Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)

["Bob Jueneman" <BJUENEMAN@novell.com>]

Regarding the need for business access to encrypted communications --
I agree that the need is not strong, and I would hate to have to make the business case for a product that had that as its central justification, but there are valid examples outside of the military/intelligence community.

You might want to look at the key Recovery Alliance's web site www.kra.org for the Business Scenarios report, which addresses some of these needs for business key recovery, even for transitive communications.

Examples include review of outgoing communications by stock brokers to ensure that they are not engaging in insider trading (I believe this is imposed by law), companies who may have a positive duty to investigate a claimed case of sexual harassment, internal investigations of possible fraud or theft of trade secret information, etc.

Completely independent of these scenarios, there may be an additional requirement for server-based encryption of outgoing e-mail to support disconnected operation.

If a user composes an email message on his laptop while on an airplane, he may not have access to the recipient's certificates, and in particular, almost surely does not have access to the current CRLs.  Since the message can't be transmitted until the user reconnects, it may be acceptable and perhaps even desirable to have the server perform the encryption in the recipient's public key, after checking the CRLs, without necessarily making the user wait for all this while he is on a pay phone in the airport.  This doesn't mean that the information goes from the client to the server in the clear -- a symmetric key could easily be used.  

On the other hand, the checking of the certificates could be deferred, and the outgoing mail returned if the certificate has expired or been revoked. This would not require the server to be trusted.  

Obviously most users would probably prefer this option, but in most companies the users don't buy the software does, the IS department does, and their needs may therefore dominate.

Caveat emptor.

Bob

>>> William Ottaway <w.ottaway@eris.dera.gov.uk> 09/29 1:56 AM >>>
At 18:48 28/09/98 +0100, Adam Back wrote:
>
>Bill Ottaway writes:
>> However, organisations want to control the release of messages from their
>> employees.  They want to make sure outgoing messagers do not contain any
>> sensitive information or viruses. If the sender encrypts his mail
>> using the recipients key the organisation can not perform any of
>> these checks.
>
>Snooping outgoing email for sensitive information isn't a general
>commercial requirement.
>
>It is predominantly a government / signals intelligence special
>interest goal.
>
>UK's DERA (Defense Research Agency) / GCHQ designed the CASM protocol
>to allow snooping on sent and received email.
>
>CASM is partly based on server encryption.  Bill works for DERA
>(dera.gov.uk), so I am wondering if he is thinking of CASM in his
>comments, in that some of his arguments are couched in terms of a
>desire for mail snooping, while others were discussing server
>decryption purely in terms of ease of deployment, and adding blanket
>super-encryption, security and forward-secrecy for email that would
>otherwise not be encrypted.
>

No I wasn't thinking of CASM. I was just making a point that certain
organisations will want to be able to check their employees email for one
reason or another, this is not a military/government only issue.

Once companies start signing outgoing mail, which they will do, they are
taking some responsibility for the contents of that message. If that
message contained a virus then they could be sued for damage caused by that
virus. Signing is also a powerful mechanism which can be used in financial
transactions. Joe Blogs might not have the authority to perform financial
transactions, but a rubber seal from his organisation does carry the this
authority. This sort of transaction may need to be encrypted so that other
commercial organisations do not get wind of what you are up to. 

Yes the military and government have sensitive information which they do
not want to be mailed out of their organisations, but so do commercial
organisations (e.g. trade secrets, research, etc). This may not be a
requirement of all commercial companies but it still needs to be taken into
account when considering signing and encrypting messages. 

I would expect all large organisations, military, government or commercial
to require the ability to check employees email and to do
encryption/signing by the organisation.




>(CASM includes a form of GACK involving recomputing seed material, for
>details see:
>
>	http://www.opengroup.org/public/tech/security/pki/cki/ 
>
>)
>
>(As an aside, IMO, CASM is not a very elegant protocol: it has many
>online messages, uses public key crypto where symmetric could acheive
>the same effect with equal security, and has a centralised risk of the
>seed material of the root node of the hierarchy being compromised.)
>
>Shared keys or server encryption copes with multiple recipients
>needing to be able to decrypt messages (the `sales team' scenario).
>
>Server encryption is useful to augment personal key based security,
>and/or to speed deployment of "some" encryption even if not at first
>cut personal key based.
>
>I agree with Bill's comments about reduced PKI overhead of server
>based crypto, and his ease of deployment comments.
>
>Adam

Bill.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA01868 for ietf-smime-bks; Wed, 30 Sep 1998 13:26:00 -0700 (PDT)
Received: from orm-mail20.provo.novell.com (orm-mail20.orem.novell.com [151.155.118.32]) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA01857; Wed, 30 Sep 1998 13:23:50 -0700 (PDT)
Received: from INET-ORM-Message_Server by orm-mail20.provo.novell.com with Novell_GroupWise; Wed, 30 Sep 1998 14:30:02 -0600
Message-Id: <s612406a.029@orm-mail20.provo.novell.com>
X-Mailer: Novell GroupWise 5.5
Date: Wed, 30 Sep 1998 14:29:51 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: <aba@dcs.ex.ac.uk>, <w.ottaway@eris.dera.gov.uk>
Cc: <ietf-open-pgp@imc.org>, <ietf-smime@imc.org>
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id NAA01858
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Regarding the need for business access to encrypted communications --
I agree that the need is not strong, and I would hate to have to make the business case for a product that had that as its central justification, but there are valid examples outside of the military/intelligence community.

You might want to look at the key Recovery Alliance's web site www.kra.org for the Business Scenarios report, which addresses some of these needs for business key recovery, even for transitive communications.

Examples include review of outgoing communications by stock brokers to ensure that they are not engaging in insider trading (I believe this is imposed by law), companies who may have a positive duty to investigate a claimed case of sexual harassment, internal investigations of possible fraud or theft of trade secret information, etc.

Completely independent of these scenarios, there may be an additional requirement for server-based encryption of outgoing e-mail to support disconnected operation.

If a user composes an email message on his laptop while on an airplane, he may not have access to the recipient's certificates, and in particular, almost surely does not have access to the current CRLs.  Since the message can't be transmitted until the user reconnects, it may be acceptable and perhaps even desirable to have the server perform the encryption in the recipient's public key, after checking the CRLs, without necessarily making the user wait for all this while he is on a pay phone in the airport.  This doesn't mean that the information goes from the client to the server in the clear -- a symmetric key could easily be used.  

On the other hand, the checking of the certificates could be deferred, and the outgoing mail returned if the certificate has expired or been revoked. This would not require the server to be trusted.  

Obviously most users would probably prefer this option, but in most companies the users don't buy the software does, the IS department does, and their needs may therefore dominate.

Caveat emptor.

Bob

>>> William Ottaway <w.ottaway@eris.dera.gov.uk> 09/29 1:56 AM >>>
At 18:48 28/09/98 +0100, Adam Back wrote:
>
>Bill Ottaway writes:
>> However, organisations want to control the release of messages from their
>> employees.  They want to make sure outgoing messagers do not contain any
>> sensitive information or viruses. If the sender encrypts his mail
>> using the recipients key the organisation can not perform any of
>> these checks.
>
>Snooping outgoing email for sensitive information isn't a general
>commercial requirement.
>
>It is predominantly a government / signals intelligence special
>interest goal.
>
>UK's DERA (Defense Research Agency) / GCHQ designed the CASM protocol
>to allow snooping on sent and received email.
>
>CASM is partly based on server encryption.  Bill works for DERA
>(dera.gov.uk), so I am wondering if he is thinking of CASM in his
>comments, in that some of his arguments are couched in terms of a
>desire for mail snooping, while others were discussing server
>decryption purely in terms of ease of deployment, and adding blanket
>super-encryption, security and forward-secrecy for email that would
>otherwise not be encrypted.
>

No I wasn't thinking of CASM. I was just making a point that certain
organisations will want to be able to check their employees email for one
reason or another, this is not a military/government only issue.

Once companies start signing outgoing mail, which they will do, they are
taking some responsibility for the contents of that message. If that
message contained a virus then they could be sued for damage caused by that
virus. Signing is also a powerful mechanism which can be used in financial
transactions. Joe Blogs might not have the authority to perform financial
transactions, but a rubber seal from his organisation does carry the this
authority. This sort of transaction may need to be encrypted so that other
commercial organisations do not get wind of what you are up to. 

Yes the military and government have sensitive information which they do
not want to be mailed out of their organisations, but so do commercial
organisations (e.g. trade secrets, research, etc). This may not be a
requirement of all commercial companies but it still needs to be taken into
account when considering signing and encrypting messages. 

I would expect all large organisations, military, government or commercial
to require the ability to check employees email and to do
encryption/signing by the organisation.




>(CASM includes a form of GACK involving recomputing seed material, for
>details see:
>
>	http://www.opengroup.org/public/tech/security/pki/cki/ 
>
>)
>
>(As an aside, IMO, CASM is not a very elegant protocol: it has many
>online messages, uses public key crypto where symmetric could acheive
>the same effect with equal security, and has a centralised risk of the
>seed material of the root node of the hierarchy being compromised.)
>
>Shared keys or server encryption copes with multiple recipients
>needing to be able to decrypt messages (the `sales team' scenario).
>
>Server encryption is useful to augment personal key based security,
>and/or to speed deployment of "some" encryption even if not at first
>cut personal key based.
>
>I agree with Bill's comments about reduced PKI overhead of server
>based crypto, and his ease of deployment comments.
>
>Adam

Bill.


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA00344 for ietf-smime-bks; Tue, 29 Sep 1998 11:19:48 -0700 (PDT)
Received: from aisle (aisle.tesco.net [194.73.73.167]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA00340 for <ietf-smime@imc.org>; Tue, 29 Sep 1998 11:19:45 -0700 (PDT)
Received: from harter [62.172.24.232]  by aisle with smtp (Exim 1.70 #1) id 0zO4T8-0005tG-00; Tue, 29 Sep 1998 19:25:51 +0100
Message-ID: <000c01bdebde$f82b5b60$e818ac3e@harter>
From: "Darren Harter" <Darren.Harter@tesco.net>
To: "Adam Back" <aba@dcs.ex.ac.uk>, <w.ottaway@eris.dera.gov.uk>
Cc: <ietf-smime@imc.org>
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
Date: Tue, 29 Sep 1998 19:25:49 -0000
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Adam,

The references you quote for CASM are extremely out of date.  First,  CASM
does not have anything to do with PKI issues as you URL suggests.  CASM's
sister project CLOUD COVER (members of which play an active part on the PKIX
working group) does that.  Secondly,  the CASM team are actively
participating openly and positively in this working group, and the CASM
architecture is compliant with the current draft specs.  Thirdly, DERA have
had NO involvement with developing the CASM Architecture.  Finally, CASM is
not a protocol. It is an architecture that supports multiple security
protocols and key management schemes in a flexible yet standardised way.

If you require more up to date information regarding CASM or CLOUD COVER, I
suggest you contact CESG direct.  See www.cesg.gov.uk for contact
information.

Regards,

Darren Harter
CASM Applications Development Manager,
CASM Programme Office
CESG
Work: dharter@cesg.gov.uk
Home: darren.harter@bcs.org.uk, or darren.harter@tesco.net, or
darren_harter@hotmail.com


-----Original Message-----
From: Adam Back <aba@dcs.ex.ac.uk>
To: w.ottaway@eris.dera.gov.uk <w.ottaway@eris.dera.gov.uk>
Cc: ietf-open-pgp@imc.org <ietf-open-pgp@imc.org>; ietf-smime@imc.org
<ietf-smime@imc.org>
Date: Monday, September 28, 1998 06:54
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers
in S/MIME or PGP/MIME messages)


>UK's DERA (Defense Research Agency) / GCHQ designed the CASM protocol
>to allow snooping on sent and received email.
>
>CASM is partly based on server encryption.  Bill works for DERA
>(dera.gov.uk), so I am wondering if he is thinking of CASM in his
>comments, in that some of his arguments are couched in terms of a
>desire for mail snooping, while others were discussing server
>decryption purely in terms of ease of deployment, and adding blanket
>super-encryption, security and forward-secrecy for email that would
>otherwise not be encrypted.
>
>(CASM includes a form of GACK involving recomputing seed material, for
>details see:
>
> http://www.opengroup.org/public/tech/security/pki/cki/
>
>)





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA27105 for ietf-smime-bks; Tue, 29 Sep 1998 00:50:20 -0700 (PDT)
Received: from ns0.eris.dera.gov.uk (ns0.eris.dera.gov.uk [128.98.1.1]) by mail.proper.com (8.8.8/8.8.5) with SMTP id AAA27094 for <ietf-smime@imc.org>; Tue, 29 Sep 1998 00:50:18 -0700 (PDT)
Received: (qmail 9083 invoked from network); 29 Sep 1998 07:57:03 -0000
Received: from unknown (HELO mail-relay.eris.dera.gov.uk) (128.98.2.7) by ns0.eris.dera.gov.uk with SMTP; 29 Sep 1998 07:57:03 -0000
Received: (qmail 3117 invoked from network); 29 Sep 1998 07:57:03 -0000
Received: from wottoway.eris.dera.gov.uk (HELO wottaway.eris.dera.gov.uk) (128.98.10.17) by mail-relay.eris.dera.gov.uk with SMTP; 29 Sep 1998 07:57:03 -0000
Message-Id: <3.0.32.19980929085635.006a2028@mailhost.eris.dera.gov.uk>
X-Sender: wottaway@mailhost.eris.dera.gov.uk
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 29 Sep 1998 08:56:36 +0100
To: Adam Back <aba@dcs.ex.ac.uk>
From: William Ottaway <w.ottaway@eris.dera.gov.uk>
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822  headers in S/MIME or PGP/MIME messages)
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 18:48 28/09/98 +0100, Adam Back wrote:
>
>Bill Ottaway writes:
>> However, organisations want to control the release of messages from their
>> employees.  They want to make sure outgoing messagers do not contain any
>> sensitive information or viruses. If the sender encrypts his mail
>> using the recipients key the organisation can not perform any of
>> these checks.
>
>Snooping outgoing email for sensitive information isn't a general
>commercial requirement.
>
>It is predominantly a government / signals intelligence special
>interest goal.
>
>UK's DERA (Defense Research Agency) / GCHQ designed the CASM protocol
>to allow snooping on sent and received email.
>
>CASM is partly based on server encryption.  Bill works for DERA
>(dera.gov.uk), so I am wondering if he is thinking of CASM in his
>comments, in that some of his arguments are couched in terms of a
>desire for mail snooping, while others were discussing server
>decryption purely in terms of ease of deployment, and adding blanket
>super-encryption, security and forward-secrecy for email that would
>otherwise not be encrypted.
>

No I wasn't thinking of CASM. I was just making a point that certain
organisations will want to be able to check their employees email for one
reason or another, this is not a military/government only issue.

Once companies start signing outgoing mail, which they will do, they are
taking some responsibility for the contents of that message. If that
message contained a virus then they could be sued for damage caused by that
virus. Signing is also a powerful mechanism which can be used in financial
transactions. Joe Blogs might not have the authority to perform financial
transactions, but a rubber seal from his organisation does carry the this
authority. This sort of transaction may need to be encrypted so that other
commercial organisations do not get wind of what you are up to. 

Yes the military and government have sensitive information which they do
not want to be mailed out of their organisations, but so do commercial
organisations (e.g. trade secrets, research, etc). This may not be a
requirement of all commercial companies but it still needs to be taken into
account when considering signing and encrypting messages. 

I would expect all large organisations, military, government or commercial
to require the ability to check employees email and to do
encryption/signing by the organisation.




>(CASM includes a form of GACK involving recomputing seed material, for
>details see:
>
>	http://www.opengroup.org/public/tech/security/pki/cki/
>
>)
>
>(As an aside, IMO, CASM is not a very elegant protocol: it has many
>online messages, uses public key crypto where symmetric could acheive
>the same effect with equal security, and has a centralised risk of the
>seed material of the root node of the hierarchy being compromised.)
>
>Shared keys or server encryption copes with multiple recipients
>needing to be able to decrypt messages (the `sales team' scenario).
>
>Server encryption is useful to augment personal key based security,
>and/or to speed deployment of "some" encryption even if not at first
>cut personal key based.
>
>I agree with Bill's comments about reduced PKI overhead of server
>based crypto, and his ease of deployment comments.
>
>Adam

Bill.


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA05203 for ietf-smime-bks; Mon, 28 Sep 1998 10:42:02 -0700 (PDT)
Received: from exeter.ac.uk (hermes.ex.ac.uk [144.173.6.14]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA05199; Mon, 28 Sep 1998 10:41:53 -0700 (PDT)
Received: from dialup18 [144.173.6.218] by hermes via ESMTP (SAA21993); Mon, 28 Sep 1998 18:48:43 +0100 (BST)
Received: (from aba@localhost) by server.eternity.org (8.8.3/8.6.12) id SAA18304; Mon, 28 Sep 1998 18:48:06 +0100
Date: Mon, 28 Sep 1998 18:48:06 +0100
Message-Id: <199809281748.SAA18304@server.eternity.org>
From: Adam Back <aba@dcs.ex.ac.uk>
To: w.ottaway@eris.dera.gov.uk
CC: ietf-open-pgp@imc.org, ietf-smime@imc.org
In-reply-to: <3.0.32.19980928170048.006acda8@mailhost.eris.dera.gov.uk> (message from William Ottaway on Mon, 28 Sep 1998 17:00:48 +0100)
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Bill Ottaway writes:
> However, organisations want to control the release of messages from their
> employees.  They want to make sure outgoing messagers do not contain any
> sensitive information or viruses. If the sender encrypts his mail
> using the recipients key the organisation can not perform any of
> these checks.

Snooping outgoing email for sensitive information isn't a general
commercial requirement.

It is predominantly a government / signals intelligence special
interest goal.

UK's DERA (Defense Research Agency) / GCHQ designed the CASM protocol
to allow snooping on sent and received email.

CASM is partly based on server encryption.  Bill works for DERA
(dera.gov.uk), so I am wondering if he is thinking of CASM in his
comments, in that some of his arguments are couched in terms of a
desire for mail snooping, while others were discussing server
decryption purely in terms of ease of deployment, and adding blanket
super-encryption, security and forward-secrecy for email that would
otherwise not be encrypted.

(CASM includes a form of GACK involving recomputing seed material, for
details see:

	http://www.opengroup.org/public/tech/security/pki/cki/

)

(As an aside, IMO, CASM is not a very elegant protocol: it has many
online messages, uses public key crypto where symmetric could acheive
the same effect with equal security, and has a centralised risk of the
seed material of the root node of the hierarchy being compromised.)

Shared keys or server encryption copes with multiple recipients
needing to be able to decrypt messages (the `sales team' scenario).

Server encryption is useful to augment personal key based security,
and/or to speed deployment of "some" encryption even if not at first
cut personal key based.

I agree with Bill's comments about reduced PKI overhead of server
based crypto, and his ease of deployment comments.

Adam


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04111 for ietf-smime-bks; Mon, 28 Sep 1998 08:54:33 -0700 (PDT)
Received: from ns0.eris.dera.gov.uk (ns0.eris.dera.gov.uk [128.98.1.1]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA04104 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 08:54:31 -0700 (PDT)
Received: (qmail 21326 invoked from network); 28 Sep 1998 16:01:16 -0000
Received: from unknown (HELO mail-relay.eris.dera.gov.uk) (128.98.2.7) by ns0.eris.dera.gov.uk with SMTP; 28 Sep 1998 16:01:16 -0000
Received: (qmail 22588 invoked from network); 28 Sep 1998 16:01:16 -0000
Received: from wottoway.eris.dera.gov.uk (HELO wottaway.eris.dera.gov.uk) (128.98.10.17) by mail-relay.eris.dera.gov.uk with SMTP; 28 Sep 1998 16:01:16 -0000
Message-Id: <3.0.32.19980928170048.006acda8@mailhost.eris.dera.gov.uk>
X-Sender: wottaway@mailhost.eris.dera.gov.uk
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 28 Sep 1998 17:00:48 +0100
To: "William H. Geiger III" <whgiii@invweb.net>, "Blake Ramsdell" <BlakeR@deming.com>
From: William Ottaway <w.ottaway@eris.dera.gov.uk>
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
Cc: "Steve Hole" <steve@esys.ca>, "Ned Freed" <Ned.Freed@innosoft.com>, <ietf-open-pgp@imc.org>, <ietf-smime@imc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 16:00 25/09/98 -0500, William H. Geiger III wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>In <01FF24001403D011AD7B00A024BC53C53A7176@cane.deming.com>, on 09/25/98 
>   at 01:47 PM, "Blake Ramsdell" <BlakeR@deming.com> said:
>
>>> -----Original Message-----
>>> From: William H. Geiger III [mailto:whgiii@invweb.net]
>>> Sent: Friday, September 25, 1998 1:22 PM
>>> To: Steve Hole
>>> Cc: Ned Freed; ietf-open-pgp@imc.org; ietf-smime@imc.org
>>> Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
>>> 
>>> In <SIMEON.980918095519.E@gallileo.esys.ca>, on 09/18/98 
>>>    at 10:55 AM, Steve Hole <steve@esys.ca> said:
>>> 
>>> >Also there has been discussion many times in the past of 
>>> having "proxy 
>>> >security handling" for IMAP servers where the IMAP server handles
>>> >decoding encrypted messages on behalf of the client and sending the
>>> >decoded content over an encrypted data connection to the 
>>> client.   Note
>>> >that this is not a  real situation now, but there are lots 
>>> of reasons for
>>> >people to want this  behaviour in the future and it continues to be
>>> >discussed.
>>> 
>>> IMHO this is *not* a good idea.
>>> 
>>> The purpose of using end-to-end encryption is to avoid the 
>>> use of unknown
>>> 3 party systems to relay encrypted data. Decrypting on the server then
>>> re-encrypting via different means devalues the original encryption and
>>> brings unnecessary exposure of the raw data. It would also 
>>> require that
>>> the decryption keys of the recipient be stored on the server adding an
>>> added level of insecurity.
>
>>The originator can encrypt for the server, which will then decrypt the
>>message and send it on to the recipient.  The server does not need to
>>have the recipient's private key -- in fact, the recipient may not have a
>>keypair at all (only the server).  The value of the original encryption
>>is to keep things protected at the message level over the public
>>Internet, and then place the plaintext on the local trusted network. 
>>This allows for organizations to implement message-level security without
>>having to put cryptography on the individual desktops.
>
>I don't like it. It goes against the concepts of end-to-end encryption. If
>I want to send an encrypted message to someone, I want *only* that
>recipient to be able to read that message, not someone down in MIS, not
>some mail clerk, or god knows who else that has access to the local
>network. This is the whole point of end-to-end encryption, I don't have to
>"trust" any network security, all I have to trust is my local security and
>my recipient's local security. While not putting encryption on the users
>desktop may be a selling point to the pointy haired bosses it is a
>downgrade of the encryption protocols and not a direction I would
>recommend.
>
>>> While I have played with "proxy security handling" in the 
>>> past it has been
>>> for out-bound encryption, in-bound signature verification, and policy
>>> enforcement. In-bound decryption & out-bound signing should 
>>> never be done
>>> by anyone but the owner of the private keys.
>
>>The server can have private keys also, and the semantics of the outbound
>>signature is that the server (or organization) signed the message, not
>>the individual.
>
>IMHO this is poor practice. Corporate documents should be signed by the
>author(s) of those documents not some universal company signature. Even
>with corporate entities, one still needs to tie back to individuals in the
>corporation during communications. I may be missing something here, but I
>don't see the value of a generic corporate signature.
>
William,

Have you read draft-ietf-smime-domsec-00.txt?

This contains a section on encryption between servers, and between
individuals and servers. It does not rule out user to user encryption.

I agree with your points on not letting anyone else read your email.
However, organisations want to control the release of messages from their
employees. They want to make sure outgoing messagers do not contain any
sensitive information or viruses. If the sender encrypts his mail using the
recipients key the organisation can not perform any of these checks.

Encrypting and signing using an organisations key rather than an
individuals key reduces the size of the PKI required, and therefore all of
the problems to do with setting up and maintaining a PKI. Plus you are
putting a higher level of credence on the message, its not just coming from
Joe Blogs; its coming from Joe Blogs organisation.

Server to server encryption and signing reduces the cost of buying and
maintaining encryption facilities on the individuals machines. Plus the
burden on the users machine.

You can still tie a message back to the individual by allowing originator
aswell as domain signatures. Infact I recommend the message being signed by
the originator. This gives the organisation the ability to check the
document has not changed, to control who can release messages and a means
of repudination. 

Bill.
________________________________________________________________
William Ottaway,
L323,                        Tel: +44 (0) 1684 894079
DERA Malvern,                Fax: +44 (0) 1684 896113
St. Andrews Road,            email: w.ottaway@eris.dera.gov.uk
Malvern,
Worcs,
WR14 3PS



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04077 for ietf-smime-bks; Mon, 28 Sep 1998 08:52:18 -0700 (PDT)
Received: from firewall.globeset.com (root@firewall.globeset.com [207.239.133.67]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA04073 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 08:52:13 -0700 (PDT)
Received: from drought.globeset.com (trevor@drought.globeset.com [10.1.192.39]) by firewall.globeset.com (8.9.1a/8.9.1) with ESMTP id KAA20330; Mon, 28 Sep 1998 10:58:56 -0500 (CDT)
Received: (from trevor@localhost) by drought.globeset.com (8.7.6/8.7.3) id KAA28679; Mon, 28 Sep 1998 10:58:56 -0500
From: Trevor Sosebee <trevor@GlobeSet.com>
Date: Mon, 28 Sep 1998 10:58:56 -0500 (CDT)
To: Russ Housley <housley@spyrus.com>
Cc: Trevor Sosebee <trevor@GlobeSet.com>, ietf-smime@imc.org, terence@GlobeSet.com
Subject: Re: AuthenticatedData in CMS
In-Reply-To: <199809281545.IAA02299@spyrus.com>
References: <13817.29486.978819.823635@drought> <199809281545.IAA02299@spyrus.com>
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs  Lucid
Message-ID: <13839.45374.39196.586726@drought>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ,

The scenario I had envisioned here was one in which the sender had no
certificates just an out of band authentication token from the
recipient, but no other information about the recipient.

After multiple emails with Brian Korver, the solution seemed to be to
use AuthenticatedData with the authentication token carried in a
MailListRecipientInfo.

Trevor

Russ Housley writes:
 > Trevor:
 > 
 > Why not use signed-data in this case?
 > 
 > When using a MAC, authentication is lost if the key is disclosed.
 > 
 > Russ
 > 
 > At 02:02 PM 9/11/98 -0500, Trevor Sosebee wrote:
 > >Suppose an entity wants to use an AuthenticatedData structure as a
 > >generic way to carry authenticated data, and does not care who the
 > >recipient is or has no knowledge of the recipient's credentials at the 
 > >time of creation. It seems there should be a way to do this with no
 > >such knowledge, but since RecipientInfos is required to exist and contain
 > >at least one RecipientInfo, there seems to be no way around the problem.
 > >
 > >At the very least could the requirement that RecipientInfos be present 
 > >be relaxed to possibly contain no RecipientInfo?
 > >
 > >Trevor
 > >
 > 


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA04001 for ietf-smime-bks; Mon, 28 Sep 1998 08:40:50 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA03997 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 08:40:49 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id IAA02299; Mon, 28 Sep 1998 08:45:59 -0700 (PDT)
Message-Id: <199809281545.IAA02299@spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Mon, 28 Sep 1998 11:38:32 -0400
To: Trevor Sosebee <trevor@GlobeSet.com>
From: Russ Housley <housley@spyrus.com>
Subject: Re: AuthenticatedData in CMS
Cc: ietf-smime@imc.org, terence@GlobeSet.com
In-Reply-To: <13817.29486.978819.823635@drought>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Trevor:

Why not use signed-data in this case?

When using a MAC, authentication is lost if the key is disclosed.

Russ

At 02:02 PM 9/11/98 -0500, Trevor Sosebee wrote:
>Suppose an entity wants to use an AuthenticatedData structure as a
>generic way to carry authenticated data, and does not care who the
>recipient is or has no knowledge of the recipient's credentials at the 
>time of creation. It seems there should be a way to do this with no
>such knowledge, but since RecipientInfos is required to exist and contain
>at least one RecipientInfo, there seems to be no way around the problem.
>
>At the very least could the requirement that RecipientInfos be present 
>be relaxed to possibly contain no RecipientInfo?
>
>Trevor
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA02865 for ietf-smime-bks; Mon, 28 Sep 1998 06:12:37 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA02860 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 06:12:34 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id JAA16245 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 09:23:09 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id JAA00651; Mon, 28 Sep 1998 09:21:39 -0400
Date: Mon, 28 Sep 1998 09:21:39 -0400
Message-Id: <199809281321.JAA00651@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: 8/26/98 S/MIME WG Minutes
Sender: owner-ietf-smime@imc.org
Precedence: bulk

All,

These are the minutes (revised to include Denis Pinkas' 28 Sep 98
comment) that I sent to minutes@ietf.org.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This message includes the minutes of the IETF S/MIME Working Group
(WG) meeting held on 26 August 1998 in Chicago, IL, USA. These minutes 
were coordinated with the S/MIME WG mail list members.  All briefing 
slides are stored at: ftp://ftp.ietf.org/ietf/smime/.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Introductions - Russ Housley
 
Russ reviewed the agenda.  Nobody objected to the agenda.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MSG Draft Discussion - Blake Ramsdell

Blake stated that the 6 Aug 98 S/MIME v3 Message Specification (MSG)
Internet Draft (I-D) includes the comments submitted to the S/MIME WG mail
list.  He  stated that the application/MIME text was deleted from MSG and
the X.509 references were changed to PKIX references.  When asked if there
were any other comments to the MSG I-D, the room was silent.  When asked how
many people had read the MSG I-D, not many in the room raised their hands.
Blake stated that the MSG I-D has been submitted for last call within the
S/MIME WG and that there are no other changes planned for the MSG I-D. 
 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERT Draft Discussion - Blake Ramsdell

Blake stated that the 6 Aug 98 S/MIME v3 Certificate Handling (CERT) I-D
includes the comments submitted to the S/MIME WG mail list.  He stated that
the CERT I-D has been submitted for last call within the S/MIME WG.  When
asked how many people had read the CERT I-D, not many in the room raised
their hands.  Blake stated that the X.509 references were changed to PKIX
references.  There was a comment from an attendee that Section 3.2 "Required
Name Attributes" should be deleted because it is redundant to the PKIX X.509
Certificate and CRL Profile (PKIX Part I).  Nobody objected to this change.
There was a comment from an attendee who was concerned that certificates
included in S/MIME messages may divulge sensitive information.  The
consensus of the attendees was that this is a matter to be solved by the
policy of the local organization of the user who is releasing the S/MIME
message.  The group decided that no change is required in the S/MIME I-Ds
regarding this issue.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ESS Draft Discussion - Paul Hoffman

Paul stated that the 5 Aug 98 Enhanced Security Services for SMIME (ESS) I-D
has been submitted for last call within the S/MIME WG.  When asked how many
people had read the ESS I-D, not many in the room raised their hands.  Paul
stated that the EntityIdentifier syntax needs to be added to the ESS I-D
ASN.1 module as noted on the S/MIME WG mail list.  He stated that the S/MIME
ASN.1 modules need to be compiled by various ASN.1 toolkits to determine if
there are any other discrepancies.  Van Dyke and Associates (VDA)
volunteered to compile the ESS and CMS I-D ASN.1 modules using the SNACC
ASN.1 compiler, but others were urged to check the ASN.1 with their own
compilers as well.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CMS Draft Discussion - Russ Housley

Russ presented briefing slides (see ftp://ftp.ietf.org/ietf/smime/)
regarding the open issues related to the June 98 Cryptographic Message
Syntax (CMS) I-D.  Russ stated that the ESS, CERT and MSG I-Ds are dependent
on the CMS I-D; therefore, those I-Ds will not complete WG Last Call until
the CMS I-D completes WG Last Call.  When CMS enters WG Last Call, then all
of the I-Ds will be final after the two-week last call period is complete.
In summary, the WG last call period will simultaneously close for the CMS,
ESS, CERT and MSG I-Ds. 


Slide #1: CMS Document Status:  All CMS sections are complete except for
Section 12 that will document the mandatory algorithms and some optional
algorithms.  The comments received on the mail list have been incorporated
into a CMS draft that has not yet been released to the WG.  A draft of
Section 12 was discussed on the mail list.  The most recent draft is
included in the 22 July message, subject: "CMS Section 12, take 3".  The
completion of Section 12 depends on the Diffie-Hellman (D-H) Key Agreement
Method I-D <draft-ietf-smime-x942-00.txt>.


Slide #2: Message Digest Algorithms: 

SHA-1 is mandatory to implement.  The AlgorithmIdentifier syntax includes an
optional parameters field.  There was some debate regarding whether the
parameters field should be absent or set to an ASN.1 NULL (05 00 hex) when
the SHA-1 OID is populated in the AlgorithmIdentifier syntax.  Eric Rescorla
and Blake pointed out that current implementations encode the field as an
ASN.1 NULL.  The attendees decided that the CMS I-D will state that the
parameters must be encoded as an ASN.1 NULL, but that CMS implementations
should be able to accept either an ASN.1 NULL or absent parameters.  This is
required for compatibility with S/MIME v2.     

MD5 is optional to implement.  The attendees decided that the CMS I-D will
state that the parameters must be encoded as an ASN.1 NULL when the MD5 OID
is populated in the AlgorithmIdentifier syntax.  This is required for
compatibility with S/MIME v2.     


Slide #3: Signature Algorithms:  

DSA-with-SHA1 is mandatory to implement.  The attendees decided that the CMS
I-D will state that the parameters must be absent (not ASN.1 NULL).  This is
required for consistency with PKIX Part I.

RSA-with-SHA1 and RSA-with-MD5 are optional to implement.  With both of
these combinations, the rsaEncryption OID must be used in the signedData
signerInfo signatureAlgorithm.  The digesting algorithm is indicated in the
signedData signerInfo digestAlgorithm.  The attendees decided that the CMS
I-D will state that the parameters must be encoded as an ASN.1 NULL when the
rsaEncryption OID is populated in the AlgorithmIdentifier syntax.  This is
required for compatibility with S/MIME v2.     


