Input to content-encryption process in CMS

luciano.medina@safelayer.com Wed, 21 May 2003 17:33 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA29250 for <smime-archive@lists.ietf.org>; Wed, 21 May 2003 13:33:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGxYAF041397 for <ietf-smime-bks@above.proper.com>; Wed, 21 May 2003 09:59:34 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4LGxYEL041396 for ietf-smime-bks; Wed, 21 May 2003 09:59:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from yuha.menta.net (yuha.menta.net [212.78.128.42]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGxWAF041391 for <ietf-smime@imc.org>; Wed, 21 May 2003 09:59:33 -0700 (PDT) (envelope-from luciano.medina@safelayer.com)
Received: from gibson.menta.net ([212.78.128.22]) by yuha.menta.net (Netscape Messaging Server 4.15) with ESMTP id HF8XX401.BH6 for <ietf-smime@imc.org>; Wed, 21 May 2003 19:00:40 +0200
Received: from bcn.safelayer.com ([212.78.132.129]) by gibson.menta.net (Netscape Messaging Server 4.15 gibson Mar 14 2002 21:29:48) with ESMTP id HF8Y1201.CHC for <ietf-smime@imc.org>; Wed, 21 May 2003 19:03:02 +0200
Subject: Input to content-encryption process in CMS
To: ietf-smime@imc.org
X-Mailer: Lotus Notes Release 5.0.4 June 8, 2000
Message-ID: <OF05CB5048.BA32C3EC-ONC1256D2D.00557D54@safelayer.com>
From: luciano.medina@safelayer.com
Date: Wed, 21 May 2003 19:00:49 +0200
X-MIMETrack: Serialize by Router on Bcn/SFLY(Release 5.0.12 |February 13, 2003) at 21/05/2003 19:00:50
MIME-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

In section 6.3 "Content-encryption Process" of obsolete RFC 2630
"Cryptographic Message Syntax (CMS)", the second paragraph describes the
input to the content-encryption process. It is resumed in the sentence:
    The input to the content-encryption process is the "value" of the
content being enveloped

There was some discussion on this topic between Russ Housley and John
Pawling on the mailing list. The latter wrote:
      29) Section 6.3, para 2:  You want to preserve the following
sentence: "The
      input to the content-encryption process is the "value" of the content
being
      enveloped."  In my opinion, this sentence is not needed and is
confusing.
      For example, when encrypting an ASN.1 encoded content, an implementer
might
      interpret this statement to mean that the tag and length octets of
the ASN.1
      encoded content should not be encrypted.  I still believe that the
first
      paragraph is fine [..] and that the second paragraph should be
deleted.

Finally, the second paragraph of section 6.3 was removed in the new RFC
3369, and no mention to the input of the content-encryption process
remains.

From John's words, I understand that if we want to nest a SignedData into
an EnvelopedData, we shall encrypt the whole BER encoded SignedData
(including tag and length octets). This is incompatible with PKCS#7 (RFC
2315), where it is clearly stated that only the content octets of the BER
encoding are encrypted.
I need to be sure that this is the intended meaning, because there is a
whole section (5.2.1) in RFC 3369 explaining the incompatibility of
SignedData in CMS and PKCS#7, but nothing is said about the incompatibility
of encrypted contents.