any order according to the needs of the
        requesting application.


   (5)  MIME includes transfer encoding operations to ensure the
        unmodified transfer of body parts.  Therefore, unlike PEM, MOSS
        does not need to include these functions.


   (6)  PEM specifies a Proc-Type: header field to identify the type of
        processing that was performed on the message.  This
        functionality is subsumed by the MIME Content-Type: headers.
        The Proc-Type: header also includes a decimal number that is
        used to distinguish among incompatible encapsulated header field
        interpretations which may arise as changes are made to the PEM
        standard.  This functionality is replaced by the Version: header



Crocker, et al              Standards Track                    [Page 39]
^L
RFC 1848             MIME Object Security Services          October 1995


        specified in this document.


   (7)  PEM specifies a Content-Domain: header, the purpose of which is
        to describe the type of the content which is represented within
        a PEM message's encapsulated text.  This functionality is
        subsumed by the MIME Content-Type: headers.


   (8)  The PEM specifications include a document that defines new types
        of PEM messages, specified by unique values used in the Proc-
        Type: header, to be used to request certificate and certificate
        revocation list information.  This functionality is subsumed by
        two new content types specified in this document:
        application/mosskey- request and application/mosskey-data.


   (9)  The header fields having to do with certificates (Originator-
        Certificate: and Issuer-Certificate:) and CRLs (CRL:) are
        relegated for use only in the application/mosskey-data and
        application/mosskey-request content types and are no longer
        allowed in the header portion of a PEM signed or encrypted
        message.  This separates key management services from the
        digital signature and encryption services.


   (10) The grammar specified here explicitly separates the header
        fields that may appear for the encryption and signature security
        services.  It is the intent of this document to specify a
        precise expression of the allowed header fields; there is no
        intent to disallow the functionality of combinations of
        encryption and signature security found in [3].


   (11) With the separation of the encryption and signature security
        services, there is no need for a MIC-Info: field in the headers
        associated with an encrypted message.


   (12) In [3], when asymmetric key management is used, an Originator-ID
        field is required in order to identify the private key used to
        sign the MIC argument in the MIC-Info: field.  Because no MIC-
        Info: field is associated with the encryption security service
        under asymmetric key management, there is no requirement in that
        case to include an Originator-ID field.


   (13) The protocol specified here explicitly excludes symmetric key



Crocker, et al              Standards Track                    [Page 40]
^L
RFC 1848             MIME Object Security Services          October 1995


        management.


   (14) This document requires all data that is to be digitally signed
        to be represented in 7bit form.


9.  Security Considerations

   This entire document is about security.

10.  Acknowledgements

   David H. Crocker suggested the use of a multipart structure for the
   MIME and PEM interaction, which has evolved into the MOSS protocol.

   The MOSS protocol is a direct descendant of the PEM protocol.  The
   authors gratefully acknowledge the editors of those specification,
   especially John Linn and Steve Kent.  This work would not have been
   possible had it not been for all of the PEM developers, users, and
   interested persons who are always present on the PEM developers
   mailing list and at PEM working group meetings at IETF meetings,
   especially, Amanda Walker, Bob Juenemann, Steve Dusse, Jeff Thomson,
   and Rhys Weatherly.

11.  References

   [1] Crocker, D., "Standard for the Format of ARPA Internet Text
       Messages", STD 11, RFC 822, University of Delaware, August 1982.

   [2] Borenstein, N., and N. Freed, "MIME (Multipurpose Internet Mail
       Extension) Part One: Mechanisms for Specifying and Describing the
       Format of Internet Message Bodies", RFC 1521, Bellcore and
       Innosoft, September 1993.

   [3] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part
       I: Message Encryption and Authentication Procedures", RFC 1421,
       IAB IRTF PSRG, IETF PEM WG, February 1993.

   [4] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part
       II: Certificate-Based Key Management", RFC 1422, BBN
       Communications, February 1993.

   [5] Balenson, D., "Privacy Enhancement for Internet Electronic Mail:
       Part III: Algorithms, Modes, and Identifiers", RFC 1423, Trusted
       Information Systems, February 1993.





Crocker, et al              Standards Track                    [Page 41]
^L
RFC 1848             MIME Object Security Services          October 1995


   [6] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail:
       Part IV: Key Certification and Related Services", RFC 1424, RSA
       Laboratories, February 1993.

   [7] Galvin, J., Murphy, S., Crocker, S., and N. Freed, "Security
       Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
       RFC 1847, Trusted Information Systems and Innosoft, September
       1995.