Slide #4: Key Management (KM) Algorithms: 

The group discussed which KM algorithms and key encryption algorithms should
be documented in CMS.  The attendees decided that the most important
algorithms to cover are the mandatory-to-implement algorithms.  The
attendees agreed that optional algorithms not already covered in CMS can be
documented in separate I-Ds. 

The proposed Section 12 text states that static D-H (as specified in the D-H
I-D) will be mandatory to implement.  CMS will document how static D-H can
be used to generate a key-encryption key (KEK) for use with Triple DES.  It
will also document how static D-H can be used to generate a KEK for use with
RC2. 

When obtaining the bits of the KEK, the minimal number of bits needed to
form the KEK must be used (a.k.a. key reduction).  There is an open issue
regarding how the minimal number of bits is obtained for RC2.  The group
decided that this issue will be debated on the list.

The group decided that CMS should not discuss the use of D-H to generate
keys for DES.  

The group decided that CMS should specify that at least 512 modulus should
be used.

An attendee asked about key recovery.  Russ stated that this issue has been
thoroughly discussed on the mail list and that discussion identified at
least three ways to implement key recovery without specifying a specific
strategy in CMS. 


Slide #5: Key Management (KM) Algorithms 2:  Mail List Key (MLK) encryption
is optional to implement.  CMS will discuss the use of Triple-DES and RC2 to
be used for MLK purposes.


Slide #6: Key Wrapping Algorithm:  CMS will document a single
mandatory-to-implement key wrapping strategy to be used with key agreement
and MLK (but not key transport).  Jim Schaad asked if an OID should be
defined to identify the wrapping algorithm.  Russ answered that the X9.42
D-H OID used in conjunction with CMS implies the wrapping algorithm.  John
Pawling pointed out that Sec 12.4, 3rd paragraph states: "Triple-DES may be
an exception here; the same identifier is used for both 2-key and 3-key
Triple DES.  This is probably easily handled by always wrapping three keys,
even if the first and third keys match."  John stated that these issues need
to be resolved to avoid interoperability problems. 

Slide #7: Content Encryption Algorithms:  Triple-DES in CBC mode is the
mandatory-to-implement algorithm.  The DES-EDE3-CBC OID will be used.   The
group decided that DES will not be documented in CMS. 


Slide #8: Content Encryption Algorithms 2: The group decided that CMS will
document RC2 in CBC mode as a "should" to implement (rather than "may").
The RC2-CBC OID will be used.

Slide #9: Message Authentication Code (MAC) Algorithms:  The group decided
by a clear majority that HMAC-with-SHA1 will be the mandatory-to-implement
algorithm.  The wording in CMS will be: "If authenticatedData is
implemented, then HMAC-with-SHA1 must be implemented."  The group also
decided that DES MAC will not be included in CMS as an optional algorithm.

Slide #10: Way Forward:  When Section 12 is completed, then CMS will be
ready for last call.  Russ asked if there were any other issues.

1) Denis Pinkas asked if there was a way to verify the "correctness" of a
CMS message.  Dennis considers signature generation time to be a critical
factor in determining whether or not that signature is valid.  If the
signing key is revoked, then the signing time would indicate if the message
signed before or after the revocation date.  John Pawling pointed out that
the MSG I-D already states that the signingTime attribute should always be
included in signed messages.  Denis said that he would send a message to 
the S/MIME WG mail list regarding this topic as a stimulus for further
debate.

2) Denis also was concerned that the serial number in the signer's cert is
not covered by the signedData signerInfo signature, so a different cert
could be substituted for the signer's cert.  Russ stated that the SIGATTR
I-D addresses this issue.

3) Doug Maughn asked about the processing requirements for generating a
countersignature.  It was proposed on the list that the generator of a
countersignature must validate the original signature before generating the
countersignature.  Russ has included that proposal in the CMS draft that he
has not yet published.  He stated that "validate" means verify the signature
value of the CMS signedData, not necessarily validate the signer's cert path.

4) John Linn proposed that text should be added to the Security
Considerations section regarding the use of PKCS #1 v2.  The group agreed
that this was a good idea.  John Linn agreed to provide the text for the
Security Considerations section of CMS.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

X9.42 Draft Discussion - Russ Housley

The D-H Key Agreement Method I-D (a.k.a. D-H I-D) is required before CMS can
progress to WG Last Call.  After the D-H I-D was published to the list, Russ
asked if there were any patents that applied to the D-H variant documented
in the I-D.  Certicom announced on the list that they have applied for a
patent that covers the variant of the D-H algorithm specified in the D-H
I-D.  He proposed two alternatives: 1) CMS and D-H I-Ds could continue to
mandate the current D-H variant; or 2) WG could pursue a different D-H
variant as the mandatory-to-implement KM algorithm to avoid the delay
associated with working out the licensing agreement with Certicom.

Russ presented a slide describing another variant.  The variant currently
documented in D-H I-D is called Static-Static (S-S) D-H.  With S-S D-H, the
originator has a static key and the recipient has a static key both of which
are contained in certificates.  The alternative is called Ephemeral-Static
(E-S) D-H.  With E-S D-H, the recipient has a static key contained in a
certificate, but the originator generates an ephemeral key not contained
within a certificate.  Russ stated that the E-S D-H would need to be
documented and then distributed to determine if there are any patents or
pending patents that apply to the E-S D-H variant.  He stated that the E-S
D-H has some of the same properties as the Open PGP D-H strategy, but not
identical.  Paul Hoffman noted that there have been no patent statements
made regarding the Open PGP D-H strategy. 

Russ presented the following info:

          S-S D-H              |         E-S D-H
-------------------------------|--------------------------------
Pending patent                 | No patents (?)
1 exponentiation per recipient | 2 exponentiations per recipient
Data origin authentication     | No authentication
Shorter certificate            | Longer certificate (p,q,g) 
			       | (about 200 bytes longer)
Originator cert in message     | Originator cert not in message
Common p,q,g parameters        | Use recipient's p,q,g values

The question was asked if q is really required to be transmitted in the CMS
heading.  Russ stated that q should be included so that the existing X9.42
ASN.1 syntax for the p,q,g parameters can be used.  Also, the q value can be
used to validate the p and g values.    

Darren Harter pointed out that there is another option in which the
originator would produce a self-signed E-S D-H cert and include it in the
message.

Tim Dierks from Consensus Development Corporation/Certicom spoke regarding
Certicom's pending patent that they believe covers the X9.42 D-H variant.
Tim stated that Certicom is willing to issue a royalty-free license to
S/MIME and PKIX vendors to use the technology covered by their pending
patent. Tim stated that any applicant must divulge their own patents and
pending patents that would block the implementation of the mandatory
requirements of PKIX or CMS.  Tim stated that Certicom will require that the
applicant issue a royalty-free license to Certicom covering the applicant's
patented technology.   Tim stated that Certicom intends to gain revenue for
use of the technology in "non-S/MIME" cases.

Eric Rescorla pointed out that the S/MIME WG's acceptance of this option
would limit future vendor's options.  He also pointed out that CMS is used
in applications other than S/MIME, so the Certicom's offer does not benefit
all users of CMS.

Paul pointed out that there is not an official definition of "S/MIME", so
the limitation to issue licenses to "S/MIME" vendors is problematic.  Paul
also pointed out that there will probably be future versions of the S/MIME
specifications.  Paul reiterated Eric's statement that CMS is used in
applications other than S/MIME.

Jeff Schiller, the IETF Security Are Co-Director, expressed his desire to
avoid a situation in which licenses must be obtained to implement
mandatory-to-implement features.  He was concerned with the restrictions
placed by Certicom's proposal regarding how CMS is to be used.  Jeff stated
that he had difficulty with the "S/MIME" limitation included in Certicom's
offer because not all CMS implementers would be able to obtain the
royalty-free license.  Jeff stated that he liked the E-S D-H option better
than the S-S D-H option due to technical reasons in addition to the patent
issues.  Jeff stated that he has found that the two exponentiations required
to be calculated for each recipient in the E-S D-H option is acceptable as
far as performance is concerned.

John Pawling pointed out that some vendors are implementing CMS/ESS security
libraries that could be used by "S/MIME" or "non-S/MIME" applications, so
this further complicates the issue.  He pointed out that the E-S option
eliminates the need to validate the originator's KM cert, so a significant
time saving is achieved.  He recommended that the WG should pursue both the
E-S D-H and S-S D-H options in parallel.  Several attendees agreed with this
plan.

Dave Solo pointed out that some environments consist of an "S/MIME"
application on one end of a transaction and a "non-S/MIME" application on
the other end.  Dave also asked if there was an issue with using the E-S D-H
option with forming a pairwise key with yourself.  Russ stated that that
there will not be a problem with that operation.

Tim stated that he would obtain more info from Certicom.  Later in the
meeting after talking with Certicom via telephone, Tim stated that Certicom
agreed to provide royalty-free licenses for all uses of CMS, not just for
use in "S/MIME" applications.  Tim stated that the license would also cover
the use of S-S D-H in future versions of the CMS and PKIX specifications
(not just S/MIME v3). 


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SIGATTR Draft Discussion - Jim Schaad

Jim used slides for his two presentations.  Jim stated that the 2 July 98
Signing Certificate Attribute Specification (SIGATTR) I-D has been submitted
to the S/MIME WG mail list.  Jim stated that he would incorporate the
comment regarding replacing the IssuerAndSerialNumber field with
IssuerSerial so that Attribute Certificates can be identified.

There was some debate regarding whether the CertID certHash value should be
changed so that it is optional.

Jim asked if the attendees believe that the SIGATTR text should be
incorporated into CMS as a "MAY implement" option.

Paul agreed that the Signing Certificate Attribute should be included as a
"MAY implement" option in CMS.   

Dave Solo stated that he would like an enhancement to be made to the Signing
Certificate Attribute syntax to allow the identification of the complete
cert path of the signer (not just signer's cert).  This enhancement is
required so that the recipient can determine the context of the signer's
signature by examining the cert path of the signer's cert.  This issue
requires further debate on the list.

It was agreed that the SIGATTR text would not be incorporated into CMS until
all issues are resolved.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERTDIST Draft Discussion - Jim Schaad

Jim stated that the 6 July 98 Certificate Distribution (CERTDIST) I-D has
been submitted to the S/MIME WG mail list.  Jim stated that the open issues
identified include:

1) Lack of content within the published message.  He considers this one
closed and that there will not be a content.  

2) Ability of CA and RA to publishing information on behalf of the user.
Through discussion with others, he has determined that the best solution
requires an extension in the RA's cert.  Issue: Is this overly broad for CAs
to issue?  Jim's current position is that only users can create these messages. 

Issue:  Is the fact that any parent CA could issue this and the fact that a
new Extension is required a problem.  Jim's current position is that the
risks out-weigh the benefits and that only users can create these messages.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DOMSEC Draft Discussion - Bill Ottaway

Bill stated that the 15 July 98 Domain Security Services using S/MIME
(DOMSEC) I-D has been submitted to the S/MIME WG mail list.  When asked how
many people had read the DOMSEC I-D, many in the room raised their hands.
Bill presented the briefing slides stored on ftp://ftp.ietf.org/ietf/smime/.
These slides presented the basic points made in the DOMSEC I-D.  There were
no significant issues raised.  The question was asked from the floor (by
Paul Hoffman) as to the future plans for the document.  Bill said he was
happy to allow the working group to make that decision.  Paul said that the
DOMSEC I-D contained protocol, so it could not be progressed as an
informational document.  Chris Bonatti suggested that the protocol could be
moved into CMS, allowing the document to become informational.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Revocation Info in CMS - Paul Hoffman

Paul proposed that the message originator should be able to include non-CRL
revocation status information in the CMS heading "in case the recipient of
the message cannot (or does not want to) get the status information when
validating the signature, such as if the recipient is not online and no
usable CRLs were included in the SignedData."  For example, an OCSP response
could be included in the CMS heading.  This could be done via a new
attribute or by enhancing the CMS CRL list syntax.  This proposal requires
further debate on the list. 


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Wrap Up - Russ Housley

Russ asked for a straw poll of the attendees regarding which options the WG
should continue to pursue regarding the "mandatory-to-implement" KM issue.
The results are as follows:

1) Pursue S-S D-H option: about 20 hands raised

2) Pursue E-S D-H option: about 50 hands raised

3) Pursue self-signed E-S- D-H option: 0 hands raised

Based on this straw poll, options 1 and 2 will be pursued in parallel.  Russ
will investigate whether there are any patent issues with the E-S D-H
option.    Russ asked Tim Dierks to post further info regarding the Certicom
license offer.

======================================================
John Pawling                         jsp@jgvandyke.com
J.G. Van Dyke & Associates, Inc.     www.jgvandyke.com       
======================================================





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA02768 for ietf-smime-bks; Mon, 28 Sep 1998 06:03:32 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA02753 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 06:01:55 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id JAA16181; Mon, 28 Sep 1998 09:12:02 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id JAA00371; Mon, 28 Sep 1998 09:10:31 -0400
Date: Mon, 28 Sep 1998 09:10:31 -0400
Message-Id: <199809281310.JAA00371@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Denis Pinkas <Denis.Pinkas@bull.net>, Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: 8/26/98 S/MIME WG Minutes
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Denis,

Thank you very much for your feedback.  Russ asked that I submit the minutes
to "minutes@ietf.org".  In the "official" minutes, I plan to change the
sentence "The attendees agreed that wording was sufficient." to "Denis said
that he would send a message to the S/MIME WG mail list regarding this topic
as a stimulus for further debate."

- John Pawling




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA00672 for ietf-smime-bks; Mon, 28 Sep 1998 03:09:19 -0700 (PDT)
Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.20]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA00665 for <ietf-smime@imc.org>; Mon, 28 Sep 1998 03:09:12 -0700 (PDT)
Received: from k2.frcl.bull.fr (k2.frcl.bull.fr [129.182.100.2]) by clbull.frcl.bull.fr (8.8.2/8.8.2) with ESMTP id MAA24286; Mon, 28 Sep 1998 12:16:42 +0200
Received: from bull.net (cloe198.frcl.bull.fr [129.182.109.213]) by k2.frcl.bull.fr (AIX4.2/UCB 8.7/8.7) with ESMTP id MAA10452; Mon, 28 Sep 1998 12:16:52 +0200 (DFT)
Message-ID: <360FE0B0.E4215C45@bull.net>
Date: Mon, 28 Sep 1998 12:17:06 -0700
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull
X-Mailer: Mozilla 4.03 [fr] (Win16; I)
MIME-Version: 1.0
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
CC: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: 8/26/98 S/MIME WG Minutes
References: <199809181722.NAA23488@ajsn101.jgvandyke.com> <360BFBEA.41573139@drh-consultancy.demon.co.uk>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Dr Stephen Henson has sent a few comments:

> A few comments.
>
> John Pawling wrote:
> >
> >
> > Slide #3: Signature Algorithms:
> >
> > DSA-with-SHA1 is mandatory to implement.  The attendees decided that the CMS
> > I-D will state that the parameters must be absent (not ASN.1 NULL).  This is
> > required for consistency with PKIX Part I.
> >
>
> I presume it is implied that a NULL parameter should be tolerated. I
> know of some implementations that generate NULL.
>
> >
> > Slide #8: Content Encryption Algorithms 2: The group decided that CMS will
> > document RC2 in CBC mode as a "should" to implement (rather than "may").
> > The RC2-CBC OID will be used.
> >
>
> Will this include the number of bits that may/should be supported as
> well?
>
> >
> > 1) Denis Pinkas asked if there was a way to verify the "correctness" of a
> > CMS message.  Denis considers signature generation time to be a critical
> > factor in determining whether or not that signature is valid.  If the
> > signing key is revoked, then the signing time would indicate if the message
> > signed before or after the revocation date.  John Pawling pointed out that
> > the MSG I-D already states that the signingTime attribute should always be
> > included in signed messages.  The attendees agreed that wording was sufficient.
> >
>
> IMHO this may need an additional comment.

Well, I don't think that "the attendees agreed that wording was sufficient" is the
right wording since I said during the last session in Chicago, that I would
reformulate a message sent on July 15, about :

1) the signature generation time,
2) the identification of the certificate.

The first item is precisely the topic raised by Stephan.

In the original message I was going straight to text replacement proposals with
insufficient explanations. Hereafter more explanations are provided, but, as
advertised, the text will be much longer. :-(

On page 10, the text says “ The input to the signature validation process includes
the result of the message digest calculation process and the signer’s public key”.

There is no information given here on the process by which the signer's public key is
obtained. If a wrong public key or a revoked key is being used, then the end result
of the verification process will be erroneous.

CMS can be used with real time communications or with store and forward environments,
i.e. within or without a S/MIME context. With real time communications, the signer’s
public key is either known from the context or will be extracted from the CMS syntax.
With store and forward environments, it is always be extracted from the CMS syntax.
This is where the danger lies.

It seems natural to use the issuerAndSerialNumber from the SignerInfo. The danger of
using it directly, without any additional control, is mentioned partly (i.e. one half
of it) in the document draft-ietf-smime-sigattr-01.txt [SIGATTR]... but no reference
is made to this document in CMS.

The danger here is to substitute a certificate by another one that would contain the
same public key value, since the issuerAndSerialNumber from the SignerInfo is NOT
part of the signature process. That situation may arise at least in two occasions:
the user has multiple certificates for the same public key from different CAs or a
malicious CA issues a certificate for a different entity while copying the public key
from another certificate. In the first case, a certificate that is different from the
certificate intended to be used by the signer is presented to the verifier, while in
the second case some "bad" CAs, i.e. omitting to perform POP -Proof of Possession of
the private key, cannot be detected. Full details are in [SIGATTR].

Substitutions can be detected by signing a Certificate Identifier.

However this is still insufficient to address the issue. The second part of it has to
do with key compromise. If a key is compromised, then the corresponding certificate
will be revoked. It is important to know if the certificate was revoked or not AT THE
TIME OF THE SIGNATURE. If it is not possible to know the time of the signature, then
unpredictable results may occurs in case of key compromise.

Although  John [Pawling] pointed out that the MSG I-D already states that the
signingTime attribute should always be included in signed messages, CMS can be used
in wider environments and thus people looking at CMS will not necessarily look at the
MSG I-D.

In addition, there are two unsolved problems with this approach:

1) the signingTime attribute alone does NOT solve the issue,
2) the current text of CMS is misleading on this issue. The current text of section
11.3 on page 29 says:

" No requirement is imposed concerning the correctness of the signing time, and
acceptance of a purported signing time is a matter of a recipient's discretion.  It
is expected, however, that some signers, such as time-stamp servers, will be trusted
implicitly."

The signingTime attribute only reflects the time the signer wanted to be included.
The signer may well pre-date that value, ... but more important, if the key of the
signer is compromised then an attacker may also pre-date that value. In such a
situation it cannot be made a difference between a past "honest" signature from the
right signer and a pre-dated "fake" signature from an attacker. This difference is
not important when CMS is used in real time contexts since the latest CRL or
equivalent will be used. However, if CMS is used in non repudiation contexts, then it
is important to be able to settle the dispute. The use of a Time Stamping Server can
then allow to make the difference between "good" and "fake" signatures.

Since CMS will be used in S/MIME environments but also in non-S/MIME environments as
a successor of PKS#7, we have two options either correct the text in the section 5.6
and 11.3 (on page 29) or provide more awareness in the "Security consideration
section" on page 40.

If the first option is chosen, then here is a full text replacement for that section:

" 5.6  Message Signature Validation Process

The input to the signature validation process includes the result of the message
digest calculation process and the signer's public key. It is fairly important to
pick up the right signer's public key, valid at the time the signature was made.

The signer’s public key can be known in advance from the context. In such a case it
may be used directly. When this is not the case, it has to be obtained from the
information present in the CMS message. If the issuerAndSerialNumber from the
SignerInfo is used, then a substitution of certificates containing the same public
key value is possible. If such a substitution is a concern then the threat can be
addressed by making the certificate identifier part of the signature as described in
the Signing Certificate Attribute Specification [SIGATTR]. In such a case the right
public key is contained in the certificate pointed by the signed certificate
identifier.

In order to make sure that this identified certificate is valid, e.g.using CRLs and
ARLs, it is important to know the status of the certificate at the time the signature
was performed.

If no time information is present in the CMS structure, then the assumption should be
that the message has just be signed. In that case the revocation information valid at
the time the verification is performed will be used.

If only the signingTime attribute is present, then no direct assumption can be made
on the time of the signature. If the certificate is not presently revoked and still
valid, then the time included in the signingTime attribute can be taken as the one
placed by the genuine signer and the certificate can be accepted. If the certificate
is presently revoked and/or no more valid, the verifier is at a risk to use
inadequate revocation information unless additional assurance may be obtained about
the time of the signature (see next).

If a counter signature from a trusted time Stamping Authority is used in addition to
the signingTime attribute and if these two time values are "close" enough (e.g. a few
hours) then the assumption should be that the signing time is the time mentioned in
the signingTime attribute. The revocation information that was valid at that signing
time should then be used.

The details of the signature validation depend on the signature algorithm employed.

The recipient may not rely on any message digest values computed by the originator.
If the signedData signerInfo includes signedAttributes, then the content message
digest must be calculated as described in section 5.4.  For the signature to be
valid, the message digest value calculated by the recipient must be the same as the
value of the messageDigest attribute included in the signedAttributes of the
signedData signerInfo."


In order to address the text from section 11.3 on page 29, here is a text
replacement.

" The signing time is only the purported signing time as indicated by the signer. No
further assurance can be given upon the accuracy of that time unless additional
assurance can be obtained through other means, e.g. a counter-signature from a Time
Stamping Server. In particular, it should be noticed that in case of key compromise,
the message can be signed by an attacker that may use a pre-dated time, i.e. a time
in the past when the certificate was not revoked. In such a case, unpredictable
results may occur."

The changes I have provided are rather conservative from the current structure. The
Signing Certificate Attribute Specification [SIGATTR] addresses two topics. One has
to do, as the title indicates it, with Attribute Certificates while the other has to
do with the certificate identifier from the signer. It would/might be better to move
the section relative to the certificate identifier from SIGATTR into CMS since this
is just another VERY "useful attribute" from the section 11.


> For example should the valdity (i.e. expiry) of the signing certificate
> chain use the current time or the signingTime?
>
> The signingTime attribute cannot be trusted in many cases.
>
> If a certificate is revoked due to key compromise an attacker could
> generate a message with a signingTime before it was revoked.
>
> The corollary to this is that if a certificate has been revoked then the
> posession of a signed message with a signingTime before the revokation
> time is not sufficient for nonrepudiation purposes. Some corroboration
> as to the signing time is required: such as a trusted timestamp
> countersignature.

I think that the new text proposal provided hereabove may address your perfectly
valid concern.

> > 3) Doug Maughn asked about the processing requirements for generating a
> > countersignature.  It was proposed on the list that the generator of a
> > countersignature must validate the original signature before generating the
> > countersignature.  Russ has included that proposal in the CMS draft that he
> > has not yet published.  He stated that "validate" means verify the signature
> > value of the CMS signedData, not necessarily validate the signer's cert path.
> >
>
> Does "verify the signature value of the CMS signedData" imply that just
> the digital signature of the signedData is checked or the messageDigest
> value as well, implying that the original content must be checked?
>
> IMHO checking signedData is tolerable but the original content
> verification has very serious implications, as I've mentioned before.
>
> Even so this affects some existing implementations: for example the
> Verisign AuthentiCode timestamper just takes the signedData signature
> and produces a trusted timestamp countersignature from that.

Denis

FYI, follows the original text from July 15.

-----------------------------------------------------------------

Without waiting for a last call for CMS-06, here are my comments:

On page 10, the text says “ The input to the signature validation
process includes the result of the message digest calculation process
and the signer’s public key”. This is not sufficient in order to give
the same and relaible result between two different implementations. The
knowledge of the certificate of the signer as well as the time of the
signature are both important. If there is an ambiguity on one or the
other component then the end-result can be different.

1) About the CertUid of the signer

Unless the unambiguous identifier of the certificate of the signer is
part of the signed attributes, attacks are possible. This is a weakness
of the original PKS-7 document that should be corrected.

This has already be advertised on the PKIX list and explained during the
last meeting in LA. This relates to the POP (Proof of Private key
possession) issue. In other words, using the certificate identifier from
the signer as an additional signed attribute is the only way to make
sure, and at the time the verification is performed, that the user
really has possession of the signing private key, whether or not the CA
has done POP correctly. This protects again a malicious CA that would
"forget" to make POP.

This discussion also relates about the way to uniquely identify a
certificate. From previous E-mail exchanges it has been demonstrated
that in some cases the hash of the issuer public key was a way to
discriminate between synonymous issuer names. Thus the syntax of the
certificate identifier should be extended to optionally support a hash
of the issuer key.

2) About the signature time

Unless the time is securely known (using a time stamp over the CMS
message), the time should be considered to be the time at which the
signer makes the verification. This means that different results may be
obtained since the signer’s certificate may have been revoked since the
signature was produced (see the recent E-mails exchanges on the mailing
list).

In order to care for these cases, the following text is proposed as an
addition after the first sentence of the section 5.6:

 “ The signer’s public key can be known in advance from the context. In
that case it is directly used. When this is not the case, it has to be
obtained from the information present in the message. The CertUid
present in the signed certificate shall be used for that purpose.

In order to make sure that the identified certificate is valid, e.g.
using CRLs and ARLs, it is important to know the status of the
certificate at the time the signature was performed. When that time
cannot be reliably known, then, by default, the current time shall be
used. It should be noticed that this can lead to different results
depending upon the time the validation is performed. When that time is
reliably known, e.g. using a time stamp over the CMS message, then that
time shall be used. It should be noticed that leads to the same result
whatever the time the validation is performed.”

The section 11 should be extended to add the "CertUid" as a "usefull"
attribute.

At the last meeting in LA, I explained during the S/MIME session why it
is important to allow for the presence of a CertUid as a signed
attribute. Refer to the slides that I presented. This section should be
expanded to allow that attribute to be included here, otherwise there
would be serious security problems.

Proposed text:

11.X  Certificate Unique Identifier

   The Certificate-Unique-Identifier attribute type specifies
   unambiguously the certificate to be used for verifying the
   signature, when it is not known otherwise from the context.

   A Certificate-Unique-Identifier attribute must have a single
   attribute value.

   The following object identifier identifies the
   Certificate-Unique-Identifier attribute:

      id-certUid OBJECT IDENTIFIER ::= { iso(1) member-body(2)
          XXXX }

   Certificate-Unique-Identifier attribute values have ASN.1 type
   CertUid:

      CertUid ::= CertId

      CertId ::= SEQUENCE {
          issuerAndSerialNumber    IssuerAndSerialNumber,
          hashIssuerPublicKey      HashIssuerPublicKey  OPTIONAL}

   The IssuerAndSerialNumber type identifies a certificate, and
   thereby an entity and a public key, by the name of the certificate
   issuer and an issuer-specific certificate serial number.

   The hashIssuerPublicKey allows to discriminate between two CAs
   that would have the same issuer name. Should that situation happen,
   then the two CAs would have different public keys. The hash of the
   public keys would thus be different.

      HashIssuerPublicKey ::= SEQUENCE {
            hashOid                 ObjectIdentifier,
            hashedIssuerPublicKey   OCTET STRING}


On page 5, there is a sentence stating: “The signer’s certificate may be
included in the SignedData certificates field”. It is not clear why the
whole certificate should be included. The CertUid (or CertID) would be
sufficient. If the full certificate is needed it does not need to be
part of the signed attributes (note that it is not part of the list of
“useful attributes” described in the section 11).

[Text deleted]

Denis


> Steve.
> --
> Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
> For info see homepage at http://www.drh-consultancy.demon.co.uk/
> Email: shenson@drh-consultancy.demon.co.uk
> PGP key: via homepage.





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA26258 for ietf-smime-bks; Fri, 25 Sep 1998 17:28:43 -0700 (PDT)
Received: from post.mail.demon.net (post-12.mail.demon.net [194.217.242.41]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA26254 for <ietf-smime@imc.org>; Fri, 25 Sep 1998 17:28:41 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.03 #1) id 0zMiKX-0001oZ-00 for ietf-smime@imc.org; Sat, 26 Sep 1998 00:35:21 +0000
Message-ID: <360C3647.CF07A107@drh-consultancy.demon.co.uk>
Date: Sat, 26 Sep 1998 01:33:11 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: 8/26/98 S/MIME WG Minutes
References: <199809181722.NAA23488@ajsn101.jgvandyke.com> <360BFBEA.41573139@drh-consultancy.demon.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

I may have misinterpreted things, appologies. I wasn't objecting to the
minutes as such but making comments about the points raised. I couldn't
comment on the minutes: I wasn't there :-)

I'll just expand a little on my comment about tolerating NULL with DSA.
I've now had time to check Netscape Messenger in 4.06. It uses NULL
everywhere including SMIMECapabilities when signing using DSA with SHA1.
This isn't intended as a criticism of the Netscape implementation: it
probably pre-dates the recommendation.

I'll leave mentioning the rest until the other points are raised in due
course.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA25559 for ietf-smime-bks; Fri, 25 Sep 1998 14:36:25 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA25554 for <ietf-smime@imc.org>; Fri, 25 Sep 1998 14:36:24 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id RAA11128; Fri, 25 Sep 1998 17:46:43 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id RAA05588; Fri, 25 Sep 1998 17:45:14 -0400
Date: Fri, 25 Sep 1998 17:45:14 -0400
Message-Id: <199809252145.RAA05588@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>, "ietf-smime@imc.org" <ietf-smime@imc.org>
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: 8/26/98 S/MIME WG Minutes
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Steve,

Thank you very much for your feedback.  My replies are in-line:


At 09:24 PM 9/25/98 +0100, Dr Stephen Henson wrote:
>A few comments.
>
>John Pawling wrote:
>> 
>> 
>> Slide #3: Signature Algorithms:
>> 
>> DSA-with-SHA1 is mandatory to implement.  The attendees decided that the CMS
>> I-D will state that the parameters must be absent (not ASN.1 NULL).  This is
>> required for consistency with PKIX Part I.
>> 
>
>I presume it is implied that a NULL parameter should be tolerated. I
>know of some implementations that generate NULL.


[JSP: In the case of id-dsa-with-sha1, there was no specific discussion
during the meeting of accepting a NULL parameter.  The proposed text for
CMS, Sec 12 regarding id-dsa-with-sha1 includes the following:
   
"12.2.1  DSA

The DSA signature algorithm is defined in FIPS Pub 186 [FIPS 186]. The
algorithm identifier for DSA is:

    id-dsa-with-sha1 OBJECT IDENTIFIER ::=  { iso(1) member-body(2)
        us(840) x9-57 (10040) x9cm(4) 3 }

The AlgorithmIdentifier parameter field must not be present."

In my opinion, if the receiving software is supposed to be tolerant of a
NULL parameter in this case, then that fact should be specificaly stated in
CMS, Sec 12.2.1.  Personally, I believe that a NULL value should be
tolerated, especially since the X9.57 document that defines this OID is
ambiguous regarding this point.

In summary, I believe that you have a valid comment regarding CMS Section
12, but not against the minutes since this issue was not discussed regarding
this specific OID.]



>> 
>> Slide #8: Content Encryption Algorithms 2: The group decided that CMS will
>> document RC2 in CBC mode as a "should" to implement (rather than "may").
>> The RC2-CBC OID will be used.
>> 
>
>Will this include the number of bits that may/should be supported as
>well?


[JSP: There was no specific discussion of this issue during the meeting.
The proposed text for CMS, Sec 12 regarding RCS CBC includes the following:
   
"12.5.3  RC2 CBC

The RC2 algorithm is described in RFC 2268. The algorithm identifier for
RC2 in CBC mode is:

    RC2-CBC OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
        rsadsi(113549) encryptionAlgorithm(3) 2}

For the effective-key-bits (key size) greater than 32 and less than
256, the RC2-CBC algorithm parameters are encoded as:

    RC2-CBC parameter ::=  SEQUENCE {
        rc2ParameterVersion  INTEGER,
        iv                   OCTET STRING (8)}

For the effective-key-bits of 40, 64, and 128, the rc2ParameterVersion
values are 160, 120, 58 respectively. It is very important to note that
these values are not simply the RC2 keylength. Also note that the value 160
must be encoded as two octets (00 A0), because encoding as one octet (A0)
is a negative number in ASN.1."

Does this answer your question???]




>> 
>> 1) Denis Pinkas asked if there was a way to verify the "correctness" of a
>> CMS message.  Dennis considers signature generation time to be a critical
>> factor in determining whether or not that signature is valid.  If the
>> signing key is revoked, then the signing time would indicate if the message
>> signed before or after the revocation date.  John Pawling pointed out that
>> the MSG I-D already states that the signingTime attribute should always be
>> included in signed messages.  The attendees agreed that wording was
sufficient.
>> 
>
>IMHO this may need an additional comment.
>
>For example should the valdity (i.e. expiry) of the signing certificate
>chain use the current time or the signingTime? 
>
>The signingTime attribute cannot be trusted in many cases.
>
>If a certificate is revoked due to key compromise an attacker could
>generate a message with a signingTime before it was revoked.
>
>The corollary to this is that if a certificate has been revoked then the
>posession of a signed message with a signingTime before the revokation
>time is not sufficient for nonrepudiation purposes. Some corroboration
>as to the signing time is required: such as a trusted timestamp
>countersignature. 


[JSP: Were these statements made during the meeting?  I confess that I did
not hear every word said during the meeting and that the tape player that I
used to record the meeting was not sensitive enough to pick up every word
said at the meeting.  The minutes of the meeting are supposed to cover the
events of the meeting.  If these statements were made during the meeting,
then I do not object to their inclusion in the minutes.  The minutes are not
intended to cover every possible point (valid though they may be) regarding
a topic, so if these statements were not made during the meeting, then I
don't believe that they should be included in the minutes.]  



>> 
>> 3) Doug Maughn asked about the processing requirements for generating a
>> countersignature.  It was proposed on the list that the generator of a
>> countersignature must validate the original signature before generating the
>> countersignature.  Russ has included that proposal in the CMS draft that he
>> has not yet published.  He stated that "validate" means verify the signature
>> value of the CMS signedData, not necessarily validate the signer's cert path.
>> 
>
>Does "verify the signature value of the CMS signedData" imply that just
>the digital signature of the signedData is checked or the messageDigest
>value as well, implying that the original content must be checked?


