Re: Comments on SecLabel draft

Nicolls <nicolls@anet.com> Tue, 18 April 2000 04:21 UTC

Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA15743 for <smime-archive@odin.ietf.org>; Tue, 18 Apr 2000 00:21:54 -0400 (EDT)
Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id UAA05317 for ietf-smime-bks; Mon, 17 Apr 2000 20:40:30 -0700 (PDT)
Received: from zeus.anet-chi.com (root@zeus.anet-chi.com [207.7.4.6]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA05312 for <ietf-smime@imc.org>; Mon, 17 Apr 2000 20:40:29 -0700 (PDT)
Received: from anet.com (as1-96.chi.il.dial.anet.com [198.92.156.96]) by zeus.anet-chi.com (8.9.3/spamfix) with ESMTP id WAA23936; Mon, 17 Apr 2000 22:44:20 -0500 (CDT)
Message-ID: <38FBD9BB.A3A02127@anet.com>
Date: Mon, 17 Apr 2000 22:42:52 -0500
From: Nicolls <nicolls@anet.com>
X-Mailer: Mozilla 4.61 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: jimsch@nwlink.com
CC: ietf-smime@imc.org
Subject: Re: Comments on SecLabel draft
References: <38e20272.3756.0@nwlink.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Jim

Thanks for your comments and questions. My responses are below >>

Jim Schaad wrote:

> SecLabel
>
> 1.  Section 1 P2 - Security labels cannot be bound to an encrypted body, only
> to a signed message.

> >> Yes.  Will reword to state that they may be included in the signed attributes
> of any
>    SignedData object.

> 2.  Please give more text explaining the difference between rank and role based
> security.  From the current description they look like the same to me.

> >> Yes, more explaination is needed.  The main different is that rank based AC is
> hierarchical while role based is not necessarily (which isnt what I wrote).
> Roles can be defined without regard to a hierarchy.  Better examples of roles
> such as  DB Administrator or Network Admin and Shipper Purchaser, which do not
> imply a hierarchy but can have their own set of information that only holders of
> that role may have access.  Another way of explaining the difference can be that
> Rank based AC is based on who you are while Role based AC is based on what you
> do.

> 3.  The Amoco policy description is not clear.  From the text I assumed that
> the confidentiality and integrity were orthogonal axis for make decisions (thus
> leading to 9 items).  Based on the conversation with you this is not true as
> the policy is choose one of the axis and then the point on the axis.  The text
> should be clarified as to which is correct.

> >> Yes, the confidentiality and integrity polices are independent so either or
> both may be chosen.  I'll add wording to 2.1.1.  I think it is also appropriate
> to remove the integrity policy values from the security classification section
> (2.2.1.2) and clearance section (2.2.2).  Integrity does not effect access
> control.  It belongs in the privacy mark section, if anywhere.

> 4. Typo - Section 1.2 last para - "while he outer signature" should be "while
> the".

>>  Yes.

> 5.  Section 2.2.1.3 -- I don't think that one should provide a syntax for the
> privacy marks.  However giving a couple of the privacy marks or guidelines from
> the policy on writting them might be useful.  Given that a privacy mark is a
> UTF8 string in the syntax, no addtional ASN syntax is really possible.

> >> Agree. Will see about on examples or guidelines.
>
> 6.  You say that categories are used informally, however without knowning how
> they would be used or specified I cannot even hope to offer syntax suggestions.
>  Given that they are informal why would they not be marked as privacy labels.
>  If they are categories then I would expect the policy module to do enforcement
> thus being informal would cause some difficulties.

>>  I meant that categories are not formally defined in the information security
policies but are used in the organization.  Project or organizations do define
their own category to limit access to data to members of an organization or a
project.  Once defined, then they are formal and are to be enforced

>> So the owner of the classification policy allows departments to define security
categories that are bound to the classification policy. A category "HR Department"
could be defined under the Company ABC classification policy OID and
CompanyABC-SecurityCategory (1) could become "HR Department Only".  Then
CompanyABC-Project NextGreatestWasher could become bound to category (2) and so
on.  The hard part being how the application knows what categories are being used
and what to display to the user.

>> As far as a syntax, would a new OID need to be defined for each category?  Does
the syntax just need to provide the application with the text to display to the
user?

> 7.  I suggest that you name Clearance in the ASN sections to be XxxxSection.
> a nd the same for the other top level items.
>

>> Will fix numbering for section 2.2.2.

>> Weston





Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id UAA05317 for ietf-smime-bks; Mon, 17 Apr 2000 20:40:30 -0700 (PDT)
Received: from zeus.anet-chi.com (root@zeus.anet-chi.com [207.7.4.6]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA05312 for <ietf-smime@imc.org>; Mon, 17 Apr 2000 20:40:29 -0700 (PDT)
Received: from anet.com (as1-96.chi.il.dial.anet.com [198.92.156.96]) by zeus.anet-chi.com (8.9.3/spamfix) with ESMTP id WAA23936; Mon, 17 Apr 2000 22:44:20 -0500 (CDT)
Message-ID: <38FBD9BB.A3A02127@anet.com>
Date: Mon, 17 Apr 2000 22:42:52 -0500
From: Nicolls <nicolls@anet.com>
X-Mailer: Mozilla 4.61 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: jimsch@nwlink.com
CC: ietf-smime@imc.org
Subject: Re: Comments on SecLabel draft
References: <38e20272.3756.0@nwlink.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Jim

Thanks for your comments and questions. My responses are below >>

Jim Schaad wrote:

> SecLabel
>
> 1.  Section 1 P2 - Security labels cannot be bound to an encrypted body, only
> to a signed message.

> >> Yes.  Will reword to state that they may be included in the signed attributes
> of any
>    SignedData object.

> 2.  Please give more text explaining the difference between rank and role based
> security.  From the current description they look like the same to me.

> >> Yes, more explaination is needed.  The main different is that rank based AC is
> hierarchical while role based is not necessarily (which isnt what I wrote).
> Roles can be defined without regard to a hierarchy.  Better examples of roles
> such as  DB Administrator or Network Admin and Shipper Purchaser, which do not
> imply a hierarchy but can have their own set of information that only holders of
> that role may have access.  Another way of explaining the difference can be that
> Rank based AC is based on who you are while Role based AC is based on what you
> do.

> 3.  The Amoco policy description is not clear.  From the text I assumed that
> the confidentiality and integrity were orthogonal axis for make decisions (thus
> leading to 9 items).  Based on the conversation with you this is not true as
> the policy is choose one of the axis and then the point on the axis.  The text
> should be clarified as to which is correct.

> >> Yes, the confidentiality and integrity polices are independent so either or
> both may be chosen.  I'll add wording to 2.1.1.  I think it is also appropriate
> to remove the integrity policy values from the security classification section
> (2.2.1.2) and clearance section (2.2.2).  Integrity does not effect access
> control.  It belongs in the privacy mark section, if anywhere.

> 4. Typo - Section 1.2 last para - "while he outer signature" should be "while
> the".

>>  Yes.

> 5.  Section 2.2.1.3 -- I don't think that one should provide a syntax for the
> privacy marks.  However giving a couple of the privacy marks or guidelines from
> the policy on writting them might be useful.  Given that a privacy mark is a
> UTF8 string in the syntax, no addtional ASN syntax is really possible.

> >> Agree. Will see about on examples or guidelines.
>
> 6.  You say that categories are used informally, however without knowning how
> they would be used or specified I cannot even hope to offer syntax suggestions.
>  Given that they are informal why would they not be marked as privacy labels.
>  If they are categories then I would expect the policy module to do enforcement
> thus being informal would cause some difficulties.

>>  I meant that categories are not formally defined in the information security
policies but are used in the organization.  Project or organizations do define
their own category to limit access to data to members of an organization or a
project.  Once defined, then they are formal and are to be enforced

>> So the owner of the classification policy allows departments to define security
categories that are bound to the classification policy. A category "HR Department"
could be defined under the Company ABC classification policy OID and
CompanyABC-SecurityCategory (1) could become "HR Department Only".  Then
CompanyABC-Project NextGreatestWasher could become bound to category (2) and so
on.  The hard part being how the application knows what categories are being used
and what to display to the user.

>> As far as a syntax, would a new OID need to be defined for each category?  Does
the syntax just need to provide the application with the text to display to the
user?

> 7.  I suggest that you name Clearance in the ASN sections to be XxxxSection.
> a nd the same for the other top level items.
>

>> Will fix numbering for section 2.2.2.

>> Weston




Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id HAA02965 for ietf-smime-bks; Mon, 17 Apr 2000 07:45:57 -0700 (PDT)
Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.110]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA02959 for <ietf-smime@imc.org>; Mon, 17 Apr 2000 07:45:52 -0700 (PDT)
Received: from era-t.ericsson.se (koff.ericsson.se [147.214.173.137]) by penguin.wise.edt.ericsson.se (8.9.3/8.9.3/WIREfire-1.5) with SMTP id QAA24956; Mon, 17 Apr 2000 16:45:37 +0200 (MET DST)
Received: from ericsson.com by era-t.ericsson.se (SMI-8.6/LME-DOM-2.2.5(ERA/T)) id QAA09597; Mon, 17 Apr 2000 16:45:35 +0200
Message-ID: <38FB23C7.F61925E0@ericsson.com>
Date: Mon, 17 Apr 2000 16:46:31 +0200
From: Luis Barriga <Luis.Barriga@ericsson.com>
Reply-To: Luis.Barriga@era-t.ericsson.se
Organization: Ericsson Radio Systems
X-Mailer: Mozilla 4.7 [en] (Win98; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: IETF SMIME List <ietf-smime@imc.org>
CC: William Ottaway <w.ottaway@eris.dera.gov.uk>
Subject: Re: Domain-to-point security services & DOMSEC
References: <000601bfa5fd$636f2300$110a6280@wottaway.eris.dera.gov.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Bill,

DOMSEC covers partially the requirements I described. Below, I explain
why and at the end I list where DOMSEC should be updated to fully
address all requirements.