   [8] The Directory -- Models.  X.501, 1988.  Developed in
       collaboration, and technically aligned, with ISO 9594-2.

   [9] The Directory -- Authentication Framework.  X.509, 1988.
       Developed in collaboration, and technically aligned, with ISO
       9594-8.




































Crocker, et al              Standards Track                    [Page 42]
^L
RFC 1848             MIME Object Security Services          October 1995


12.  Authors' Addresses

   Steve Crocker
   CyberCash, Inc.
   2086 Hunters Crest Way
   Vienna, VA 22181

   Phone: +1 703 620 1222
   Fax: +1 703 391 2651
   EMail:  crocker@cybercash.com


   James M. Galvin
   Trusted Information Systems
   3060 Washington Road
   Glenwood, MD  21738

   Phone: +1 301 854 6889
   Fax: +1 301 854 5363
   EMail:  galvin@tis.com


   Sandra Murphy
   Trusted Information Systems
   3060 Washington Road
   Glenwood, MD  21738

   Phone: +1 301 854 6889
   Fax: +1 301 854 5363
   EMail:  murphy@tis.com


   Ned Freed
   Innosoft International, Inc.
   1050 East Garvey Avenue South
   West Covina, CA 91790

   Phone: +1 818 919 3600
   Fax: +1 818 919 3614
   EMail:  ned@innosoft.com











Crocker, et al              Standards Track                    [Page 43]
^L
RFC 1848             MIME Object Security Services          October 1995


Appendix A: Collected Grammar

   The version of the grammar in this document is as follows:

      <version>       ::= "Version:" "5" CRLF


   The following grammar tokens are used throughout this specification:

      <encbin>        ::= 1*<encbingrp>

      <encbingrp>     ::= 4*4<encbinchar>

      <encbinchar>    ::= <ALPHA> / <DIGIT> / "+" / "/" / "="

      <hexchar>       ::= <DIGIT> / "A" / "B" / "C" / "D" / "E" / "F"
                          ; no lower case


   The content of an application/moss-signature body part is as follows:

      <mosssig>       ::= <version> ( 1*<origasymflds> )

      <version>       ::= "Version:" "5" CRLF

      <origasymflds>  ::= <origid> <micinfo>

      <origid>        ::= "Originator-ID:" <id> CRLF

      <micinfo>       ::= "MIC-Info:" <micalgid> "," <ikalgid> ","
                          <asymsignmic> CRLF


   The content of an application/moss-keys body part is as follows:

      <mosskeys>      ::= <version> <dekinfo> 1*<recipasymflds>

      <version>       ::= "Version:" "5" CRLF

      <dekinfo>       ::= "DEK-Info" ":" <dekalgid>
                          [ "," <dekparameters> ] CRLF

      <recipasymflds> ::= <recipid> <asymkeyinfo>

      <recipid>       ::= "Recipient-ID:" <id> CRLF

      <asymkeyinfo>   ::= "Key-Info" ":" <ikalgid> "," <asymencdek> CRLF




Crocker, et al              Standards Track                    [Page 44]
^L
RFC 1848             MIME Object Security Services          October 1995


   Identifiers are defined as follows:

      <id>            ::= <id-subset> / <id-publickey> / <id-issuer>

      <id-subset>     ::= <id-email> / <id-string> / <id-dname>

      <id-email>      ::= "EN"  "," <keysel> "," <emailstr> CRLF

      <id-string>     ::= "STR" "," <keysel> "," <string> CRLF

      <id-dname>      ::= "DN"  "," <keysel> "," <dnamestr> CRLF

      <id-publickey>  ::= "PK"  "," <publickey> [ "," <id-subset> ] CRLF

      <id-issuer>     ::= "IS"  "," <dnamestr>  "," <serial> CRLF

      <keysel>        ::= 1*<hexchar>
                          ; hex dump of a non-null sequence of octets

      <emailstr>      ::= <addr-spec> / <route-addr>
                          ; an electronic mail address as defined by
                          ; these two tokens from RFC822

      <string>        ::= ; a non-null sequence of characters

      <dnamestr>      ::= <encbin>
                          ; a printably encoded, ASN.1 encoded
                          ; distinguished name (as defined by the 'Name'
                          ; production specified in X.501 [8])

      <publickey>     ::= <encbin>
                          ; a printably encoded, ASN.1 encoded public
                          ; key (as defined by the
                          ; 'SubjectPublicKeyInfo' production specified
                          ; in X.509 [9])

      <serial>        ::= 1*<hexchar>
                          ; hex dump of a certificate serial number