[JSP: This issue was not specifically discussed during the meeting.  I
believe that you have a valid comment regarding CMS, but not against the
minutes.]



>
>IMHO checking signedData is tolerable but the original content
>verification has very serious implications, as I've mentioned before.
>
>Even so this affects some existing implementations: for example the
>Verisign AuthentiCode timestamper just takes the signedData signature
>and produces a trusted timestamp countersignature from that.

[JSP: Recommend that you continue to pursue this point on the list.]


>
>Steve.
>-- 
>Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
>For info see homepage at http://www.drh-consultancy.demon.co.uk/
>Email: shenson@drh-consultancy.demon.co.uk
>PGP key: via homepage.
>
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA25448 for ietf-smime-bks; Fri, 25 Sep 1998 14:21:20 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA25438; Fri, 25 Sep 1998 14:21:15 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J28006CAZ491WHE6@INNOSOFT.COM>; Fri, 25 Sep 1998 14:27:06 PDT
Date: Fri, 25 Sep 1998 14:22:57 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Fri, 25 Sep 1998 15:10:52 -0500" <199809252006.QAA21078@domains.invweb.net>
To: "William H. Geiger III" <whgiii@invweb.net>
Cc: Ned Freed <Ned.Freed@innosoft.com>, Graham Klyne <GK@Dial.pipex.com>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J28696425A91WHE6@INNOSOFT.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
References: <01J25ZVKDGY691VY4C@INNOSOFT.COM>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> > I don't know about message/http, but I suspect it would need its own
> > rules. And it isn't clear this issue exists for HTTP anyhow, or that if
> > it does it should be solved this way.

> I am not aware of a message/http. It is my understanding that if you have
> an e-mail message attachment (with headers) that you should use the
> message/rfc822 and then text/http as a MIME part of the attached message
> (with multipart/mixed or multipart/alternative in the message header).

The concept of "message" is a lot more general than e-mail these days. As
are the uses MIME is put to.

Message/http is the media type for an HTTP message. See RFC2068 for details.

> In general message/rfc822 is to be used to signify that a MIME part is a
> message with headers and that the user should reference the header of that
> message for it's context.

An email message, yes. A message in a more general sense, no.

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA25303 for ietf-smime-bks; Fri, 25 Sep 1998 14:06:36 -0700 (PDT)
Received: from domains.invweb.net (root@domains.invweb.net [198.182.196.32]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA25299; Fri, 25 Sep 1998 14:06:34 -0700 (PDT)
Received: from whgiii (dugong35.pcola.gulf.net [205.160.71.98]) by domains.invweb.net (8.9.1/8.9.1) with SMTP id RAA22106; Fri, 25 Sep 1998 17:12:36 -0400
Message-Id: <199809252112.RAA22106@domains.invweb.net>
From: "William H. Geiger III" <whgiii@invweb.net>
Date: Fri, 25 Sep 1998 16:00:40 -0500
To: "Blake Ramsdell" <BlakeR@deming.com>
In-Reply-To: <01FF24001403D011AD7B00A024BC53C53A7176@cane.deming.com>
Cc: "Steve Hole" <steve@esys.ca>, "Ned Freed" <Ned.Freed@innosoft.com>, <ietf-open-pgp@imc.org>, <ietf-smime@imc.org>
Subject: Re: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v1.50 b50 
Sender: owner-ietf-smime@imc.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

In <01FF24001403D011AD7B00A024BC53C53A7176@cane.deming.com>, on 09/25/98 
   at 01:47 PM, "Blake Ramsdell" <BlakeR@deming.com> said:

>> -----Original Message-----
>> From: William H. Geiger III [mailto:whgiii@invweb.net]
>> Sent: Friday, September 25, 1998 1:22 PM
>> To: Steve Hole
>> Cc: Ned Freed; ietf-open-pgp@imc.org; ietf-smime@imc.org
>> Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
>> 
>> In <SIMEON.980918095519.E@gallileo.esys.ca>, on 09/18/98 
>>    at 10:55 AM, Steve Hole <steve@esys.ca> said:
>> 
>> >Also there has been discussion many times in the past of 
>> having "proxy 
>> >security handling" for IMAP servers where the IMAP server handles
>> >decoding encrypted messages on behalf of the client and sending the
>> >decoded content over an encrypted data connection to the 
>> client.   Note
>> >that this is not a  real situation now, but there are lots 
>> of reasons for
>> >people to want this  behaviour in the future and it continues to be
>> >discussed.
>> 
>> IMHO this is *not* a good idea.
>> 
>> The purpose of using end-to-end encryption is to avoid the 
>> use of unknown
>> 3 party systems to relay encrypted data. Decrypting on the server then
>> re-encrypting via different means devalues the original encryption and
>> brings unnecessary exposure of the raw data. It would also 
>> require that
>> the decryption keys of the recipient be stored on the server adding an
>> added level of insecurity.

>The originator can encrypt for the server, which will then decrypt the
>message and send it on to the recipient.  The server does not need to
>have the recipient's private key -- in fact, the recipient may not have a
>keypair at all (only the server).  The value of the original encryption
>is to keep things protected at the message level over the public
>Internet, and then place the plaintext on the local trusted network. 
>This allows for organizations to implement message-level security without
>having to put cryptography on the individual desktops.

I don't like it. It goes against the concepts of end-to-end encryption. If
I want to send an encrypted message to someone, I want *only* that
recipient to be able to read that message, not someone down in MIS, not
some mail clerk, or god knows who else that has access to the local
network. This is the whole point of end-to-end encryption, I don't have to
"trust" any network security, all I have to trust is my local security and
my recipient's local security. While not putting encryption on the users
desktop may be a selling point to the pointy haired bosses it is a
downgrade of the encryption protocols and not a direction I would
recommend.

>> While I have played with "proxy security handling" in the 
>> past it has been
>> for out-bound encryption, in-bound signature verification, and policy
>> enforcement. In-bound decryption & out-bound signing should 
>> never be done
>> by anyone but the owner of the private keys.

>The server can have private keys also, and the semantics of the outbound
>signature is that the server (or organization) signed the message, not
>the individual.

IMHO this is poor practice. Corporate documents should be signed by the
author(s) of those documents not some universal company signature. Even
with corporate entities, one still needs to tie back to individuals in the
corporation during communications. I may be missing something here, but I
don't see the value of a generic corporate signature.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: Windows?  Homey don't play that!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNgwJTY9Co1n+aLhhAQE96gQAlGhKml9VG7pPUnY+7lDTudU8RN+KFcVF
Ds/LHrL0LEQYQj/y6XZ+ai4Vq4OjLCEQnJTG41qJqUnMhNcNTDR3JbUXyEY4bCta
a4Uw18dOavsbT525YPc+9emOUbl62FAAbjsdnDSLN8ACBwhyD8IuPjDdTloAUTSk
avXbyVsbkX4=
=fkoP
-----END PGP SIGNATURE-----



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA25122 for ietf-smime-bks; Fri, 25 Sep 1998 13:41:15 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA25112; Fri, 25 Sep 1998 13:41:07 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.2); Fri, 25 Sep 98 13:47:41 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <TRZ1SYRN>; Fri, 25 Sep 1998 13:47:40 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A7176@cane.deming.com>
From: "Blake Ramsdell" <BlakeR@deming.com>
To: "'William H. Geiger III'" <whgiii@invweb.net>, "Steve Hole" <steve@esys.ca>
cc: "Ned Freed" <Ned.Freed@innosoft.com>, <ietf-open-pgp@imc.org>, <ietf-smime@imc.org>
Subject: Server decryption / signing (was RE: Encrypting RFC822 headers in S/MIME or PGP/MIME messages)
Date: Fri, 25 Sep 1998 13:47:39 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 1A12DEE79923-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> -----Original Message-----
> From: William H. Geiger III [mailto:whgiii@invweb.net]
> Sent: Friday, September 25, 1998 1:22 PM
> To: Steve Hole
> Cc: Ned Freed; ietf-open-pgp@imc.org; ietf-smime@imc.org
> Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
> 
> In <SIMEON.980918095519.E@gallileo.esys.ca>, on 09/18/98 
>    at 10:55 AM, Steve Hole <steve@esys.ca> said:
> 
> >Also there has been discussion many times in the past of 
> having "proxy 
> >security handling" for IMAP servers where the IMAP server handles
> >decoding encrypted messages on behalf of the client and sending the
> >decoded content over an encrypted data connection to the 
> client.   Note
> >that this is not a  real situation now, but there are lots 
> of reasons for
> >people to want this  behaviour in the future and it continues to be
> >discussed.
> 
> IMHO this is *not* a good idea.
> 
> The purpose of using end-to-end encryption is to avoid the 
> use of unknown
> 3 party systems to relay encrypted data. Decrypting on the server then
> re-encrypting via different means devalues the original encryption and
> brings unnecessary exposure of the raw data. It would also 
> require that
> the decryption keys of the recipient be stored on the server adding an
> added level of insecurity.

The originator can encrypt for the server, which will then decrypt the
message and send it on to the recipient.  The server does not need to
have the recipient's private key -- in fact, the recipient may not have
a keypair at all (only the server).  The value of the original
encryption is to keep things protected at the message level over the
public Internet, and then place the plaintext on the local trusted
network.  This allows for organizations to implement message-level
security without having to put cryptography on the individual desktops.

> While I have played with "proxy security handling" in the 
> past it has been
> for out-bound encryption, in-bound signature verification, and policy
> enforcement. In-bound decryption & out-bound signing should 
> never be done
> by anyone but the owner of the private keys.

The server can have private keys also, and the semantics of the outbound
signature is that the server (or organization) signed the message, not
the individual.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA24924 for ietf-smime-bks; Fri, 25 Sep 1998 13:20:20 -0700 (PDT)
Received: from post.mail.demon.net (post-12.mail.demon.net [194.217.242.41]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA24920 for <ietf-smime@imc.org>; Fri, 25 Sep 1998 13:20:19 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.03 #1) id 0zMeS9-00051V-00 for ietf-smime@imc.org; Fri, 25 Sep 1998 20:26:58 +0000
Message-ID: <360BFBEA.41573139@drh-consultancy.demon.co.uk>
Date: Fri, 25 Sep 1998 21:24:10 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: 8/26/98 S/MIME WG Minutes
References: <199809181722.NAA23488@ajsn101.jgvandyke.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

A few comments.

John Pawling wrote:
> 
> 
> Slide #3: Signature Algorithms:
> 
> DSA-with-SHA1 is mandatory to implement.  The attendees decided that the CMS
> I-D will state that the parameters must be absent (not ASN.1 NULL).  This is
> required for consistency with PKIX Part I.
> 

I presume it is implied that a NULL parameter should be tolerated. I
know of some implementations that generate NULL.

> 
> Slide #8: Content Encryption Algorithms 2: The group decided that CMS will
> document RC2 in CBC mode as a "should" to implement (rather than "may").
> The RC2-CBC OID will be used.
> 

Will this include the number of bits that may/should be supported as
well?

> 
> 1) Denis Pinkas asked if there was a way to verify the "correctness" of a
> CMS message.  Dennis considers signature generation time to be a critical
> factor in determining whether or not that signature is valid.  If the
> signing key is revoked, then the signing time would indicate if the message
> signed before or after the revocation date.  John Pawling pointed out that
> the MSG I-D already states that the signingTime attribute should always be
> included in signed messages.  The attendees agreed that wording was sufficient.
> 

IMHO this may need an additional comment.

For example should the valdity (i.e. expiry) of the signing certificate
chain use the current time or the signingTime? 

The signingTime attribute cannot be trusted in many cases.

If a certificate is revoked due to key compromise an attacker could
generate a message with a signingTime before it was revoked.

The corollary to this is that if a certificate has been revoked then the
posession of a signed message with a signingTime before the revokation
time is not sufficient for nonrepudiation purposes. Some corroboration
as to the signing time is required: such as a trusted timestamp
countersignature. 

> 
> 3) Doug Maughn asked about the processing requirements for generating a
> countersignature.  It was proposed on the list that the generator of a
> countersignature must validate the original signature before generating the
> countersignature.  Russ has included that proposal in the CMS draft that he
> has not yet published.  He stated that "validate" means verify the signature
> value of the CMS signedData, not necessarily validate the signer's cert path.
> 

Does "verify the signature value of the CMS signedData" imply that just
the digital signature of the signedData is checked or the messageDigest
value as well, implying that the original content must be checked?

IMHO checking signedData is tolerable but the original content
verification has very serious implications, as I've mentioned before.

Even so this affects some existing implementations: for example the
Verisign AuthentiCode timestamper just takes the signedData signature
and produces a trusted timestamp countersignature from that.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA24867 for ietf-smime-bks; Fri, 25 Sep 1998 13:14:47 -0700 (PDT)
Received: from domains.invweb.net (root@domains.invweb.net [198.182.196.32]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA24863; Fri, 25 Sep 1998 13:14:46 -0700 (PDT)
Received: from whgiii (dugong35.pcola.gulf.net [205.160.71.98]) by domains.invweb.net (8.9.1/8.9.1) with SMTP id QAA21333; Fri, 25 Sep 1998 16:20:53 -0400
Message-Id: <199809252020.QAA21333@domains.invweb.net>
From: "William H. Geiger III" <whgiii@invweb.net>
Date: Fri, 25 Sep 1998 15:21:52 -0500
To: Steve Hole <steve@esys.ca>
In-Reply-To: <SIMEON.980918095519.E@gallileo.esys.ca>
Cc: Ned Freed <Ned.Freed@innosoft.com>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v1.50 b50 
Sender: owner-ietf-smime@imc.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

In <SIMEON.980918095519.E@gallileo.esys.ca>, on 09/18/98 
   at 10:55 AM, Steve Hole <steve@esys.ca> said:

>Also there has been discussion many times in the past of having "proxy 
>security handling" for IMAP servers where the IMAP server handles
>decoding encrypted messages on behalf of the client and sending the
>decoded content over an encrypted data connection to the client.   Note
>that this is not a  real situation now, but there are lots of reasons for
>people to want this  behaviour in the future and it continues to be
>discussed.

IMHO this is *not* a good idea.

The purpose of using end-to-end encryption is to avoid the use of unknown
3 party systems to relay encrypted data. Decrypting on the server then
re-encrypting via different means devalues the original encryption and
brings unnecessary exposure of the raw data. It would also require that
the decryption keys of the recipient be stored on the server adding an
added level of insecurity.

While I have played with "proxy security handling" in the past it has been
for out-bound encryption, in-bound signature verification, and policy
enforcement. In-bound decryption & out-bound signing should never be done
by anyone but the owner of the private keys.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: The best way to accelerate Windows is at escape velocity.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNgv9Lo9Co1n+aLhhAQEAHAP9FFdmZZD3I8q8R3UgA1Kurzi/GrTOKVkV
jr6t/lSwokNc08qGjusFeu7TwNQHA/dJ/kc60F0whpO0VtLvDc6dW1GopWwJMFSh
p3JhRcltgBdQ/xm/RUbpvdTsaxd5V0vWYV80QzaYqR3EeUz4jVuSJ5ddei2iVvIh
mrrCPdTaVU8=
=ebIz
-----END PGP SIGNATURE-----



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA24778 for ietf-smime-bks; Fri, 25 Sep 1998 13:00:59 -0700 (PDT)
Received: from domains.invweb.net (root@domains.invweb.net [198.182.196.32]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA24774; Fri, 25 Sep 1998 13:00:56 -0700 (PDT)
Received: from whgiii (dugong35.pcola.gulf.net [205.160.71.98]) by domains.invweb.net (8.9.1/8.9.1) with SMTP id QAA21078; Fri, 25 Sep 1998 16:06:54 -0400
Message-Id: <199809252006.QAA21078@domains.invweb.net>
From: "William H. Geiger III" <whgiii@invweb.net>
Date: Fri, 25 Sep 1998 15:10:52 -0500
To: Ned Freed <Ned.Freed@innosoft.com>
In-Reply-To: <01J25ZVKDGY691VY4C@INNOSOFT.COM>
Cc: Graham Klyne <GK@Dial.pipex.com>, Ned Freed <Ned.Freed@innosoft.com>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v1.50 b50 
Sender: owner-ietf-smime@imc.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

In <01J25ZVKDGY691VY4C@INNOSOFT.COM>, on 09/24/98 
   at 02:18 AM, Ned Freed <Ned.Freed@innosoft.com> said:

>I don't know about message/http, but I suspect it would need its own
>rules. And it isn't clear this issue exists for HTTP anyhow, or that if
>it does it should be solved this way.

I am not aware of a message/http. It is my understanding that if you have
an e-mail message attachment (with headers) that you should use the
message/rfc822 and then text/http as a MIME part of the attached message
(with multipart/mixed or multipart/alternative in the message header).

In general message/rfc822 is to be used to signify that a MIME part is a
message with headers and that the user should reference the header of that
message for it's context.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: My best view from a Window was through OS/2.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNgv56I9Co1n+aLhhAQFtWgP5AYc4VB8+BmNGIDFmrPh8fJ46VOl0a5iU
VZAi1K054hzQvSKO9CxpZUg6QmNazTG0f+GsUo7NriwnfdSd4OjWNgKDsgK/g0Tg
RHsUz6+YexthqXSgQqA1UEv/fcuXSSQY3nhUP3/lmDvy0mFBXB38Bxx2JXPm7Y/V
88XJgeIIrNg=
=qx1V
-----END PGP SIGNATURE-----



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA25698 for ietf-smime-bks; Thu, 24 Sep 1998 14:04:43 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA25694 for <ietf-smime@imc.org>; Thu, 24 Sep 1998 14:04:42 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id OAA15072 for <ietf-smime@imc.org>; Thu, 24 Sep 1998 14:10:46 -0700 (PDT)
Message-Id: <199809242110.OAA15072@spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Thu, 24 Sep 1998 15:38:20 -0400
To: ietf-smime@imc.org
From: Russ Housley <housley@spyrus.com>
Subject: Minutes
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

I have seen no discussion of the minutes posted by John Pawling.  I plan to
submit tomorrow, so if you have comments, please post them now.

Russ



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id BAA17332 for ietf-smime-bks; Thu, 24 Sep 1998 01:00:38 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA17295; Thu, 24 Sep 1998 00:57:27 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J25VRIQFXS91VY4C@INNOSOFT.COM>; Thu, 24 Sep 1998 01:03:31 PDT
Date: Thu, 24 Sep 1998 00:18:57 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Wed, 23 Sep 1998 10:18:05 +0100" <3.0.32.19980923101702.008e8770@pop.dial.pipex.com>
To: Graham Klyne <GK@Dial.pipex.com>
Cc: Ned Freed <Ned.Freed@innosoft.com>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J25ZVKDGY691VY4C@INNOSOFT.COM>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> But, I think there is still a question whether this "structural handling"
> information is specific to *just* RFC822.  The premise of my suggestion was
> that the structural handling was more widely applicable.  I am toying with
> a view that the handling may be appropriate to 'message/...' types in general.

It certainly doesn't apply to the subtypes delivery-status or
disposition-notification. This alone makes calling it a general message type
parameter inappropriate. It would at most be a parameter specific message
subtypes could call on if needed.

It can apply to message/external-body, although it only applies indirectly
when message/external-body references a message/rfc822 object.

Message/partial already has well defined structural considerations (indeed,
these rules should serve as a starting point for defining how to recombine
message/rfc822 objects) and needs no such parameter. I actually would have
suggested using a single part message/partial for this were it not for my
belief that the reassembly rules are likely to be different in some ways.

The type message/news should never have been defined -- message/rfc822 was
designed to accomodate news messages despite its name -- and in practice is not
used. 

I don't know about message/http, but I suspect it would need its own rules. And
it isn't clear this issue exists for HTTP anyhow, or that if it does it should
be solved this way.

And that's the entire list of message types.

As a practical matter this sort of structural concern only exists when there's
a set of "outer" headers which are exposed to transport manipulation and hence
cannot be secured by putting them inside of a security enclosure. Now, this
doesn't mean such things cannot appear at an inner level -- this will happen
when someone wants to include an entire message built this way with its
security wrapper intact within another message.

But this does restrict the reasons for using this scheme.  We only have two
outer message types which transports manipulate at present: message/rfc822
(which also covers News) and message/http. I don't want to get into
message/http at the present time. And that leaves message/rfc822.

> A recent discusion I had concerned the actual handling differences between
> 'application/...' and 'message/...' (with reference in part to proposing
> 'application/MIME' vs 'message/MIME').  One view was that 'message/...'
> indicates handling that is expected to be performed by a message handling
> agent, where 'application/...' suggests some external program;  this seems
> to be consistent with the idea that MIME content-types are used for
> dispatching to a handling module or application.

This is a reasonable view. But it doesn't mean that a message/mime object,
should one be defined, would benefit from this sort of structural handling. If
you want to secure such an object all you have to do is put the whole kit and
kaboodle inside of the security enclosure. I see no justifcation for exposing
part of it outside and having to recombine later. (Yes, I realize that people
have on occasion argued that there's value in confidentiality services that
expose, say, the content-type of of the secured material. However, I remain to
be convinced that this is a good idea, let alone that it should be accomplished
by something similar to this.)

> I feel I may be going over some old ground here, and don't wish to restart
> an old debate, but I would be interested in your view.

See above. Also note that if I'm wrong and there's value in using this
mechanism elsewhere, its definition can easily be borrowed in the definition
of another type or subtype at a later date.

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA18424 for ietf-smime-bks; Wed, 23 Sep 1998 02:12:27 -0700 (PDT)
Received: from monsoon.dial.pipex.net (monsoon.dial.pipex.net [158.43.128.69]) by mail.proper.com (8.8.8/8.8.5) with SMTP id CAA18414 for <ietf-smime@imc.org>; Wed, 23 Sep 1998 02:12:26 -0700 (PDT)
Received: (qmail 7809 invoked from network); 23 Sep 1998 09:18:52 -0000
Received: from userp453.uk.uudial.com (HELO GK) (193.149.92.198) by smtp.dial.pipex.com with SMTP; 23 Sep 1998 09:18:52 -0000
Message-Id: <3.0.32.19980923101702.008e8770@pop.dial.pipex.com>
X-Sender: maiw03@pop.dial.pipex.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 23 Sep 1998 10:18:05 +0100
To: Ned Freed <Ned.Freed@innosoft.com>
From: Graham Klyne <GK@Dial.pipex.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 09:32 22/09/98 -0700, Ned Freed wrote:
>> > I personally favor a message/rfc822 parameter, but I can also see a
case for
>> > putting it elsewhere. What do other people think? [...]
>
[...]
>I considered a content-disposition value, but quickly rejected it. My reasons
>include:
>
>(1) This usage is specific to message/rfc822; it doesn't make sense on other
>    content types. Dispositions are supposed to apply regardless of type, and
>    definitely shouldn't be highly type-specific.
>(2) Applications may want to specify a disposition for a message independent
>    of security handling. This results in the one field being used for two
>    things.
>(3) This isn't a disposition per se; it is structural handling information.

I agree -- especially your reason 3 which I realized after my earlier posting.

But, I think there is still a question whether this "structural handling"
information is specific to *just* RFC822.  The premise of my suggestion was
that the structural handling was more widely applicable.  I am toying with
a view that the handling may be appropriate to 'message/...' types in general.

A recent discusion I had concerned the actual handling differences between
'application/...' and 'message/...' (with reference in part to proposing
'application/MIME' vs 'message/MIME').  One view was that 'message/...'
indicates handling that is expected to be performed by a message handling
agent, where 'application/...' suggests some external program;  this seems
to be consistent with the idea that MIME content-types are used for
dispatching to a handling module or application.

I feel I may be going over some old ground here, and don't wish to restart
an old debate, but I would be interested in your view.

#g

------------
Graham Klyne
(GK@ACM.ORG)



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id JAA28381 for ietf-smime-bks; Tue, 22 Sep 1998 09:32:25 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id JAA28367; Tue, 22 Sep 1998 09:30:29 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J234TFD88G91VY4C@INNOSOFT.COM>; Tue, 22 Sep 1998 09:36:43 PDT
Date: Tue, 22 Sep 1998 09:32:09 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Tue, 22 Sep 1998 11:13:53 +0100" <3.0.32.19980922110630.00a27400@pop.dial.pipex.com>
To: Graham Klyne <GK@Dial.pipex.com>
Cc: Ned Freed <Ned.Freed@innosoft.com>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J23P855LJW91VY4C@INNOSOFT.COM>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> > I personally favor a message/rfc822 parameter, but I can also see a case for
> > putting it elsewhere. What do other people think? If there seems to be
> > consensus that this needs to be on message/rfc822, I'd be happy to write
> > a short draft defining such a parameter.

> It sounds as if this might be a role for content-disposition.  In a
> non-RFC822 environment, one might wish to apply the "promotion" principle
> for content types other than message/rfc822, and to encapsulations other
> than signature/encryption.

I considered a content-disposition value, but quickly rejected it. My reasons
include:

(1) This usage is specific to message/rfc822; it doesn't make sense on other
    content types. Dispositions are supposed to apply regardless of type, and
    definitely shouldn't be highly type-specific.
(2) Applications may want to specify a disposition for a message independent
    of security handling. This results in the one field being used for two
    things.
(3) This isn't a disposition per se; it is structural handling information.

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA23857 for ietf-smime-bks; Tue, 22 Sep 1998 03:08:28 -0700 (PDT)
Received: from monsoon.dial.pipex.net (monsoon.dial.pipex.net [158.43.128.69]) by mail.proper.com (8.8.8/8.8.5) with SMTP id DAA23853 for <ietf-smime@imc.org>; Tue, 22 Sep 1998 03:08:26 -0700 (PDT)
Received: (qmail 22537 invoked from network); 22 Sep 1998 10:14:38 -0000
Received: from userl982.uk.uudial.com (HELO GK) (193.149.77.33) by smtp.dial.pipex.com with SMTP; 22 Sep 1998 10:14:38 -0000
Message-Id: <3.0.32.19980922110630.00a27400@pop.dial.pipex.com>
X-Sender: maiw03@pop.dial.pipex.com (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 22 Sep 1998 11:13:53 +0100
To: Ned Freed <Ned.Freed@innosoft.com>
From: Graham Klyne <GK@Dial.pipex.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 15:47 17/09/98 -0700, Ned Freed wrote:
>> I'd like to see a convention established for interpreting the
>> message/rfc822 type in this way, possibly when accompanied by some
>> other syntax.
>
>I agree that this would be useful functionality -- I've suggested adding
>it several times in the past, but was never able to get much support
>for it.
>
>Its clear that this indicator has to be on the "inside", since you want the
>signature to be able to cover it. This then begs the question of whether
>it should be an attribute of the signature/encryption facility or of the 
>MIME message/rfc822 content.
>
>I personally favor a message/rfc822 parameter, but I can also see a case for
>putting it elsewhere. What do other people think? If there seems to be
>consensus that this needs to be on message/rfc822, I'd be happy to write
>a short draft defining such a parameter.

It sounds as if this might be a role for content-disposition.  In a
non-RFC822 environment, one might wish to apply the "promotion" principle
for content types other than message/rfc822, and to encapsulations other
than signature/encryption.

#g

------------
Graham Klyne
(GK@ACM.ORG)



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA01392 for ietf-smime-bks; Mon, 21 Sep 1998 13:58:00 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA01388 for <ietf-smime@imc.org>; Mon, 21 Sep 1998 13:57:59 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id OAA08769; Mon, 21 Sep 1998 14:03:40 -0700 (PDT)
Message-Id: <199809212103.OAA08769@spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Mon, 21 Sep 1998 16:12:53 -0400
To: "Linn, John" <jlinn@securitydynamics.com>
From: Russ Housley <housley@spyrus.com>
Subject: RE: Proposed CMS security considerations re PKCS #1
Cc: ietf-smime@imc.org
In-Reply-To: <D104150098E6D111B7830000F8D90AE825C930@exna02.securitydyna mics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

John:

Your suggested changes are incorporated....

Russ


At 10:30 AM 9/18/98 -0400, Linn, John wrote:
>Russ:
>
>Thanks for incorporating the material.  This looks generally good; I'd like
>to suggest two clarifications and fix one typo, embedded below:
>
>> ----------
>> From: 	Russ Housley[SMTP:housley@spyrus.com]
>> Sent: 	Thursday, September 17, 1998 1:42 PM
>> To: 	jlinn@securitydynamics.com
>> Cc: 	ietf-smime@imc.org
>> Subject: 	Re: Proposed CMS security considerations re PKCS #1
>> 
>> John:
>> 
>> Thanks for the contribution.  I made a few chanes to make the words flow
>> with
>> the rest of the Security Considerations section.  PLease let me know if I
>> messed anything up in the process.
>> 
>> Russ
>> 
>> 
>> [inserted in CMS Security considerations]
>> 
>> Users of CMS, particularly those employing CMS to support interactive
>> applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to
>> adaptive
>> chosen ciphertext attacks when applied for encryption purposes.
>> Exploitation
>> of this identified vulnerability, revealing the result of a particular RSA
>> decryption, requires access to an oracle which will respond to a large
>> number
>> of ciphertexts (perhaps hundreds of thousands)
>> 
>Suggest replacing "(perhaps hundreds of thousands)" with "(based on
>currently available results, hundreds of thousands or more)".
>
>> , which are constructed
>> adaptively in response to previously-received replies providing
>> information on
>> the results 
>> 
>Consistent with the second paragraph, I suggest changing "the results" to
>"the successes or failures"; sorry for not already having framed this
>sentence in this fashion. 
>
>> of attempted decryption operations.  As a result, the attack
>> appears significantly less feasible to perpetrate for store-and-forward
>> S/MIME
>> environments than for directly interactive protocols.  Where CMS
>> constructs
>> are
>> applied as an intermediate encryption layer within an interactive
>> request-response communications environment, exploitation could be more
>> feasible.
>> 
>> An updated version of PKCS #1 has been published as an Internet-Draft, and
>> the
>> new document is targeted to become PKCS #1 Version 2.0 and to succeed RFC
>> 2313.  To resolve the adaptive chosen ciphertext vulnerability, the new
>> document specifies and recommends use of Optimal Asymmetric Encryption
>> Padding
>> (OAEP) when RSA encryption is applied to provide secrecy.  Designers of
>> protocols and systems employing CMS for interactive environments should
>> either
>> consider usage of OAEP, or should ensure that information which could
>> reveal
>> the success or failure of attempted PKCS #1 decryption operations
>> in not
>> 
>Typo: "in not" -> "is not".
>
>> provided.  Support for OAEP may be added to a future version of the CMS
>> specification once the PKCS#1 Version 2.0 is stable.
>> 
>--jl
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA23384 for ietf-smime-bks; Fri, 18 Sep 1998 10:14:40 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA23380 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 10:14:38 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id NAA07246 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 13:24:12 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id NAA23488; Fri, 18 Sep 1998 13:22:45 -0400
Date: Fri, 18 Sep 1998 13:22:45 -0400
Message-Id: <199809181722.NAA23488@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: 8/26/98 S/MIME WG Minutes
Sender: owner-ietf-smime@imc.org
Precedence: bulk

All,

This message includes the minutes of the IETF S/MIME Working Group (WG)
meeting held on 26 August 1998 in Chicago, IL.  These minutes have been
coordinated with the briefing presenters.  All briefing slides are stored
at: ftp://ftp.ietf.org/ietf/smime/.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Introductions - Russ Housley
 
Russ reviewed the agenda.  Nobody objected to the agenda.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MSG Draft Discussion - Blake Ramsdell

Blake stated that the 6 Aug 98 S/MIME v3 Message Specification (MSG)
Internet Draft (I-D) includes the comments submitted to the S/MIME WG mail
list.  He  stated that the application/MIME text was deleted from MSG and
the X.509 references were changed to PKIX references.  When asked if there
were any other comments to the MSG I-D, the room was silent.  When asked how
many people had read the MSG I-D, not many in the room raised their hands.
Blake stated that the MSG I-D has been submitted for last call within the
S/MIME WG and that there are no other changes planned for the MSG I-D. 
 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERT Draft Discussion - Blake Ramsdell

Blake stated that the 6 Aug 98 S/MIME v3 Certificate Handling (CERT) I-D
includes the comments submitted to the S/MIME WG mail list.  He stated that
the CERT I-D has been submitted for last call within the S/MIME WG.  When
asked how many people had read the CERT I-D, not many in the room raised
their hands.  Blake stated that the X.509 references were changed to PKIX
references.  There was a comment from an attendee that Section 3.2 "Required
Name Attributes" should be deleted because it is redundant to the PKIX X.509
Certificate and CRL Profile (PKIX Part I).  Nobody objected to this change.
There was a comment from an attendee who was concerned that certificates
included in S/MIME messages may divulge sensitive information.  The
consensus of the attendees was that this is a matter to be solved by the
policy of the local organization of the user who is releasing the S/MIME
message.  The group decided that no change is required in the S/MIME I-Ds
regarding this issue.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ESS Draft Discussion - Paul Hoffman

Paul stated that the 5 Aug 98 Enhanced Security Services for SMIME (ESS) I-D
has been submitted for last call within the S/MIME WG.  When asked how many
people had read the ESS I-D, not many in the room raised their hands.  Paul
stated that the EntityIdentifier syntax needs to be added to the ESS I-D
ASN.1 module as noted on the S/MIME WG mail list.  He stated that the S/MIME
ASN.1 modules need to be compiled by various ASN.1 toolkits to determine if
there are any other discrepancies.  Van Dyke and Associates (VDA)
volunteered to compile the ESS and CMS I-D ASN.1 modules using the SNACC
ASN.1 compiler, but others were urged to check the ASN.1 with their own
compilers as well.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CMS Draft Discussion - Russ Housley

Russ presented briefing slides (see ftp://ftp.ietf.org/ietf/smime/)
regarding the open issues related to the June 98 Cryptographic Message
Syntax (CMS) I-D.  Russ stated that the ESS, CERT and MSG I-Ds are dependent
on the CMS I-D; therefore, those I-Ds will not complete WG Last Call until
the CMS I-D completes WG Last Call.  When CMS enters WG Last Call, then all
of the I-Ds will be final after the two-week last call period is complete.
In summary, the WG last call period will simultaneously close for the CMS,
ESS, CERT and MSG I-Ds. 