DOMSEC addresses the case when an individual encrypts for a recipient's
domain and the DCA decrypts. I call this case point2domain requirement.
What I think is missing is the domain2point requirement. In this case
the domain Company.Com needs to send secure mail to one of its members
A@Company.Com, who is on the Internet reachable as A@ISP.Com. Note that
ISP.Com is considered an unstrusted domain from the Company's
perspective.

The DOMSEC draft has a very generic phrase "Messages may be encrypted
for decryption by the final recipient and/or by a DCA in the recipient's
domain". This seems to cover both point2domain and domain2point, but it
actually handles in detail only point2domain.

What I would like to see an explicit domain2point requirement, with a
more clear description how this is achieved. What I'm aiming at is that
the email from an intranet user sender@Company.Com would be encrypted by
the DCA for a recipient A@Company.Com on behalf of the sender *using the
recipient's A@Company.Com cert*. Optionally the DCA would put a domain
signature. The resulting SMIME object would then be sent to A@ISP.Com. A
mismatch between A@ISP.Com and A@Company.Com has to be solved.

The following sections should be extended:

o Abstract
 - focuses on domain interoperation. Should consider domain2point.

1. Introduction
 - there are 4 issues named and the 3rd one is about PKI deployment
issues for certification paths between organizations. The domain2point
requirement is not named. The issue here is that the sender on the
Intranet can't PKI/SMIME or there is a security policy restricting it.

2.4 Domain Encryption and Decryption
  - The definition of domain encryption excludes the domain2point case,
because it assumes a domain2domain or point2domain scenario. Domain
encryption should be defined to also include the case of encryption on
behalf of a sender *using the recipient's cert*.

4. Encryption and Decryption
  - still focused on point2domain. Should consider domain2point.

4.2 Key Management for Domain Encryption
  - The key used here is a domain key which is ok for point2domain. This
section should also consider domain2point where the encryption key is
the recipient's key.

4.3. Key Management for Domain Decryption
  - This section has been written to complete 4.2. A small caveat should
probably be needed to say that no domain decryption applies for
domain2point.

--------
Luis Barriga
Ericsson Reseach
         
William Ottaway wrote:
> 
> Hi Luis,
> 
> I believe the scenario you describe is handled in a DOMSEC environment. In
> fact this is exactly the type of scenario that drove us to produce the
> DOMSEC ID.
> 
> Section 4 of DOMSEC describes a domain and/or an individual being able to
> encrypt for a recipient or the recipient's domain (DCA - Domain
> Confidentiality Authority): -
> 
> "Messages may be encrypted for decryption by the final recipient and/or by a
> DCA in the recipient's domain."
> 
> In your scenario the originator would send a message to the intended
> recipient as usual but the originator or the originator's domain encrypts
> the message so that the recipients domain (DCA) can decrypt it.  We think
> this is covered by section 4:
> 
> * Section 4.1 describes a naming convention that must be followed so that
> the certificate for the recipient's domain can be identified.
> 
> * Section 4.3 describes how a DCA decrypts a message that has been encrypted
> by an originator and/or an originator's domain.
> 
> After re-reading this section we have changed it slightly to aid clarity,
> and (hopefully!) to make it more clear that we are covering the scenario you
> describe:
> 
> -- Begin new section 4.3
> 
> "4.3 Key Management for Domain Decryption
> 
> Domain decryption uses a domain-wide decryption key from the recipient's
> domain. This key is owned by the DCA for the recipient domain. In order for
> an encrypting process to locate the correct key, the certificate
> corresponding to the DCA in the recipient's domain must be located. This is
> achieved using the naming conventions specified in 4.1. It is vital that
> these conventions are adhered to, in order to maintain confidentiality.
> 
> It should be noted that domain decryption can be performed on messages
> encrypted by the originator and/or by a DCA in the originator's domain.
> In the first case, the encryption process is described in CMS [5]; in the
> second case, the encryption process is described in 4.2.
> 
> No specific method for locating this certificate is mandated in this
> document. An implementation may choose to access a local certificate store
> to locate the correct certificate. Alternatively, a directory may be used in
> one of the following ways:
> 
> 1. The directory may store the DCA certificate in the recipient's directory
> entry. When the user certificate attribute is requested, this certificate is
> returned.
> 
> 2. The encrypting agent maps the recipient's name to the DCA name in the
> manner specified in 4.1. The user certificate attribute associated with this
> directory entry is then obtained.
> 
> This document does not mandate either of these processes. Whichever one is
> used, the name mapping conventions must be adhered to, in order to maintain
> confidentiality.
> 
> Having located the correct certificate, the encryption process is then
> performed. A recipientInfo for the DCA is then generated, as described in
> CMS [5]."
> 
> -- End new section 4.3
> 
> We see DOMSEC as a means of describing the building blocks required to
> provide secure messaging between individuals and domains using S/MIME. How
> these blocks are integrated into real systems is very much a policy matter
> and consequently we do not go into this realm within DOMSEC.
> 
> To summarise, we believe your scenario is covered by DOMSEC. Do you agree?
> Is further clarification needed? If so where?
> 
> Bill.
> 
> > -----Original Message-----
> > From: owner-ietf-smime@mail.imc.org
> > [mailto:owner-ietf-smime@mail.imc.org]On Behalf Of Luis Barriga
> > Sent: 11 April 2000 15:16
> > To: IETF SMIME List
> > Subject: Domain-to-point security services & DOMSEC
> >
> >
> > I have a common scenario that I believe should be addressed within this
> > group. I'll refer to it as domain-to-point secure messaging and it looks
> > as follows:
> >
> > A user A@ISP.com wishes to communicate *securely* with a another user
> > B@Company.com. The user B@Company.com doesn't have a cert (or if he does
> > A@ISP.com doesn't know it). I see this as a common case, when companies
> > start migrating to PKI and:
> >
> > (1) A@ISP.com is actually a user A@Company.com, who has temporarily left
> > his corporate premises and has a public email account at an POP/IMAP
> > service provider. A wants to exchange email securely with colleagues at
> > the Company, but not all of them have certs.
> >
> > (2) A@ISP.com is an external user with no association with
> > Corporate.Com, but who wants to send important secure email to
> > B@Company.com. A@ISP.com can't access the Company's PKI.
> >
> > To solve this, the Company can deploy a domain securiy service, sort of
> > S/MIME proxy with public cert associated with Smime-proxy@Company.com.
> > The user A@ISP.com (the point) could then send S/MIME to this proxy (the
> > domain) with request to forward the email to the end user B@Company.com.
> > If A also has a cert, then B can reply securely directly or via the
> > S/MIME proxy, provided that the proxy has access to the A's PKI
> > (Company.Com or ISP.com)
> >
> > BTW, this scheme also allows users to store corporate email on
> > unstrusted public POP/IMAP services providers. It can also be used for
> > secure mailing lists and cert distribution.
> >
> > My question to You folks is:
> >
> > 1. Is there enough interest out there to work towards a draft?
> >
> > 2. It seems that this falls within the DOMSEC draft, but the scenario
> > above is not explicitly addressed. Any opinion on this?
> >
> > 3. Anybody else done something similar?
> >
> > ------
> > Luis Barriga
> > Ericsson Research
> >


Received: by ns.secondary.com (8.9.3/8.9.3) id VAA19811 for ietf-smime-bks; Sun, 16 Apr 2000 21:14:37 -0700 (PDT)
Received: from www.pressmedia.com.pl ([195.117.30.142]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA19807 for <ietf-smime@mail.proper.com>; Sun, 16 Apr 2000 21:14:35 -0700 (PDT)
Message-Id: <200004170414.VAA19807@ns.secondary.com>
Received: from kllklk (ip217.providence11.ri.pub-ip.psi.net [38.26.242.217]) by www.pressmedia.com.pl with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 28K9CBBJ; Mon, 17 Apr 2000 06:18:00 +0200
From: "Harry Trent" <jmb99@newmail.net>
Subject: Investment Marketing is Here!
To: invest28d
X-Mailer: Microsoft Outlook Express 4.72.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V(null).1712.3
Mime-Version: 1.0
Date: Sun, 16 Apr 2000 23:37:00 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id VAA19808
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Use Investment Marketing to promote whatever investment ideas you
have to 
increase stock growth.
 
Investment Marketing uses mailings to get your ideas out there to the
people who want to read them and USE them for capital gains.
 
Our extensive lists of quality leads are compiled of people who have
asked to receive mail.
 
We use only state-of-the-art promotional software and do
all of the work for you.  You won't need any special software
or hardware.  Just send us your advertisement or HOT INVESTMENT TIP 
and we will send you an e-mail with the time and date when the
marketing mail will be sent.  Then you just keep a close eye on the
stock you picked
and watch it GROW!
 
