Recommendation of advancement of PEM specs
Stephen D Crocker <crocker@tis.com> Sat, 21 November 1992 19:36 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa01456; 21 Nov 92 14:36 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa01449; 21 Nov 92 14:36 EST
Received: from TIS.COM by CNRI.Reston.VA.US id aa10462; 21 Nov 92 14:36 EST
Received: by TIS.COM (4.1/SUN-5.64) id AA05050; Sat, 21 Nov 92 14:21:23 EST
Received: from TIS.COM by TIS.COM (4.1/SUN-5.64) id AA05044; Sat, 21 Nov 92 14:21:21 EST
Message-Id: <9211211921.AA05044@TIS.COM>
To: iesg@nri.reston.va.us
Cc: pem-dev@tis.com, saag@tis.com, crocker@tis.com
Subject: Recommendation of advancement of PEM specs
Date: Sat, 21 Nov 1992 14:21:20 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Stephen D Crocker <crocker@tis.com>
X-Orig-Sender: pem-dev-relay@tis.com
To the IESG: The specifications for Privacy Enhanced Mail (PEM) are ready for advancement to Proposed Standard status. Per our current rules, attached is a description, review and recommendation of the documents. Stephen D. Crocker Area Director for Security Interent Engineering Task Force Recommendation and Analysis of the Specifications for Privacy Enhanced Mail There are four documents in the Privacy Enhancement for Internet Electronic Mail series: draft-ietf-pem-msgproc-02.txt draft-ietf-pem-keymgmt-01.txt draft-ietf-pem-algorithms-02.txt (*) draft-ietf-pem-forms-01.txt (* The revision of draft-ietf-pem-algorithms was sent separately to internet-drafts and should appear in the Internet-Drafts directory shortly. It was also sent to pem-dev.) A technical summary of each of the documents is included below. The working group summary, technical assessment, and document quality paragraphs are the same for all documents and are presented first. WORKING GROUP SUMMARY The PEM specifications originated with the Privacy and Security Research Group. As part of the transition of the specifications from research to standards track documents a working group within the IETF was created, which has met at each IETF since its creation. The documents have been available as an Internet Draft since at least September 1992 and represent the consensus of the working group. TECHNICAL ASSESSMENT The PEM specifications have been under development for almost 6 years. During that time, parts of the specifications have been published, revised and republished, with each new publication including corrections and enhancements commensurate with the experience obtained from implementations and continued deliberations. The specifications have not changed dramatically since March 1992; they are technically sound and consistent with the internet architecture and the anticipated internet security architecture. This protocol opens the door for widespread use of cryptography throughout the Internet which will result in greatly increased security for mail traffic. This protocol is of premier importance in the Internet and will facilitate transition of the Internet to a robust, commercially acceptable medium. The approach chosen in the design of this protocol is to use the public key infrastructure defined in X.509 and encapsulation of messages within the RFC 822 protocol. This approach makes full use of the prior work in the CCITT and ISO community, and it fits cleanly into the existing mail model. There are two difficulties with the approach taken in this design. The articulation of boundaries and parameters is particular to the use of PEM within the RFC 822 mail protocol. MIME includes general facilities for these functions. It would be preferable for this protocol to be aligned with MIME. MIME was not available at the time this protocol was designed, so it is proceeding separately. See below for additional comments on the alignment of MIME and PEM. The certificate infrastructure is large and awkward to bring into existence. It will pay off enormously in this and future protocols because it provides an organized framework for establishing trusted identification and binding of identities to public keys. However, it is not easy to initiate and necessarily slows the deployment and adoption of PEM. Neither of these difficulties affect the soundness of the PEM design. In the current milieu, it is important to deploy this protocol and deal with the difficulties over a period of time. DOCUMENT QUALITY Although each of the PEM specifications has a different editor, they have all cooperated to make the documents fit together as a set. They are well written, easy to understand, and provide enough background material to make them suitable for a security neophyte. At the time of the third publication of the specifications, three independent, interoperable implementations were known to exist. Currently, only two of those are aligned with the current version of the specifications. One minor nit: only the Part III includes a Table of Contents. Part I: Message Encryption and Authentication Procedures (draft-ietf-pem-msgproc-02.txt) -- John Linn, Editor This document defines message encryption and authentication procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail transfer in the Internet. It is intended to become one member of a related set of four RFCs. The procedures defined are intended to be compatible with a wide range of key management approaches, including both symmetric (secret-key) and asymmetric (public-key) approaches for encryption of data encrypting keys. Use of symmetric cryptography for message text encryption and/or integrity check computation is anticipated. Other documents specify supporting key management mechanisms based on the use of public-key certificates; algorithms, modes, and associated identifiers; and details of paper and electronic formats and procedures for the key management infrastructure being established in support of these services. Privacy enhancement services (confidentiality, authentication, message integrity assurance, and non-repudiation of origin) are offered through the use of end-to-end cryptography between originator and recipient processes at or above the User Agent level. No special processing requirements are imposed on the Message Transfer System at endpoints or at intermediate relay sites. This approach allows privacy enhancement facilities to be incorporated selectively on a site-by-site or user-by-user basis without impact on other Internet entities. Interoperability among heterogeneous components and mail transport facilities is supported. The current specification's scope is confined to PEM processing procedures for the RFC-822 textual mail environment. Integration of PEM capabilities with MIME and possibly other mail environments is anticipated, but the specifications are yet to be worked out. In partial anticipation of such integration, the header "Content-Domain" with value "RFC822" is included as a hook. See below for additional discussion. Part II: Certificate-Based Key Management (draft-ietf-pem-keymgmt-o1.txt) -- Stephen Kent, Editor This document defines a supporting key management architecture and infrastructure, based on public-key certificate techniques, to provide keying information to message originators and recipients. It is intended to be one member of a related set of four RFCs. The key management architecture described is compatible with the authentication framework described in CCITT 1988 X.509. This document goes beyond X.509 by establishing procedures and conventions for a key management infrastructure for use with Privacy Enhanced Mail (PEM) and with other protocols, from both the TCP/IP and OSI suites, in the future. The motivations for establishing these procedures and conventions (as opposed to relying only on the very general framework outlined in X.509) are explained in the document. The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA). The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy. Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations. Each PCA is certified by the IPRA. Below PCAs, Certification Authorities (CAs) will be established to certify users and subordinate organizational entities (e.g., departments, offices, subsidiaries, etc.). Initially, the majority of users are expected to be registered via organizational affiliation, consistent with current practices for how most user mailboxes are provided. Some CAs are expected to provide certification for residential users in support of users who wish to register independent of any organizational affiliation. For users who wish anonymity while taking advantage of PEM privacy facilities, one or more PCAs are expected to be established with policies that allow for registration of users, under subordinate CAs, who do not wish to disclose their identities. Part III: Algorithms, Modes, and Identifiers (draft-ietf-pem-algorithms-02.txt) -- David Balenson, Editor This document provides definitions, formats, references, and citations for cryptographic algorithms, usage modes, and associated identifiers and parameters used in support of Privacy Enhanced Mail. It is intended to become one member of a related set of four RFCs. It is organized into four primary sections, dealing with message encryption algorithms, message integrity check algorithms, symmetric key management algorithms, and asymmetric key management algorithms (including both asymmetric encryption and asymmetric signature algorithms). Some parts of this material are cited by other documents and it is anticipated that some of the material herein may be changed, added, or replaced without affecting the citing documents. Part IV: Key Certification and Related Services (draft-ietf-pem-forms-01.txt) -- Burt Kaliski, Editor This document describes three types of service in support of Internet Privacy Enhanced Mail: key certification, certificate revocation list (CRL) storage, and CRL retrieval. It is intended to be one member of a related set of four RFCs. The services described are among those required of a Certification Authority. Each involves an electronic mail request message and an electronic mail reply message. The request may be either a privacy enhanced mail message or a message with a new syntax defined in this document. The new syntax has a different process type, thereby distinguishing it from ordinary privacy enhanced mail messages. The reply is either a privacy enhanced mail message or an ordinary unstructured message. Replies that are privacy enhanced messages can be processed like any other privacy enhanced message, so that the new certificate or the retrieved CRLs can be inserted into the requester's database during normal privacy enhanced mail processing. Certification authorities may also require non-electronic forms of the request and may return non-electronic replies. It is expected that descriptions of such forms, which are outside the scope of this document, will be available through a Certification Authority's "information" service. FUTURE DEVELOPMENTS Integration of MIME and PEM As noted above, it is desirable for MIME and PEM to be integrated. Although there is great pressure to integrate these as quickly as possible, there is even greater pressure to bring PEM out as quickly as possible. The clear consensus is to move these specifications forward now. In the future, proposals and trial implementations for merged MIME-with-PEM systems will be developed, and the resulting specifications may appear on the standards track in short order. Compatibility between these specifications and any new specifications will be of obvious concern. Preliminary analysis indicates that translation between PEM into MIME-with-PEM will be trivial. In my opinion, translation from MIME-with-PEM to PEM is also expected to be straightforward as long as the MIME-with-PEM messages contain only plain text, message and multipart content types. Alternative Algorithms Part III of these specifications define the use of the RSA, DES, MD2 and MD5 algorithms. The U.S. government is actively developing an alternative suite of algorithms which it intends to standardize. Many U.S. government agencies feel it will be necessary to use these algorithms and not to use the algorithms defined in Part III of this specification. As a separate but related matter, the U.S. government, along with other members of CoCom, prohibit the general export of software containing certain forms of cryptography. In particular, software containing DES for encryption is not generally exportable. Although software can be developed separately in some countries to avoid the export issue, a more general solution is to use a set of algorithms which are exportable. Export permission has been granted for various symmetric algorithms which are weaker than DES and for the use RSA with limits on the key size. Of particular note, the Software Publishers Association has reached agreement with the U.S. government for general export of software containing RC2 and RC4 with 40 bit keys and RSA with a limit of 512 bit keys when RSA is used for key exchange. (There is no limit when RSA is used only for signature and integrity.) RC2 and RC4 are symmetric key encryption algorithms developed by RSADSI and available under license. The U.S. government is now providing expedited processing of license requests for software that meets these terms. The pressure to use these alternative algorithms poses a challenge for our community and our standards process. The introduction of new algorithm requires substantial vetting to make sure it is technically sound. No complete methods exist for proving the soundness of a cryptographic algorithm, so this is necessarily a tedious and artful process. Moreover, the use of multiple algorithms within the same environment poses substantial compatibility problems. For these reasons, it is desirable to set a high threshold before admitting any additional algorithms onto the standards track. At the same time, the pressures to incorporate additional algorithms are already evident. Completely ignoring or prohibiting the use of alternative algorithms will not be a successful strategy. The Part III specification speaks to the issue of incorporation of additional algorithms into the standard and says such incorporation will be accomplished by issuing a successor document. Part III specification also addresses the interim development process by suggesting that alternative algorithms may be documented in Experimental or Prototype RFCs prior to adoption into the standard. As experience is gained, these protocols may be considered for incorporation into the standard.
- Recommendation of advancement of PEM specs Stephen D Crocker