Slide #1: CMS Document Status:  All CMS sections are complete except for
Section 12 that will document the mandatory algorithms and some optional
algorithms.  The comments received on the mail list have been incorporated
into a CMS draft that has not yet been released to the WG.  A draft of
Section 12 was discussed on the mail list.  The most recent draft is
included in the 22 July message, subject: "CMS Section 12, take 3".  The
completion of Section 12 depends on the Diffie-Hellman (D-H) Key Agreement
Method I-D <draft-ietf-smime-x942-00.txt>.


Slide #2: Message Digest Algorithms: 

SHA-1 is mandatory to implement.  The AlgorithmIdentifier syntax includes an
optional parameters field.  There was some debate regarding whether the
parameters field should be absent or set to an ASN.1 NULL (05 00 hex) when
the SHA-1 OID is populated in the AlgorithmIdentifier syntax.  Eric Rescorla
and Blake pointed out that current implementations encode the field as an
ASN.1 NULL.  The attendees decided that the CMS I-D will state that the
parameters must be encoded as an ASN.1 NULL, but that CMS implementations
should be able to accept either an ASN.1 NULL or absent parameters.  This is
required for compatibility with S/MIME v2.     

MD5 is optional to implement.  The attendees decided that the CMS I-D will
state that the parameters must be encoded as an ASN.1 NULL when the MD5 OID
is populated in the AlgorithmIdentifier syntax.  This is required for
compatibility with S/MIME v2.     


Slide #3: Signature Algorithms:  

DSA-with-SHA1 is mandatory to implement.  The attendees decided that the CMS
I-D will state that the parameters must be absent (not ASN.1 NULL).  This is
required for consistency with PKIX Part I.

RSA-with-SHA1 and RSA-with-MD5 are optional to implement.  With both of
these combinations, the rsaEncryption OID must be used in the signedData
signerInfo signatureAlgorithm.  The digesting algorithm is indicated in the
signedData signerInfo digestAlgorithm.  The attendees decided that the CMS
I-D will state that the parameters must be encoded as an ASN.1 NULL when the
rsaEncryption OID is populated in the AlgorithmIdentifier syntax.  This is
required for compatibility with S/MIME v2.     


Slide #4: Key Management (KM) Algorithms: 

The group discussed which KM algorithms and key encryption algorithms should
be documented in CMS.  The attendees decided that the most important
algorithms to cover are the mandatory-to-implement algorithms.  The
attendees agreed that optional algorithms not already covered in CMS can be
documented in separate I-Ds. 

The proposed Section 12 text states that static D-H (as specified in the D-H
I-D) will be mandatory to implement.  CMS will document how static D-H can
be used to generate a key-encryption key (KEK) for use with Triple DES.  It
will also document how static D-H can be used to generate a KEK for use with
RC2. 

When obtaining the bits of the KEK, the minimal number of bits needed to
form the KEK must be used (a.k.a. key reduction).  There is an open issue
regarding how the minimal number of bits is obtained for RC2.  The group
decided that this issue will be debated on the list.

The group decided that CMS should not discuss the use of D-H to generate
keys for DES.  

The group decided that CMS should specify that at least 512 modulus should
be used.

An attendee asked about key recovery.  Russ stated that this issue has been
thoroughly discussed on the mail list and that discussion identified at
least three ways to implement key recovery without specifying a specific
strategy in CMS. 


Slide #5: Key Management (KM) Algorithms 2:  Mail List Key (MLK) encryption
is optional to implement.  CMS will discuss the use of Triple-DES and RC2 to
be used for MLK purposes.


Slide #6: Key Wrapping Algorithm:  CMS will document a single
mandatory-to-implement key wrapping strategy to be used with key agreement
and MLK (but not key transport).  Jim Schaad asked if an OID should be
defined to identify the wrapping algorithm.  Russ answered that the X9.42
D-H OID used in conjunction with CMS implies the wrapping algorithm.  John
Pawling pointed out that Sec 12.4, 3rd paragraph states: "Triple-DES may be
an exception here; the same identifier is used for both 2-key and 3-key
Triple DES.  This is probably easily handled by always wrapping three keys,
even if the first and third keys match."  John stated that these issues need
to be resolved to avoid interoperability problems. 

Slide #7: Content Encryption Algorithms:  Triple-DES in CBC mode is the
mandatory-to-implement algorithm.  The DES-EDE3-CBC OID will be used.   The
group decided that DES will not be documented in CMS. 


Slide #8: Content Encryption Algorithms 2: The group decided that CMS will
document RC2 in CBC mode as a "should" to implement (rather than "may").
The RC2-CBC OID will be used.

Slide #9: Message Authentication Code (MAC) Algorithms:  The group decided
by a clear majority that HMAC-with-SHA1 will be the mandatory-to-implement
algorithm.  The wording in CMS will be: "If authenticatedData is
implemented, then HMAC-with-SHA1 must be implemented."  The group also
decided that DES MAC will not be included in CMS as an optional algorithm.

Slide #10: Way Forward:  When Section 12 is completed, then CMS will be
ready for last call.  Russ asked if there were any other issues.

1) Denis Pinkas asked if there was a way to verify the "correctness" of a
CMS message.  Dennis considers signature generation time to be a critical
factor in determining whether or not that signature is valid.  If the
signing key is revoked, then the signing time would indicate if the message
signed before or after the revocation date.  John Pawling pointed out that
the MSG I-D already states that the signingTime attribute should always be
included in signed messages.  The attendees agreed that wording was sufficient.

2) Denis also was concerned that the serial number in the signer's cert is
not covered by the signedData signerInfo signature, so a different cert
could be substituted for the signer's cert.  Russ stated that the SIGATTR
I-D addresses this issue.

3) Doug Maughn asked about the processing requirements for generating a
countersignature.  It was proposed on the list that the generator of a
countersignature must validate the original signature before generating the
countersignature.  Russ has included that proposal in the CMS draft that he
has not yet published.  He stated that "validate" means verify the signature
value of the CMS signedData, not necessarily validate the signer's cert path.

4) John Linn proposed that text should be added to the Security
Considerations section regarding the use of PKCS #1 v2.  The group agreed
that this was a good idea.  John Linn agreed to provide the text for the
Security Considerations section of CMS.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

X9.42 Draft Discussion - Russ Housley

The D-H Key Agreement Method I-D (a.k.a. D-H I-D) is required before CMS can
progress to WG Last Call.  After the D-H I-D was published to the list, Russ
asked if there were any patents that applied to the D-H variant documented
in the I-D.  Certicom announced on the list that they have applied for a
patent that covers the variant of the D-H algorithm specified in the D-H
I-D.  He proposed two alternatives: 1) CMS and D-H I-Ds could continue to
mandate the current D-H variant; or 2) WG could pursue a different D-H
variant as the mandatory-to-implement KM algorithm to avoid the delay
associated with working out the licensing agreement with Certicom.

Russ presented a slide describing another variant.  The variant currently
documented in D-H I-D is called Static-Static (S-S) D-H.  With S-S D-H, the
originator has a static key and the recipient has a static key both of which
are contained in certificates.  The alternative is called Ephemeral-Static
(E-S) D-H.  With E-S D-H, the recipient has a static key contained in a
certificate, but the originator generates an ephemeral key not contained
within a certificate.  Russ stated that the E-S D-H would need to be
documented and then distributed to determine if there are any patents or
pending patents that apply to the E-S D-H variant.  He stated that the E-S
D-H has some of the same properties as the Open PGP D-H strategy, but not
identical.  Paul Hoffman noted that there have been no patent statements
made regarding the Open PGP D-H strategy. 

Russ presented the following info:

          S-S D-H              |         E-S D-H
-------------------------------|--------------------------------
Pending patent                 | No patents (?)
1 exponentiation per recipient | 2 exponentiations per recipient
Data origin authentication     | No authentication
Shorter certificate            | Longer certificate (p,q,g) 
			       | (about 200 bytes longer)
Originator cert in message     | Originator cert not in message
Common p,q,g parameters        | Use recipient's p,q,g values

The question was asked if q is really required to be transmitted in the CMS
heading.  Russ stated that q should be included so that the existing X9.42
ASN.1 syntax for the p,q,g parameters can be used.  Also, the q value can be
used to validate the p and g values.    

Darren Harter pointed out that there is another option in which the
originator would produce a self-signed E-S D-H cert and include it in the
message.

Tim Dierks from Consensus Development Corporation/Certicom spoke regarding
Certicom's pending patent that they believe covers the X9.42 D-H variant.
Tim stated that Certicom is willing to issue a royalty-free license to
S/MIME and PKIX vendors to use the technology covered by their pending
patent. Tim stated that any applicant must divulge their own patents and
pending patents that would block the implementation of the mandatory
requirements of PKIX or CMS.  Tim stated that Certicom will require that the
applicant issue a royalty-free license to Certicom covering the applicant's
patented technology.   Tim stated that Certicom intends to gain revenue for
use of the technology in "non-S/MIME" cases.

Eric Rescorla pointed out that the S/MIME WG's acceptance of this option
would limit future vendor's options.  He also pointed out that CMS is used
in applications other than S/MIME, so the Certicom's offer does not benefit
all users of CMS.

Paul pointed out that there is not an official definition of "S/MIME", so
the limitation to issue licenses to "S/MIME" vendors is problematic.  Paul
also pointed out that there will probably be future versions of the S/MIME
specifications.  Paul reiterated Eric's statement that CMS is used in
applications other than S/MIME.

Jeff Schiller, the IETF Security Are Co-Director, expressed his desire to
avoid a situation in which licenses must be obtained to implement
mandatory-to-implement features.  He was concerned with the restrictions
placed by Certicom's proposal regarding how CMS is to be used.  Jeff stated
that he had difficulty with the "S/MIME" limitation included in Certicom's
offer because not all CMS implementers would be able to obtain the
royalty-free license.  Jeff stated that he liked the E-S D-H option better
than the S-S D-H option due to technical reasons in addition to the patent
issues.  Jeff stated that he has found that the two exponentiations required
to be calculated for each recipient in the E-S D-H option is acceptable as
far as performance is concerned.

John Pawling pointed out that some vendors are implementing CMS/ESS security
libraries that could be used by "S/MIME" or "non-S/MIME" applications, so
this further complicates the issue.  He pointed out that the E-S option
eliminates the need to validate the originator's KM cert, so a significant
time saving is achieved.  He recommended that the WG should pursue both the
E-S D-H and S-S D-H options in parallel.  Several attendees agreed with this
plan.

Dave Solo pointed out that some environments consist of an "S/MIME"
application on one end of a transaction and a "non-S/MIME" application on
the other end.  Dave also asked if there was an issue with using the E-S D-H
option with forming a pairwise key with yourself.  Russ stated that that
there will not be a problem with that operation.

Tim stated that he would obtain more info from Certicom.  Later in the
meeting after talking with Certicom via telephone, Tim stated that Certicom
agreed to provide royalty-free licenses for all uses of CMS, not just for
use in "S/MIME" applications.  Tim stated that the license would also cover
the use of S-S D-H in future versions of the CMS and PKIX specifications
(not just S/MIME v3). 


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SIGATTR Draft Discussion - Jim Schaad

Jim used slides for his two presentations.  Jim stated that the 2 July 98
Signing Certificate Attribute Specification (SIGATTR) I-D has been submitted
to the S/MIME WG mail list.  Jim stated that he would incorporate the
comment regarding replacing the IssuerAndSerialNumber field with
IssuerSerial so that Attribute Certificates can be identified.

There was some debate regarding whether the CertID certHash value should be
changed so that it is optional.

Jim asked if the attendees believe that the SIGATTR text should be
incorporated into CMS as a "MAY implement" option.

Paul agreed that the Signing Certificate Attribute should be included as a
"MAY implement" option in CMS.   

Dave Solo stated that he would like an enhancement to be made to the Signing
Certificate Attribute syntax to allow the identification of the complete
cert path of the signer (not just signer's cert).  This enhancement is
required so that the recipient can determine the context of the signer's
signature by examining the cert path of the signer's cert.  This issue
requires further debate on the list.

It was agreed that the SIGATTR text would not be incorporated into CMS until
all issues are resolved.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERTDIST Draft Discussion - Jim Schaad

Jim stated that the 6 July 98 Certificate Distribution (CERTDIST) I-D has
been submitted to the S/MIME WG mail list.  Jim stated that the open issues
identified include:

1) Lack of content within the published message.  He considers this one
closed and that there will not be a content.  

2) Ability of CA and RA to publishing information on behalf of the user.
Through discussion with others, he has determined that the best solution
requires an extension in the RA's cert.  Issue: Is this overly broad for CAs
to issue?  Jim's current position is that only users can create these messages. 

Issue:  Is the fact that any parent CA could issue this and the fact that a
new Extension is required a problem.  Jim's current position is that the
risks out-weigh the benefits and that only users can create these messages.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DOMSEC Draft Discussion - Bill Ottaway

Bill stated that the 15 July 98 Domain Security Services using S/MIME
(DOMSEC) I-D has been submitted to the S/MIME WG mail list.  When asked how
many people had read the DOMSEC I-D, many in the room raised their hands.
Bill presented the briefing slides stored on ftp://ftp.ietf.org/ietf/smime/.
These slides presented the basic points made in the DOMSEC I-D.  There were
no significant issues raised.  The question was asked from the floor (by
Paul Hoffman) as to the future plans for the document.  Bill said he was
happy to allow the working group to make that decision.  Paul said that the
DOMSEC I-D contained protocol, so it could not be progressed as an
informational document.  Chris Bonatti suggested that the protocol could be
moved into CMS, allowing the document to become informational.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Revocation Info in CMS - Paul Hoffman

Paul proposed that the message originator should be able to include non-CRL
revocation status information in the CMS heading "in case the recipient of
the message cannot (or does not want to) get the status information when
validating the signature, such as if the recipient is not online and no
usable CRLs were included in the SignedData."  For example, an OCSP response
could be included in the CMS heading.  This could be done via a new
attribute or by enhancing the CMS CRL list syntax.  This proposal requires
further debate on the list. 


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Wrap Up - Russ Housley

Russ asked for a straw poll of the attendees regarding which options the WG
should continue to pursue regarding the "mandatory-to-implement" KM issue.
The results are as follows:

1) Pursue S-S D-H option: about 20 hands raised

2) Pursue E-S D-H option: about 50 hands raised

3) Pursue self-signed E-S- D-H option: 0 hands raised

Based on this straw poll, options 1 and 2 will be pursued in parallel.  Russ
will investigate whether there are any patent issues with the E-S D-H
option.    Russ asked Tim Dierks to post further info regarding the Certicom
license offer.

======================================================
John Pawling                         jsp@jgvandyke.com

J.G. Van Dyke & Associates, Inc.     www.jgvandyke.com       
======================================================




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA22628 for ietf-smime-bks; Fri, 18 Sep 1998 08:49:27 -0700 (PDT)
Received: from rembrandt.esys.ca (0@rembrandt.esys.ca [198.161.92.18]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA22624; Fri, 18 Sep 1998 08:49:25 -0700 (PDT)
Received: from gallileo.esys.ca (gallileo.esys.ca [198.161.92.85]) by rembrandt.esys.ca (2.0.4/SMS 2.0.4) with ESMTP id JAA24473; Fri, 18 Sep 1998 09:55:26 -0600
From: Steve Hole <steve@esys.ca>
Date: Fri, 18 Sep 1998 09:55:19 -0600
To: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
In-Reply-To: <01J1X2W43N0691VY4C@INNOSOFT.COM>
References: <01J1X2W43N0691VY4C@INNOSOFT.COM> "Your message dated Thu, 17 Sep 1998 12:14:46 -0700" <199809171914.MAA01954@hal.sb.rain.org>
Message-ID: <SIMEON.980918095519.E@gallileo.esys.ca>
X-Mailer: Simeon for Win32 Version Mercury a8+ Build (13)
MIME-Version: 1.0
Content-Type: Multipart/signed; BOUNDARY=Part9809180955.F; protocol="application/pgp-signature"; micalg=pgp-sha1
Sender: owner-ietf-smime@imc.org
Precedence: bulk

--Part9809180955.F
Content-Type: Text/PLAIN; CHARSET=US-ASCII


On Thu, 17 Sep 1998 15:47:36 -0700 (PDT) Ned Freed <Ned.Freed@innosoft.com>
wrote:

> I personally favor a message/rfc822 parameter, but I can also see a case for
> putting it elsewhere. What do other people think? If there seems to be
> consensus that this needs to be on message/rfc822, I'd be happy to write
> a short draft defining such a parameter.

So do I.   There are some reasonably complex interplays between cached and 
displayed structures in the presence of security - especially in an IMAP4 mail 
client.   Clients that cache MIME structures will often do things like cache
overlays for security multiparts so that their UI code doesn't have to know
anything about security -- that is all handled at the MIME abstraction level.
Also there has been discussion many times in the past of having "proxy 
security handling" for IMAP servers where the IMAP server handles decoding
encrypted messages on behalf of the client and sending the decoded content
over an encrypted data connection to the client.   Note that this is not a 
real situation now, but there are lots of reasons for people to want this 
behaviour in the future and it continues to be discussed.

The message/rfc822 solution would work transparently in the cases described 
above.   If the parameter is attached to the security multiparts then it is
possible that it will be occluded or lost by an MUA in the act of removing 
the security.   Putting it at the message/rfc822 level means that it will
always be exposed to UI code and the UI can decide how to "cook" the display
to show the right thing. 

Cheers. 

---  
Steve Hole                           
The Esys Corporation
Mailto:Steve.Hole@esys.ca  
Phone:403-424-4922

--Part9809180955.F
Content-Type: Application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.1.1 (C) 1997 Pretty Good Privacy, Inc. (Diffie-Helman/DSS-only version)

iQA/AwUBNgKCa9i5Jj9Fn5KMEQL9TQCeMIoS1oWmLI78DdHpMmI7RwP4XfAAn0XW
R/tXWkOISSxo7q9czbLITPPZ
=gcCK
-----END PGP SIGNATURE-----

--Part9809180955.F--


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA22114 for ietf-smime-bks; Fri, 18 Sep 1998 07:51:27 -0700 (PDT)
Received: from ns0.eris.dera.gov.uk (ns0.eris.dera.gov.uk [128.98.1.1]) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA22108 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 07:51:26 -0700 (PDT)
Received: (qmail 4218 invoked from network); 18 Sep 1998 14:57:25 -0000
Received: from unknown (HELO mail-relay.eris.dera.gov.uk) (128.98.2.7) by ns0.eris.dera.gov.uk with SMTP; 18 Sep 1998 14:57:25 -0000
Received: (qmail 18570 invoked from network); 18 Sep 1998 14:57:20 -0000
Received: from tdean.eris.dera.gov.uk (HELO tdean) (128.98.10.5) by mail-relay.eris.dera.gov.uk with SMTP; 18 Sep 1998 14:57:20 -0000
Received: by localhost with Microsoft MAPI; Fri, 18 Sep 1998 15:48:41 +0100
Message-ID: <01BDE31B.CF4FFD70.t.dean@eris.dera.gov.uk>
From: Tim Dean <t.dean@eris.dera.gov.uk>
Reply-To: "t.dean@eris.dera.gov.uk" <t.dean@eris.dera.gov.uk>
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>, "'Russ Housley'" <housley@spyrus.com>
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: RE: Countersignature Attribute
Date: Fri, 18 Sep 1998 15:48:40 +0100
Organization: DERA
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Steve et al,

>Maybe something more explicit could be included? For example an
>additional signed attribute in the countersignature to indicate that the
>original content had been examined?

You are right: the decision of whether or not to check signatures on 
countersigning obviously depends on the reason for adding the countersignature. 
 Therefore, I support your suggestion.  One possibility would be to move the 
signature type attribute definition from draft-ietf-smime-domsec-00.txt into 
CMS.  Some additional text would be needed in CMS which says that for each 
value of this attribute, it must be stated whether or not the original 
signature was checked.

Thoughts?

____________________________________
Tim Dean
DERA
E-mail: t.dean@eris.dera.gov.uk
Web: http://www.dera.gov.uk/
____________________________________


----------
From: 	Russ Housley[SMTP:housley@spyrus.com]
Sent: 	Friday, September 18, 1998 1:32 AM
To: 	Dr Stephen Henson
Cc: 	ietf-smime@imc.org
Subject: 	Re: Countersignature Attribute

Steve:

How do you know that the signature value being counter-signed has anything
to do with the content if you skip this step?

I agree that the signer cert path does not need to be validated to ensure
that the appropraite binding...

Russ

At 10:55 PM 9/15/98 +0100, Dr Stephen Henson wrote:
>Russ Housley wrote:
>>
>>      The fact that a countersignature is computed on a signature value
>>      means that the countersigning process need not know the original
>>      content input to the signing process.  This might have efficiency
>>      advantages, but it also has security disadvantages.  Therefore,
>>      countersigners must validate the signature value prior to signing
>>      it.  This validation requires processing of the original content.
>>
>
>I respectfully disagree that it should be made mandatory for a
>countersigner to process the original content. IMHO it should depend on
>the purpose of the countersignature which is itself related to the
>policy of the signing authority.
>
>In particular take the example of a trusted timestamp. The purpose of
>such a countersignature is simply to state that a a given signature
>existed at a given time. It says absolutely nothing about the content
>being signed. It has a definite and valuable purpose for nonrepudiation.
>
>It can for example show that a document was signed during the validity
>period of the signer's certificate and is thus useful fot archiving
>purposes and others related to software publishing.
>
>In for example a large and confidential document a client would simply
>pass its digital signature to the timestamper. If the content needs to
>be analysed then large amounts of possibly confidential data would need
>to be passed to the timestamper. This is undesirable both in terms of
>security and increased load on the countersigner.
>
>Of course if the countersignature is to have some additional value then
>having access to the content does become important.
>
>Steve.
>--
>Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
>For info see homepage at http://www.drh-consultancy.demon.co.uk/
>Email: shenson@drh-consultancy.demon.co.uk
>PGP key: via homepage.
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA21942 for ietf-smime-bks; Fri, 18 Sep 1998 07:23:18 -0700 (PDT)
Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA21938 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 07:23:17 -0700 (PDT)
Received: from mail.securitydynamics.com by tholian.securitydynamics.com via smtpd (for imc.org [206.184.129.134]) with SMTP; 18 Sep 1998 14:28:38 UT
Received: by securitydynamics.com (8.7.6/8.7.3) with ESMTP id KAA25882; Fri, 18 Sep 1998 10:34:25 -0400 (EDT)
Received: by exna01.securitydynamics.com with Internet Mail Service (5.0.1460.8) id <RT690ZS6>; Fri, 18 Sep 1998 10:32:30 -0400
Message-ID: <D104150098E6D111B7830000F8D90AE825C930@exna02.securitydynamics.com>
From: "Linn, John" <jlinn@securitydynamics.com>
To: "Linn, John" <jlinn@securitydynamics.com>, "'Russ Housley'" <housley@spyrus.com>
Cc: ietf-smime@imc.org
Subject: RE: Proposed CMS security considerations re PKCS #1
Date: Fri, 18 Sep 1998 10:30:10 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1460.8)
Content-Type: text/plain
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ:

Thanks for incorporating the material.  This looks generally good; I'd like
to suggest two clarifications and fix one typo, embedded below:

> ----------
> From: 	Russ Housley[SMTP:housley@spyrus.com]
> Sent: 	Thursday, September 17, 1998 1:42 PM
> To: 	jlinn@securitydynamics.com
> Cc: 	ietf-smime@imc.org
> Subject: 	Re: Proposed CMS security considerations re PKCS #1
> 
> John:
> 
> Thanks for the contribution.  I made a few chanes to make the words flow
> with
> the rest of the Security Considerations section.  PLease let me know if I
> messed anything up in the process.
> 
> Russ
> 
> 
> [inserted in CMS Security considerations]
> 
> Users of CMS, particularly those employing CMS to support interactive
> applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to
> adaptive
> chosen ciphertext attacks when applied for encryption purposes.
> Exploitation
> of this identified vulnerability, revealing the result of a particular RSA
> decryption, requires access to an oracle which will respond to a large
> number
> of ciphertexts (perhaps hundreds of thousands)
> 
Suggest replacing "(perhaps hundreds of thousands)" with "(based on
currently available results, hundreds of thousands or more)".

> , which are constructed
> adaptively in response to previously-received replies providing
> information on
> the results 
> 
Consistent with the second paragraph, I suggest changing "the results" to
"the successes or failures"; sorry for not already having framed this
sentence in this fashion. 

> of attempted decryption operations.  As a result, the attack
> appears significantly less feasible to perpetrate for store-and-forward
> S/MIME
> environments than for directly interactive protocols.  Where CMS
> constructs
> are
> applied as an intermediate encryption layer within an interactive
> request-response communications environment, exploitation could be more
> feasible.
> 
> An updated version of PKCS #1 has been published as an Internet-Draft, and
> the
> new document is targeted to become PKCS #1 Version 2.0 and to succeed RFC
> 2313.  To resolve the adaptive chosen ciphertext vulnerability, the new
> document specifies and recommends use of Optimal Asymmetric Encryption
> Padding
> (OAEP) when RSA encryption is applied to provide secrecy.  Designers of
> protocols and systems employing CMS for interactive environments should
> either
> consider usage of OAEP, or should ensure that information which could
> reveal
> the success or failure of attempted PKCS #1 decryption operations
> in not
> 
Typo: "in not" -> "is not".

> provided.  Support for OAEP may be added to a future version of the CMS
> specification once the PKCS#1 Version 2.0 is stable.
> 
--jl



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA21632 for ietf-smime-bks; Fri, 18 Sep 1998 06:33:48 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA21628 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 06:33:47 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id GAA13183; Fri, 18 Sep 1998 06:39:14 -0700 (PDT)
Message-Id: <4.1.0.52.19980917134006.009a37e0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Thu, 17 Sep 1998 13:42:55 -0400
To: jlinn@securitydynamics.com
From: Russ Housley <housley@spyrus.com>
Subject: Re: Proposed CMS security considerations re PKCS #1
Cc: ietf-smime@imc.org
In-Reply-To: <D104150098E6D111B7830000F8D90AE825C8F8@exna02.securitydyna mics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

John:

Thanks for the contribution.  I made a few chanes to make the words flow with
the rest of the Security Considerations section.  PLease let me know if I
messed anything up in the process.

Russ


[inserted in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 [RFC 2313] is vulnerable to
adaptive
chosen ciphertext attacks when applied for encryption purposes.  Exploitation
of this identified vulnerability, revealing the result of a particular RSA
decryption, requires access to an oracle which will respond to a large number
of ciphertexts (perhaps hundreds of thousands), which are constructed
adaptively in response to previously-received replies providing information on
the results of attempted decryption operations.  As a result, the attack
appears significantly less feasible to perpetrate for store-and-forward S/MIME
environments than for directly interactive protocols.  Where CMS constructs
are
applied as an intermediate encryption layer within an interactive
request-response communications environment, exploitation could be more
feasible.

An updated version of PKCS #1 has been published as an Internet-Draft, and the
new document is targeted to become PKCS #1 Version 2.0 and to succeed RFC
2313.  To resolve the adaptive chosen ciphertext vulnerability, the new
document specifies and recommends use of Optimal Asymmetric Encryption Padding
(OAEP) when RSA encryption is applied to provide secrecy.  Designers of
protocols and systems employing CMS for interactive environments should either
consider usage of OAEP, or should ensure that information which could reveal
the success or failure of attempted PKCS #1 decryption operations in not
provided.  Support for OAEP may be added to a future version of the CMS
specification once the PKCS#1 Version 2.0 is stable.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA21624 for ietf-smime-bks; Fri, 18 Sep 1998 06:33:44 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA21620 for <ietf-smime@imc.org>; Fri, 18 Sep 1998 06:33:43 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id GAA13179; Fri, 18 Sep 1998 06:39:10 -0700 (PDT)
Message-Id: <4.1.0.52.19980917125908.009d41a0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Thu, 17 Sep 1998 13:01:28 -0400
To: pgut001@cs.aucKland.ac.nz
From: Russ Housley <housley@spyrus.com>
Subject: Re: ASN.1-SIZE floating
Cc: ietf-smime@imc.org
In-Reply-To: <90589616615256@cs26.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Peter:

I would like to support multiple name forms.  RFC 822 Addresses and X.500
Distinguished names both have uses.

I can agree to limiting to maximun number of GeneralNames in the sequence
to some small number, but not one.  Perhaps eight is a reasonable number.

Russ


At 09:49 AM 9/16/98 +0000, Peter Gutmann wrote:
>jsp@jgvandyke.com (John Pawling) writes:
> 
>>MLReceiptPolicy ::= CHOICE {
>>  none [0] NULL,
>>  insteadOf [1] SEQUENCE SIZE (1..64) OF GeneralNames,
>>  inAdditionTo [2] SEQUENCE SIZE (1..64) OF GeneralNames }
> 
>Since GeneralNames is already a SEQUENCE SIZE (1...someone-elses-MAX) OF 
>GeneralName, shouldn't these fields be GeneralName (without the 's')?  
>Alternatively, just use GeneralNames (without the SEQUENCE OF), since it's 
>already defined elsewhere.  This problem (using GeneralNames instead of 
>GeneralName) occurs in various other places as well...
> 
>While I'm commenting on MLReceiptPolicy, the tagging on the NULL isn't 
>necessary, since it's distinct from the two SEQUENCEs - all you need is [0] 
>and [1] to distinguish the SEQUENCEs.
> 
>Peter.
> 
>


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA21160 for ietf-smime-bks; Fri, 18 Sep 1998 05:20:45 -0700 (PDT)
Received: from internal.mail.demon.net (internal.mail.demon.net [193.195.224.3]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA21154; Fri, 18 Sep 1998 05:20:41 -0700 (PDT)
Received: from pillar.turnpike.com (pillar.turnpike.com [194.70.55.2]) by internal.mail.demon.net with SMTP id NAA17018; Fri, 18 Sep 1998 13:26:37 +0100 (BST)
Message-ID: <e+dmZGAiDlA2IA45@turnpike.com>
Date: Fri, 18 Sep 1998 13:24:02 +0100
To: ietf-open-pgp@imc.org, ietf-smime@imc.org
From: Ian Bell <ianbell@turnpike.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
References: <hmnp$QAJ5NA2IA$d@turnpike.com> <01J1WTASZMX291VY4C@INNOSOFT.COM>
In-Reply-To: <01J1WTASZMX291VY4C@INNOSOFT.COM>
MIME-Version: 1.0
X-Mailer: Turnpike (32) Version 4.00  <U2yaxlNz9mbtXQDcM+J3SutElj>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

In article <01J1WTASZMX291VY4C@INNOSOFT.COM>, Ned Freed
<Ned.Freed@innosoft.com> writes
>> (Apologies if this has been done to death in the past - I can imagine
>> Ned sighing about protracted discussions prior to RFC1847 - but I
>> couldn't find any discussion in the archives)
>
>> RFC2311 (SMIME) and RFC1847 (upon which PGP/MIME has been based) only
>> allow MIME headers to be protected by the encryption process. Was there
>> any discussion during the preparation of RFC1847 about the possibility /
>> desirability / feasibility of allowing general RFC822 headers to be
>> included in the encrypted part of the message?
>
>There were extensive discussions of this. I probably have several hundred
>messages archived on this topic, and there were also WG discussions and several
>private meetings where the design team covered this area exhaustively.
>

Thought as much :-)

>And all these activities are the rule, not the exception. And it is far more
>likely to happen to fields it makes sense to sign, such as subject, to/cc/bcc,
>comments, etc. than to any others.

I was just thinking of encryption, but of course a scheme that covers
signing headers as well as encrypting them is so much the better.

>
>> Could (and should) any replacements for RFC2015 and RFC2311 be amended
>> to allow RFC822 headers to be sent encrypted, and for the decryption
>> process to swap any encrypted headers found with the corresponding
>> headers in the actual message?
>
>There is no need to do this. All you need to do is use MIME encapsulation
>to put the real headers into the body of the message.
>

My problem with that was that the intent of encapsulation would not be
clear. However, putting a parameter on the message/rfc822 to make it
clear seems to solve the problem completely.

Later, you wrote:

>Its clear that this indicator has to be on the "inside", since you want the
>signature to be able to cover it. This then begs the question of whether
>it should be an attribute of the signature/encryption facility or of the 
>MIME message/rfc822 content.

Putting the parameter at the encryption header level announces that
there are hidden headers that will be substituted, though maybe that's
too minor a security breach to worry about.

A parameter at the message/rfc822 header level would in one extension
cover signed, encrypted, encrypted-then-signed and encrypted-and-signed
messages, and would even allow messages to be resent without using
Resent- headers if anyone has a use for that!

>
>-- I've suggested adding
>it several times in the past, but was never able to get much support
>for it.
>

Hopefully this thread will have demonstrated sufficient support.

-- 
Ian Bell                                           T U R N P I K E  Ltd


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA08468 for ietf-smime-bks; Thu, 17 Sep 1998 22:55:57 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA08263; Thu, 17 Sep 1998 22:54:15 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J1WQYUGKK091VY4C@INNOSOFT.COM>; Thu, 17 Sep 1998 22:59:08 PDT
Date: Thu, 17 Sep 1998 22:55:50 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Thu, 17 Sep 1998 17:20:09 -0700" <v04101908b227569e6d17@[129.46.172.254]>
To: "John  W. Noerenberg" <jwn2@qualcomm.com>
Cc: Ned Freed <Ned.Freed@innosoft.com>, Hal Finney <hal@rain.org>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J1XHS9XPOM91VY4C@INNOSOFT.COM>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=us-ascii
References: <199809171914.MAA01954@hal.sb.rain.org> <01J1X2W43N0691VY4C@INNOSOFT.COM>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> > Its clear that this indicator has to be on the "inside", since you want the
> > signature to be able to cover it. This then begs the question of whether
> > it should be an attribute of the signature/encryption facility or of the
> > MIME message/rfc822 content.

> Putting the indicator the header exposes information about the message --
> the decrypted contents of the message is supposed to replace the headers of
> the message.  Keeping it inside doesn't reveal this.

The header indicator would be on the _inner_ header, not the outer one.
This is no more revealing than anything else that's "inside".