 

Please call 401-433-5811 for more information and our rates.
 
Thank you,
Investment Marketing Specialists 

/////////////////////////////////////////////////////////////////////
///
Please remove at:
mailto:brir7@netscape.net?subject=remove
/////////////////////////////////////////////////////////////////////
///





Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07382 for ietf-smime-bks; Fri, 14 Apr 2000 16:00:30 -0700 (PDT)
Received: from cane.deming.com (mail.deming.com [208.236.41.137]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id QAA07378 for <ietf-smime@imc.org>; Fri, 14 Apr 2000 16:00:29 -0700 (PDT)
Received: from 208.236.41.137 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v4.3); Fri, 14 Apr 00 16:03:49 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by mail.deming.com with Internet Mail Service (5.5.2650.21) id <H63WR71L>; Fri, 14 Apr 2000 16:03:49 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C594FB4F@mail.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@tumbleweed.com>
To: "'jimsch@nwlink.com'" <jimsch@nwlink.com>, ietf-smime@imc.org
Subject: RE: draft-ietf-smime-idea-03
Date: Fri, 14 Apr 2000 16:03:48 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-WSS-ID: 14E97C5F83985-01-01
Content-Type: text/plain;  charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Agree.  I think this should be 300D at the beginning, and trim the last two
bytes off of both examples.

Blake

-----Original Message-----
From: Jim Schaad [mailto:jimsch@nwlink.com]
Sent: Friday, April 14, 2000 12:35 AM
To: ietf-smime@imc.org
Subject: draft-ietf-smime-idea-03


The S/MIME Capability sequences appear to be wrong.  In section 4 paragraph
2,
the text states that the parameters field must be absent, however the
encoding
sequence given has the parameters encoded as NULL.  The same is true in
paragraph
3 of the same section.

jim
http://www.nwlink.com



Received: by ns.secondary.com (8.9.3/8.9.3) id PAA06967 for ietf-smime-bks; Fri, 14 Apr 2000 15:31:17 -0700 (PDT)
Received: from smtp.nwlink.com (smtp.nwlink.com [209.20.130.57]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA06963 for <ietf-smime@imc.org>; Fri, 14 Apr 2000 15:31:16 -0700 (PDT)
Received: from nwlink.com (listserv.nwlink.com [209.20.130.70]) by smtp.nwlink.com (8.9.3/8.9.3) with SMTP id PAA28123 for <ietf-smime@imc.org>; Fri, 14 Apr 2000 15:35:06 -0700 (PDT)
From: "Jim Schaad" <jimsch@nwlink.com>
Reply-to: jimsch@nwlink.com
To: ietf-smime@imc.org
Date: Fri, 14 Apr 2000 15:35:06 +0800
Subject: draft-ietf-smime-idea-03
Message-id: <38f79d1a.7668.0@nwlink.com>
X-User-Info: 203.108.193.31
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

The S/MIME Capability sequences appear to be wrong.  In section 4 paragraph 2,
the text states that the parameters field must be absent, however the encoding
sequence given has the parameters encoded as NULL.  The same is true in paragraph
3 of the same section.

jim
http://www.nwlink.com


Received: by ns.secondary.com (8.9.3/8.9.3) id IAA29917 for ietf-smime-bks; Fri, 14 Apr 2000 08:19:05 -0700 (PDT)
Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA29913 for <ietf-smime@imc.org>; Fri, 14 Apr 2000 08:19:00 -0700 (PDT)
Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id DAA13315 for <ietf-smime@imc.org>; Sat, 15 Apr 2000 03:22:40 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <95572576004216>; Sat, 15 Apr 2000 03:22:40 (NZST)
From: pgut001@cs.aucKland.ac.nz (Peter Gutmann)
To: ietf-smime@imc.org
Subject: Re: id-ct-compressedData vs id-ct-publishCert
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz
Date: Sat, 15 Apr 2000 03:22:40 (NZST)
Message-ID: <95572576004216@kahu.cs.auckland.ac.nz>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Maxim Masiutin <max@ritlabs.com> writes:

> id-ct-compressedData from draft-ietf-smime-compression-00.txt and
> id-ct-publishCert from draft-ietf-smime-certdist-04.txt has same OID

I posted a comment on this here a fortnight ago (in fact it was in reply to
a message from you), the id-ct-compressedData value was chosen when there was 
nothing else occupying that slot, it's now:

  id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 7 }

(which was free as of the time of the previous posting).

Peter.



Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id DAA23982 for ietf-smime-bks; Fri, 14 Apr 2000 03:33:49 -0700 (PDT)
Received: from ns0.eris.dera.gov.uk (ns0.eris.dera.gov.uk [128.98.1.1]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id DAA23977 for <ietf-smime@imc.org>; Fri, 14 Apr 2000 03:33:47 -0700 (PDT)
Received: (qmail 23597 invoked from network); 14 Apr 2000 10:37:30 -0000
Received: from unknown (HELO mail-relay.eris.dera.gov.uk) (128.98.2.7) by ns0.eris.dera.gov.uk with SMTP; 14 Apr 2000 10:37:30 -0000
Received: (qmail 15584 invoked from network); 14 Apr 2000 10:37:29 -0000
Received: from wottoway.eris.dera.gov.uk (HELO wottaway.eris.dera.gov.uk) (128.98.10.17) by mail-relay.eris.dera.gov.uk with SMTP; 14 Apr 2000 10:37:29 -0000
From: "William Ottaway" <w.ottaway@eris.dera.gov.uk>
To: <Luis.Barriga@ericsson.com>, "IETF SMIME List" <ietf-smime@imc.org>
Subject: RE: Domain-to-point security services & DOMSEC
Date: Fri, 14 Apr 2000 11:37:10 +0100
Message-ID: <000601bfa5fd$636f2300$110a6280@wottaway.eris.dera.gov.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0
In-Reply-To: <38F33394.CB5A17F8@verkstad.net>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2120.0
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Hi Luis,

I believe the scenario you describe is handled in a DOMSEC environment. In
fact this is exactly the type of scenario that drove us to produce the
DOMSEC ID.

Section 4 of DOMSEC describes a domain and/or an individual being able to
encrypt for a recipient or the recipient's domain (DCA - Domain
Confidentiality Authority): -

"Messages may be encrypted for decryption by the final recipient and/or by a
DCA in the recipient's domain."

In your scenario the originator would send a message to the intended
recipient as usual but the originator or the originator's domain encrypts
the message so that the recipients domain (DCA) can decrypt it.  We think
this is covered by section 4:

* Section 4.1 describes a naming convention that must be followed so that
the certificate for the recipient's domain can be identified.

* Section 4.3 describes how a DCA decrypts a message that has been encrypted
by an originator and/or an originator's domain.

After re-reading this section we have changed it slightly to aid clarity,
and (hopefully!) to make it more clear that we are covering the scenario you
describe:

-- Begin new section 4.3

"4.3 Key Management for Domain Decryption

Domain decryption uses a domain-wide decryption key from the recipient's
domain. This key is owned by the DCA for the recipient domain. In order for
an encrypting process to locate the correct key, the certificate
corresponding to the DCA in the recipient's domain must be located. This is
achieved using the naming conventions specified in 4.1. It is vital that
these conventions are adhered to, in order to maintain confidentiality.

It should be noted that domain decryption can be performed on messages
encrypted by the originator and/or by a DCA in the originator's domain.
In the first case, the encryption process is described in CMS [5]; in the
second case, the encryption process is described in 4.2.

No specific method for locating this certificate is mandated in this
document. An implementation may choose to access a local certificate store
to locate the correct certificate. Alternatively, a directory may be used in
one of the following ways:

1. The directory may store the DCA certificate in the recipient's directory
entry. When the user certificate attribute is requested, this certificate is
returned.

2. The encrypting agent maps the recipient's name to the DCA name in the
manner specified in 4.1. The user certificate attribute associated with this
directory entry is then obtained.

This document does not mandate either of these processes. Whichever one is
used, the name mapping conventions must be adhered to, in order to maintain
confidentiality.

Having located the correct certificate, the encryption process is then
performed. A recipientInfo for the DCA is then generated, as described in
CMS [5]."

-- End new section 4.3

We see DOMSEC as a means of describing the building blocks required to
provide secure messaging between individuals and domains using S/MIME. How
these blocks are integrated into real systems is very much a policy matter
and consequently we do not go into this realm within DOMSEC.


To summarise, we believe your scenario is covered by DOMSEC. Do you agree?
Is further clarification needed? If so where?

Bill.

