1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
|
Network Working Group R. Housley
Request for Comments: 4073 Vigil Security
Category: Standards Track May 2005
Protecting Multiple Contents with the
Cryptographic Message Syntax (CMS)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes a convention for using the Cryptographic
Message Syntax (CMS) to protect a content collection. If desired,
attributes can be associated with the content.
1. Introduction
This document describes a convention for using the Cryptographic
Message Syntax (CMS) [CMS] to protect a content collection. The
content-collection content type is used to transfer one or more
contents, each identified by a content type. If desired, the
content-with-attributes content type can be used to associate
arbitrary attributes with the content.
The convention described in this document is not needed when CMS is
used with MIME [MSG]. MIME multipart [MIME] provides a
straightforward and widely deployed mechanism for carrying more than
one content item, each associated with a MIME type.
However, CMS is not always used with MIME. Sometimes CMS is used in
an exclusively ASN.1 [ASN1] environment. In this case, the content-
collection content type is used to gather more than one content item,
each with an object identifier to specify the content type.
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as
described in [STDWORDS].
Housley Standards Track [Page 1]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
1.1. Content Collection Example
This section provides one simple example to illustrate the need for
the content-collection content type. Consider an art collector who
wants to sell one of his pieces, an ancient Greek urn called an
amphora. The collector wants to compose a digitally signed offer for
sale. It includes three parts. The first part contains the owner's
offer for sale, including the asking price. The second part contains
a high-quality image of the amphora. The final part contains an
appraisal from a well-respected ceramics expert. The final part is
digitally signed by the expert. Figure 1 illustrates the structure,
and the CMS SignedData content type is used for the two digital
signatures.
+---------------------------------------------------------+
| |
| ContentInfo |
| |
| +-----------------------------------------------------+ |
| | | |
| | SignedData | |
| | | |
| | +-------------------------------------------------+ | |
| | | | | |
| | | ContentCollection | | |
| | | | | |
| | | +-----------+ +-----------+ +-----------------+ | | |
| | | | | | | | | | | |
| | | | Owner's | | Image | | SignedData | | | |
| | | | Offer to | | of the | | | | | |
| | | | Sell the | | Amphora | | +-------------+ | | | |
| | | | Amphora | | | | | | | | | |
| | | | | | | | | Appraisal | | | | |
| | | | | | | | | of Ceramics | | | | |
| | | | | | | | | Expert | | | | |
| | | | | | | | | | | | | |
| | | | | | | | +-------------+ | | | |
| | | | | | | | | | | |
| | | +-----------+ +-----------+ +-----------------+ | | |
| | | | | |
| | +-------------------------------------------------+ | |
| | | |
| +-----------------------------------------------------+ |
| |
+---------------------------------------------------------+
Figure 1. Sample use of the ContentCollection Content Type
Housley Standards Track [Page 2]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
1.2. Content with Attributes Example
This section provides one simple example to illustrate the need for
the content-with-attributes content type. Consider the art collector
from the previous example. Instead of providing a single image of
the amphora, the collector provides several images. To aid potential
buyers, the collector attaches several attributes to each image. The
attributes provide information about the resolution of the image, the
date the image was taken, the photographer, and so on. Figure 2
illustrates the collection of images, showing only two images, each
with three attributes. This entire image content collection could be
carried instead of the single image shown in Figure 1, allowing it to
be covered by the collector's digital signature.
+----------------------------------------------------------+
| |
| ContentCollection |
| |
| +-------------------------+ +-------------------------+ |
| | | | | |
| | ContentWithAttributes | | ContentWithAttributes | |
| | | | | |
| | +---------------------+ | | +---------------------+ | |
| | | | | | | | | |
| | | First Image of | | | | Second Image of | | |
| | | the Amphora | | | | the Amphora | | |
| | | | | | | | | |
| | | | | | | | | |
| | +---------------------+ | | +---------------------+ | |
| | | | | |
| | +---------------+ | | +---------------+ | |
| | | | | | | | | |
| | | Attribute 1 | | | | Attribute 1 | | |
| | | +--+ | | | +--+ | |
| | +-+-------------+ | | | +-+-------------+ | | |
| | | Attribute 2 | | | | Attribute 2 | | |
| | | +--+ | | | +--+ | |
| | +-+--------------+ | | | +-+--------------+ | | |
| | | Attribute 3 | | | | Attribute 3 | | |
| | | | | | | | | |
| | +-----------------+ | | +-----------------+ | |
| | | | | |
| +-------------------------+ +-------------------------+ |
| |
+----------------------------------------------------------+
Figure 2. Sample use of the ContentWithAttributes Content Type
Housley Standards Track [Page 3]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
2. Content Collection Content Type
The content-collection content type is used to transfer a collection
of content items, each identified by a content type. The syntax
accommodates contents with varying levels of protection. For
example, a content collection could include CMS protection content
types as well as unprotected content types. A content collection is
expected to be encapsulated in one or more CMS protecting content
types, but this is not required by this specification.