> > I personally favor a message/rfc822 parameter, but I can also see a case for
> > putting it elsewhere. What do other people think? If there seems to be
> > consensus that this needs to be on message/rfc822, I'd be happy to write
> > a short draft defining such a parameter.

> Maybe only the truly paranoid care about this, but it does violate a
> security principle.  Putting it inside the ciphertext probably complicates
> the MUA's job, but I don't think it's a particularly daunting complication.

I'm talking about putting it inside the ciphertext (assuming encyption
is used, of course).

Amusingly enough, we've had objections in the past from security experts saying
that putting the MIME labelling of the encrypted content inside the encryption
is a Bad Thing. (Of course this didn't result in any changes.) So much for
agreement in principle ;-)

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA06262 for ietf-smime-bks; Thu, 17 Sep 1998 22:27:53 -0700 (PDT)
Received: from out1.ibm.net (out1.ibm.net [165.87.194.252]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA06256; Thu, 17 Sep 1998 22:27:51 -0700 (PDT)
Received: from anonymous (slip129-37-235-151.ca.us.ibm.net [129.37.235.151]) by out1.ibm.net (8.8.5/8.6.9) with ESMTP id FAA08378; Fri, 18 Sep 1998 05:33:51 GMT
Message-Id: <199809180533.FAA08378@out1.ibm.net>
From: "Tom Phinney" <tom.phinney@ibm.net>
To: <ietf-open-pgp@imc.org>, <ietf-smime@imc.org>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Date: Thu, 17 Sep 1998 22:33:07 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

From: kazu@iijlab.net

> > Could (and should) any replacements for RFC2015 and RFC2311 be
amended
> > to allow RFC822 headers to be sent encrypted, and for the
decryption
> > process to swap any encrypted headers found with the corresponding
> > headers in the actual message?
>
> To my best knowledge, there is a non-official scheme to do this. Here
> is an example:
>
> X-PGP-Sig: 2.6.3ia Subject,From,X-Mailer
>        
iQCVAwUBM84wngE7m572a9utAQETEgQAwcL38QVdZbkHuW4Mblmje17deuI85R1j
>        
4yGiDlb1enRDSUyGiLCmk8YphNDiLdKKlMV3Z0opzREUW9Q+sb8fr5s1QXMJhvXs
>        
7hi7s4+V00rjgbqbqXVNiajKiKfVxd7JTRfe0UIZuOljnURP1ZCMlSRD1rDoCEAg
>         1vunQv6QYj4=
>         =hvn0
>
> This is a header field to be stored in a header, mixed with fields to
> be proteced such as Subject, From, and X-Mailer.
>
> If you are interested, I will ack the author to explain his
> experiences.


Of course, there's already a mature technology which uses PGP to 
encapsulate message headers and contents, which replace the original 
message headers and contents after decryption.  It's used in the Type 1

Cypherpunk remailers.  :-)

I'm not proposing that you should use this; it doesn't seem
appropriate.  
But it is worth studying as a reference technology which achieves the 
privacy goals being discussed her.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA03073 for ietf-smime-bks; Thu, 17 Sep 1998 21:55:48 -0700 (PDT)
Received: from mgo.iij.ad.jp (root@mgo.iij.ad.jp [202.232.15.6]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA03069; Thu, 17 Sep 1998 21:55:46 -0700 (PDT)
Received: from ns.iij.ad.jp (root@ns.iij.ad.jp [192.168.2.8]) by mgo.iij.ad.jp (8.8.8/MGO1.0) with ESMTP id OAA27879; Fri, 18 Sep 1998 14:01:08 +0900 (JST)
Received: from fs.iij.ad.jp (root@fs.iij.ad.jp [192.168.2.9]) by ns.iij.ad.jp (8.8.5/3.5Wpl7) with ESMTP id OAA07769; Fri, 18 Sep 1998 14:01:07 +0900 (JST)
Received: from localhost (mine.iij.ad.jp [192.168.4.209]) by fs.iij.ad.jp (8.8.5/3.5Wpl7) with ESMTP id OAA22374; Fri, 18 Sep 1998 14:01:07 +0900 (JST)
To: ianbell@turnpike.com
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
From: Kazu Yamamoto (=?iso-2022-jp?B?GyRCOzNLXE9CSScbKEI=?=) <kazu@iijlab.net>
In-Reply-To: Your message of "Thu, 17 Sep 1998 11:02:49 +0100" <hmnp$QAJ5NA2IA$d@turnpike.com>
References: <hmnp$QAJ5NA2IA$d@turnpike.com>
X-Mailer: Mew version 1.93 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <19980918130021C.kazu@iijlab.net>
Date: Fri, 18 Sep 1998 13:00:21 +0900
X-Dispatcher: imput version 980905(IM100)
Lines: 28
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Ian,

From: Ian Bell <ianbell@turnpike.com>
Subject: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Date: Thu, 17 Sep 1998 11:02:49 +0100

> Could (and should) any replacements for RFC2015 and RFC2311 be amended
> to allow RFC822 headers to be sent encrypted, and for the decryption
> process to swap any encrypted headers found with the corresponding
> headers in the actual message?

To my best knowledge, there is a non-official scheme to do this. Here
is an example:

X-PGP-Sig: 2.6.3ia Subject,From,X-Mailer
        iQCVAwUBM84wngE7m572a9utAQETEgQAwcL38QVdZbkHuW4Mblmje17deuI85R1j
        4yGiDlb1enRDSUyGiLCmk8YphNDiLdKKlMV3Z0opzREUW9Q+sb8fr5s1QXMJhvXs
        7hi7s4+V00rjgbqbqXVNiajKiKfVxd7JTRfe0UIZuOljnURP1ZCMlSRD1rDoCEAg
        1vunQv6QYj4=
        =hvn0

This is a header field to be stored in a header, mixed with fields to
be proteced such as Subject, From, and X-Mailer.

If you are interested, I will ack the author to explain his
experiences.

--Kazu


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA28033 for ietf-smime-bks; Thu, 17 Sep 1998 18:46:58 -0700 (PDT)
Received: from candle.brasslantern.com (schaefer@zagzig.zanshin.com [206.155.48.241]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id SAA28029; Thu, 17 Sep 1998 18:46:52 -0700 (PDT)
Received: (from schaefer@localhost) by candle.brasslantern.com (8.8.5/8.8.5) id SAA02549; Thu, 17 Sep 1998 18:51:45 -0700
From: "Bart Schaefer" <schaefer@brasslantern.com>
Message-Id: <980917185145.ZM2548@candle.brasslantern.com>
Date: Thu, 17 Sep 1998 18:51:45 -0700
In-Reply-To: <v04101908b227569e6d17@[129.46.172.254]>
Comments: In reply to "John  W. Noerenberg" <jwn2@qualcomm.com> "Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages" (Sep 17,  5:20pm)
References: "Your message dated Thu  17 Sep 1998 12:14:46 -0700" <199809171914.MAA01954@hal.sb.rain.org>  <v04101908b227569e6d17@[129.46.172.254]>
X-Mailer: Z-Mail (4.0b.820 20aug96)
To: "John  W. Noerenberg" <jwn2@qualcomm.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-smime@imc.org
Precedence: bulk

On Sep 17,  5:20pm, John  W. Noerenberg wrote:
} Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
}
} At 3:47 PM -0700 9/17/98, Ned Freed wrote:
} >Its clear that this indicator has to be on the "inside", since you want the
} >signature to be able to cover it. This then begs the question of whether
} >it should be an attribute of the signature/encryption facility or of the
} >MIME message/rfc822 content.
} 
} Putting the indicator the header exposes information about the message -- 
} the decrypted contents of the message is supposed to replace the headers of 
} the message.  Keeping it inside doesn't reveal this.

I think you misunderstand, John.  I believe the suggested format is for
the outer message to specify an encrypted Content-Type, and then for the
encrypted content to be a message/rfc822 with a parameter specifying that
its headers should replace the enclosing message's headers only after the
inner message is successfully decrypted.

This hides the parameter (indeed, it hides the entire nested message/rfc822
structure) inside the ciphertext, but allows a sufficiently clever UA to
present the contained message in place of the top-level message.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA27543 for ietf-smime-bks; Thu, 17 Sep 1998 17:22:29 -0700 (PDT)
Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.174.16]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA27539; Thu, 17 Sep 1998 17:22:28 -0700 (PDT)
Received: from [129.46.172.254] (jnoerenberg-mac.qualcomm.com [129.46.172.254]) by mage.qualcomm.com (8.8.5/1.4/8.7.2/1.14) with ESMTP id RAA24259; Thu, 17 Sep 1998 17:27:12 -0700 (PDT)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Sender: jwn2@mage.qualcomm.com
Message-Id: <v04101908b227569e6d17@[129.46.172.254]>
In-Reply-To: <01J1X2W43N0691VY4C@INNOSOFT.COM>
References: "Your message dated Thu, 17 Sep 1998 12:14:46 -0700" <199809171914.MAA01954@hal.sb.rain.org>
X-Mailer: Eudora [Macintosh version 4.1b25-10.98]
X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2  09E8 9480 645A 8857
X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8
Date: Thu, 17 Sep 1998 17:20:09 -0700
To: Ned Freed <Ned.Freed@innosoft.com>
From: "John  W. Noerenberg" <jwn2@qualcomm.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: Hal Finney <hal@rain.org>, ietf-open-pgp@imc.org, ietf-smime@imc.org
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 3:47 PM -0700 9/17/98, Ned Freed wrote:
>Its clear that this indicator has to be on the "inside", since you want the
>signature to be able to cover it. This then begs the question of whether
>it should be an attribute of the signature/encryption facility or of the
>MIME message/rfc822 content.

Putting the indicator the header exposes information about the message -- 
the decrypted contents of the message is supposed to replace the headers of 
the message.  Keeping it inside doesn't reveal this.

>I personally favor a message/rfc822 parameter, but I can also see a case for
>putting it elsewhere. What do other people think? If there seems to be
>consensus that this needs to be on message/rfc822, I'd be happy to write
>a short draft defining such a parameter.

Maybe only the truly paranoid care about this, but it does violate a 
security principle.  Putting it inside the ciphertext probably complicates 
the MUA's job, but I don't think it's a particularly daunting complication.

john noerenberg
jwn2@qualcomm.com
  ----------------------------------------------------------------------
  --if we are to be saved, it will not be by Romans but by saints.
  -- Thomas Cahill, "how the Irish Saved Civilization", 1995
  ----------------------------------------------------------------------


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA27149 for ietf-smime-bks; Thu, 17 Sep 1998 16:38:01 -0700 (PDT)
Received: from aum.proper.com (ip200.proper.com [165.227.249.200]) by mail.proper.com (8.8.8/8.8.5) with SMTP id QAA27130; Thu, 17 Sep 1998 16:36:19 -0700 (PDT)
Message-Id: <199809172336.QAA27130@mail.proper.com>
X-Sender: phoffman@mail.imc.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 
Date: Thu, 17 Sep 1998 16:41:48 -0700
To: ietf-open-pgp@imc.org, ietf-smime@imc.org
From: Paul Hoffman / IMC <phoffman@imc.org>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-Reply-To: <01J1X2W43N0691VY4C@INNOSOFT.COM>
References: <"Your message dated Thu, 17 Sep 1998 12:14:46 -0700" <199809171914.MAA01954@hal.sb.rain.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At 03:47 PM 9/17/98 -0700, Ned Freed wrote:
>I personally favor a message/rfc822 parameter, but I can also see a case for
>putting it elsewhere. What do other people think? If there seems to be
>consensus that this needs to be on message/rfc822, I'd be happy to write
>a short draft defining such a parameter.

Given that OpenPGP is about to go to IESG last call in days, and S/MIME is
in it's last throes, and that the two groups are sure to do things
differently :-), I think a message/rfc822 parameter would be best.

--Paul Hoffman, Director
--Internet Mail Consortium


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA26894 for ietf-smime-bks; Thu, 17 Sep 1998 16:11:09 -0700 (PDT)
Received: from candle.brasslantern.com (schaefer@zagzig.zanshin.com [206.155.48.241]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA26890; Thu, 17 Sep 1998 16:11:00 -0700 (PDT)
Received: (from schaefer@localhost) by candle.brasslantern.com (8.8.5/8.8.5) id QAA02063; Thu, 17 Sep 1998 16:16:44 -0700
From: "Bart Schaefer" <schaefer@brasslantern.com>
Message-Id: <980917161644.ZM2062@candle.brasslantern.com>
Date: Thu, 17 Sep 1998 16:16:44 -0700
In-Reply-To: <01J1X2W43N0691VY4C@INNOSOFT.COM>
Comments: In reply to Ned Freed <Ned.Freed@innosoft.com> "Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages" (Sep 17,  3:47pm)
References: <01J1X2W43N0691VY4C@INNOSOFT.COM>
X-Mailer: Z-Mail Lite (5.0.0 30July97)
To: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-smime@imc.org
Precedence: bulk

On Sep 17,  3:47pm, Ned Freed wrote:
> Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
> > I'd like to see a convention established for interpreting the
> > message/rfc822 type in this way, possibly when accompanied by some
> > other syntax.
> 
> I personally favor a message/rfc822 parameter, but I can also see a case for
> putting it elsewhere. What do other people think? If there seems to be
> consensus that this needs to be on message/rfc822, I'd be happy to write
> a short draft defining such a parameter.

I think such a parameter would be useful in other situations besides
signed message content, so I support defining it in message/rfc822 rather
than in the signature.

If you do write a draft, please make mention of the interpretation of
this parameter when the message/rfc822 is included by reference via
message/external-body.

-- 
Bart Schaefer                                                   Zanshin
http://www.well.com/user/barts                   http://www.zanshin.com


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA26711 for ietf-smime-bks; Thu, 17 Sep 1998 15:49:07 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA26691; Thu, 17 Sep 1998 15:47:22 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J1WQYUGKK091VY4C@INNOSOFT.COM>; Thu, 17 Sep 1998 15:52:20 PDT
Date: Thu, 17 Sep 1998 15:47:36 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Thu, 17 Sep 1998 12:14:46 -0700" <199809171914.MAA01954@hal.sb.rain.org>
To: Hal Finney <hal@rain.org>
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J1X2W43N0691VY4C@INNOSOFT.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> I'd like to see a convention established for interpreting the
> message/rfc822 type in this way, possibly when accompanied by some
> other syntax.

I agree that this would be useful functionality -- I've suggested adding
it several times in the past, but was never able to get much support
for it.

Its clear that this indicator has to be on the "inside", since you want the
signature to be able to cover it. This then begs the question of whether
it should be an attribute of the signature/encryption facility or of the 
MIME message/rfc822 content.

I personally favor a message/rfc822 parameter, but I can also see a case for
putting it elsewhere. What do other people think? If there seems to be
consensus that this needs to be on message/rfc822, I'd be happy to write
a short draft defining such a parameter.

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA25744 for ietf-smime-bks; Thu, 17 Sep 1998 13:37:19 -0700 (PDT)
Received: from coyote.rain.org (root@coyote.rain.org [198.68.144.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA25717; Thu, 17 Sep 1998 13:33:47 -0700 (PDT)
Received: from hal.sb.rain.org (hal.sb.rain.org [198.68.144.57]) by coyote.rain.org (8.9.1/8.9.1) with ESMTP id NAA24579; Thu, 17 Sep 1998 13:37:11 -0700 (PDT)
Received: (from hal@localhost) by hal.sb.rain.org (8.7.4/8.7.3) id MAA01954; Thu, 17 Sep 1998 12:14:46 -0700
Date: Thu, 17 Sep 1998 12:14:46 -0700
From: Hal Finney <hal@rain.org>
Message-Id: <199809171914.MAA01954@hal.sb.rain.org>
To: ietf-open-pgp@imc.org, ietf-smime@imc.org
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Ian Bell writes:

> It would be good if there were an interoperable way of making the
> stored, decrypted message reflect the message the author would have
> liked to send in the first place. It would be particularly nice if the
> author could transmit the intended subject of a message when this may be
> too sensitive to put in the open message headers.

The Subject header would be one which would benefit most from encryption.
Subjects leak information about message contents.  Used carelessly, they
may expose the meaning of the message, or at least indicate which messages
contain sensitive information that might be targetted by an attacker.

However, replacing the Subject header only when the message is stored
for later reference misses another possible benefit.  Many archived
messages are never even referred to again.

What would be even better would be if the user's mail software decrypted
all messages in the incoming mailbox and "promoted" message/rfc822
headers up to the message header level.  Then the encrypted message
subjects could be displayed before the messages are read.  Busy email
users often use Subject headers to prioritize their mail handling.
But to make use of this capability, decrypted Subject headers must be
presented by the mail software beforehand.

I'd like to see a convention established for interpreting the
message/rfc822 type in this way, possibly when accompanied by some
other syntax.

Hal


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA24500 for ietf-smime-bks; Thu, 17 Sep 1998 11:14:28 -0700 (PDT)
Received: from THOR.INNOSOFT.COM (SYSTEM@THOR.INNOSOFT.COM [192.160.253.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA24462; Thu, 17 Sep 1998 11:12:29 -0700 (PDT)
Received: from INNOSOFT.COM by INNOSOFT.COM (PMDF V5.2-29 #30494) id <01J1WQYUGKK091VY4C@INNOSOFT.COM>; Thu, 17 Sep 1998 11:17:51 PDT
Date: Thu, 17 Sep 1998 11:04:15 -0700 (PDT)
From: Ned Freed <Ned.Freed@innosoft.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
In-reply-to: "Your message dated Thu, 17 Sep 1998 11:02:49 +0100" <hmnp$QAJ5NA2IA$d@turnpike.com>
To: Ian Bell <ianbell@turnpike.com>
Cc: ietf-open-pgp@imc.org, ietf-smime@imc.org
Message-id: <01J1WTASZMX291VY4C@INNOSOFT.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> (Apologies if this has been done to death in the past - I can imagine
> Ned sighing about protracted discussions prior to RFC1847 - but I
> couldn't find any discussion in the archives)

> RFC2311 (SMIME) and RFC1847 (upon which PGP/MIME has been based) only
> allow MIME headers to be protected by the encryption process. Was there
> any discussion during the preparation of RFC1847 about the possibility /
> desirability / feasibility of allowing general RFC822 headers to be
> included in the encrypted part of the message?

There were extensive discussions of this. I probably have several hundred
messages archived on this topic, and there were also WG discussions and several
private meetings where the design team covered this area exhaustively.

The basic conclusion was (and is) that this dog doesn't hunt and cannot be made
to hunt. The problem is that message headers are routinely rewritten by
intervening MTAs as messages are transferred via SMTP. They are refolded,
reordered, addresses are converted from one form to another, encoded
words are added or removed, entire fields are added or deleted.

And all these activities are the rule, not the exception. And it is far more
likely to happen to fields it makes sense to sign, such as subject, to/cc/bcc,
comments, etc. than to any others.

In short, if you want to keep the transports from modifying things, you cannot
put them in the primary header. You either have to put them in the body. And
given this, MIME provides the obvious means to do this if that's what you're
after -- nested messages.

> The most obvious candidates for headers to be encrypted along with the
> MIME headers would be Subject: and Disposition-Notification-To: (the
> subject the sender may have intended to use may be too sensitive to use
> as the subject of the open message: the sender may want any MDN to be
> sent only when the message is decrypted), though cases could probably be
> made for just about any RFC822 header.

> Could (and should) any replacements for RFC2015 and RFC2311 be amended
> to allow RFC822 headers to be sent encrypted, and for the decryption
> process to swap any encrypted headers found with the corresponding
> headers in the actual message?

There is no need to do this. All you need to do is use MIME encapsulation
to put the real headers into the body of the message.

One thing that would be nice is if there was a way to say in the signature
information that the inner message is actually supposed to replace the outer
container message. (This could also be done as a parameter to message/rfc822
if need be, although there are arguments for doing it in the signature.

There is one other thing that is missing, however, and that is a means of
encapsulating the entire message including the envelope. There are many
applications where the envelope itself is sensitive and needs end-to-end
protection.

And there is a proposal on the table to deal with this:
draft-freed-bsmtp-02.txt. This defines envelope encapsulation and the semantics
that necessarily follow from doing it.

> As availability of encryption software becomes more widespread, many
> end-users may find SMIME/PGP most useful as simply a transport security
> mechanism rather than a way of securely storing messages. In any case,
> MUAs implementing PGP or S/MIME probably already allow the user to save
> the decrypted version of a message.

Sure.

> It would be good if there were an interoperable way of making the
> stored, decrypted message reflect the message the author would have
> liked to send in the first place. It would be particularly nice if the
> author could transmit the intended subject of a message when this may be
> too sensitive to put in the open message headers.

See above.

				Ned


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA22947 for ietf-smime-bks; Thu, 17 Sep 1998 08:12:19 -0700 (PDT)
Received: from dylithium.adga.ca (dylithium.adga.ca [207.112.67.34]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA22942 for <ietf-smime@imc.org>; Thu, 17 Sep 1998 08:12:14 -0700 (PDT)
Received: from xfile ([207.112.70.165]) by dylithium.adga.ca (980427.SGI.8.8.8/8.8.8-ajr) with SMTP id LAA20410; Thu, 17 Sep 1998 11:17:04 -0400 (EDT)
Message-Id: <3.0.1.32.19980917111448.00951690@adga.ca>
X-Sender: frousseau@adga.ca
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Thu, 17 Sep 1998 11:14:48 -0400
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
From: Francois Rousseau <f.rousseau@adga.ca>
Subject: Re: Countersignature Attribute
Cc: ietf-smime@imc.org
In-Reply-To: <36010EE7.8F19415F@drh-consultancy.demon.co.uk>
References: <199809152047.NAA14205@spyrus.com> <4.1.0.52.19980916162924.009d31a0@mail.spyrus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Steve wrote:
>
>Maybe something more explicit could be included? For example an
>additional signed attribute in the countersignature to indicate that the
>original content had been examined?
>
If I am not mistaken, the EDI assurance segments from ANSI X12.58 contains
such a parameter (i.e. Domain_of_Computation_of_Assurance_Digest) to
indicate the scope of the digital signature.

Francois Rousseau


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA22234 for ietf-smime-bks; Thu, 17 Sep 1998 06:27:01 -0700 (PDT)
Received: from post.mail.demon.net (post-12.mail.demon.net [194.217.242.41]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id GAA22230 for <ietf-smime@imc.org>; Thu, 17 Sep 1998 06:27:00 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.03 #1) id 0zJeB3-0001eH-00; Thu, 17 Sep 1998 13:32:53 +0000
Message-ID: <36010EE7.8F19415F@drh-consultancy.demon.co.uk>
Date: Thu, 17 Sep 1998 14:30:15 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: Russ Housley <housley@spyrus.com>
CC: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: Countersignature Attribute
References: <199809152047.NAA14205@spyrus.com> <4.1.0.52.19980916162924.009d31a0@mail.spyrus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ Housley wrote:
> 
> Steve:
> 
> How do you know that the signature value being counter-signed has anything
> to do with the content if you skip this step?
> 

You don't: they could just be getting random data countersigned that
isn't the signature to anything. 

If the client can't verify the original signature they can't rely on the
countersignature. At best it could see that the digital signature being
countersigned is a signature of "something" though not what it referred
to. It may or may not refer to some valid content.

A similar case could arise even if the countersigner does verify the
original content and it was for example corrupted in transit. In this
case the client could make the conclusion that some content was
countersigned they would just have no idea what it was.

IMHO the only real difference between the two is that without content
verification an arbitrary digest could be countersigned whereas with
content verification it would have to be a digest to some known content.

I'm not sure what additional tricks could be played with content
verification but without chain verification: since bogus certificate
chains with arbitrary public keys could be included.

In the case of a timestamp none of this matters. 

IMHO there are serious practical, security and privacy issues involved
if content has to always be examined by the countersigner, particularly
in the case of a timestamping authority.

In this case the countersigning certificate may well (should?) contain
appropriate extensions to indicate that it is a timestamping authority.

Maybe something more explicit could be included? For example an
additional signed attribute in the countersignature to indicate that the
original content had been examined?

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA21948 for ietf-smime-bks; Thu, 17 Sep 1998 05:36:59 -0700 (PDT)
Received: from internal.mail.demon.net (internal.mail.demon.net [193.195.224.3]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA21944; Thu, 17 Sep 1998 05:36:57 -0700 (PDT)
Received: from pillar.turnpike.com (pillar.turnpike.com [194.70.55.2]) by internal.mail.demon.net with SMTP id NAA01244; Thu, 17 Sep 1998 13:42:48 +0100 (BST)
Message-ID: <T7B1YJARNQA2IApE@turnpike.com>
Date: Thu, 17 Sep 1998 13:40:49 +0100
To: ietf-open-pgp@imc.org, ietf-smime@imc.org
From: Ian Bell <ianbell@turnpike.com>
Subject: Re: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
References: <199809171101.EAA21438@mail.proper.com>
In-Reply-To: <199809171101.EAA21438@mail.proper.com>
MIME-Version: 1.0
X-Mailer: Turnpike (32) Version 4.00  <U2yaxlNz9mbtXQDcM+J3SutElj>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

In article <199809171101.EAA21438@mail.proper.com>, Lindsay Mathieson
<lindsay@powerup.com.au> writes
>
>>RFC2311 (SMIME) and RFC1847 (upon which PGP/MIME has been based) only
>>allow MIME headers to be protected by the encryption process. Was there
>>any discussion during the preparation of RFC1847 about the possibility
>>/ desirability / feasibility of allowing general RFC822 headers to
>>be included in the encrypted part of the message?
>
>Its quite acceptable to generate your message as a message/rfc822 mime type
>and encrypt the entire body.

I had considered that (and had intended to mention it), but using
message/rfc822 doesn't quite give the same effect. In fact it wouldn't
work at all in the case of the Disposition-Notification-To header unless
the RFCs were modified.

The MIME headers within the encrypted body _replace_ the MIME headers in
the header of the message actually received, whereas the headers within
a message/rfc822 body don't. It would not be clear to the receiving MUA
whether the message/rfc822 were to be regarded as a forwarded message or
to be regarded as the original, fully encrypted, message.

Allowing RFC822 headers to be encrypted alongside the MIME headers would
unambiguously indicate that those headers were intended to be part of
the original message.

-- 
Ian Bell                                           T U R N P I K E  Ltd


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA21637 for ietf-smime-bks; Thu, 17 Sep 1998 04:45:33 -0700 (PDT)
Received: from atlas.arc.nasa.gov (atlas.arc.nasa.gov [198.123.9.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA21633 for <ietf-smime@imc.org>; Thu, 17 Sep 1998 04:45:32 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com (207-172-112-203.s203.tnt4.ann.erols.com [207.172.112.203]) by atlas.arc.nasa.gov (8.8.5/8.7.3/arc) with SMTP id EAA03804; Thu, 17 Sep 1998 04:51:24 -0700 (PDT)
Message-Id: <4.1.0.52.19980916162924.009d31a0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Thu, 17 Sep 1998 20:32:05 -0400
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
From: Russ Housley <housley@spyrus.com>
Subject: Re: Countersignature Attribute
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
In-Reply-To: <35FEE244.AF9D1474@drh-consultancy.demon.co.uk>
References: <199809152047.NAA14205@spyrus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Steve:

How do you know that the signature value being counter-signed has anything
to do with the content if you skip this step?

I agree that the signer cert path does not need to be validated to ensure
that the appropraite binding...

Russ

At 10:55 PM 9/15/98 +0100, Dr Stephen Henson wrote:
>Russ Housley wrote:
>> 
>>      The fact that a countersignature is computed on a signature value
>>      means that the countersigning process need not know the original
>>      content input to the signing process.  This might have efficiency
>>      advantages, but it also has security disadvantages.  Therefore,
>>      countersigners must validate the signature value prior to signing
>>      it.  This validation requires processing of the original content.
>> 
>
>I respectfully disagree that it should be made mandatory for a
>countersigner to process the original content. IMHO it should depend on
>the purpose of the countersignature which is itself related to the
>policy of the signing authority.
>
>In particular take the example of a trusted timestamp. The purpose of
>such a countersignature is simply to state that a a given signature
>existed at a given time. It says absolutely nothing about the content
>being signed. It has a definite and valuable purpose for nonrepudiation.
>
>It can for example show that a document was signed during the validity
>period of the signer's certificate and is thus useful fot archiving
>purposes and others related to software publishing.
>
>In for example a large and confidential document a client would simply
>pass its digital signature to the timestamper. If the content needs to
>be analysed then large amounts of possibly confidential data would need
>to be passed to the timestamper. This is undesirable both in terms of
>security and increased load on the countersigner.
>
>Of course if the countersignature is to have some additional value then
>having access to the content does become important.
>
>Steve.
>-- 
>Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
>For info see homepage at http://www.drh-consultancy.demon.co.uk/
>Email: shenson@drh-consultancy.demon.co.uk
>PGP key: via homepage.
>


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA19312 for ietf-smime-bks; Thu, 17 Sep 1998 02:59:33 -0700 (PDT)
Received: from internal.mail.demon.net (internal.mail.demon.net [193.195.224.3]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA19308; Thu, 17 Sep 1998 02:59:31 -0700 (PDT)
Received: from pillar.turnpike.com (pillar.turnpike.com [194.70.55.2]) by internal.mail.demon.net with SMTP id LAA21050; Thu, 17 Sep 1998 11:05:16 +0100 (BST)
Message-ID: <hmnp$QAJ5NA2IA$d@turnpike.com>
Date: Thu, 17 Sep 1998 11:02:49 +0100
To: ietf-open-pgp@imc.org, ietf-smime@imc.org
From: Ian Bell <ianbell@turnpike.com>
Subject: Encrypting RFC822 headers in S/MIME or PGP/MIME messages
MIME-Version: 1.0
X-Mailer: Turnpike (32) Version 4.00  <U2yaxlNz9mbtXQDcM+J3SutElj>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

(Apologies if this has been done to death in the past - I can imagine
Ned sighing about protracted discussions prior to RFC1847 - but I
couldn't find any discussion in the archives)

RFC2311 (SMIME) and RFC1847 (upon which PGP/MIME has been based) only
allow MIME headers to be protected by the encryption process. Was there
any discussion during the preparation of RFC1847 about the possibility /
desirability / feasibility of allowing general RFC822 headers to be
included in the encrypted part of the message?

The most obvious candidates for headers to be encrypted along with the
MIME headers would be Subject: and Disposition-Notification-To: (the
subject the sender may have intended to use may be too sensitive to use
as the subject of the open message: the sender may want any MDN to be
sent only when the message is decrypted), though cases could probably be
made for just about any RFC822 header.

Could (and should) any replacements for RFC2015 and RFC2311 be amended
to allow RFC822 headers to be sent encrypted, and for the decryption
process to swap any encrypted headers found with the corresponding
headers in the actual message?


As availability of encryption software becomes more widespread, many
end-users may find SMIME/PGP most useful as simply a transport security
mechanism rather than a way of securely storing messages. In any case,
MUAs implementing PGP or S/MIME probably already allow the user to save
the decrypted version of a message.

It would be good if there were an interoperable way of making the
stored, decrypted message reflect the message the author would have
liked to send in the first place. It would be particularly nice if the
author could transmit the intended subject of a message when this may be
too sensitive to put in the open message headers.

-- 
Ian Bell                                           T U R N P I K E  Ltd


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA25311 for ietf-smime-bks; Wed, 16 Sep 1998 12:23:38 -0700 (PDT)
Received: from dfssl.exchange.microsoft.com ([131.107.88.59]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA25307 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 12:23:34 -0700 (PDT)
Received: by dfssl.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <RBDL7S68>; Wed, 16 Sep 1998 12:29:27 -0700
Message-ID: <2FBF98FC7852CF11912A000000000001091266F0@DINO>
From: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
To: "'Dr Stephen Henson'" <shenson@drh-consultancy.demon.co.uk>
Cc: ietf-smime@imc.org
Subject: RE: Countersignature Attribute
Date: Wed, 16 Sep 1998 12:28:48 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At Steve's suggestion I looked through the CAPI code which has shipped on NT
and found the following.  (Please not this is not used by any of the mail
products today but exists in public APIs).

1.  There may be multiple counter signature attributes in the
unauthencticated attributes (no enforement otherwise and no implicit relying
on one attribute in the code).

2.  There may be multiple counter signature values within a single
attribute.

jim

-----Original Message-----
From: Dr Stephen Henson [mailto:shenson@drh-consultancy.demon.co.uk]
Sent: Tuesday, September 15, 1998 3:03 PM
To: Jim Schaad (Exchange)
Cc: ietf-smime@imc.org
Subject: Re: Countersignature Attribute


Jim Schaad (Exchange) wrote:
> 
> I don't know about other products, but Outlook and OE tooke the approach
of
> ignoring countersignatures.
> 

Jim, 

I seem to recall there are functions in MS CryptoAPI for adding
countersignatures. I haven't used them myself but can you comment on
whether multiple countersignatures can be added and if so what format it
uses?

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA21067 for ietf-smime-bks; Wed, 16 Sep 1998 08:29:16 -0700 (PDT)
Received: from ns0.eris.dera.gov.uk (ns0.eris.dera.gov.uk [128.98.1.1]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA21063 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 08:29:14 -0700 (PDT)
Received: (qmail 7243 invoked from network); 16 Sep 1998 15:35:01 -0000
Received: from unknown (HELO mail-relay.eris.dera.gov.uk) (128.98.2.7) by ns0.eris.dera.gov.uk with SMTP; 16 Sep 1998 15:35:01 -0000
Received: (qmail 6788 invoked from network); 16 Sep 1998 15:34:57 -0000
Received: from wottoway.eris.dera.gov.uk (HELO wottaway.eris.dera.gov.uk) (128.98.10.17) by mail-relay.eris.dera.gov.uk with SMTP; 16 Sep 1998 15:34:57 -0000
Message-Id: <3.0.32.19980916163419.00806540@mailhost.eris.dera.gov.uk>
X-Sender: wottaway@mailhost.eris.dera.gov.uk
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 16 Sep 1998 16:34:19 +0100
To: ietf-smime@imc.org
From: William Ottaway <wottaway@mailhost.eris.dera.gov.uk>
Subject: Has anyone sent me mail during 4 sept 98 to 14 sept 98
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Hi all,

Due to my data disk getting trashed when I arrived back from holiday I have
lost all email sent to me from 4th Sept 1998 to 14th Sept 1998. If any of
you have sent email directly to me during this period can you please resend
it. I'll get email sent to the list from the archive.