> -----Original Message-----
> From: owner-ietf-smime@mail.imc.org
> [mailto:owner-ietf-smime@mail.imc.org]On Behalf Of Luis Barriga
> Sent: 11 April 2000 15:16
> To: IETF SMIME List
> Subject: Domain-to-point security services & DOMSEC
>
>
> I have a common scenario that I believe should be addressed within this
> group. I'll refer to it as domain-to-point secure messaging and it looks
> as follows:
>
> A user A@ISP.com wishes to communicate *securely* with a another user
> B@Company.com. The user B@Company.com doesn't have a cert (or if he does
> A@ISP.com doesn't know it). I see this as a common case, when companies
> start migrating to PKI and:
>
> (1) A@ISP.com is actually a user A@Company.com, who has temporarily left
> his corporate premises and has a public email account at an POP/IMAP
> service provider. A wants to exchange email securely with colleagues at
> the Company, but not all of them have certs.
>
> (2) A@ISP.com is an external user with no association with
> Corporate.Com, but who wants to send important secure email to
> B@Company.com. A@ISP.com can't access the Company's PKI.
>
> To solve this, the Company can deploy a domain securiy service, sort of
> S/MIME proxy with public cert associated with Smime-proxy@Company.com.
> The user A@ISP.com (the point) could then send S/MIME to this proxy (the
> domain) with request to forward the email to the end user B@Company.com.
> If A also has a cert, then B can reply securely directly or via the
> S/MIME proxy, provided that the proxy has access to the A's PKI
> (Company.Com or ISP.com)
>
> BTW, this scheme also allows users to store corporate email on
> unstrusted public POP/IMAP services providers. It can also be used for
> secure mailing lists and cert distribution.
>
> My question to You folks is:
>
> 1. Is there enough interest out there to work towards a draft?
>
> 2. It seems that this falls within the DOMSEC draft, but the scenario
> above is not explicitly addressed. Any opinion on this?
>
> 3. Anybody else done something similar?
>
> ------
> Luis Barriga
> Ericsson Research
>



Received: by ns.secondary.com (8.9.3/8.9.3) id HAA21692 for ietf-smime-bks; Thu, 13 Apr 2000 07:22:23 -0700 (PDT)
Received: from gate.ritlabs.com (IDENT:root@gw-ritlabs.mldnet.com [212.56.195.233]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA21688; Thu, 13 Apr 2000 07:22:15 -0700 (PDT)
Received: from ritlabs250.mldnet.com (max [212.56.194.250]) by gate.ritlabs.com (8.8.8/8.8.8) with ESMTP id RAA24796; Thu, 13 Apr 2000 17:28:34 +0300
Date: Thu, 13 Apr 2000 17:25:51 +0300
From: Maxim Masiutin <max@ritlabs.com>
X-Mailer: The Bat! (v1.42 Beta/17)
Organization: RIT Research Labs
X-Priority: 3 (Normal)
Message-ID: <169195212875.20000413172551@ritlabs.com>
To: ietf-pkix@imc.org, ietf-smime@imc.org
Subject: id-ct-compressedData vs id-ct-publishCert
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Hello!

  id-ct-compressedData from draft-ietf-smime-compression-00.txt and
  id-ct-publishCert from draft-ietf-smime-certdist-04.txt has same OID

  In draft-ietf-smime-compression-00.txt, it is defined as

iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 3

  In draft-ietf-smime-certdist-04.txt, it is defined as

iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-ct(1) 3

  which is same. I've found it confusing; I would like go get a solution
  from the authors of drafts above mentioned.


-- 
Maxim Masiutin,
Software Engineer
RIT Research Labs  http://www.ritlabs.com/




Received: by ns.secondary.com (8.9.3/8.9.3) id GAA20710 for ietf-smime-bks; Thu, 13 Apr 2000 06:44:40 -0700 (PDT)
Received: from gate.ritlabs.com (IDENT:root@gw-ritlabs.mldnet.com [212.56.195.233]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA20705; Thu, 13 Apr 2000 06:44:25 -0700 (PDT)
Received: from ritlabs250.mldnet.com (max [212.56.194.250]) by gate.ritlabs.com (8.8.8/8.8.8) with ESMTP id QAA01818; Thu, 13 Apr 2000 16:50:24 +0300
Date: Thu, 13 Apr 2000 16:47:40 +0300
From: Maxim Masiutin <max@ritlabs.com>
X-Mailer: The Bat! (v1.42 Beta/17)
Organization: RIT Research Labs
X-Priority: 3 (Normal)
Message-ID: <105192921875.20000413164740@ritlabs.com>
To: ietf-pkix@imc.org, ietf-smime@imc.org
Subject: duplicate aliases of the same OID in draft-ietf-pkix-new-part1-01.txt
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Hello!

  I've found duplicate aliases of the same OID in
  draft-ietf-pkix-new-part1-01.txt

  sha-1WithRSAEncryption (section 7.2.1) and sha1WithRSAEncryption
  (elsewhere).

  The first variant was also found in rfc2632, rfc2633 (along with the
  second variant).

  Second variant was also found in draft-ietf-smime-certdist-04.txt,
  draft-ietf-smime-examples-03.txt and rfc2633.

  There are also numerous duplicate OID aliases, for example
  PKCS#9-relaeted; they are different in PKIX documents, S/MIME
  documents and PKCS#9 itself.
  
  I've found it writing my ASN.1 code to work with S/MIME messages and
  X.509 certificates. Having multiple names of a same OIDS is much worse
  than having one, I think both workgroups should take care of that.
  
-- 
Maxim Masiutin,
Software Engineer
RIT Research Labs  http://www.ritlabs.com/




Received: by ns.secondary.com (8.9.3/8.9.3) id FAA19947 for ietf-smime-bks; Thu, 13 Apr 2000 05:52:43 -0700 (PDT)
Received: from mars.syndata.com ([208.195.248.153]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA19942 for <ietf-smime@imc.org>; Thu, 13 Apr 2000 05:52:42 -0700 (PDT)
Received: by MARS with Internet Mail Service (5.5.2650.21) id <2JTDM9CY>; Thu, 13 Apr 2000 08:56:09 -0400
Message-ID: <D92EE22C97C3D311855E005004E0CBF00336B1@MARS>
From: Aram Perez <aperez@syndata.com>
To: ietf-smime@imc.org
Subject: RE: CERTDIST
Date: Thu, 13 Apr 2000 08:56:07 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

> -----Original Message-----
> From: Mike Just [mailto:mike.just@entrust.com]
> Sent: Wednesday, April 12, 2000 11:47 AM
> To: ietf-smime@imc.org
> Cc: 'dpkemp@missi.ncsc.mil'; 'Russ Housley'
> Subject: RE: CERTDIST
> 
> 
> Two points.
> 
> 1) I agree with David. The document must be clear that if 
> using LDAP, user
> certificates should be in the userCertificate attribute; user 
> certificates
> MUST NOT be in the userSMimeCertificate attribute. (In other words,
> userSMimeCertificate is only used as a source of a user's S/MIME
> capabilities.)

I also agree, but shouldn't that field be called userSMimeCapabilities?
userSMimeCertificate implies that it stores a certificate.

Regards,
Aram Perez

[snip]


Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id NAA18202 for ietf-smime-bks; Wed, 12 Apr 2000 13:23:54 -0700 (PDT)
Received: from wfhqex05.wangfed.com (netva01.wangfed.com [206.137.100.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA18198; Wed, 12 Apr 2000 13:23:53 -0700 (PDT)
Received: by wfhqex05.wangfed.com with Internet Mail Service (5.5.2650.21) id <GFRJM7DD>; Wed, 12 Apr 2000 16:27:03 -0400
Message-ID: <33BD629222C0D211B6DB0060085ACF31965D63@wfhqex01.wangfed.com>
From: "Pawling, John" <John.Pawling@wang.com>
To: "'SMIME WG'" <ietf-smime@imc.org>, ietf-pkix@imc.org
Subject: SNACC ASN.1 Freeware Release & Mail List
Date: Wed, 12 Apr 2000 16:27:03 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

All,

J. G. Van Dyke and Associates (VDA), a Wang Government Services Company, has
delivered an enhanced version of the freeware SNACC v1.3 rev 0.07 Abstract
Syntax Notation.1 (ASN.1) Compiler and Library.  In past releases, VDA
enhanced the C++ version of the SNACC library to implement the Distinguished
Encoding Rules (DER).  In the new release, VDA enhanced the C and C++
versions of the SNACC library to support PrintableString, TeletexString,
NumericString, IA5String, 
VisibileString, BMPString, UniversalString and UTF8String character string
types.  We added an optional function to SNACC that can be used to convert
ASN.1 OCTET STRINGs to single- or multi-byte character strings (as
appropriate).  This is needed to support the RFC 2459 PKIX requirements.
The SNACC enhancement is completely optional and does not impact existing
code that uses SNACC.  The SNACC library decodes an object as it always has.
If the application/library needs the ASN.1 OCTET STRINGs converted to
character strings, then it calls the new SNACC function/class to perform the
conversion.  If an application/library does not need the ASN.1 OCTET STRINGs
converted, then it does not need to call the conversion function/classes and
can use the SNACC-generated structures/classes as always.  

The VDA-enhanced SNACC compiler and C++ library is available along with the
S/MIME Freeware Library (SFL)
<http://www.armadillo.huntsville.al.us/software/smime> that uses SNACC to
implement the S/MIME v3 set of specifications.  The snacc1_6VDA.zip file
contains the SNACC v1.3 rev 0.07 ASN.1 Compiler and C++ Library source code
compilable for Unix and MS Windows NT/95/98/2000.   

The VDA-enhanced SNACC C library is available along with the freeware
Certificate Management Library (CML)
<http://www.armadillo.huntsville.al.us/software/certmgmt/index.html)> that
uses SNACC to implement the 1997 X.509 Recommendation and RFC 2459.  The
CML17sr.tar.Z file includes the source code for the CML and VDA-enhanced
SNACC C library compilable for Unix and MS Windows NT/95/98/2000. 

We plan to consolidate the enhancements made by VDA to the C and C++
versions of the SNACC source code into a single baseline that can be
delivered in a single tar/zip file.