The following object identifier names the content collection content
type:
id-ct-contentCollection OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) smime(16) ct(1) 19 }
The content-collection content has the following syntax:
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
The ContentCollection contains a sequence of ContentInfo, one for
each content in the collection. The ContentInfo structure is defined
in CMS. The contentType object identifier within the ContentInfo
indicates the type of the associated content. Implementations of
this specification SHOULD be prepared to handle object identifiers
for the SignedData, EncryptedData, EnvelopedData, and
AuthenticatedData content types, as specified in [CMS].
Implementations of this specification SHOULD also be prepared to
handle the object identifier for the CompressedData content type as
specified in [COMPRESS].
3. Content-with-Attributes Content Type
The content-with-attributes content type is used to transfer a single
content, which is identified by a content type, and a collection of
attributes associated with that content. The syntax accommodates an
arbitrary number of attributes; however, there must be at least one
attribute.
The following object identifier names the content-with-attributes
content type:
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) smime(16) ct(1) 20 }
Housley Standards Track [Page 4]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
The content-with-attributes content has the following syntax:
ContentWithAttributes ::= SEQUENCE {
content ContentInfo,
attrs SEQUENCE SIZE (1..MAX) OF Attribute }
The ContentWithAttributes contains a sequence of a single ContentInfo
item followed by a sequence of attributes. The ContentInfo structure
is defined in CMS. The contentType object identifier within the
ContentInfo indicates the type of the content. The Attribute
structure was originally defined in X.501 [X501], and the definition
is repeated in CMS.
4. Security Considerations
The content-collection content type is used to transfer one or more
contents, each identified by a content type. The syntax accommodates
contents with varying levels of protection. For example, a content
collection could include CMS protection content types as well as
unprotected content types. A content collection is expected to be
encapsulated in one or more CMS protecting content types, but this is
not required by this specification. As a result, implementations
MUST be prepared to handle multiple levels of encapsulation.
The security considerations discussed in [CMS] are relevant when CMS
is used to protect more than one content by making use of the content
collection content type or content with attributes content type.
5. References
5.1. Normative References
[ASN1] CCITT. Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988.
[COMPRESS] Gutmann, P., "Compressed Data Content Type for
Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004.
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Housley Standards Track [Page 5]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
5.2. Informative References
[MIME] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.
[MSG] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004.
[X501] CCITT. Recommendation X.501: The Directory -- Models.
1988.
Housley Standards Track [Page 6]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
Appendix A: ASN.1 Module
The ASN.1 module contained in this appendix defines the structures
that are needed to implement this specification. It is expected to
be used in conjunction with the ASN.1 modules in [CMS] and
[COMPRESS].
ContentCollectionModule
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) 26 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
Attribute, ContentInfo
FROM CryptographicMessageSyntax2004 -- [CMS]
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) };
-- Content Collection Content Type and Object Identifier
id-ct-contentCollection OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) smime(16) ct(1) 19 }
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
-- Content With Attributes Content Type and Object Identifier
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) smime(16) ct(1) 20 }
ContentWithAttributes ::= SEQUENCE {
content ContentInfo,
attrs SEQUENCE SIZE (1..MAX) OF Attribute }
END
Housley Standards Track [Page 7]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
Author's Address
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com
Housley Standards Track [Page 8]
^L
RFC 4073 Protecting Multiple Contents with the CMS May 2005
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Housley Standards Track [Page 9]
^L
|