Cheers in advance.

Bill
________________________________________________________________
William Ottaway,
L323,                        Tel: +44 (0) 1684 894079
DERA Malvern,                Fax: +44 (0) 1684 896113
St. Andrews Road,            email: w.ottaway@eris.dera.gov.uk
Malvern,
Worcs,
WR14 3PS



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA20949 for ietf-smime-bks; Wed, 16 Sep 1998 08:16:55 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA20945 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 08:16:54 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id LAA24540 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 11:26:22 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id LAA00723; Wed, 16 Sep 1998 11:24:55 -0400
Date: Wed, 16 Sep 1998 11:24:55 -0400
Message-Id: <199809161524.LAA00723@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: RE: Countersignature Attribute
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ (and friends),

I have two comments to your proposal:

1) I believe that Stephen Hanson's comments should be addressed.  In an
earlier message exchange regarding countersignatures, the recommendation was
to allow a countersigner to calculate the contersignature without requiring
validation of the original signature.  Paul Hoffman recommended that the
following text be added to CMS (except that I corrected his last sentence
based on Bill Ottaway's comment):

A countersignature can be created without the countersigner knowing the
original content. The recipient who is validating the countersignature has
no way of knowing if the signature that was countersigned is valid without
checking that signature as well. Thus, a recipient who can validate a
countersignature but cannot validate the original signature must not infer
that the content that was signed has not been modified, and must not infer
that the countersigner actually had access to the content.


2) Your proposal states that there can be multiple countersignature
attributes in a signerInfo UnsignedAttributes SET OF Attributes.  I am not
strongly opposed to your proposal, but the countersignature would be the
only attribute type for which multiple instances would be permitted.  This
may be confusing to the implementors since all of the other attribute types
are limited to 0 or 1 instances.  I believe that it would be beneficial to
state a rule limiting the number of countersignature attributes to 0 or 1.
This would be consistent with the processing rules for all of the other
attributes. 

- John Pawling




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA19134 for ietf-smime-bks; Wed, 16 Sep 1998 05:43:52 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA19130 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 05:43:51 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id IAA23547 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 08:53:18 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id IAA28588; Wed, 16 Sep 1998 08:51:53 -0400
Date: Wed, 16 Sep 1998 08:51:53 -0400
Message-Id: <199809161251.IAA28588@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: ASN.1-SIZE floating
Sender: owner-ietf-smime@imc.org
Precedence: bulk

All,

Darren is correct, the MLReceiptPolicy insteadOf and inAdditionTo fields
must each be a SEQUENCE OF GeneralNames (not GeneralName) in order for
S/MIME to provide functionality that is equivalent to MSP and ACP120.  Each
GeneralNames represents an entity to which the S/MIME message recipient
should send a signed receipt, if appropriate.  To represent an entity's
O/RName in which both the ORAddress and DN are present, the GeneralNames
SEQUENCE will contain one GeneralName with the entity's x400Address present
followed by another GeneralName with the entity's directoryName present.

================================
John Pawling, jsp@jgvandyke.com                             
J.G. Van Dyke & Associates, Inc.   
www.jgvandyke.com         
================================





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id XAA04651 for ietf-smime-bks; Tue, 15 Sep 1998 23:01:53 -0700 (PDT)
Received: from access.itsec.gov.uk (access.itsec.gov.uk [193.195.170.254]) by mail.proper.com (8.8.8/8.8.5) with SMTP id XAA04643 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 23:01:50 -0700 (PDT)
Received: by access.itsec.gov.uk; id AA22431; Wed, 16 Sep 98 06:56:52 BST
Received: from ingress.itsec.dmz(192.168.1.250) by access.itsec.gov.uk via smap (3.2) id xma022423; Wed, 16 Sep 98 06:56:50 +0100
Received: by ingress.itsec.dmz; id AA17036; Wed, 16 Sep 98 06:57:59 BST
Received: from sleepy.itsec.lepernet(10.10.10.25) by ingress.itsec.dmz via smap (3.2) id xma017024; Wed, 16 Sep 98 06:57:48 +0100
Received: from CESG-Message_Server by cesg.gov.uk with Novell_GroupWise; Wed, 16 Sep 1998 06:57:54 +0100
Message-Id: <s5ff6172.010@cesg.gov.uk>
X-Mailer: Novell GroupWise 5.2
Date: Wed, 16 Sep 1998 07:03:51 +0100
From: "Darren Harter" <dharter@cesg.gov.uk>
To: pgut001@cs.aucKland.ac.nz, ietf-smime@imc.org
Subject: Re: ASN.1-SIZE floating
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id XAA04647
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Peter,

The use of GeneralNames originates from this field's use in MSP.  Originally ORName was used, and when the MSP implementors board discussed replacing ORName with GeneralName, I suggested that GeneralNames be used instead for the following reason.

ORName is (IIRC) a SEQUENCE of an OPTIONAL Name and an OPTIONAL ORAddress.  Whereas GeneralName is a simple CHOICE that includes Name and ORAddress as options.

This meant that an existing application that relied on both optional elements of the ORName would not be able to work with GeneralName. The only way to allow these applications to work would be to use GeneralNames.

So all occurences of ORName in MSP were replaced with GeneralNames.  Clearly the bits on the wire changed due to the tags in the GeneralName CHOICE, but the semantics for previous ORName functionality were retained.

I agree with you that for S/MIME in the pure Internet community GeneralName should be acceptable, but CMS and ESS go way beyond S/MIME.  They are being implemented in X.400 environments and full support for ORName fields is therefore necessary, IMO.

Darren

Darren Harter
CASM Programme Office
CESG
dharter@cesg.gov.uk

>>> Peter Gutmann <pgut001@cs.aucKland.ac.nz> 09/16/98 09:49am >>>
Since GeneralNames is already a SEQUENCE SIZE (1...someone-elses-MAX) OF 
GeneralName, shouldn't these fields be GeneralName (without the 's')?  
Alternatively, just use GeneralNames (without the SEQUENCE OF), since it's 
already defined elsewhere.  This problem (using GeneralNames instead of 
GeneralName) occurs in various other places as well...
 
While I'm commenting on MLReceiptPolicy, the tagging on the NULL isn't 
necessary, since it's distinct from the two SEQUENCEs - all you need is [0] 
and [1] to distinguish the SEQUENCEs.
 
Peter.
 




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA23058 for ietf-smime-bks; Tue, 15 Sep 1998 20:14:03 -0700 (PDT)
Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA23054 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 20:13:50 -0700 (PDT)
Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id PAA11612 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 15:19:30 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <90591597017692>; Wed, 16 Sep 1998 15:19:30 (NZST)
From: pgut001@cs.aucKland.ac.nz (Peter Gutmann)
To: ietf-smime@imc.org
Subject: Re: Countersignature Attribute
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Wed, 16 Sep 1998 15:19:30 (NZST)
Message-ID: <90591597017692@cs26.cs.auckland.ac.nz>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ Housley <housley@spyrus.com> writes:
 
>A countersignature attribute can have multiple attribute values.  The syntax 
>is defined as a SET OF AttributeValue, and there must be one or more 
>instances of AttributeValue present.
>
>The UnsignedAttributes syntax is defined as a SET OF Attributes.  The 
>UnsignedAttributes in a signerInfo may include multiple instances of the 
>countersignature attribute.
 
The problem with this is that it leads to ambiguous interpretations of how to 
encode the countersignature (one attribute, one or more values; multiple 
attributes, single value; multiple attributes, multiple values).  The nice 
thing about John's proposal (one attribute, one or more values) is that it's a 
canonical encoding - there's no way individual implementors can misinterpret 
it to produce something different from what everyone else is doing.  Given 
that countersignatures seem to be unused by anyone (or at least anyone who's 
replied so far), using John's more rigorous definition wouldn't seem to cause 
any problems.
 
Peter.
 



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA15005 for ietf-smime-bks; Tue, 15 Sep 1998 16:12:36 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id QAA15001 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 16:12:34 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.0.1); Tue, 15 Sep 98 16:18:23 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <S6KG5JB9>; Tue, 15 Sep 1998 16:18:23 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A712F@cane.deming.com>
From: "Blake Ramsdell" <BlakeR@deming.com>
To: "'Jim Schaad (Exchange)'" <jimsch@EXCHANGE.MICROSOFT.com>, "'Russ Housley'" <housley@spyrus.com>, <jsp@jgvandyke.com>
cc: <pgut001@cs.aucKland.ac.nz>, <ietf-smime@imc.org>
Subject: RE: Countersignature Attribute
Date: Tue, 15 Sep 1998 16:18:19 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 19E02A3514386-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> -----Original Message-----
> From: Jim Schaad (Exchange) [mailto:jimsch@EXCHANGE.MICROSOFT.com]
> Sent: Tuesday, September 15, 1998 2:41 PM
> To: 'Russ Housley'; jsp@jgvandyke.com
> Cc: pgut001@cs.aucKland.ac.nz; ietf-smime@imc.org
> Subject: RE: Countersignature Attribute
> 
> I don't know about other products, but Outlook and OE tooke 
> the approach of
> ignoring countersignatures.

Mmm.  Boy.  We ignore them also.  They weren't profiled at all in v2.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14270 for ietf-smime-bks; Tue, 15 Sep 1998 14:59:04 -0700 (PDT)
Received: from post.mail.demon.net (post-20.mail.demon.net [194.217.242.27]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA14266 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 14:59:03 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.02 #1) id 0zJ3DQ-00025l-00; Tue, 15 Sep 1998 22:04:52 +0000
Message-ID: <35FEE412.FF8D5A73@drh-consultancy.demon.co.uk>
Date: Tue, 15 Sep 1998 23:02:58 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
CC: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: Countersignature Attribute
References: <2FBF98FC7852CF11912A000000000001091266ED@DINO>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Jim Schaad (Exchange) wrote:
> 
> I don't know about other products, but Outlook and OE tooke the approach of
> ignoring countersignatures.
> 

Jim, 

I seem to recall there are functions in MS CryptoAPI for adding
countersignatures. I haven't used them myself but can you comment on
whether multiple countersignatures can be added and if so what format it
uses?

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14235 for ietf-smime-bks; Tue, 15 Sep 1998 14:53:08 -0700 (PDT)
Received: from post.mail.demon.net (post-20.mail.demon.net [194.217.242.27]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA14231 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 14:53:07 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.02 #1) id 0zJ37g-0001gD-00 for ietf-smime@imc.org; Tue, 15 Sep 1998 21:58:56 +0000
Message-ID: <35FEE244.AF9D1474@drh-consultancy.demon.co.uk>
Date: Tue, 15 Sep 1998 22:55:16 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: Countersignature Attribute
References: <199809152047.NAA14205@spyrus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Russ Housley wrote:
> 
>      The fact that a countersignature is computed on a signature value
>      means that the countersigning process need not know the original
>      content input to the signing process.  This might have efficiency
>      advantages, but it also has security disadvantages.  Therefore,
>      countersigners must validate the signature value prior to signing
>      it.  This validation requires processing of the original content.
> 

I respectfully disagree that it should be made mandatory for a
countersigner to process the original content. IMHO it should depend on
the purpose of the countersignature which is itself related to the
policy of the signing authority.

In particular take the example of a trusted timestamp. The purpose of
such a countersignature is simply to state that a a given signature
existed at a given time. It says absolutely nothing about the content
being signed. It has a definite and valuable purpose for nonrepudiation.

It can for example show that a document was signed during the validity
period of the signer's certificate and is thus useful fot archiving
purposes and others related to software publishing.

In for example a large and confidential document a client would simply
pass its digital signature to the timestamper. If the content needs to
be analysed then large amounts of possibly confidential data would need
to be passed to the timestamper. This is undesirable both in terms of
security and increased load on the countersigner.

Of course if the countersignature is to have some additional value then
having access to the content does become important.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14180 for ietf-smime-bks; Tue, 15 Sep 1998 14:43:41 -0700 (PDT)
Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA14176 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 14:43:39 -0700 (PDT)
Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id JAA18696 for <ietf-smime@imc.org>; Wed, 16 Sep 1998 09:49:26 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <90589616615256>; Wed, 16 Sep 1998 09:49:26 (NZST)
From: pgut001@cs.aucKland.ac.nz (Peter Gutmann)
To: ietf-smime@imc.org
Subject: Re: ASN.1-SIZE floating
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Wed, 16 Sep 1998 09:49:26 (NZST)
Message-ID: <90589616615256@cs26.cs.auckland.ac.nz>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

jsp@jgvandyke.com (John Pawling) writes:
 
>MLReceiptPolicy ::= CHOICE {
>  none [0] NULL,
>  insteadOf [1] SEQUENCE SIZE (1..64) OF GeneralNames,
>  inAdditionTo [2] SEQUENCE SIZE (1..64) OF GeneralNames }
 
Since GeneralNames is already a SEQUENCE SIZE (1...someone-elses-MAX) OF 
GeneralName, shouldn't these fields be GeneralName (without the 's')?  
Alternatively, just use GeneralNames (without the SEQUENCE OF), since it's 
already defined elsewhere.  This problem (using GeneralNames instead of 
GeneralName) occurs in various other places as well...
 
While I'm commenting on MLReceiptPolicy, the tagging on the NULL isn't 
necessary, since it's distinct from the two SEQUENCEs - all you need is [0] 
and [1] to distinguish the SEQUENCEs.
 
Peter.
 



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA14126 for ietf-smime-bks; Tue, 15 Sep 1998 14:35:46 -0700 (PDT)
Received: from dfssl.exchange.microsoft.com ([131.107.88.59]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA14122 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 14:35:45 -0700 (PDT)
Received: by dfssl.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <RBDL72W6>; Tue, 15 Sep 1998 14:41:26 -0700
Message-ID: <2FBF98FC7852CF11912A000000000001091266ED@DINO>
From: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
To: "'Russ Housley'" <housley@spyrus.com>, jsp@jgvandyke.com
Cc: pgut001@cs.aucKland.ac.nz, ietf-smime@imc.org
Subject: RE: Countersignature Attribute
Date: Tue, 15 Sep 1998 14:41:01 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id OAA14123
Sender: owner-ietf-smime@imc.org
Precedence: bulk

I don't know about other products, but Outlook and OE tooke the approach of
ignoring countersignatures.
 
jim
 

-----Original Message-----
From: Russ Housley [mailto:housley@spyrus.com]
Sent: Tuesday, September 15, 1998 1:40 PM
To: jsp@jgvandyke.com
Cc: pgut001@cs.aucKland.ac.nz; ietf-smime@imc.org
Subject: Re: Countersignature Attribute


John:

Prior to getting this note, I took a stab at revisions to the same section
of text.  I do not know how S/MIME v2 implementations handle
countersignatures, but I took the opposite approach that you did.  I was
trying to ensure that current implemntations would all conform.

Here is what I wrote:


A countersignature attribute can have multiple attribute values.  The syntax
is defined as a SET OF AttributeValue, and there must be one or more
instances of AttributeValue present.



The UnsignedAttributes syntax is defined as a SET OF Attributes.  The
UnsignedAttributes in a signerInfo may include multiple instances of the
countersignature attribute.



The fact that a countersignature is computed on a signature value means that
the countersigning process need not know the original content input to the
signing process.  This might have efficiency advantages, but it also has
security disadvantages.  Therefore, countersigners must validate the
signature value prior to signing it.  This validation requires processing of
the original content.



A countersignature, since it has type SignerInfo, can itself contain a
countersignature attribute.  Thus it is possible to construct arbitrarily
long series of countersignatures.





Russ


At 11:56 AM 9/15/98 -0400, John Pawling wrote:
>Peter (and friends),
>
>I agree with your recommendation.  This results in a change to my comment
to
>CMS-06 to read as follows:
>
>5) Sec 11.4, Countersignature: Please change as follows:
>
>OLD: "A countersignature attribute can have multiple attribute values."
>
>NEW: "The UnsignedAttributes syntax is defined as a SET OF Attribute.  
>The UnsignedAttributes in a signerInfo MUST NOT include multiple 
>instances of the countersignature attribute.  The Attribute syntax defines 
>attrValues as a SET OF AttributeValue.  A countersignature attribute 
>MAY include one or more instances of AttributeValue.  There MUST NOT 
>be zero instances of AttributeValue present in the attrValues SET
>OF AttributeValue."
>
>Does anybody disagree with this recommendation???
>
>- John Pawling
>




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA13789 for ietf-smime-bks; Tue, 15 Sep 1998 13:43:48 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA13785 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 13:43:47 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id NAA14205; Tue, 15 Sep 1998 13:47:46 -0700 (PDT)
Message-Id: <199809152047.NAA14205@spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Tue, 15 Sep 1998 16:39:56 -0400
To: jsp@jgvandyke.com (John Pawling)
From: Russ Housley <housley@spyrus.com>
Subject: Re: Countersignature Attribute
Cc: pgut001@cs.aucKland.ac.nz, ietf-smime@imc.org
In-Reply-To: <199809151556.LAA21042@ajsn101.jgvandyke.com>
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

<html>
John:<br>
<br>
Prior to getting this note, I took a stab at revisions to the same
section of text.&nbsp; I do not know how S/MIME v2 implementations handle
countersignatures, but I took the opposite approach that you did.&nbsp; I
was trying to ensure that current implemntations would all conform.<br>
<br>
Here is what I wrote:<br>
<font face="Courier New, Courier">
<dl>
<dd>A countersignature attribute can have multiple attribute
values.&nbsp; The syntax is defined as a SET OF AttributeValue, and there
must be one or more instances of AttributeValue present.<br>
<br>

<dd>The UnsignedAttributes syntax is defined as a SET OF
Attributes.&nbsp; The UnsignedAttributes in a signerInfo may include
multiple instances of the countersignature attribute.<br>
<br>

<dd>The fact that a countersignature is computed on a signature value
means that the countersigning process need not know the original content
input to the signing process.&nbsp; This might have efficiency
advantages, but it also has security disadvantages.&nbsp; Therefore,
countersigners must validate the signature value prior to signing
it.&nbsp; This validation requires processing of the original
content.<br>
<br>

<dd>A countersignature, since it has type SignerInfo, can itself contain
a countersignature attribute.&nbsp; Thus it is possible to construct
arbitrarily long series of countersignatures.<br>
<br>
<br>
<br>
</font>
</dl>Russ<br>
<br>
<br>
At 11:56 AM 9/15/98 -0400, John Pawling wrote:<br>
&gt;Peter (and friends),<br>
&gt;<br>
&gt;I agree with your recommendation.&nbsp; This results in a change to
my comment to<br>
&gt;CMS-06 to read as follows:<br>
&gt;<br>
&gt;5) Sec 11.4, Countersignature: Please change as follows:<br>
&gt;<br>
&gt;OLD: &quot;A countersignature attribute can have multiple attribute
values.&quot;<br>
&gt;<br>
&gt;NEW: &quot;The UnsignedAttributes syntax is defined as a SET OF
Attribute.&nbsp; <br>
&gt;The UnsignedAttributes in a signerInfo MUST NOT include multiple
<br>
&gt;instances of the countersignature attribute.&nbsp; The Attribute
syntax defines <br>
&gt;attrValues as a SET OF AttributeValue.&nbsp; A countersignature
attribute <br>
&gt;MAY include one or more instances of AttributeValue.&nbsp; There MUST
NOT <br>
&gt;be zero instances of AttributeValue present in the attrValues
SET<br>
&gt;OF AttributeValue.&quot;<br>
&gt;<br>
&gt;Does anybody disagree with this recommendation???<br>
&gt;<br>
&gt;- John Pawling<br>
&gt;<br>
</html>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA12863 for ietf-smime-bks; Tue, 15 Sep 1998 11:21:14 -0700 (PDT)
Received: from aum.proper.com (ip200.proper.com [165.227.249.200]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA12859 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 11:21:13 -0700 (PDT)
Message-Id: <199809151821.LAA12859@mail.proper.com>
X-Sender: phoffman@mail.imc.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 
Date: Tue, 15 Sep 1998 11:26:35 -0700
To: ietf-smime@imc.org
From: Paul Hoffman / IMC <phoffman@imc.org>
Subject: Re: ASN.1-SIZE floating
In-Reply-To: <199809151814.OAA22999@ajsn101.jgvandyke.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

>I believe the intent of using MAX as a size limit is to encourage dynamic
>allocation of these fields.  If the group decides that setting hard-coded
>max values is more advantageous than using MAX, then I would recommend the
>following limits (these are guestimates of upper limits; the guessing part
>is the disadvantage of setting hard-coded maximiums):

As long as everyone remembers that the lengths on UTF8Strings are the
number of UTF8 characters, not the number of bytes that those characters
take up, I'm happy with these replacements.

--Paul Hoffman, Director
--Internet Mail Consortium


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA12756 for ietf-smime-bks; Tue, 15 Sep 1998 11:06:23 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA12752 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 11:06:22 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id OAA19994; Tue, 15 Sep 1998 14:15:45 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id OAA22999; Tue, 15 Sep 1998 14:14:18 -0400
Date: Tue, 15 Sep 1998 14:14:18 -0400
Message-Id: <199809151814.OAA22999@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Darren Harter" <Darren.Harter@tesco.net>, <ietf-smime@imc.org>
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: ASN.1-SIZE floating
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Darren (and friends),

I believe the intent of using MAX as a size limit is to encourage dynamic
allocation of these fields.  If the group decides that setting hard-coded
max values is more advantageous than using MAX, then I would recommend the
following limits (these are guestimates of upper limits; the guessing part
is the disadvantage of setting hard-coded maximiums):


ContentHints ::= SEQUENCE {
  contentDescription UTF8String SIZE (1..128) OPTIONAL,
  contentType ContentType }


ESSPrivacyMark ::= CHOICE {
    pString      PrintableString SIZE (1..ub-privacy-mark-length),
    utf8String   UTF8String SIZE (1..128)
}


MLReceiptPolicy ::= CHOICE {
  none [0] NULL,
  insteadOf [1] SEQUENCE SIZE (1..64) OF GeneralNames,
  inAdditionTo [2] SEQUENCE SIZE (1..64) OF GeneralNames }

- John Pawling



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA12631 for ietf-smime-bks; Tue, 15 Sep 1998 10:51:41 -0700 (PDT)
Received: from trolley (trolly.tesco.net [194.73.73.166] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id KAA12627 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 10:51:39 -0700 (PDT)
Received: from harter [62.172.24.86]  by trolley with smtp (Exim 1.70 #1) id 0zIzL1-0002E8-00; Tue, 15 Sep 1998 18:56:27 +0100
Message-ID: <001101bde0d9$94ae0700$5618ac3e@harter>
From: "Darren Harter" <Darren.Harter@tesco.net>
To: <ietf-smime@imc.org>, "John Pawling" <jsp@jgvandyke.com>
Subject: Re: ASN.1-SIZE floating
Date: Tue, 15 Sep 1998 18:49:32 -0000
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Please see embedded comments....


-----Original Message-----
From: John Pawling <jsp@jgvandyke.com>
To: ietf-smime@imc.org <ietf-smime@imc.org>
Date: Monday, September 14, 1998 10:40
Subject: Re: ASN.1-SIZE floating


>I disagree with Bengt's assignment of 4 to 'MAX' in ESS.  This value is
much


I agree, John.


>
>I believe that ESS should remain as is so that it can provide sufficient
>flexibility to support a variety of user organization requirements.


Perhaps we could compromise with a statement that MUSTs a minimum MAX for
ESS compliance.

Darren




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA11186 for ietf-smime-bks; Tue, 15 Sep 1998 08:48:49 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id IAA11177 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 08:48:48 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id LAA19040; Tue, 15 Sep 1998 11:58:11 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id LAA21042; Tue, 15 Sep 1998 11:56:44 -0400
Date: Tue, 15 Sep 1998 11:56:44 -0400
Message-Id: <199809151556.LAA21042@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: pgut001@cs.aucKland.ac.nz, ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: Countersignature Attribute
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Peter (and friends),

I agree with your recommendation.  This results in a change to my comment to
CMS-06 to read as follows:

5) Sec 11.4, Countersignature: Please change as follows:

OLD: "A countersignature attribute can have multiple attribute values."

NEW: "The UnsignedAttributes syntax is defined as a SET OF Attribute.  
The UnsignedAttributes in a signerInfo MUST NOT include multiple 
instances of the countersignature attribute.  The Attribute syntax defines 
attrValues as a SET OF AttributeValue.  A countersignature attribute 
MAY include one or more instances of AttributeValue.  There MUST NOT 
be zero instances of AttributeValue present in the attrValues SET
OF AttributeValue."

Does anybody disagree with this recommendation???

- John Pawling



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id WAA23251 for ietf-smime-bks; Mon, 14 Sep 1998 22:51:16 -0700 (PDT)
Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id WAA23237 for <ietf-smime@imc.org>; Mon, 14 Sep 1998 22:51:10 -0700 (PDT)
Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id RAA01136 for <ietf-smime@imc.org>; Tue, 15 Sep 1998 17:56:53 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <90583901215494>; Tue, 15 Sep 1998 17:56:52 (NZST)
From: pgut001@cs.aucKland.ac.nz (Peter Gutmann)
To: ietf-smime@imc.org
Subject: Re: Countersignature Attribute
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Tue, 15 Sep 1998 17:56:52 (NZST)
Message-ID: <90583901215494@cs26.cs.auckland.ac.nz>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

<HTML><PRE>
 
jsp@jgvandyke.com (John Pawling) writes:
 
>I agree with Russ that there are multiple interpretations of the original
>PKCS#7 v1.5 text regarding Countersignature attributes:
 
I've gone through this in the past as well, the relevant definitions are:
 
  {Un}SignedAttributes ::= SET SIZE (1...MAX) OF Attribute
  Attribute ::= SEQUENCE { ..., SET OF AttributeValue }
  CounterSignature ::= SignerInfo
 
Applying this to the following:
 
>1) There can be multiple Countersignature attributes present in a signerInfo,
>but each Countersignature attribute can only contain a single instance of the
>signerInfo syntax.
 
>2) There can only be one Countersignature attribute present in a signerInfo,
>but that single Countersignature attribute can contain multiple instances of
>the signerInfo syntax.
 
>3) There can be multiple Countersignature attributes present in a signerInfo
>and each Countersignature attribute can contain multiple instances of the
>signerInfo syntax.
 
It looks like both (1) and (2) are out, given that you have SET's OF all over
the place.  Also CMS section 11.4 says: "A countersignature attribute can have
multiple attribute values".  Following the ASN.1 definition, it would appear
(3) is correct, but this seems overly general... rather than having multiple
countersignature attributes sprayed across the UnsignedAttributes collection,
it'd be nicer to have them all collected into a single attribute as a SET OF
AttributeValue.  Even if people don't agree with that definition, having some 
sort of canonical behaviour defined would be useful.
 
>CMS definitely needs to be clarified regarding this issue.  It needs to
>specify one of the above.  I will re-iterate Russ' request for input from the
>S/MIME v2 vendors.  Did anybody implement countersignatures??  If so, were
>there any implementors' agreements regarding this issue??  Will any of these
>options break existing implementations??
 
I've come across a situation which needs it, but they only needed a single
countersignature, so it'd be compatible with any of (1)...(3).
 
>Note: I deleted all of the HTML characters included in Russ' original message:
 
</PRE>
<META HTTP-EQUIV="Content-Type:text/html"> <SCRIPT>
function X() {var Text = "HTML is not acceptable for use in " +
"mail so your browser will stop."; alert(Text); parent.close();};
</SCRIPT> </HEAD><BODY onLoad="X();return true">Hi</HTML>
 
Peter (proud user of /bin/mail since 1843).
 



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA12165 for ietf-smime-bks; Mon, 14 Sep 1998 15:01:59 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id PAA12161 for <ietf-smime@imc.org>; Mon, 14 Sep 1998 15:01:58 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id SAA15467 for <ietf-smime@imc.org>; Mon, 14 Sep 1998 18:11:14 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id SAA12801; Mon, 14 Sep 1998 18:09:48 -0400
Date: Mon, 14 Sep 1998 18:09:48 -0400
Message-Id: <199809142209.SAA12801@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: Countersignature Attribute
Sender: owner-ietf-smime@imc.org
Precedence: bulk

All,

I agree with Russ that there are multiple interpretations of the original
PKCS#7 v1.5 text regarding Countersignature attributes:

1) There can be multiple Countersignature attributes present in a
signerInfo, but each Countersignature attribute can only contain a single
instance of the signerInfo syntax. 

2) There can only be one Countersignature attribute present in a signerInfo,
but that single Countersignature attribute can contain multiple instances of
the signerInfo syntax. 

3) There can be multiple Countersignature attributes present in a signerInfo
and each Countersignature attribute can contain multiple instances of the
signerInfo syntax. 

CMS definitely needs to be clarified regarding this issue.  It needs to
specify one of the above.  I will re-iterate Russ' request for input from
the S/MIME v2 vendors.  Did anybody implement countersignatures??  If so,
were there any implementors' agreements regarding this issue??  Will any of
these options break existing implementations??

================================
John Pawling, jsp@jgvandyke.com                             
J.G. Van Dyke & Associates, Inc.   
www.jgvandyke.com         
================================


Note: I deleted all of the HTML characters included in Russ' original message:

At 10:37 AM 8/28/98 -0400, Russ Housley wrote:
>S/MIME Implementors:
>
>See the comment from John Pawling below.
>
>I agree that the text is not clear.  Looking back at the
>original PKCS#7 v1.5 text, there is no insight to be found. So, I
>would like to hear from implementors, especially S/MIME v2
>implementors. How is this handled?
><
>Another interpreation of the PKCS#7 v1.5 text is:
>
>A countersignature attribute can have multiple attribute
>values. The syntax is defined as a SET OF AttributeValue, and there
>must be one or more instances of AttributeValue present.
>
>
>The UnsignedAttributes syntax is defined as a SET OF
>Attributes. The UnsignedAttributes in a signerInfo may include
>multiple instances of the countersignature attribute.
>
>
>Russ
>
>At 10:39 AM 8/4/98 -0400, John Pawling wrote:
>
>5) Sec 11.4, Countersignature: Please change as follows:
>
>OLD: "A countersignature attribute can have multiple attribute values."
>
>NEW: "The UnsignedAttributes syntax is defined as a SET OF Attributes.  
>The UnsignedAttributes in a signerInfo MAY include multiple instances 
>of the countersignature attribute.  The Attribute syntax defines 
>attrValues as a SET OF AttributeValue.  A countersignature attribute 
>MUST only include a single instance of AttributeValue. There MUST NOT 
>be zero or multiple instances of AttributeValue present in the 
>attrValues SET OF AttributeValue."
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA11815 for ietf-smime-bks; Mon, 14 Sep 1998 14:22:39 -0700 (PDT)
Received: from apollo.jgvandyke.com (apollo.jgvandyke.com [158.189.10.100]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA11811 for <ietf-smime@imc.org>; Mon, 14 Sep 1998 14:22:37 -0700 (PDT)
Received: from ajsn101.jgvandyke.com (ajsn101.jgvandyke.com [158.189.2.101]) by apollo.jgvandyke.com (8.8.8/8.8.8) with SMTP id RAA15216 for <ietf-smime@imc.org>; Mon, 14 Sep 1998 17:31:57 -0400 (EDT)
Received: from ajpc81 by ajsn101.jgvandyke.com (SMI-8.6/SMI-SVR4) id RAA12472; Mon, 14 Sep 1998 17:30:31 -0400
Date: Mon, 14 Sep 1998 17:30:31 -0400
Message-Id: <199809142130.RAA12472@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: ASN.1-SIZE floating
Sender: owner-ietf-smime@imc.org
Precedence: bulk

All,

I disagree with Bengt's assignment of 4 to 'MAX' in ESS.  This value is much
too low.  The following are the ASN.1 syntaxes in ESS that include 'MAX'.  


ContentHints ::= SEQUENCE {
  contentDescription UTF8String SIZE (1..MAX) OPTIONAL,
  contentType ContentType }


ESSPrivacyMark ::= CHOICE {
    pString      PrintableString SIZE (1..ub-privacy-mark-length),
    utf8String   UTF8String SIZE (1..MAX)
}


MLReceiptPolicy ::= CHOICE {
  none [0] NULL,
  insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
  inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }


I believe that ESS should remain as is so that it can provide sufficient
flexibility to support a variety of user organization requirements.  

================================
John Pawling, jsp@jgvandyke.com                             
J.G. Van Dyke & Associates, Inc.   
www.jgvandyke.com         
================================



At 08:59 AM 8/31/98 +0100, Bengt.Ackzell@postbox.mil.se wrote:
>Comments on draft-ietf-smime-ess-07.txt
>
>Clause 2.9
>Using the SIZE constraints (1..MAX), where the implementor can chose MAX
will course interoperability problems. Nor only due to possible loss of
attributes, but to the fact that an implementation design with a lower MAX
than received, should reject the message as a protocol violation. 
>We shall assign a fixed number to MAX. 
>4 is a reasonable value, since I by this has to propose a figure.
>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA10869 for ietf-smime-bks; Sun, 13 Sep 1998 05:23:22 -0700 (PDT)
Received: from post.mail.demon.net (post-12.mail.demon.net [194.217.242.41]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA10865 for <ietf-smime@imc.org>; Sun, 13 Sep 1998 05:23:20 -0700 (PDT)
Received: from [193.237.150.98] (helo=drh-consultancy.demon.co.uk) by post.mail.demon.net with esmtp (Exim 2.02 #1) id 0zIBGr-0006aJ-00 for ietf-smime@imc.org; Sun, 13 Sep 1998 12:28:50 +0000
Message-ID: <35FBB8B6.A4EA0D7D@drh-consultancy.demon.co.uk>
Date: Sun, 13 Sep 1998 13:21:10 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 keylength strawpoll
References: <2FBF98FC7852CF11912A000000000001091266DC@DINO>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Jim Schaad (Exchange) wrote:
> 
> Couple of issues to be addressed here:
> 
> 1.  Under seperate mail I sent in my vote but I did want to explain my
> reasoning as well.  I think we need to work with X/8 bytes of key for two
> reasons.  First, I don't believe that adding the additional bytes of data
> adds any more value to the key size.  Secondly, we are seting a precident
> for any new algorithms that come along with simliar features.  Making this a
> fixed size means that all new algorithms would have a fixed size even if
> they allow for variable length input, making the data size correspond to the
> key size is better in my judgement for all algorithms of this style.  