In the new release, we also corrected a bug in the DEC_LOAD_ANYBUF macro.
We changed "bytesDecoded" to "bytesDecodedXX" to avoid conflict other SNACC
uses of the "bytesDecoded" variable.  We also enhanced the AsnOid method so
that it accepts a dynamic number of components within an object identifier. 

SNACC implements the majority of ASN.1 encoding/decoding rules.  SNACC does
not support all of
the latest ASN.1 features, but there are work-arounds that allow SNACC to be
used to produce ASN.1 hex encodings that are identical to those produced by
ASN.1 libraries that do support the latest ASN.1 features.  Also note that
many of the PKIX specs, such as RFC 2459, include 1988-compliant ASN.1
syntax modules which can be directly compiled using SNACC.

The SNACC ASN.1 library is totally unencumbered as stated in the SFL Public
License.  All source code for the VDA-enhanced SNACC software is being
provided at no cost and with no financial limitations regarding its use and
distribution.  Organizations can use the VDA-enhanced SNACC software without
paying any royalties or licensing fees.  

The Internet Mail Consortium (IMC) has established a SNACC web page
<http://www.imc.org/imc-snacc/>.  The IMC has also established a SNACC mail
list which is used to: distribute information regarding SNACC releases;
discuss SNACC-related issues; and provide a means for SNACC users to provide
feedback, comments, bug reports, etc.  Subscription information for the
imc-snacc mail list is at the IMC web site listed above.

VDA welcomes all feedback regarding the VDA-enhanced SNACC software.  If
bugs are reported, then VDA will investigate each reported bug and, if
required, will produce a patch or an updated release of the software to
repair the bug.  We recommend that comments should be sent to the imc-snacc
mail list.  We will respond to all messages on that list.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john.pawling@wang.com
============================================ 



Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id NAA17843 for ietf-smime-bks; Wed, 12 Apr 2000 13:15:10 -0700 (PDT)
Received: from wfhqex05.wangfed.com (netva01.wangfed.com [206.137.100.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA17839 for <ietf-smime@imc.org>; Wed, 12 Apr 2000 13:15:09 -0700 (PDT)
Received: by wfhqex05.wangfed.com with Internet Mail Service (5.5.2650.21) id <GFRJM7AW>; Wed, 12 Apr 2000 16:18:19 -0400
Message-ID: <33BD629222C0D211B6DB0060085ACF31965D57@wfhqex01.wangfed.com>
From: "Pawling, John" <John.Pawling@wang.com>
To: "'SMIME WG'" <ietf-smime@imc.org>
Subject: v1.6 S/MIME Freeware Library & Mail List
Date: Wed, 12 Apr 2000 16:18:20 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

All,

J.G. Van Dyke and Associates (VDA), a Wang Government Services Company, has 
delivered Version 1.6 of the S/MIME Freeware Library (SFL) source code and 
Application Programming Interface (API).  The SFL source code files are 
freely available to everyone from the Fortezza Developer's S/MIME Page
<http://www.armadillo.huntsville.al.us/software/smime>.  

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message 
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications. 
It also implements portions of the RFC 2633 Message Specification and 
RFC 2632 Certificate Handling document.  When used in conjunction with
the Crypto++ freeware library, the SFL implements the RFC 2631 
Diffie-Hellman (D-H) Key Agreement Method specification.  It has been 
successfully tested using the MS Windows NT/95/98 and Solaris 2.7 operating 
systems.  Further enhancements, ports and testing of the SFL are still in 
process.  Further releases of the SFL will be provided as significant 
capabilities are added. 

The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS 
objects using: S/MIME v3 mandatory-to-implement algorithms (DSA, E-S D-H,
3DES) 
provided by the Crypto++ 3.1 library; RSA suite of algorithms provided by
the 
RSA BSAFE v4.2 and Crypto++ 3.1 libraries; and Fortezza suite of algorithms 
provided by the Fortezza Crypto Card.  The SFL uses the VDA-enhanced SNACC
v1.3 
ASN.1 C++ Library to encode/decode objects. The v1.6 SFL release includes:
SFL
High-level library; Free (a.k.a. Crypto++) Crypto Token Interface Library
(CTIL); 
BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL (still being tested);
VDA-
enhanced GNU SNACC v1.3 rev 0.07 ASN.1 Compiler and C++ Library; test
utilities; 
test drivers and test data.  All CTILs were tested as Dynamically Linked 
Libraries (DLL) using MS Windows.  The Fortezza, BSAFE and Crypto++ CTILs
were
tested with the respective security libraries as shared objects using
Solaris 2.7.  

The SFL has been successfully used to exchange signedData and envelopedData 
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01 and

Netscape Communicator 4.X S/MIME v2 products.  Signed messages have been 
exchanged with the RSA S/MAIL, WorldTalk and Entrust S/MIME v2 products. 

The SFL has also been used to perform S/MIME v3 interoperability testing
with 
Microsoft that exercised the majority of the features specified by RFCs
2630, 
2631 and 2634.  This testing included the RSA, mandatory S/MIME V3 and
Fortezza 
suites of algorithms.  We have also performed limited S/MIME v3 testing with

Baltimore and Entrust.  

The following enhancements are included in the v1.6 SFL release (compared
with 
the v1.5 release):

1) We used the SFL to successfully process all of the SFL-supported sample
data included in the S/MIME WG "Examples of S/MIME Messages" document.  We
also used the SFL to construct sample data (such as signed receipts) to be
added to the document. We automated this SFL testing (through the use of
test drivers and configuration files) so that it can be easily repeated and
modified by us or independently by a third party.  We developed sample
objects that illustrate each feature in the Examples document that the SFL
supports.  This self-contained environment uses the specified certificates
(DSA, RSA, and DH) in the login as described in the document.  This
directory resides in "./smimeR1.6/test/specMatrix.d/CMS_Examples.d"; the
binaries are named as in the document (e.g. 5.4.bin, etc.).  The config
files used to generate these examples are in the "config.d" subdirectory.
The certificate build config files are in the "certs.d/config.d"
subdirectory.

2) We successfully completed RFC 2634 signed receipt interoperability
testing between the SFL and
Microsoft.  We added a check to the SFL to ensure that the application
always includes in the receiptRequest attribute a receiptsTo e-mail address
to which the signed receipt is to be sent.

3) We verified that the SFL can produce and process the SFL-supported
features documented in the S/MIME v3 interoperability matrices created by
Jim Schaad.  We automated this SFL testing so that it can be easily repeated
and modified by us or independently by a third party.  We have developed
sample objects that illustrate each feature in the matrix that the SFL
supports.  We updated the Interop.xls document (contained in the
"./smimeR1.6/test/specMatrix.d" subdirectories) to indicate the testing
performed using the SFL.  Within this document, each feature row contains a
reference to a binary file in the "CMS_Examples.d" directory that
demonstrates that feature if applicable.  These additional file names are
preceded by the name "ExInterop..." to distinguish them from the
"examples-03.txt" example binaries.

4) Fixed a number of bugs in the SFL and test drivers found during the
aforementioned interoperability testing.  Features improved in the SFL
include: proper SignedData and SignerInfo version numbers;
creating/processing encrypted messages without a User Key Material (UKM);
added SubjectKeyIdentifier (SKI) processing in SignedData and EnvelopedData
(Originator only, the RecipientInfos automatically use SKI for Fortezza/SPEX
CTILs); and EnvelopedData unprotectedAttrs from the test config file.  We
also corrected the following bugs in the test driver/configuration files
used to create X.509 Certificates for SFL testing: corrected inconsistent
UTC and General Time Dates; included dates past 1999; corrected object
identifiers (OID) for algorithms; and regenerated certificates to include
unsigned integers.
 
5) List template processing has been fixed to use the same "CSM_ListC"
template from the common libCert DLL.  The old convention required a new
name for this list class in each DLL; the new convention uses the same
CSM_ListC template class from libCert.  This forces the compiler to build
the logic for the actual class lists uniquely in the new DLL (see references
to CSM_ListC in the SFL for an example).  This simplifies the list logic in
support libraries and any new user libraries interested in using the list
template.

6) CertificateBuilder utility has been improved in functionality and tested
more thoroughly.  This utility can view, edit, and create certificates
(including extensions) as well as generate a variety of public/private keys
for processing by the SFL.  A new command line CertificateBuilderCL has been
created (it does not yet allow the building of keys, private or public).
The command line utility has not yet been tested on Unix.

7) Tested SFL with the C++ version of the SNACC ASN.1 library enhanced to
support PrintableString, TeletexString, NumericString, IA5String,
VisibileString, BMPString, UniversalString and UTF8String character string
types.  We added an optional function to SNACC to convert ASN.1 OCTET
STRINGs to single- or multi-byte character strings (as appropriate).  

8) Developed new test code and configuration files to implement test cases;
and

9) Performed regression testing to ensure that aforementioned enhancements
did 
not break existing SFL functionality.


We are still in the process of enhancing and testing the SFL.  Future
releases 
will include: completion of PKCS #11 CTIL testing; SPEX/ CTIL 
encrypt/decrypt/ESDH capabilities; finish CertificateBuilder command line 
utility; enhancing CertificateBuilder to support creation of Attribute 
Certificates; modify PKCS #12 code in test utilities to provide
interoperable key 
storage; add MIME support for test drivers; add "Certificate Management 
Messages over CMS" ASN.1 encode/decode functions; add enhanced test
routines; 
bug fixes; support for other crypto APIs (possible); and support for other
operating systems. 