   The content of an application/mosskey-request body part is as
   follows:

      <request>       ::= <version>
                          ( <subject> / <issuer> / <certification> )

      <version>       ::= "Version:" "5" CRLF




Crocker, et al              Standards Track                    [Page 45]
^L
RFC 1848             MIME Object Security Services          October 1995


      <subject>       ::= "Subject:" <id> CRLF

      <issuer>        ::= "Issuer:" <id> CRLF

      <certification> ::= "Certification:" <encbin> CRLF


   The content of an application/mosskey-data body part is as follows:

      <mosskeydata>   ::= <version>
                          ( <publickeydata> / <certchain> / <crlchain> )

      <version>       ::= "Version:" "5" CRLF

      <publickeydata> ::= "Key:" "PK" "," <publickey> ","
                          <id-subset> CRLF

      <certchain>     ::= <cert> *( [ <crl> ] <cert> )

      <crlchain>      ::= 1*( <crl> [ <cert> ] )

      <cert>          ::= "Certificate:" <encbin> CRLF

      <crl>           ::= "CRL:" <encbin> CRLF



























Crocker, et al              Standards Track                    [Page 46]
^L
RFC 1848             MIME Object Security Services          October 1995


Appendix B: Imported Grammar

   Options normally present in the grammar reprinted here which are
   illegal in MOSS are excluded in this reprinting, for the convenience
   of the reader.

   The following productions are taken from [5].  The grammar presented
   in [5] remains the authoritative source for these productions; they
   are repeated here for the convenience of the reader.

      <dekalgid>         ::= "DES-CBC"
      <ikalgid>          ::= "RSA"
      <micalgid>         ::= "RSA-MD2" / "RSA-MD5"

      <dekparameters>    ::= <DESCBCparameters>
      <DESCBCparameters> ::= <IV>
      <IV>               ::= <hexchar16>
      <hexchar16>        ::= 16*16<hexchar>

      <asymsignmic>      ::= <RSAsignmic>
      <RSAsignmic>       ::= <encbin>

      <asymencdek>       ::= <RSAencdek>
      <RSAencdek>        ::= <encbin>

   The following productions are taken from [1].  The grammar presented
   in [1] remains the authoritative source for these productions; they
   are repeated here for the convenience of the reader.

      <route-addr>    ::= "<" [ <route> ] <addr-spec> ">"

      <route>         ::=  1# ( "@" <domain> ) ":" ; path-relative


      <addr-spec>     ::= <local-part> "@" <domain>; global address

      <local-part>    ::= <word> *( "." <word> )   ; uninterpreted
                                                   ; case-preserved

      <domain>        ::= <sub-domain> *( "." <sub-domain> )

      <sub-domain>    ::= <domain-ref> / <domain-literal>

      <domain-ref>    ::= <atom>                   ; symbolic
                                                   ; reference

      <domain-literal>::= "[" *( <dtext> / <quoted-pair> ) "]"




Crocker, et al              Standards Track                    [Page 47]
^L
RFC 1848             MIME Object Security Services          October 1995


      <dtext>         ::= <any CHAR excluding "[", "]",
                          "\" & <CR>, & including
                          linear-white-space>
                                                   ; => may be folded


      <word>          ::= <atom> / <quoted-string>

      <quoted-string> ::= """ *( <qtext> / <quoted-pair> ) """

      <qtext>         ::= (any <CHAR> excepting """, "\", and CR,
                           and including <linear-white-space>)

      <quoted-pair>   ::= "\" <CHAR>               ; may quote any
                                                   ; char

      <linear-white-space> ::= 1*( [ CRLF ] <LWSP-char> )
                                                   ; semantics = SPACE
                                                   ; CRLF => folding

      <LWSP-char>     ::= SPACE / HTAB             ; semantics = SPACE


      <atom>          ::= 1*(any <CHAR>
                          except <specials>, SPACE and <CTL>s)

      <CHAR>          ::= <any ASCII character>

      <CTL>           ::= <any ASCII control character and DEL>

      <specials>      ::= "(" / ")" / "<" / ">" / "@"
                          /  "," / ";" / ":" / "\" / <">
                          /  "." / "[" / "]"
                                                   ; Must be in quoted-
                                                   ; string, to use
                                                   ;  within a word.

      <ALPHA>         ::= <any ASCII alphabetic character>
                                                   ; (101-132, 65.-90.)
                                                   ; (141-172, 97.-122.)

      <DIGIT>         ::= <any ASCII decimal digit>; (60-71, 48.-57.)









Crocker, et al              Standards Track                    [Page 48]
^L