As I understand it the poll is only for the case of RC2 because there is
some ambiguity. It would be hoped that a new algorithm would not have
such ambiguity and would either define the keysize in terms of the
effective length or better still have an AlgortighmIdentifier which
allows all the parameters to be explicitly stated.

> 
> 2.  I completely agree with Blake that what current products do is
> completely irrelavent.  This is a new key transport mechisism from what is
> currently offered today in any existing product.  I do know that the product
> Blake works for does generate fixed length RC2 for content encryption while
> both Microsoft products use input length == key length for the same purpose.
> Additionally both products accept either method for decryption.  This  means
> that both products have the ability to work in EITHER manner.
> 

Well I wouldn't say completely irrelevant. There is the issue of using
DH and RSA together. 

This is all associated with whether the poll should (or needs to) apply
to the MEK as well as the KEK which is itself connected with the
suggested key wrapping modifications.

If the MEK is to be affected then this implies that already existing 
code will need to be modified. In that case it could be argued that
whatever is the more common current practice should be adopted.

I don't to agree with that because the key wrapping standard is also
"new" it should be modified to allow the length of the MEK to be
determined rather than existing code.

> 3.  Padding on the key wrapping algorithm.  I have a possible worry about
> using the RSA #1 padding method.  Since all of our data is going to be of a
> fixed length (the same padding for all wrapped triple DES keys for example),
> is it possible that we are making an attack easier on the key wrapping
> algorithm by using the standard RSA #1 padding technique rather than the
> originally prosposed random padding?

I assume we are talking about the same thing here (block padding as in
CMS 6.3 or therabouts). Is there any specific attack you are referring
to? There are lots of ways to substitute garbage for the MEK that will
only be noticed when the message is decrypted, e.g. copy from another
message.

IMHO the wrapping spec should allow the keylength to be determined for
the reasons mentioned above. PKCS padding was only a simple suggestion
that would involve miminal modification. There are lots of alternatives,
such as including a length argument in either the wrapped structure or
the outer ASN1 or use an ASN1 structure to wrap the key and checksums in
the first place.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA07439 for ietf-smime-bks; Sat, 12 Sep 1998 20:57:58 -0700 (PDT)
Received: from dfssl.exchange.microsoft.com ([131.107.88.59]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA07435 for <ietf-smime@imc.org>; Sat, 12 Sep 1998 20:57:58 -0700 (PDT)
Received: by dfssl.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <RBDL6RQ6>; Sat, 12 Sep 1998 21:03:13 -0700
Message-ID: <2FBF98FC7852CF11912A000000000001091266DC@DINO>
From: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
To: ietf-smime@imc.org
Subject: RE: RC2 keylength strawpoll
Date: Sat, 12 Sep 1998 21:01:24 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Couple of issues to be addressed here:

1.  Under seperate mail I sent in my vote but I did want to explain my
reasoning as well.  I think we need to work with X/8 bytes of key for two
reasons.  First, I don't believe that adding the additional bytes of data
adds any more value to the key size.  Secondly, we are seting a precident
for any new algorithms that come along with simliar features.  Making this a
fixed size means that all new algorithms would have a fixed size even if
they allow for variable length input, making the data size correspond to the
key size is better in my judgement for all algorithms of this style.  The
input for the key should be the same length as the key itself is.  There is
no possible "better security" or the argument about how long the key is
needs to be re-defined in terms of the input to the key.

2.  I completely agree with Blake that what current products do is
completely irrelavent.  This is a new key transport mechisism from what is
currently offered today in any existing product.  I do know that the product
Blake works for does generate fixed length RC2 for content encryption while
both Microsoft products use input length == key length for the same purpose.
Additionally both products accept either method for decryption.  This  means
that both products have the ability to work in EITHER manner.  

3.  Padding on the key wrapping algorithm.  I have a possible worry about
using the RSA #1 padding method.  Since all of our data is going to be of a
fixed length (the same padding for all wrapped triple DES keys for example),
is it possible that we are making an attack easier on the key wrapping
algorithm by using the standard RSA #1 padding technique rather than the
originally prosposed random padding?

jim schaad


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id TAA07138 for ietf-smime-bks; Sat, 12 Sep 1998 19:31:59 -0700 (PDT)
Received: from dfssl.exchange.microsoft.com ([131.107.88.59]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id TAA07134 for <ietf-smime@imc.org>; Sat, 12 Sep 1998 19:31:58 -0700 (PDT)
Received: by dfssl.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <RBDL6RKZ>; Sat, 12 Sep 1998 19:37:11 -0700
Message-ID: <2FBF98FC7852CF11912A000000000001091266DB@DINO>
From: "Jim Schaad (Exchange)" <jimsch@EXCHANGE.MICROSOFT.com>
To: "Ietf-Smime (E-mail)" <ietf-smime@imc.org>
Subject: OPTION 1: RC2 Key Length X/8
Date: Sat, 12 Sep 1998 19:37:00 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@imc.org
Precedence: bulk


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA23894 for ietf-smime-bks; Fri, 11 Sep 1998 12:43:32 -0700 (PDT)
Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by mail.proper.com (8.8.8/8.8.5) with SMTP id MAA23890 for <ietf-smime@imc.org>; Fri, 11 Sep 1998 12:43:31 -0700 (PDT)
Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id MAA23447; Fri, 11 Sep 1998 12:48:55 -0700
Received: from itech.terisa.com by terisa-bh.terisa.com via smap (3.2) id xma023436; Fri, 11 Sep 98 12:48:27 -0700
Received: from dv8 (dv8.terisa.COM [205.226.39.41]) by itech.terisa.com (8.8.5/8.6.4) with ESMTP id MAA26922; Fri, 11 Sep 1998 12:48:30 -0700 (PDT)
From: Brian Korver <briank@terisa.com>
Received: (briank@localhost) by dv8 (SMI-8.6/8.6.4) id MAA24836; Fri, 11 Sep 1998 12:48:29 -0700
Message-Id: <199809111948.MAA24836@dv8>
Subject: Re: AuthenticatedData in CMS
To: trevor@GlobeSet.com (Trevor Sosebee)
Date: Fri, 11 Sep 1998 12:48:29 -0700 (PDT)
Cc: ietf-smime@imc.org, terence@GlobeSet.com
In-Reply-To: <13817.29486.978819.823635@drought> from "Trevor Sosebee" at Sep 11, 98 02:02:22 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Trevor Sosebee writes:
> 
> Suppose an entity wants to use an AuthenticatedData structure as a
> generic way to carry authenticated data, and does not care who the
> recipient is or has no knowledge of the recipient's credentials at the 
> time of creation. It seems there should be a way to do this with no
> such knowledge, but since RecipientInfos is required to exist and contain
> at least one RecipientInfo, there seems to be no way around the problem.
> 
> At the very least could the requirement that RecipientInfos be present 
> be relaxed to possibly contain no RecipientInfo?
> 
> Trevor
 
Trevor,

Rather than identify the recipient, why not just identify the key?
(use RecipientIdentifier.subjectKeyIdentifier)

RecipientInfos must be present because that's where the key that
is used for the MAC is (encrypted).

brian
briank@terisa.com


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA23605 for ietf-smime-bks; Fri, 11 Sep 1998 11:56:56 -0700 (PDT)
Received: from firewall.globeset.com (root@firewall.globeset.com [207.239.133.67]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id LAA23601 for <ietf-smime@imc.org>; Fri, 11 Sep 1998 11:56:55 -0700 (PDT)
Received: from drought.globeset.com (trevor@drought.globeset.com [10.1.192.39]) by firewall.globeset.com (8.9.0/8.9.0) with ESMTP id OAA13039; Fri, 11 Sep 1998 14:02:23 -0500 (CDT)
Received: (from trevor@localhost) by drought.globeset.com (8.7.6/8.7.3) id OAA07596; Fri, 11 Sep 1998 14:02:22 -0500
From: Trevor Sosebee <trevor@GlobeSet.com>
Date: Fri, 11 Sep 1998 14:02:22 -0500 (CDT)
To: ietf-smime@imc.org
CC: terence@GlobeSet.com
Subject: AuthenticatedData in CMS
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs  Lucid
Message-ID: <13817.29486.978819.823635@drought>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Suppose an entity wants to use an AuthenticatedData structure as a
generic way to carry authenticated data, and does not care who the
recipient is or has no knowledge of the recipient's credentials at the 
time of creation. It seems there should be a way to do this with no
such knowledge, but since RecipientInfos is required to exist and contain
at least one RecipientInfo, there seems to be no way around the problem.

At the very least could the requirement that RecipientInfos be present 
be relaxed to possibly contain no RecipientInfo?

Trevor



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id GAA21384 for ietf-smime-bks; Thu, 10 Sep 1998 06:06:59 -0700 (PDT)
Received: from gatekeeper.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by mail.proper.com (8.8.8/8.8.5) with SMTP id GAA21380 for <ietf-smime@imc.org>; Thu, 10 Sep 1998 06:06:58 -0700 (PDT)
Received: 	id JAA15705; Thu, 10 Sep 1998 09:10:29 -0400
Received: by gateway id <S2S6X7S8>; Thu, 10 Sep 1998 09:07:26 -0400
Message-ID: <D789F71F24B4D111955D00A0C99B4F500139AFE6@sothmxs01.entrust.com>
From: Robert Zuccherato <robert.zuccherato@entrust.com>
To: ietf-smime@imc.org, "'Tim Dierks'" <timd@consensus.com>
Subject: RE: Certicom X9.42 proposal
Date: Thu, 10 Sep 1998 09:07:21 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Tim;

I have a couple of questions about your proposed patent license.

The field of use is listed as "CMS and PKIX".  What does this really mean?
For example, if someone built this technique into their product to meet
these standards, and it also meets other standards (such as ANSI X9.42),
would this be violating?  Perhaps a better wording would be something like
"public key validation techniques as described in PKIX and CMS".

You also say that this license is for implementing mandatory technologies.
However draft-ietf-smime-x942-00.txt lists public key validation (the
technique in question) as being a SHOULD.  It doesn't appear to be
mandatory.  Will this license only apply if public key validation is made
mandatory?  I would think that this license should apply whether or not the
techniques are mandatory.

Thanks,

	Robert Zuccherato.

> ----------
> From: 	Tim Dierks[SMTP:timd@consensus.com]
> Sent: 	Saturday, September 05, 1998 11:37 PM
> To: 	ietf-smime@imc.org
> Subject: 	Certicom X9.42 proposal
> 
> Recap:
> 
> The current S/MIME draft specifies a Diffie-Hellman mode from the ANSI
> X9.42
> draft which uses an additional parameter, q, to protect against an attack
> known as the "small subgroup attack". Certicom has a patent pending which
> we
> believe will cover this mechanism. At the WG meeting in Chicago, we
> offered
> to grant a royalty-free license to this patent and any other granted or
> pending patents which would cover S/MIME.
> 
> The working group is also considering a technical alternative which is an
> Elgamal variant. We do not believe we have any patent coverage on this
> alternative. We don't have any preference as to what mechanism the working
> group should choose: we just want to make it possible for the group to
> implement whatever its choice is without cost.
> 
> Our proposed patent license would involve:
>   - No licensing cost and royalty-free.
>   - Field of use is CMS and PKIX.
>   - Would grant rights to all issued and pending patents which are
> required
> to
>     implement mandatory technologies in current CMS and PKIX
> specifications.
>   - Licensing party would have to confer on Certicom the same rights for
> their
>     similar patents. (Free license for those which block CMS & PKIX.)
>   - To license, you just need to sign the license and send it to us; we
> will
> sign
>     and return it, but your license is good starting when you submit it to
> Certicom.
> 
> I've got a lawyer working on the language now and I hope to have an update
> within a week.
> 
>  - Tim Dierks
>    tdierks@certicom.com
> 


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA26862 for ietf-smime-bks; Tue, 8 Sep 1998 14:57:06 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id OAA26858 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 14:57:06 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id PAA24436 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 15:01:48 -0700 (PDT)
Message-Id: <4.1.0.52.19980908175213.00927ca0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Tue, 08 Sep 1998 17:52:37 -0400
To: ietf-smime@imc.org
From: Russ Housley <housley@spyrus.com>
Subject: OPTION 2: RC2 Key Length Fixed
In-Reply-To: <199808312236.PAA04106@speedy.rtfm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA22252 for ietf-smime-bks; Tue, 8 Sep 1998 07:18:34 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA22245 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 07:18:33 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id HAA17510 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 07:23:07 -0700 (PDT)
Message-Id: <4.1.0.44.19980828103151.009dc8f0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Fri, 28 Aug 1998 10:37:57 -0400
To: ietf-smime@imc.org
From: Russ Housley <housley@spyrus.com>
Subject: Countersignature Attribute
In-Reply-To: <199808041439.KAA03535@ajsn101.jgvandyke.com>
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

<html>
S/MIME Implementors:<br>
<br>
See the comment from John Pawling below.<br>
<br>
I agree that the&nbsp; the text is not clear.&nbsp; Looking back at the
original PKCS#7 v1.5 text, there is no insight to be found.&nbsp; So, I
would like to hear from implementors, especially S/MIME v2
implementors.&nbsp; How is this handled?<br>
<br>
Another interpreation of the PKCS#7 v1.5 text is:<br>

<dl>
<dd>A countersignature attribute can have multiple attribute
values.&nbsp; The syntax is defined as a SET OF AttributeValue, and there
must be one or more instances of AttributeValue present.<br>
<br>

<dd>The UnsignedAttributes syntax is defined as a SET OF
Attributes.&nbsp; The UnsignedAttributes in a signerInfo may include
multiple instances of the countersignature attribute.<br>
<br>

</dl>Russ<br>
<br>
<br>
At 10:39 AM 8/4/98 -0400, John Pawling wrote:<br>
&gt;[snip]<br>
&gt;5) Sec 11.4, Countersignature: Please change as follows:<br>
&gt;<br>
&gt;OLD: &quot;A countersignature attribute can have multiple attribute
values.&quot;<br>
&gt;<br>
&gt;NEW: &quot;The UnsignedAttributes syntax is defined as a SET OF
Attributes.&nbsp; <br>
&gt;The UnsignedAttributes in a signerInfo MAY include multiple instances
<br>
&gt;of the countersignature attribute.&nbsp; The Attribute syntax defines
<br>
&gt;attrValues as a SET OF AttributeValue.&nbsp; A countersignature
attribute <br>
&gt;MUST only include a single instance of AttributeValue. There MUST NOT
<br>
&gt;be zero or multiple instances of AttributeValue present in the <br>
&gt;attrValues SET OF AttributeValue.&quot;<br>
&gt;[snip]<br>
</html>



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA22246 for ietf-smime-bks; Tue, 8 Sep 1998 07:18:33 -0700 (PDT)
Received: from spyrus.com (prometheus.spyrus.com [209.66.65.49]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id HAA22241 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 07:18:32 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com ([209.172.119.101]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id HAA17520 for <ietf-smime@imc.org>; Tue, 8 Sep 1998 07:23:11 -0700 (PDT)
Message-Id: <4.1.0.44.19980828105218.009c6860@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Fri, 28 Aug 1998 10:53:49 -0400
To: ietf-smime@imc.org
From: Russ Housley <housley@spyrus.com>
Subject: Slides used at session
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Presentors:

Please send me powerpoint slides of your presentations. 

Blake and Paul need not send empty files.

Russ


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA04893 for ietf-smime-bks; Mon, 7 Sep 1998 04:24:53 -0700 (PDT)
Received: from dokka.maxware.no (dokka.maxware.no [195.139.236.69]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id EAA04889 for <ietf-smime@imc.org>; Mon, 7 Sep 1998 04:24:49 -0700 (PDT)
Received: from alden ([10.128.1.82]) by dokka.maxware.no (8.8.5/8.8.5) with SMTP id NAA07626; Mon, 7 Sep 1998 13:23:04 +0200
Message-Id: <3.0.2.32.19980907133108.01497de0@dokka.maxware.no>
X-Sender: hta@dokka.maxware.no
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Mon, 07 Sep 1998 13:31:08 +0200
To: ietf-smime@imc.org, ietf-mixer@innosoft.com
From: Harald Tveit Alvestrand <Harald.Alvestrand@maxware.no>
Subject: Gatewaying of S/MIME objects between X.400 and SMTP?
Cc: smime-mixer@alvestrand.no
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Hi,

over the last few months I've occasionally run into people who have a
need to codify how to move S/MIME signed and/or encrypted objects between
X.400 users and SMTP/Internet Mail users.

There appears to be largely two schools of thought:

- Make Internet Mail the "primary domain of definition", and use
  encapsulation as described in MIXER to move stuff into X.400.
  This is possibly the only thing that works for "multipart/signed",
  but requires MIME smarts at the recipient end.

- Make CMS the "primary domain of definition", and choose whatever
  representation is most suitable for the native email system.
  This would be the S/MIME format in SMTP, and probably an FTAM or
  bilaterally-defined body part in X.400.
  This may work fine for encrypted S/MIME, and there's anecdotal
  evidence that some people are using it already.

If there's sufficient interest, and the answer isn't blindingly obvious
to all, we might think of working out an RFC that recommends how to do this.

I believe this is not something that is of wide enough interest to the
two mailing lists I'm targeting for discussion there, so I've created
a special mailing list for this subject.

To join: Send "subscribe" in the BODY of a message to

   smime-mixer-REQUEST@alvestrand.no

to subscribe to this list.
Archives will be at http://www.alvestrand.no/archives/smime-mixer/ when
something is actually sent to the list.

Welcome!

               Harald T. Alvestrand

-- 
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id UAA23719 for ietf-smime-bks; Sat, 5 Sep 1998 20:32:41 -0700 (PDT)
Received: from consensus.com (mail.consensus.com [157.22.240.7]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id UAA23715 for <ietf-smime@imc.org>; Sat, 5 Sep 1998 20:32:40 -0700 (PDT)
Received: from  (38.185.137.2) by consensus.com with SMTP (Eudora Internet Mail Server 1.2); Sat, 5 Sep 1998 20:42:34 -0700
From: "Tim Dierks" <timd@consensus.com>
To: <ietf-smime@imc.org>
Subject: Certicom X9.42 proposal
Date: Sat, 5 Sep 1998 20:37:33 -0700
Message-ID: <003801bdd947$aecdcbf0$75fe169d@LocalHost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2232.26
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Recap:

The current S/MIME draft specifies a Diffie-Hellman mode from the ANSI X9.42
draft which uses an additional parameter, q, to protect against an attack
known as the "small subgroup attack". Certicom has a patent pending which we
believe will cover this mechanism. At the WG meeting in Chicago, we offered
to grant a royalty-free license to this patent and any other granted or
pending patents which would cover S/MIME.

The working group is also considering a technical alternative which is an
Elgamal variant. We do not believe we have any patent coverage on this
alternative. We don't have any preference as to what mechanism the working
group should choose: we just want to make it possible for the group to
implement whatever its choice is without cost.

Our proposed patent license would involve:
  - No licensing cost and royalty-free.
  - Field of use is CMS and PKIX.
  - Would grant rights to all issued and pending patents which are required
to
    implement mandatory technologies in current CMS and PKIX specifications.
  - Licensing party would have to confer on Certicom the same rights for
their
    similar patents. (Free license for those which block CMS & PKIX.)
  - To license, you just need to sign the license and send it to us; we will
sign
    and return it, but your license is good starting when you submit it to
Certicom.

I've got a lawyer working on the language now and I hope to have an update
within a week.

 - Tim Dierks
   tdierks@certicom.com



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id MAA07418 for ietf-smime-bks; Thu, 3 Sep 1998 12:50:55 -0700 (PDT)
Received: from inetgw.fs.lmco.com (inetgw.fs.lmco.com [204.177.125.1]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA07414 for <ietf-smime@imc.org>; Thu, 3 Sep 1998 12:50:54 -0700 (PDT)
Received: (from mail@localhost) by inetgw.fs.lmco.com (AIX4.2/UCB 8.7/8.7) id PAA29358 for <ietf-smime@imc.org>; Thu, 3 Sep 1998 15:55:35 -0400 (EDT)
Received: from dmsman.man.fs.lmco.com(158.187.195.16) by inetgw.fs.lmco.com via smap (V2.0) id xma061752; Thu, 3 Sep 98 15:54:59 -0400
Received: by dmsman.man.fs.lmco.com with Internet Mail Service (5.5.2232.9) id <SGQC3ABY>; Thu, 3 Sep 1998 15:54:16 -0400
Message-ID: <E1F508DF1910D1118BCB000083B11B7F46B2DF@dmsman.man.fs.lmco.com>
From: "Rogers III, Edward B." <ed.rogers@lmco.com>
To: ietf-smime@imc.org
Subject: OPTION 2: RC2 Key Length Fixed
Date: Thu, 3 Sep 1998 15:54:15 -0400 
Importance: low
X-Priority: 5
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@imc.org
Precedence: bulk


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA26673 for ietf-smime-bks; Thu, 3 Sep 1998 00:04:30 -0700 (PDT)
Received: from marcellus.cost.se (marcellus.cost.se [195.100.88.66]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA26669 for <ietf-smime@imc.org>; Thu, 3 Sep 1998 00:04:27 -0700 (PDT)
Received: from wallace ([10.0.0.12]) by marcellus.cost.se (8.8.5/8.7.5) with SMTP id JAA09466; Thu, 3 Sep 1998 09:06:12 +0200 (MET DST)
Message-Id: <3.0.5.32.19980903090748.00a72b70@mail.cost.se>
X-Sender: psi@mail.cost.se
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 03 Sep 1998 09:07:48 +0200
To: ietf-smime@imc.org
From: Peter Siklosi <psi@cost.se>
Subject: OPTION 1: RC2 Key Length X/8
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id SAA01195 for ietf-smime-bks; Wed, 2 Sep 1998 18:07:08 -0700 (PDT)
Received: from ORM-BBWEB.orem.novell.com (orm-bbweb.orem.novell.com [151.155.134.147]) by mail.proper.com (8.8.8/8.8.5) with SMTP id SAA01191 for <ietf-smime@imc.org>; Wed, 2 Sep 1998 18:07:07 -0700 (PDT)
Received: from GATEWAYS-Message_Server by ORM-BBWEB.orem.novell.com with Novell_GroupWise; Wed, 02 Sep 1998 19:11:23 -0600
Message-Id: <s5ed985b.099@ORM-BBWEB.orem.novell.com>
X-Mailer: Novell GroupWise 5.5
Date: Wed, 02 Sep 1998 19:11:00 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: <ietf-smime@imc.org>, <jlinn@securitydynamics.com>
Subject: Re: Proposed CMS security considerations re PKCS #1
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id SAA01192
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Good solution, John.

Bob

>>> "Linn, John" <jlinn@securitydynamics.com> 09/02 11:45 AM >>>
At last week's S/MIME WG session, I accepted an action per Russ' suggestion
to propose text for the security considerations section of CMS dealing with
the PKCS #1 vulnerability issue.  I've attached a proposal; if the PKCS #1
V2 document makes it to Informational RFC before the WG Last-Call on CMS
closes, I'd hope to update the citation correspondingly.  Comments?

--John Linn, RSA Laboratories

[insert in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 as documented in RFC-2313 is
vulnerable to adaptive chosen ciphertext attacks when applied for encryption
purposes. Exploitation of the identified vulnerability, revealing the result
of a particular RSA decryption, requires access to an oracle which will
respond to a large number (e.g., hundreds of thousands) of ciphertexts,
which are constructed adaptively in response to previously-received replies
providing information on the results of attempted decryptions. As a result,
the attack appears significantly less feasible to perpetrate for
store-and-forward S/MIME environments than for directly interactive
protocols.  Where CMS constructs are applied as an intermediate layer within
an interactive request-response communications environment, exploitation
could be more feasible. 

A revised version of PKCS #1, targeted to become PKCS #1 V2.0 and to succeed
RFC-2313, has been published as an Internet-Draft, and specifies and
recommends use of Optimal Asymmetric Encryption Padding (OAEP) when RSA
encryption is applied for secrecy purposes in order to resolve this
vulnerability.  Designers of systems employing CMS within interactive
environments should either consider usage of this revised padding (which may
become a candidate for citation in a future version of the CMS
specification), or should ensure that their applications do not return
information which could reveal the success or failure of attempted PKCS #1
decryption operations. 





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA27249 for ietf-smime-bks; Wed, 2 Sep 1998 10:39:41 -0700 (PDT)
Received: from tholian.securid.com (tholian.securid.com [204.167.112.129]) by mail.proper.com (8.8.8/8.8.5) with SMTP id KAA27245 for <ietf-smime@imc.org>; Wed, 2 Sep 1998 10:39:40 -0700 (PDT)
Received: from mail.securid.com by tholian.securid.com via smtpd (for imc.org [206.184.129.134]) with SMTP; 2 Sep 1998 17:53:11 UT
Received: by securitydynamics.com (8.7.6/8.7.3) with ESMTP id NAA24552 for <ietf-smime@imc.org>; Wed, 2 Sep 1998 13:49:52 -0400 (EDT)
Received: by exna01.securitydynamics.com with Internet Mail Service (5.0.1460.8) id <RT6989R6>; Wed, 2 Sep 1998 13:48:03 -0400
Message-ID: <D104150098E6D111B7830000F8D90AE825C8F8@exna02.securitydynamics.com>
From: "Linn, John" <jlinn@securitydynamics.com>
To: "'ietf-smime@imc.org'" <ietf-smime@imc.org>
Subject: Proposed CMS security considerations re PKCS #1
Date: Wed, 2 Sep 1998 13:45:40 -0400 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1460.8)
Content-Type: text/plain
Sender: owner-ietf-smime@imc.org
Precedence: bulk

At last week's S/MIME WG session, I accepted an action per Russ' suggestion
to propose text for the security considerations section of CMS dealing with
the PKCS #1 vulnerability issue.  I've attached a proposal; if the PKCS #1
V2 document makes it to Informational RFC before the WG Last-Call on CMS
closes, I'd hope to update the citation correspondingly.  Comments?

--John Linn, RSA Laboratories

[insert in CMS Security considerations]

Users of CMS, particularly those employing CMS to support interactive
applications, should be aware that PKCS #1 as documented in RFC-2313 is
vulnerable to adaptive chosen ciphertext attacks when applied for encryption
purposes. Exploitation of the identified vulnerability, revealing the result
of a particular RSA decryption, requires access to an oracle which will
respond to a large number (e.g., hundreds of thousands) of ciphertexts,
which are constructed adaptively in response to previously-received replies
providing information on the results of attempted decryptions. As a result,
the attack appears significantly less feasible to perpetrate for
store-and-forward S/MIME environments than for directly interactive
protocols.  Where CMS constructs are applied as an intermediate layer within
an interactive request-response communications environment, exploitation
could be more feasible. 

A revised version of PKCS #1, targeted to become PKCS #1 V2.0 and to succeed
RFC-2313, has been published as an Internet-Draft, and specifies and
recommends use of Optimal Asymmetric Encryption Padding (OAEP) when RSA
encryption is applied for secrecy purposes in order to resolve this
vulnerability.  Designers of systems employing CMS within interactive
environments should either consider usage of this revised padding (which may
become a candidate for citation in a future version of the CMS
specification), or should ensure that their applications do not return
information which could reveal the success or failure of attempted PKCS #1
decryption operations. 




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA22885 for ietf-smime-bks; Tue, 1 Sep 1998 16:13:03 -0700 (PDT)
Received: from post.mail.demon.net (post-11.mail.demon.net [194.217.242.40]) by mail.proper.com (8.8.8/8.8.5) with SMTP id QAA22881 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 16:13:02 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDzg0-0004IN-00; Tue, 1 Sep 1998 23:17:28 +0000
Message-ID: <35EC8056.10E05824@drh-consultancy.demon.co.uk>
Date: Wed, 02 Sep 1998 00:16:38 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: Blake Ramsdell <blake.ramsdell@worldtalk.com>
CC: ietf-smime@imc.org
Subject: Re: RC2 keylength strawpoll
References: <01FF24001403D011AD7B00A024BC53C53A7063@cane.deming.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Blake Ramsdell wrote:
> 
> Just so we're clear, my understanding is that the MEK works fine in both
> DH and RSA right now as-is.  The only question is regarding the KEK
> which is not used in RSA, and is the only thing that is currently
> ambiguous due to the mechanism by which those keys are generated.
> 
> The use of the current RC2 MEK mechanism should work fine in both DH and
> RSA environments, as well as a mix of the two.
> 

Unfortunately the current key wrapping spec says:

"5. Generate the number of pad octets necessary to make the
    result a multiple of the key-encryption algorithm block
    size, then append them to the result."

Which doesn't allow the MEK key length to be determined unambiguously.
Well at least the way I read it it doesn't anway.

> > The only problem here (which may be due to my missing the latest key
> > wrapping spec) is that the key wrapping spec doesn't allow
> > the length of
> > the "packaged" wrapped key to be unambiguously determined (except
> > through trial and error): my suggestion (in another message)
> > about using
> > PKCS padding would fix that though.
> 
> Shouldn't it just be regular ol' block padding?  You're using a
> symmetric block cipher to protect the data.  I think that for RC2 this
> is an 8 byte block, so the "eight bytes of eight" or "one byte of one"
> etc. is the padding, right?
> 

Yeah thats what I mean. I think PKCS#11 calls it "PKCS padding". Anyway
whatever you call it that's what I meant.

So from all this I'd personally be happy with

1. MEK: not specified, doesn't matter.
2. KEK: specified as either fixed or X/8.
3. Ammend wrapping standard to use standard block padding.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA22457 for ietf-smime-bks; Tue, 1 Sep 1998 15:19:11 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA22453 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 15:19:10 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.0.1); Tue, 01 Sep 98 15:23:49 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <R9MKWX58>; Tue, 1 Sep 1998 15:23:49 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A7064@cane.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@worldtalk.com>
To: "'EKR'" <ekr@terisa.com>
cc: "'Dr Stephen Henson'" <shenson@drh-consultancy.demon.co.uk>, <ietf-smime@imc.org>
Subject: RE: RC2 keylength strawpoll
Date: Tue, 1 Sep 1998 15:23:47 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 19F2AC7F12728-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> -----Original Message-----
> From: EKR [mailto:ekr@terisa.com]
> Sent: Tuesday, September 01, 1998 3:11 PM
> To: Blake Ramsdell
> Cc: 'Dr Stephen Henson'; ietf-smime@imc.org
> Subject: Re: RC2 keylength strawpoll
> 
> Unfortunately, this is incorrect. Russ's Key wrapping algorithm
> does not provide a way to determing the length of the wrapped MEK.

Got it -- sorry that I was confused.  Can we fix it with symmetric block
padding?

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id PAA22341 for ietf-smime-bks; Tue, 1 Sep 1998 15:06:05 -0700 (PDT)
Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by mail.proper.com (8.8.8/8.8.5) with SMTP id PAA22337 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 15:06:04 -0700 (PDT)
Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id PAA22192; Tue, 1 Sep 1998 15:10:45 -0700
Received: from itech.terisa.com by terisa-bh.terisa.com via smap (3.2) id xma022187; Tue, 1 Sep 98 15:10:32 -0700
Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.8.5/8.6.4) with SMTP id PAA02325; Tue, 1 Sep 1998 15:10:33 -0700 (PDT)
Received: by kmac.daisy (4.1/SMI-4.1) id AA11756; Tue, 1 Sep 98 15:10:32 PDT
To: "Blake Ramsdell" <blake.ramsdell@worldtalk.com>
Cc: "'Dr Stephen Henson'" <shenson@drh-consultancy.demon.co.uk>, <ietf-smime@imc.org>
Subject: Re: RC2 keylength strawpoll
References: <01FF24001403D011AD7B00A024BC53C53A7063@cane.deming.com>
From: EKR <ekr@terisa.com>
Date: 01 Sep 1998 15:10:31 -0700
In-Reply-To: "Blake Ramsdell"'s message of "Tue, 1 Sep 1998 14:43:44 -0700"
Message-Id: <33eab32nc.fsf@kmac.terisa.com>
Lines: 32
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

"Blake Ramsdell" <blake.ramsdell@worldtalk.com> writes:

> > -----Original Message-----
> > From: Dr Stephen Henson [mailto:shenson@drh-consultancy.demon.co.uk]
> > Sent: Tuesday, September 01, 1998 2:12 PM
> > To: ietf-smime@imc.org
> > Subject: Re: RC2 keylength strawpoll
> > 
> > I think the only potential problem is using DH and RSA. It is quite
> > reasonable to assume that someone might want to send encrypted mail to
> > people some of whom have RSA certificates and some of whom have DH.
> > 
> > In this case the easiest way to deal with things is to have 
> > RC2 use the
> > same standard with DH and RSA for its key.
> 
> Just so we're clear, my understanding is that the MEK works fine in both
> DH and RSA right now as-is.  The only question is regarding the KEK
> which is not used in RSA, and is the only thing that is currently
> ambiguous due to the mechanism by which those keys are generated.
> 
> The use of the current RC2 MEK mechanism should work fine in both DH and
> RSA environments, as well as a mix of the two.
Unfortunately, this is incorrect. Russ's Key wrapping algorithm
does not provide a way to determing the length of the wrapped MEK.

-Ekr


-- 
[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA22080 for ietf-smime-bks; Tue, 1 Sep 1998 14:39:11 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA22076 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 14:39:10 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.0.1); Tue, 01 Sep 98 14:43:45 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <R9MKWXZC>; Tue, 1 Sep 1998 14:43:45 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A7063@cane.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@worldtalk.com>
To: "'Dr Stephen Henson'" <shenson@drh-consultancy.demon.co.uk>, <ietf-smime@imc.org>
Subject: RE: RC2 keylength strawpoll
Date: Tue, 1 Sep 1998 14:43:44 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 19F2B51B12331-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> -----Original Message-----
> From: Dr Stephen Henson [mailto:shenson@drh-consultancy.demon.co.uk]
> Sent: Tuesday, September 01, 1998 2:12 PM
> To: ietf-smime@imc.org
> Subject: Re: RC2 keylength strawpoll
> 
> I think the only potential problem is using DH and RSA. It is quite
> reasonable to assume that someone might want to send encrypted mail to
> people some of whom have RSA certificates and some of whom have DH.
> 
> In this case the easiest way to deal with things is to have 
> RC2 use the
> same standard with DH and RSA for its key.