The SFL is developed to maximize portability to 32-bit operating 
systems.  In addition to testing on MS Windows and Solaris 2.7, we plan to
port 
the SFL to the following operating systems: Linux, HP/UX 11, IBM AIX 3.2 
(possibly), SCO 5.0 (possibly) and Macintosh (possibly).

The following SFL files are available from the Fortezza Developer's S/MIME
Page:

1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API, 
Software Test Description, Implementers Guide, Overview Briefing and Public 
License.
     
2) snacc1_6VDA.zip: Zip file containing SNACC v1.3 rev 0.07 ASN.1 Compiler
and 
C++ Library source code compilable for Unix and MS Windows NT/95/98/2000
that has been 
enhanced by VDA to implement the Distinguished Encoding Rules and to support
multiple-byte character strings.  Project files and makefiles are included. 
This file includes a sample test project demonstrating the use of the SNACC
classes.

3) smimeR16.zip:  Zip file containing all SFL source code including: 
SFL Hi-Level source code; VDA-enhanced SNACC-generated ASN.1 source 
code; project files.  This file also contains test driver source code, 
sample CMS/ESS test data and test X.509 Certificates.  This file also 
includes test utilities to create X.509 Certificates that each include 
a D-H, DSA or RSA public key.  SNACC release and debug libraries
are compiled for MS Windows NT/95/98/2000. MS Windows NT/95/98/2000
project files and Unix makefiles are included for the SNACC code and
Crypto++.    

4) smR16CTI.zip:  Source code for the following CTILs: Test (no crypto), 
Crypto++, BSAFE, Fortezza, SPEX/ and PKCS #11.  The Win95/98/NT/2000
projects are 
also included.  (NOTE: The Free (a.k.a. Crypto++) CTIL includes
VDA-developed 
source code to use the RSA public key algorithm implemented within the
external 
Crypto++ library.  As with all of the external crypto token libraries, the 
Crypto++ library is not distributed as part of the SFL source code.  
To use the Crypto++ library with the SFL, the application developer must 
independently obtain the Crypto++ library from the Crypto++ Web Page 
<http://www.eskimo.com/~weidai/cryptlib.html> and then compile it with 
the VDA-developed Crypto++ CTIL source code.  The RSA public key 
algorithm is covered by U.S. Patent 4,405,829 "Cryptographic Communication 
System and Method".  Within the U.S., users of the RSA public key algorithm 
provided by the external Crypto++ library must obtain a license from RSA 
granting them permission to use the RSA algorithm.)

5) csmime.mdl contains SFL Class diagrams created using Microsoft 
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
<http://www.rational.com/uml/resources/practice_uml/index.jtmpl>.
Not all classes are documented in the MDL file at this time.

All source code for the SFL is being provided at no cost and with no 
financial limitations regarding its use and distribution. 
Organizations can use the SFL without paying any royalties or 
licensing fees.  VDA is developing the SFL under contract to the U.S. 
Government.  The U.S. Government is furnishing the SFL source code at no 
cost to the vendor subject to the conditions of the "SFL Public 
License" available from the VDA SFL Page and Fortezza Developer's 
S/MIME Page.

On 14 January 2000, the U.S. Department of Commerce, Bureau of 
Export Administration published a new regulation implementing an update to
the U.S. Government's encryption export policy 
<http://www.bxa.doc.gov/Encryption/Default.htm>.  In accordance with the 
revisions to the Export Administration Regulations (EAR) of 14 Jan 2000,
the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS 
and ESS processing independent of the crypto algorithms used to 
protect a specific object.  The SFL high-level library makes calls to 
an algorithm-independent CTIL API.  The underlying, external crypto
token libraries are not distributed as part of the SFL 
source code. The application developer must independently obtain these 
libraries and then link them with the SFL.  For example, the SFL uses 
the freeware Crypto++ library to obtain 3DES, D-H and DSA.  To use 
the SFL with Crypto++ the vendor must download the Crypto++ freeware 
library from the Crypto++ Web Page and then compile it with the  
VDA-developed Crypto++ CTIL source code.  

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>.  The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc.  Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.

All comments regarding the SFL source code and documents are welcome. 
We recommend that comments should be sent to the imc-sfl mail list.  
We will respond to all messages on that list.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john.pawling@wang.com
============================================ 


Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA15264 for ietf-smime-bks; Wed, 12 Apr 2000 11:30:22 -0700 (PDT)
Received: from ps2.walltech.com (ps2.walltech.com [207.5.77.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA15260 for <ietf-smime@imc.org>; Wed, 12 Apr 2000 11:30:20 -0700 (PDT)
Received: from dtasi1 (null@demeter.veritas.com [204.177.156.26]) by ps2.walltech.com (8.10.0/8.10.0/walltech-2.10) with SMTP id e3CIXgb18510; Wed, 12 Apr 2000 11:33:42 -0700 (PDT)
Message-Id: <3.0.5.32.20000412113339.00923100@pop.walltech.com>
X-Sender: bgreenblatt@pop.walltech.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 12 Apr 2000 11:33:39 -0700
To: Mike Just <mike.just@entrust.com>, ietf-smime@imc.org
From: Bruce Greenblatt <bgreenblatt@directory-applications.com>
Subject: RE: CERTDIST
Cc: "'dpkemp@missi.ncsc.mil'" <dpkemp@missi.ncsc.mil>, "'Russ Housley'" <housley@spyrus.com>
In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696017C0EE5@sothmxs05.entrust .com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

As long as we're talking about where to put certificates, I thought that
I'd point out a draft that I wrote, that I received some pretty good
feedback on.  Check out the draft with the title: "LDAP Object Class for
Holding Certificate Information" at your favorite ietf drafts site, e.g.: 

http://search.ietf.org/internet-drafts/draft-greenblatt-ldap-certinfo-schema
-02.txt

It defines a "certificateType" structural object class, and "Use the
certificateType structural class to indicate that an object in the
directory is a specific type of certificate.  Each cer-
tificateType object in the directory appears directly beneath the owner of
the certificate in the directory hierarchy."

Comments are welcome... Cheers,

Bruce

At 11:47 AM 4/12/2000 -0400, Mike Just wrote:
>Two points.
>
>1) I agree with David. The document must be clear that if using LDAP, user
>certificates should be in the userCertificate attribute; user certificates
>MUST NOT be in the userSMimeCertificate attribute. (In other words,
>userSMimeCertificate is only used as a source of a user's S/MIME
>capabilities.)
>
>2) The document doesn't specify the behaviour of a client in the case that
>the userSMimeCertificate attribute is not populated (with the user's S/MIME
>capabilities).  This might only require a reference to the similar
>discussion in RFC 2633. Though there should be some indication that the
>userSMimeCertificate attribute is not required to be populated in an entry.
>
>Mike Just
>
>
>> -----Original Message-----
>> From: Russ Housley [mailto:housley@spyrus.com]
>> Sent: Tuesday, April 11, 2000 11:11 PM
>> To: ietf-smime@imc.org
>> Cc: jis@mit.edu; MLeech@nortel.ca
>> Subject: CERTDIST
>> 
>> 
>> All:
>> 
>> It is clear to me that we have not reached consensus on 
>> CERTDIST.  I cannot 
>> recommend forwarding this document to the IESG until this 
>> certificates 
>> issue is resolved.  I hope that the  most interested parties 
>> can have an 
>> objective discussion and develop a solution that aligns with 
>> the PKIX LDAP 
>> schema.
>> 
>> Russ
>> 
>> At 09:22 AM 04/11/2000 -0400, David P. Kemp wrote:
>> >Russ,
>> >
>> >I too would like to resolve the outstanding issue of what attributes
>> >are used to hold certificates, both End Entity and CA,
>> >in the case where certificates are retrieved from an LDAP directory.
>> >
>> >As I noted after the 22 October 1999 announcement of working 
>> group last
>> >call for certdist-04, the paragraph added in response to 
>> Ella's concern
>> >is an improvement, however it does not go far enough because it does
>> >not require a single location that all applications can count on in
>> >order to ensure interoperability.   The text I proposed, 
>> quoted below,
>> >does ensure that all applications can count on finding both EE and CA
>> >certs in the PKIX-standard location, but it is not the only possible
>> >text which would ensure this result.  If Jim or anyone else has
>> >alternate proposed text for interoperability when using LDAP, please
>> >put it forward.
>> >
>> >Blake agrees that the PKIX attributes should be mandatory 
>> for LDAP in the
>> >SMIME cert-handling specification.  I am concerned that if 
>> certdist-04
>> >becomes an RFC, it will conflict with cert-handling and perpetuate
>> >confusion over which LDAP attributes should be used.  It will result
>> >in hard-to-diagnose problems when some apps look in one directory
>> >attribute and other apps look elsewhere, and it would not ensure
>> >that SMIME and non-SMIME applications can share the same directory
>> >infrastructure.
>> >
>> >Can we get a clear statement that when the smimeUserCertificate
>> >attribute is populated in an LDAP directory, it contains NO
>> >certificates?
>> >
>> >Regards,
>> >Dave
>> >
>> >
>> >
>> >
>> > > Date: Mon, 10 Apr 2000 16:34:33 -0400
>> > > To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
>> > > From: Russ Housley <housley@spyrus.com>
>> > > Subject: Re: which usercertificate attribute
>> > > Cc: ietf-smime@imc.org
>> > >
>> > > Dave:
>> > >
>> > > Of course, Jim Schaad should be the one to answer this 
>> question.  He is 
>> > the
>> > > author of CERTDIST.  Note:  The CERTDIST document is in 
>> Working Group Last
>> > > Call, so if there are issues, they need to be resolved NOW.
>> > >
>> > > The paragraph that you are talking about was added 
>> because if comments
>> > > received from Ell Gardner at MITRE.  If memory serves, 
>> she was concerned
>> > > about two locations in the Directory for the same 
>> information.  The
>> > > paragrah that you quote is Jim Schaad's proposed 
>> solution: Get the certs
>> > > from userCertificates and the algorithm preference information
>> > > userSMimeCertificate.
>> > >
>> > > Russ
>> > >
>> > >
>> > > At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
>> > >
>> > > >Russ,
>> > > >
>> > > >Certdist-04 section 4.5 explains:
>> > > >
>> > > >   "If the SignedData object is to be published in 
>> userSMimeCertificate,
>> > > >   the end-entity certificates MAY be omitted from the 
>> certificate bag
>> > > >   and published in the userCertificates [sic] LDAP 
>> attribute instead."
>> > > >
>> > > >How is an application developer supposed to interpret 
>> this requirement?
>> > > >I would read it to say that since the EE cert MAY be in 
>> either attribute,
>> > > >applications MUST look for it in BOTH attributes.  But 
>> Terry Hayes'
>> > > >posting indicates that (without an add-on) Communicator 
>> does not look
>> > > >in the userCertificate attribute.
>> > > >
>> > > >Section 2 justifies the inclusion of a cert path in the 
>> SignedData
>> > > >object by claiming that in non-X.500 (DAP or LDAP) 
>> directories it is
>> > > >difficult to impossible to obtain CA certificates.  But 
>> it does not
>> > > >follow through with that logic by *not* requiring a full 
>> cert path when
>> > > >the object *is* stored in an LDAP directory.
>> > > >
>> > > >Section 4.3 should be changed from:
>> > > >
>> > > >   "A chain of certificate from the 
>> end-entitycertificate(s) to the root
>> > > >   certificate(s) MUST be included in the CertificateSet."
>> > > >
>> > > >to:
>> > > >
>> > > >   "A chain of certificate from the 
>> end-entitycertificate(s) to the root
>> > > >   certificate(s) MUST be included in the CertificateSet 
>> unless the
>> > > >   SignedData object is published in 
>> userSMimeCertificate, in which case
>> > > >   the CertificateSet MUST be empty."
>> > > >
>> > > >and section 4.5 should be adjusted accordingly.
>> > > >
>> > > >This would ensure that when using LDAP, applications 
>> always use the
>> > > >PKIX-standard locations for both CA and EE certificates.
>> > > >
>> > > >Dave Kemp
>> 
>
>
==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com


Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id IAA10269 for ietf-smime-bks; Wed, 12 Apr 2000 08:44:19 -0700 (PDT)
Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA10264 for <ietf-smime@imc.org>; Wed, 12 Apr 2000 08:44:18 -0700 (PDT)
Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <2X4T77A6>; Wed, 12 Apr 2000 11:47:27 -0400
Message-ID: <ED026032A3FCD211AEDA00105A9C4696017C0EE5@sothmxs05.entrust.com>
From: Mike Just <mike.just@entrust.com>
To: ietf-smime@imc.org
Cc: "'dpkemp@missi.ncsc.mil'" <dpkemp@missi.ncsc.mil>, "'Russ Housley'" <housley@spyrus.com>
Subject: RE: CERTDIST
Date: Wed, 12 Apr 2000 11:47:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Two points.

1) I agree with David. The document must be clear that if using LDAP, user
certificates should be in the userCertificate attribute; user certificates
MUST NOT be in the userSMimeCertificate attribute. (In other words,
userSMimeCertificate is only used as a source of a user's S/MIME
capabilities.)

2) The document doesn't specify the behaviour of a client in the case that
the userSMimeCertificate attribute is not populated (with the user's S/MIME
capabilities).  This might only require a reference to the similar
discussion in RFC 2633. Though there should be some indication that the
userSMimeCertificate attribute is not required to be populated in an entry.

Mike Just


> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Tuesday, April 11, 2000 11:11 PM
> To: ietf-smime@imc.org
> Cc: jis@mit.edu; MLeech@nortel.ca
> Subject: CERTDIST
> 
> 
> All:
> 
> It is clear to me that we have not reached consensus on 
> CERTDIST.  I cannot 
> recommend forwarding this document to the IESG until this 
> certificates 
> issue is resolved.  I hope that the  most interested parties 
> can have an 
> objective discussion and develop a solution that aligns with 
> the PKIX LDAP 
> schema.
> 
> Russ
> 
> At 09:22 AM 04/11/2000 -0400, David P. Kemp wrote:
> >Russ,
> >
> >I too would like to resolve the outstanding issue of what attributes
> >are used to hold certificates, both End Entity and CA,
> >in the case where certificates are retrieved from an LDAP directory.
> >
> >As I noted after the 22 October 1999 announcement of working 
> group last
> >call for certdist-04, the paragraph added in response to 
> Ella's concern
> >is an improvement, however it does not go far enough because it does
> >not require a single location that all applications can count on in
> >order to ensure interoperability.   The text I proposed, 
> quoted below,
> >does ensure that all applications can count on finding both EE and CA
> >certs in the PKIX-standard location, but it is not the only possible
> >text which would ensure this result.  If Jim or anyone else has
> >alternate proposed text for interoperability when using LDAP, please
> >put it forward.
> >
> >Blake agrees that the PKIX attributes should be mandatory 
> for LDAP in the
> >SMIME cert-handling specification.  I am concerned that if 
> certdist-04
> >becomes an RFC, it will conflict with cert-handling and perpetuate
> >confusion over which LDAP attributes should be used.  It will result
> >in hard-to-diagnose problems when some apps look in one directory
> >attribute and other apps look elsewhere, and it would not ensure
> >that SMIME and non-SMIME applications can share the same directory
> >infrastructure.
> >
> >Can we get a clear statement that when the smimeUserCertificate
> >attribute is populated in an LDAP directory, it contains NO
> >certificates?
> >
> >Regards,
> >Dave
> >
> >
> >
> >
> > > Date: Mon, 10 Apr 2000 16:34:33 -0400
> > > To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
> > > From: Russ Housley <housley@spyrus.com>
> > > Subject: Re: which usercertificate attribute
> > > Cc: ietf-smime@imc.org
> > >
> > > Dave:
> > >
> > > Of course, Jim Schaad should be the one to answer this 
> question.  He is 
> > the
> > > author of CERTDIST.  Note:  The CERTDIST document is in 
> Working Group Last
> > > Call, so if there are issues, they need to be resolved NOW.
> > >
> > > The paragraph that you are talking about was added 
> because if comments
> > > received from Ell Gardner at MITRE.  If memory serves, 
> she was concerned
> > > about two locations in the Directory for the same 
> information.  The
> > > paragrah that you quote is Jim Schaad's proposed 
> solution: Get the certs
> > > from userCertificates and the algorithm preference information
> > > userSMimeCertificate.
> > >
> > > Russ
> > >
> > >
> > > At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
> > >
> > > >Russ,
> > > >
> > > >Certdist-04 section 4.5 explains:
> > > >
> > > >   "If the SignedData object is to be published in 
> userSMimeCertificate,
> > > >   the end-entity certificates MAY be omitted from the 
> certificate bag
> > > >   and published in the userCertificates [sic] LDAP 
> attribute instead."
> > > >
> > > >How is an application developer supposed to interpret 
> this requirement?
> > > >I would read it to say that since the EE cert MAY be in 
> either attribute,
> > > >applications MUST look for it in BOTH attributes.  But 
> Terry Hayes'
> > > >posting indicates that (without an add-on) Communicator 
> does not look
> > > >in the userCertificate attribute.
> > > >
> > > >Section 2 justifies the inclusion of a cert path in the 
> SignedData
> > > >object by claiming that in non-X.500 (DAP or LDAP) 
> directories it is
> > > >difficult to impossible to obtain CA certificates.  But 
> it does not
> > > >follow through with that logic by *not* requiring a full 
> cert path when
> > > >the object *is* stored in an LDAP directory.
> > > >
> > > >Section 4.3 should be changed from:
> > > >
> > > >   "A chain of certificate from the 
> end-entitycertificate(s) to the root
> > > >   certificate(s) MUST be included in the CertificateSet."
> > > >
> > > >to:
> > > >
> > > >   "A chain of certificate from the 
> end-entitycertificate(s) to the root
> > > >   certificate(s) MUST be included in the CertificateSet 
> unless the
> > > >   SignedData object is published in 
> userSMimeCertificate, in which case
> > > >   the CertificateSet MUST be empty."
> > > >
> > > >and section 4.5 should be adjusted accordingly.
> > > >
> > > >This would ensure that when using LDAP, applications 
> always use the
> > > >PKIX-standard locations for both CA and EE certificates.
> > > >
> > > >Dave Kemp
> 


Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id UAA27196 for ietf-smime-bks; Tue, 11 Apr 2000 20:22:44 -0700 (PDT)
Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA27188 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 20:22:42 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com.au (dial02.spyrus.com [207.212.34.122]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id UAA22035; Tue, 11 Apr 2000 20:26:12 -0700 (PDT)
Message-Id: <4.2.0.58.20000411230325.00a6b4c0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 11 Apr 2000 23:11:06 -0400
To: ietf-smime@imc.org
From: Russ Housley <housley@spyrus.com>
Subject: CERTDIST
Cc: jis@mit.edu, MLeech@nortel.ca
In-Reply-To: <200004111322.JAA07907@missi.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

All:

It is clear to me that we have not reached consensus on CERTDIST.  I cannot 
recommend forwarding this document to the IESG until this certificates 
issue is resolved.  I hope that the  most interested parties can have an 
objective discussion and develop a solution that aligns with the PKIX LDAP 
schema.