Just so we're clear, my understanding is that the MEK works fine in both
DH and RSA right now as-is.  The only question is regarding the KEK
which is not used in RSA, and is the only thing that is currently
ambiguous due to the mechanism by which those keys are generated.

The use of the current RC2 MEK mechanism should work fine in both DH and
RSA environments, as well as a mix of the two.

> The only problem here (which may be due to my missing the latest key
> wrapping spec) is that the key wrapping spec doesn't allow 
> the length of
> the "packaged" wrapped key to be unambiguously determined (except
> through trial and error): my suggestion (in another message) 
> about using
> PKCS padding would fix that though.

Shouldn't it just be regular ol' block padding?  You're using a
symmetric block cipher to protect the data.  I think that for RC2 this
is an 8 byte block, so the "eight bytes of eight" or "one byte of one"
etc. is the padding, right?

> > Based on the underwhelming poll results (two responses), 
> I'd say pick an
> > answer and write it up for the DH using RC2 as a KEK, and 
> leave existing
> > RC2 MEKs alone.  This is, of course, unless I'm missing something
> > significant about RC2's use as a MEK within the DH realm.
> > 
> 
> I counted three. Maybe there should be other alternatives, 
> "don't care"
> and "Whut?" :-)

I kinda like "Whut?", myself.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id OAA21141 for ietf-smime-bks; Tue, 1 Sep 1998 14:12:16 -0700 (PDT)
Received: from post.mail.demon.net (post-12.mail.demon.net [194.217.242.41]) by mail.proper.com (8.8.8/8.8.5) with SMTP id OAA21137 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 14:12:14 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDxma-00050I-00; Tue, 1 Sep 1998 21:16:08 +0000
Message-ID: <35EC632C.4721523C@drh-consultancy.demon.co.uk>
Date: Tue, 01 Sep 1998 22:12:12 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 keylength strawpoll
References: <01FF24001403D011AD7B00A024BC53C53A7061@cane.deming.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Blake Ramsdell wrote:
> 
> I don't believe that the current discussion should apply to the current
> use of RC2 as a message encryption algorithm -- I don't think there is a
> problem here.  Changing this for the sake of being in parallel with RC2
> when used as a KEK with DH is interesting, but unnecessary.  I don't
> believe that there is any complexity for implementors.
> 

I think the only potential problem is using DH and RSA. It is quite
reasonable to assume that someone might want to send encrypted mail to
people some of whom have RSA certificates and some of whom have DH.

In this case the easiest way to deal with things is to have RC2 use the
same standard with DH and RSA for its key.

There are lots of other alternatives which might be regarded as better,
one is to explicitly include the keylength as an OPTIONAL parameter if
the content encryption algorithm needs it and then just make
recommendations in the spec with the proviso that the recipient MUST be
able to handle different keylengths.

Another solution is to just specify a standard for the wrapping key and
leave the content encryption key unspecified. That way whatever is used
for RSA it can be wrapped appropriately. 

The only problem here (which may be due to my missing the latest key
wrapping spec) is that the key wrapping spec doesn't allow the length of
the "packaged" wrapped key to be unambiguously determined (except
through trial and error): my suggestion (in another message) about using
PKCS padding would fix that though.

> Based on the underwhelming poll results (two responses), I'd say pick an
> answer and write it up for the DH using RC2 as a KEK, and leave existing
> RC2 MEKs alone.  This is, of course, unless I'm missing something
> significant about RC2's use as a MEK within the DH realm.
> 

I counted three. Maybe there should be other alternatives, "don't care"
and "Whut?" :-)

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA20904 for ietf-smime-bks; Tue, 1 Sep 1998 13:46:17 -0700 (PDT)
Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id NAA20900 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 13:46:15 -0700 (PDT)
Received: from dredd.mcom.com (dredd.mcom.com [205.217.237.54]) by netscape.com (8.8.5/8.8.5) with ESMTP id NAA00380 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 13:49:59 -0700 (PDT)
Received: from netscape.com ([208.12.62.96]) by dredd.mcom.com (Netscape Messaging Server 3.52)  with ESMTP id AAA3B9; Tue, 1 Sep 1998 13:49:56 -0700
Message-ID: <35EC5DD5.350CCDCB@netscape.com>
Date: Tue, 01 Sep 1998 13:49:25 -0700
From: relyea@netscape.com (Bob Relyea)
X-Mailer: Mozilla 4.06 [en] (WinNT; U)
MIME-Version: 1.0
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
CC: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com> <35EBD80F.805BA031@drh-consultancy.demon.co.uk> <3hfyrj3mr.fsf@kmac.terisa.com> <35EC33E3.43D138C6@drh-consultancy.demon.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Dr Stephen Henson wrote:

> EKR wrote:
> >
> > Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> writes:
> >
> > >
> > > I propose this option not because its the best but because its what the
> > > two versions I've tested use: viz Netscape Messenger and Microsoft
> > > Outlook.
> > Representatives from both companies are here. It seems to me best
> > to see what their opinions are.
> >
>
> As I've said before. I know they use X/8 on send. I'm not expecting
> anyone to just take my word for it. I can demonstrate this to anyone who
> doubts it.

In our S/MIME version 2 implementation we use X/8 on send, and accept physical
keys of any length on receive (up to the RC-2 limit). Early version of our
products did not accept the longer keys, but some S/MIME 2 implementations
generated them.

My personal preference would be to use an out of band way of communicating the
length if the wrapping mechanism did not implicitly include the length (perhaps
as a parameter to the wrapping mechanism). This helps me abstract way cipher
specific stuff from the PKCS 7 parsing code. Failing that either of the other
proposals (effective key size or fixed key size) are acceptable. both entail
about the same amount of cipher specific code.

bob

bob



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA20616 for ietf-smime-bks; Tue, 1 Sep 1998 13:09:36 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA20611 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 13:09:34 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.0.1); Tue, 01 Sep 98 13:13:54 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <R9MKWXVN>; Tue, 1 Sep 1998 13:13:54 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A7061@cane.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@worldtalk.com>
To: "'Rescorla'" <ekr@terisa.com>, <ietf-smime@imc.org>
Subject: RE: RC2 keylength strawpoll
Date: Tue, 1 Sep 1998 13:13:53 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 19F28A0811579-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

> -----Original Message-----
> From: Rescorla [mailto:ekr@terisa.com]
> Sent: Monday, August 31, 1998 3:36 PM
> To: ietf-smime@imc.org
> Subject: RC2 keylength strawpoll
> 
> Don't bother with a message body, I am just going to count the 
> messages.  Discussion of the content of this message should reply to 
> this message. 

I'm trying to figure out what we are solving and the path that we are
pursuing to solve it.

1. RC2 is currently used as a message encryption algorithm.  This does
not have any problems that I am aware of.

2. The X9.42 variant of DH that is proposed for use for key exchange
requires the use of an additional symmetric cipher for the protection of
the message encryption key.  RC2 has been proposed for this purpose as
one alternative.  Because RC2 has a disconnect between the length of the
input keying material and the effective key length, and because the
proposed DH method is using a hash-based PRNG to generate keying
material, the length of the input keying material must be specified or
at least agreed upon.  There are exactly zero implementations that
currently use DH and RC2 right now, so backwards compatibility is not an
issue.

Current S/MIME practice for RC2 does not limit the length of the input
keying material for use with RC2.  For better or worse.  At the very
least, vendors using the RSA TIPEM library will produce input keying
material of a length greater than the effective keylength being used
with RC2.  This has been demonstrated to be interoperable (every vendor
that has tested RC2 can handle lots of keying material being boiled down
to 40 bits of effective keying material).

I don't believe that the current discussion should apply to the current
use of RC2 as a message encryption algorithm -- I don't think there is a
problem here.  Changing this for the sake of being in parallel with RC2
when used as a KEK with DH is interesting, but unnecessary.  I don't
believe that there is any complexity for implementors.

Based on the underwhelming poll results (two responses), I'd say pick an
answer and write it up for the DH using RC2 as a KEK, and leave existing
RC2 MEKs alone.  This is, of course, unless I'm missing something
significant about RC2's use as a MEK within the DH realm.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id NAA20585 for ietf-smime-bks; Tue, 1 Sep 1998 13:06:10 -0700 (PDT)
Received: from post.mail.demon.net (post-11.mail.demon.net [194.217.242.40]) by mail.proper.com (8.8.8/8.8.5) with SMTP id NAA20581 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 13:06:08 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDwlD-0005hr-00; Tue, 1 Sep 1998 20:10:39 +0000
Message-ID: <35EC543B.B55793DF@drh-consultancy.demon.co.uk>
Date: Tue, 01 Sep 1998 21:08:27 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com> <35EBD80F.805BA031@drh-consultancy.demon.co.uk> <3hfyrj3mr.fsf@kmac.terisa.com> <35EC33E3.43D138C6@drh-consultancy.demon.co.uk> <367f73cjj.fsf@kmac.terisa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

EKR wrote:
> 
> > As I've said before. I know they use X/8 on send. I'm not expecting
> > anyone to just take my word for it. I can demonstrate this to anyone who
> > doubts it.
> There are two primary reasons to be concerned with current behavior:
> 1. Backwards compatibility
> Provided that they are prepared to accept arbitrary keylength
> on receive, this isn't an issue. They'll have to change their
> code to accomodate S/MIMEv3 ANYWAY, so they can change
> this behavior as well.
> 2. Implementation hassle for the programmers.
> Often, changing one's behavior is a hassle. Sometimes it's not.
> I expect that the Netscape and Microsoft representatives
> can take this into account when voting.
> 
> It's not that I don't believe you about what Netscape and Microsoft
> do. I just don't think it's that relevant.
> 

Fair enough. Comments NS and MS please?

> > > IMHO, anyone who assumes X/8 when receiving has broken the cardinal
> > > rule of being liberal in what you accept. Sending is a different
> > > issue.
> > >
> >
> > Yes I suppose that could be argued. Of course a "hands up whose software
> > is broken" question may bring a limited response :-)
> >
> > In some crypto libraries (SSLeay for example) you specify the unwrapping
> > cipher when you unwrap a key with RSA. In the case of RC2 with 40 bits
> > this specifies the effective bits and key size. The key size is then
> > used as an additional integrity check on the decrypted RSA block.
> In the face of the Million Message attack, this no longer
> seems like such a great idea.
> 

I've just checked the bulletin re this attack. Under "Countermeasures"
doing a stronger integrity check was one way of considerably reducing
the probabilty of a random ciphertext being "good". It says checking the
length actually makes the attack harder: it quotes from 1 million to 20
million questions.

Anyway the main cause of that problem was being able to determine the
integrity check had failed based on the type of error. 

All irrelevant to S/MIME though, as it points out.

> 
> > In any case CMS needs an additional note if fixed keylength is adopted.
> > Something like it MUST be fixed if key agreement is used for any
> > recipient used and SHOULD|MUST|MAY (Comments?) if no recpients use key
> > agreement.
> Nonsense. Provided that all recipients will accept a fixed
> length key, MUST is perfectly acceptable in all cases.

I have no problems with MUST. But with purely key exchange it is not
mandatory. I agree though that MUST would be better for both.

> 
> > IMHO prohibiting a keysize larger than 128 bits is not a good idea. Even
> > if hardly anyone will ever use anything larger than 128 bits we should
> > at least define a standard to handle this so people don't all do
> > different and incompatible things.
> On the contrary. I think it's a fantastic idea. People who want
> a cipher that is 128 bits strong should choose something better
> analyzed than RC2.
> 

I have a very vague recollection of some advertising material suggesting
something using 255 bit RC2 for S/MIME, though I might be thinking of
something else.

Comments anyone?

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA19884 for ietf-smime-bks; Tue, 1 Sep 1998 11:39:02 -0700 (PDT)
Received: from cane.deming.com (cane.deming.com [208.236.41.9] (may be forged)) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA19880 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 11:39:01 -0700 (PDT)
Received: from 208.236.41.9 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v3.0.1); Tue, 01 Sep 98 11:43:38 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by cane.deming.com with Internet Mail Service (5.5.1960.3) id <R9MKWXSC>; Tue, 1 Sep 1998 11:43:38 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C53A705E@cane.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@worldtalk.com>
To: "'Bob Jueneman'" <BJUENEMAN@novell.com>, <ietf-smime@imc.org>, <jsp@jgvandyke.com>, <t93512kw@sfc.keio.ac.jp>
Subject: RE: 42nd meeting
Date: Tue, 1 Sep 1998 11:43:36 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
X-WSS-ID: 19F29FD010864-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

It appears that sge.net did something strange.  I have notified Paul...

Blake

> -----Original Message-----
> From:	Bob Jueneman [SMTP:BJUENEMAN@novell.com]
> Sent:	Tuesday, September 01, 1998 10:55 AM
> To:	ietf-smime@imc.org; jsp@jgvandyke.com; t93512kw@sfc.keio.ac.jp
> Subject:	Re: 42nd meeting
> 
> Is there something wrong with my mail package?
> 
> All I'm seeing on several messages is the following -- 
> maybe it's the joke of the day?
> 
> Bob
> 
> >>> John Pawling <jsp@jgvandyke.com> 08/31 8:09 AM >>>
> --AAA08737.904575102/kryptonite.sge.net--
> 
> 


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id LAA19792 for ietf-smime-bks; Tue, 1 Sep 1998 11:32:42 -0700 (PDT)
Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by mail.proper.com (8.8.8/8.8.5) with SMTP id LAA19788 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 11:32:41 -0700 (PDT)
Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id LAA18294; Tue, 1 Sep 1998 11:37:14 -0700
Received: from itech.terisa.com by terisa-bh.terisa.com via smap (3.2) id xma018289; Tue, 1 Sep 98 11:36:48 -0700
Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.8.5/8.6.4) with SMTP id LAA28979; Tue, 1 Sep 1998 11:36:49 -0700 (PDT)
Received: by kmac.daisy (4.1/SMI-4.1) id AA11737; Tue, 1 Sep 98 11:36:49 PDT
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com> <35EBD80F.805BA031@drh-consultancy.demon.co.uk> <3hfyrj3mr.fsf@kmac.terisa.com> <35EC33E3.43D138C6@drh-consultancy.demon.co.uk>
From: EKR <ekr@terisa.com>
Date: 01 Sep 1998 11:36:48 -0700
In-Reply-To: Dr Stephen Henson's message of "Tue, 01 Sep 1998 18:50:27 +0100"
Message-Id: <367f73cjj.fsf@kmac.terisa.com>
Lines: 90
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> writes:

> EKR wrote:
> > 
> > Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> writes:
> > 
> > >
> > > I propose this option not because its the best but because its what the
> > > two versions I've tested use: viz Netscape Messenger and Microsoft
> > > Outlook.
> > Representatives from both companies are here. It seems to me best
> > to see what their opinions are.
> > 
> 
> As I've said before. I know they use X/8 on send. I'm not expecting
> anyone to just take my word for it. I can demonstrate this to anyone who
> doubts it.
There are two primary reasons to be concerned with current behavior:
1. Backwards compatibility
Provided that they are prepared to accept arbitrary keylength
on receive, this isn't an issue. They'll have to change their
code to accomodate S/MIMEv3 ANYWAY, so they can change
this behavior as well.
2. Implementation hassle for the programmers.
Often, changing one's behavior is a hassle. Sometimes it's not.
I expect that the Netscape and Microsoft representatives
can take this into account when voting. 

It's not that I don't believe you about what Netscape and Microsoft
do. I just don't think it's that relevant.

> > IMHO, anyone who assumes X/8 when receiving has broken the cardinal
> > rule of being liberal in what you accept. Sending is a different
> > issue.
> > 
> 
> Yes I suppose that could be argued. Of course a "hands up whose software
> is broken" question may bring a limited response :-)
> 
> In some crypto libraries (SSLeay for example) you specify the unwrapping
> cipher when you unwrap a key with RSA. In the case of RC2 with 40 bits
> this specifies the effective bits and key size. The key size is then
> used as an additional integrity check on the decrypted RSA block.
In the face of the Million Message attack, this no longer
seems like such a great idea.

> Oh BTW I did some tests on Netscape and Outlook 98 anyway. As I said
> they both use X/8 on send but neither assumes X/8 on receive. So that's
> two implementations a fixed keysize wont break anyway...
> 
> > > As for this being more complicated to code and test I'd say that depends
> > > on the implementation. Currently, for example, SSLeay would need some
> > > modification to support option 2 with its envelope routines whereas
> > > option 1 is already supported.
> > That's not a reasonable standard. Clearly, any change is more
> > difficult to develop and test than no change. That's why we
> > take current practice into account. The issue with development
> > and test assumes you're starting from scratch. From THAT
> > perspective fixed is easier.
> 
> Well current practice seems to be X/8 on send with the implementations
> I've tested. Anyone know of anything that doesn't use X/8 on send? 
At Chicago, Blake asserted that a number of implementationd o other
things. Perhaps he'd be willing to speak up.

> In any case CMS needs an additional note if fixed keylength is adopted.
> Something like it MUST be fixed if key agreement is used for any
> recipient used and SHOULD|MUST|MAY (Comments?) if no recpients use key
> agreement.
Nonsense. Provided that all recipients will accept a fixed
length key, MUST is perfectly acceptable in all cases.
> If this isn't stated then we either need a standard for key lengths
> larger than 128 or an absolute prohibition of a key length greater than
> 128 bits for RC2.
This would be fine with me.

> IMHO prohibiting a keysize larger than 128 bits is not a good idea. Even
> if hardly anyone will ever use anything larger than 128 bits we should
> at least define a standard to handle this so people don't all do
> different and incompatible things.
On the contrary. I think it's a fantastic idea. People who want
a cipher that is 128 bits strong should choose something better
analyzed than RC2.

-Ekr
> 

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA19411 for ietf-smime-bks; Tue, 1 Sep 1998 10:54:58 -0700 (PDT)
Received: from ORM-BBWEB.orem.novell.com (orm-bbweb.orem.novell.com [151.155.134.147]) by mail.proper.com (8.8.8/8.8.5) with SMTP id KAA19407 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 10:54:57 -0700 (PDT)
Received: from GATEWAYS-Message_Server by ORM-BBWEB.orem.novell.com with Novell_GroupWise; Tue, 01 Sep 1998 11:55:20 -0600
Message-Id: <s5ebe0a8.002@ORM-BBWEB.orem.novell.com>
X-Mailer: Novell GroupWise 5.5
Date: Tue, 01 Sep 1998 11:54:46 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: <ietf-smime@imc.org>, <jsp@jgvandyke.com>, <t93512kw@sfc.keio.ac.jp>
Subject: Re: 42nd meeting
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.proper.com id KAA19408
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Is there something wrong with my mail package?

All I'm seeing on several messages is the following -- 
maybe it's the joke of the day?

Bob

>>> John Pawling <jsp@jgvandyke.com> 08/31 8:09 AM >>>
--AAA08737.904575102/kryptonite.sge.net--





Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id KAA19389 for ietf-smime-bks; Tue, 1 Sep 1998 10:53:09 -0700 (PDT)
Received: from post.mail.demon.net (post-20.mail.demon.net [194.217.242.27]) by mail.proper.com (8.8.8/8.8.5) with SMTP id KAA19374 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 10:52:10 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDuff-0007FS-00; Tue, 1 Sep 1998 17:56:47 +0000
Message-ID: <35EC33E3.43D138C6@drh-consultancy.demon.co.uk>
Date: Tue, 01 Sep 1998 18:50:27 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com> <35EBD80F.805BA031@drh-consultancy.demon.co.uk> <3hfyrj3mr.fsf@kmac.terisa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

EKR wrote:
> 
> Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> writes:
> 
> >
> > I propose this option not because its the best but because its what the
> > two versions I've tested use: viz Netscape Messenger and Microsoft
> > Outlook.
> Representatives from both companies are here. It seems to me best
> to see what their opinions are.
> 

As I've said before. I know they use X/8 on send. I'm not expecting
anyone to just take my word for it. I can demonstrate this to anyone who
doubts it.

> > If you permit a larger key length then it may break an existing
> > implementation that assumes that the the keylength is X/8. It would
> > break mine for example but I can fix that.
> >
> > I can't comment on whether the above implementations assume X/8, can
> > anyone else? If no one knows then I can do some tests and post the
> > results back here.
> IMHO, anyone who assumes X/8 when receiving has broken the cardinal
> rule of being liberal in what you accept. Sending is a different
> issue.
> 

Yes I suppose that could be argued. Of course a "hands up whose software
is broken" question may bring a limited response :-)

In some crypto libraries (SSLeay for example) you specify the unwrapping
cipher when you unwrap a key with RSA. In the case of RC2 with 40 bits
this specifies the effective bits and key size. The key size is then
used as an additional integrity check on the decrypted RSA block.

Using the keysize as an integrity check is IMHO not unreasonable but
this would make things difficult if the keysize is not known in advance. 
As to how many implementations or crypto libraries this affects I've no
idea...

Oh BTW I did some tests on Netscape and Outlook 98 anyway. As I said
they both use X/8 on send but neither assumes X/8 on receive. So that's
two implementations a fixed keysize wont break anyway...

> > As for this being more complicated to code and test I'd say that depends
> > on the implementation. Currently, for example, SSLeay would need some
> > modification to support option 2 with its envelope routines whereas
> > option 1 is already supported.
> That's not a reasonable standard. Clearly, any change is more
> difficult to develop and test than no change. That's why we
> take current practice into account. The issue with development
> and test assumes you're starting from scratch. From THAT
> perspective fixed is easier.

Well current practice seems to be X/8 on send with the implementations
I've tested. Anyone know of anything that doesn't use X/8 on send? 

In any case CMS needs an additional note if fixed keylength is adopted.
Something like it MUST be fixed if key agreement is used for any
recipient used and SHOULD|MUST|MAY (Comments?) if no recpients use key
agreement.

> > If option 2 is taken then what should the fixed keylength be? If we set
> > it as (for example) 128 bits then that restricts anyone who wishes to
> > use more. So you couldn't just say "fixed keylength" you'd have to say
> > for example: "the keylength is rounded up to the nearest multiple of 16
> > to X/8". One conclusion to this is, of course, you might as well have a
> > variable key length to begin with.
> This is a non-problem. The permissible RC2 keylengths in S/MIME are
> 40,64, and 128. Consequently, fixed 128 will work just fine.
> 

I may have missed something here but is this explicitly stated anywhere?
I know that 40, 64 and 128 are given as examples but the RC2 spec
permits larger keysizes as does the S/MIME capabilities attribute.

If this isn't stated then we either need a standard for key lengths
larger than 128 or an absolute prohibition of a key length greater than
128 bits for RC2.

IMHO prohibiting a keysize larger than 128 bits is not a good idea. Even
if hardly anyone will ever use anything larger than 128 bits we should
at least define a standard to handle this so people don't all do
different and incompatible things.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id IAA18211 for ietf-smime-bks; Tue, 1 Sep 1998 08:19:07 -0700 (PDT)
Received: from post.mail.demon.net (post-20.mail.demon.net [194.217.242.27]) by mail.proper.com (8.8.8/8.8.5) with SMTP id IAA18207 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 08:19:05 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDsHU-0007U0-00; Tue, 1 Sep 1998 15:23:41 +0000
Message-ID: <35EC10FC.77D33CDD@drh-consultancy.demon.co.uk>
Date: Tue, 01 Sep 1998 16:21:32 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: CMS key wrapping suggestion.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Apologies if this has been mentioned before but in the last version of
the key wrapping standard I have:

5.  Generate the number of pad octets necessary to make the
    result a multiple of the key-encryption algorithm block
    size, then append them to the result.

This sounds as though it is incompatible with PKCS padding which adds a
block of padding octets if the result is already a multiple of the block
size.

Since (from what I can see) symmetric algorithms for the message
encryption use PKCS padding (see CMS 6.3) I see no real reason why it
shouldn't be also applied here: it does add a small additional integrity
check. Otherwise two different padding schemes would be applied, no
padding (for key wrap) and PKCS padding (for content encryption).

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id HAA17849 for ietf-smime-bks; Tue, 1 Sep 1998 07:38:29 -0700 (PDT)
Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by mail.proper.com (8.8.8/8.8.5) with SMTP id HAA17845 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 07:38:29 -0700 (PDT)
Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id HAA12600; Tue, 1 Sep 1998 07:42:43 -0700
Received: from itech.terisa.com by terisa-bh.terisa.com via smap (3.2) id xma012598; Tue, 1 Sep 98 07:42:37 -0700
Received: from kmac.daisy (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.8.5/8.6.4) with SMTP id HAA26065; Tue, 1 Sep 1998 07:42:37 -0700 (PDT)
Received: by kmac.daisy (4.1/SMI-4.1) id AA11686; Tue, 1 Sep 98 07:42:37 PDT
To: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com> <35EBD80F.805BA031@drh-consultancy.demon.co.uk>
From: EKR <ekr@terisa.com>
Date: 01 Sep 1998 07:42:36 -0700
In-Reply-To: Dr Stephen Henson's message of "Tue, 01 Sep 1998 12:18:39 +0100"
Message-Id: <3hfyrj3mr.fsf@kmac.terisa.com>
Lines: 52
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk> writes:

> Sorry I missed the comment about discussion being as a reply. Anyway
> here are my original comments...
> 
> I propose this option not because its the best but because its what the
> two versions I've tested use: viz Netscape Messenger and Microsoft
> Outlook.
Representatives from both companies are here. It seems to me best
to see what their opinions are.

> If you permit a larger key length then it may break an existing
> implementation that assumes that the the keylength is X/8. It would
> break mine for example but I can fix that. 
>
> I can't comment on whether the above implementations assume X/8, can
> anyone else? If no one knows then I can do some tests and post the
> results back here.
IMHO, anyone who assumes X/8 when receiving has broken the cardinal
rule of being liberal in what you accept. Sending is a different
issue.

> As for this being more complicated to code and test I'd say that depends
> on the implementation. Currently, for example, SSLeay would need some
> modification to support option 2 with its envelope routines whereas
> option 1 is already supported.
That's not a reasonable standard. Clearly, any change is more
difficult to develop and test than no change. That's why we
take current practice into account. The issue with development
and test assumes you're starting from scratch. From THAT 
perspective fixed is easier.
> There is a standard that that sort of defines it. The standard I'm
> referring to is PKCS#12 password based encryption. In this case the
> keylength is specifically implied by the algorithm as X/8.
> 
> Since my original message I've thought of something else...
> 
> If option 2 is taken then what should the fixed keylength be? If we set
> it as (for example) 128 bits then that restricts anyone who wishes to
> use more. So you couldn't just say "fixed keylength" you'd have to say
> for example: "the keylength is rounded up to the nearest multiple of 16
> to X/8". One conclusion to this is, of course, you might as well have a
> variable key length to begin with. 
This is a non-problem. The permissible RC2 keylengths in S/MIME are
40,64, and 128. Consequently, fixed 128 will work just fine.

-Ekr


-- 
[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id EAA16498 for ietf-smime-bks; Tue, 1 Sep 1998 04:15:41 -0700 (PDT)
Received: from post.mail.demon.net (post-11.mail.demon.net [194.217.242.40]) by mail.proper.com (8.8.8/8.8.5) with SMTP id EAA16494 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 04:15:39 -0700 (PDT)
Received: from (drh-consultancy.demon.co.uk) [193.237.150.98]  by post.mail.demon.net with esmtp (Exim 1.82 #2) id 0zDoTv-0007F6-00; Tue, 1 Sep 1998 11:20:15 +0000
Message-ID: <35EBD80F.805BA031@drh-consultancy.demon.co.uk>
Date: Tue, 01 Sep 1998 12:18:39 +0100
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
Organization: Dr S N Henson
X-Mailer: Mozilla 4.06 [en] (Win95; U)
MIME-Version: 1.0
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: RC2 Keylength Strawpoll
References: <199808312238.PAA04119@speedy.rtfm.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Sorry I missed the comment about discussion being as a reply. Anyway
here are my original comments...

I propose this option not because its the best but because its what the
two versions I've tested use: viz Netscape Messenger and Microsoft
Outlook.

If you permit a larger key length then it may break an existing
implementation that assumes that the the keylength is X/8. It would
break mine for example but I can fix that. 

I can't comment on whether the above implementations assume X/8, can
anyone else? If no one knows then I can do some tests and post the
results back here.

As for this being more complicated to code and test I'd say that depends
on the implementation. Currently, for example, SSLeay would need some
modification to support option 2 with its envelope routines whereas
option 1 is already supported.

There is a standard that that sort of defines it. The standard I'm
referring to is PKCS#12 password based encryption. In this case the
keylength is specifically implied by the algorithm as X/8.

Since my original message I've thought of something else...

If option 2 is taken then what should the fixed keylength be? If we set
it as (for example) 128 bits then that restricts anyone who wishes to
use more. So you couldn't just say "fixed keylength" you'd have to say
for example: "the keylength is rounded up to the nearest multiple of 16
to X/8". One conclusion to this is, of course, you might as well have a
variable key length to begin with. 

There is a third option: include the keylength in the CMS as an OPTIONAL
parameter with a default of, say, X/8 if not present.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson@drh-consultancy.demon.co.uk
PGP key: via homepage.



Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id DAA14406 for ietf-smime-bks; Tue, 1 Sep 1998 03:02:36 -0700 (PDT)
Received: from nic.incolumitas.se (nic.incolumitas.se [194.52.80.4]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id DAA14402 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 03:02:33 -0700 (PDT)
Received: (from jang@localhost) by nic.incolumitas.se (8.8.7/8.8.7) id MAA15706; Tue, 1 Sep 1998 12:07:53 +0200 (MET DST)
To: ietf-smime@imc.org
Subject: OPTION 1: RC2 Key Length X/8
From: jang@incolumitas.se (Jan Garefelt)
Date: 01 Sep 1998 12:07:52 +0200
Message-ID: <y0fn28kdu2v.fsf@nic.incolumitas.se>
Lines: 0
X-Mailer: Gnus v5.5/Emacs 20.3
Sender: owner-ietf-smime@imc.org
Precedence: bulk


Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id CAA14135 for ietf-smime-bks; Tue, 1 Sep 1998 02:03:57 -0700 (PDT)
Received: from titanium.sge.net (titanium.sge.net [152.91.9.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id CAA14131 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 02:03:54 -0700 (PDT)
Received: (from uucp@localhost) by titanium.sge.net (8.8.5/8.8.5) id TAA18498; Tue, 1 Sep 1998 19:06:59 +1000 (EST)
Received: from kryptonite.sge.net(10.1.2.11) by titanium.sge.net via smap (3.2) id xma018477; Tue, 1 Sep 98 19:06:48 +1000
Received: from amber (ice-int2.sge.net [10.1.2.254]) by kryptonite.sge.net (8.8.8/8.8.8) with SMTP id TAA14498; Tue, 1 Sep 1998 19:06:48 +1000 (EST)
Date: Mon, 31 Aug 1998 10:09:44 -0400
Message-Id: <199808311409.KAA04784@ajsn101.jgvandyke.com>
X-Sender: jsp@ajsn101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Koujirou Wakabayashi <t93512kw@sfc.keio.ac.jp>, ietf-smime@imc.org
From: jsp@jgvandyke.com (John Pawling)
Subject: Re: 42nd meeting
Sender: owner-ietf-smime@imc.org
Precedence: bulk

--AAA08737.904575102/kryptonite.sge.net--




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA13631 for ietf-smime-bks; Tue, 1 Sep 1998 00:23:53 -0700 (PDT)
Received: from titanium.sge.net (titanium.sge.net [152.91.9.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA13627 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 00:23:50 -0700 (PDT)
Received: (from uucp@localhost) by titanium.sge.net (8.8.5/8.8.5) id RAA15105 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 17:27:55 +1000 (EST)
Received: from kryptonite.sge.net(10.1.2.11) by titanium.sge.net via smap (3.2) id xma014965; Tue, 1 Sep 98 17:27:23 +1000
Received: from amber (ice-int2.sge.net [10.1.2.254]) by kryptonite.sge.net (8.8.8/8.8.8) with SMTP id RAA04829 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 17:27:17 +1000 (EST)
Message-Id: <199808310829.RAA09740@ccz00.sfc.keio.ac.jp>
To: ietf-smime@imc.org
Subject: 42nd meeting
Date: Mon, 31 Aug 1998 17:29:48 +0900
From: Koujirou Wakabayashi <t93512kw@sfc.keio.ac.jp>
Sender: owner-ietf-smime@imc.org
Precedence: bulk

--TAA23930.904555102/kryptonite.sge.net--




Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id AAA13569 for ietf-smime-bks; Tue, 1 Sep 1998 00:16:14 -0700 (PDT)
Received: from titanium.sge.net (titanium.sge.net [152.91.9.2]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id AAA13565 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 00:16:11 -0700 (PDT)
Received: (from uucp@localhost) by titanium.sge.net (8.8.5/8.8.5) id RAA12545 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 17:20:16 +1000 (EST)
Received: from kryptonite.sge.net(10.1.2.11) by titanium.sge.net via smap (3.2) id xma012226; Tue, 1 Sep 98 17:20:01 +1000
Received: from amber (ice-int2.sge.net [10.1.2.254]) by kryptonite.sge.net (8.8.8/8.8.8) with SMTP id RAA01874 for <ietf-smime@imc.org>; Tue, 1 Sep 1998 17:20:01 +1000 (EST)
Message-Id: <199808310812.RAA13603@robotmail.ne.jp>
X-Authentication-Warning: robotmail.ne.jp: oracle set sender to profile@mail.dddd.ne.jp using -f
X-RM-Status: 9
X-RM-GetFrom: Sent
Date: Mon, 31 Aug 1998 17:12:19 +0900 (JST)
From: "=?ISO-2022-JP?B?GyRCPGNOUxsoQg==?= =?ISO-2022-JP?B?GyRCOSc8IU86GyhC?=" <profile@mail.dddd.ne.jp>
To: ietf-smime@imc.org
Subject: 42nd meeting
MIME-version: 1.0
X-Mailer: RobotMail ver. 1.0 b6
X-URL: http://robotmail.ne.jp/
X-Message: ------ This mail was sent by RobotMail. -----
Content-type: text/plain
Sender: owner-ietf-smime@imc.org
Precedence: bulk

--TAA23521.904554737/kryptonite.sge.net--