Russ

At 09:22 AM 04/11/2000 -0400, David P. Kemp wrote:
>Russ,
>
>I too would like to resolve the outstanding issue of what attributes
>are used to hold certificates, both End Entity and CA,
>in the case where certificates are retrieved from an LDAP directory.
>
>As I noted after the 22 October 1999 announcement of working group last
>call for certdist-04, the paragraph added in response to Ella's concern
>is an improvement, however it does not go far enough because it does
>not require a single location that all applications can count on in
>order to ensure interoperability.   The text I proposed, quoted below,
>does ensure that all applications can count on finding both EE and CA
>certs in the PKIX-standard location, but it is not the only possible
>text which would ensure this result.  If Jim or anyone else has
>alternate proposed text for interoperability when using LDAP, please
>put it forward.
>
>Blake agrees that the PKIX attributes should be mandatory for LDAP in the
>SMIME cert-handling specification.  I am concerned that if certdist-04
>becomes an RFC, it will conflict with cert-handling and perpetuate
>confusion over which LDAP attributes should be used.  It will result
>in hard-to-diagnose problems when some apps look in one directory
>attribute and other apps look elsewhere, and it would not ensure
>that SMIME and non-SMIME applications can share the same directory
>infrastructure.
>
>Can we get a clear statement that when the smimeUserCertificate
>attribute is populated in an LDAP directory, it contains NO
>certificates?
>
>Regards,
>Dave
>
>
>
>
> > Date: Mon, 10 Apr 2000 16:34:33 -0400
> > To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
> > From: Russ Housley <housley@spyrus.com>
> > Subject: Re: which usercertificate attribute
> > Cc: ietf-smime@imc.org
> >
> > Dave:
> >
> > Of course, Jim Schaad should be the one to answer this question.  He is 
> the
> > author of CERTDIST.  Note:  The CERTDIST document is in Working Group Last
> > Call, so if there are issues, they need to be resolved NOW.
> >
> > The paragraph that you are talking about was added because if comments
> > received from Ell Gardner at MITRE.  If memory serves, she was concerned
> > about two locations in the Directory for the same information.  The
> > paragrah that you quote is Jim Schaad's proposed solution: Get the certs
> > from userCertificates and the algorithm preference information
> > userSMimeCertificate.
> >
> > Russ
> >
> >
> > At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
> >
> > >Russ,
> > >
> > >Certdist-04 section 4.5 explains:
> > >
> > >   "If the SignedData object is to be published in userSMimeCertificate,
> > >   the end-entity certificates MAY be omitted from the certificate bag
> > >   and published in the userCertificates [sic] LDAP attribute instead."
> > >
> > >How is an application developer supposed to interpret this requirement?
> > >I would read it to say that since the EE cert MAY be in either attribute,
> > >applications MUST look for it in BOTH attributes.  But Terry Hayes'
> > >posting indicates that (without an add-on) Communicator does not look
> > >in the userCertificate attribute.
> > >
> > >Section 2 justifies the inclusion of a cert path in the SignedData
> > >object by claiming that in non-X.500 (DAP or LDAP) directories it is
> > >difficult to impossible to obtain CA certificates.  But it does not
> > >follow through with that logic by *not* requiring a full cert path when
> > >the object *is* stored in an LDAP directory.
> > >
> > >Section 4.3 should be changed from:
> > >
> > >   "A chain of certificate from the end-entitycertificate(s) to the root
> > >   certificate(s) MUST be included in the CertificateSet."
> > >
> > >to:
> > >
> > >   "A chain of certificate from the end-entitycertificate(s) to the root
> > >   certificate(s) MUST be included in the CertificateSet unless the
> > >   SignedData object is published in userSMimeCertificate, in which case
> > >   the CertificateSet MUST be empty."
> > >
> > >and section 4.5 should be adjusted accordingly.
> > >
> > >This would ensure that when using LDAP, applications always use the
> > >PKIX-standard locations for both CA and EE certificates.
> > >
> > >Dave Kemp



Received: by ns.secondary.com (8.9.3/8.9.3) id HAA19846 for ietf-smime-bks; Tue, 11 Apr 2000 07:09:58 -0700 (PDT)
Received: from solo.verkstad.net (solo.verkstad.net [192.71.20.34]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA19841 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 07:09:56 -0700 (PDT)
Received: from verkstad.net (luke.verkstad.net [192.36.157.24]) by solo.verkstad.net (8.9.1/8.9.1) with ESMTP id QAA00123 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 16:13:27 +0200
Message-ID: <38F33394.CB5A17F8@verkstad.net>
Date: Tue, 11 Apr 2000 16:15:48 +0200
From: Luis Barriga <Luis.Barriga@verkstad.net>
Reply-To: Luis.Barriga@ericsson.com
Organization: Ericsson Research
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.13 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: IETF SMIME List <ietf-smime@imc.org>
Subject: Domain-to-point security services & DOMSEC
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

I have a common scenario that I believe should be addressed within this
group. I'll refer to it as domain-to-point secure messaging and it looks
as follows:

A user A@ISP.com wishes to communicate *securely* with a another user
B@Company.com. The user B@Company.com doesn't have a cert (or if he does
A@ISP.com doesn't know it). I see this as a common case, when companies
start migrating to PKI and:

(1) A@ISP.com is actually a user A@Company.com, who has temporarily left
his corporate premises and has a public email account at an POP/IMAP
service provider. A wants to exchange email securely with colleagues at
the Company, but not all of them have certs.

(2) A@ISP.com is an external user with no association with
Corporate.Com, but who wants to send important secure email to
B@Company.com. A@ISP.com can't access the Company's PKI. 

To solve this, the Company can deploy a domain securiy service, sort of
S/MIME proxy with public cert associated with Smime-proxy@Company.com.
The user A@ISP.com (the point) could then send S/MIME to this proxy (the
domain) with request to forward the email to the end user B@Company.com.
If A also has a cert, then B can reply securely directly or via the
S/MIME proxy, provided that the proxy has access to the A's PKI
(Company.Com or ISP.com)

BTW, this scheme also allows users to store corporate email on
unstrusted public POP/IMAP services providers. It can also be used for
secure mailing lists and cert distribution.

My question to You folks is:

1. Is there enough interest out there to work towards a draft?

2. It seems that this falls within the DOMSEC draft, but the scenario
above is not explicitly addressed. Any opinion on this?

3. Anybody else done something similar?

------
Luis Barriga
Ericsson Research


Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA19221 for ietf-smime-bks; Tue, 11 Apr 2000 06:19:12 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA19217 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 06:19:11 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id JAA27916 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 09:21:31 -0400 (EDT)
Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by roadblock.missi.ncsc.mil with ESMTP id JAA27908 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 09:21:31 -0400 (EDT)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.57.72]) by missi.ncsc.mil (8.8.8/8.8.8) with SMTP id JAA07907 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 09:22:30 -0400 (EDT)
Message-Id: <200004111322.JAA07907@missi.ncsc.mil>
Date: Tue, 11 Apr 2000 09:22:08 -0400 (EDT)
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Subject: Re: which usercertificate attribute
To: ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: HtSfrKcxfw7kaMm87Y9Qkg==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc 
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Russ,

I too would like to resolve the outstanding issue of what attributes
are used to hold certificates, both End Entity and CA,
in the case where certificates are retrieved from an LDAP directory.

As I noted after the 22 October 1999 announcement of working group last
call for certdist-04, the paragraph added in response to Ella's concern
is an improvement, however it does not go far enough because it does
not require a single location that all applications can count on in
order to ensure interoperability.   The text I proposed, quoted below,
does ensure that all applications can count on finding both EE and CA
certs in the PKIX-standard location, but it is not the only possible
text which would ensure this result.  If Jim or anyone else has
alternate proposed text for interoperability when using LDAP, please
put it forward.

Blake agrees that the PKIX attributes should be mandatory for LDAP in the
SMIME cert-handling specification.  I am concerned that if certdist-04
becomes an RFC, it will conflict with cert-handling and perpetuate
confusion over which LDAP attributes should be used.  It will result
in hard-to-diagnose problems when some apps look in one directory
attribute and other apps look elsewhere, and it would not ensure
that SMIME and non-SMIME applications can share the same directory
infrastructure.

Can we get a clear statement that when the smimeUserCertificate
attribute is populated in an LDAP directory, it contains NO
certificates?

Regards,
Dave




> Date: Mon, 10 Apr 2000 16:34:33 -0400
> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
> From: Russ Housley <housley@spyrus.com>
> Subject: Re: which usercertificate attribute
> Cc: ietf-smime@imc.org
> 
> Dave:
> 
> Of course, Jim Schaad should be the one to answer this question.  He is the 
> author of CERTDIST.  Note:  The CERTDIST document is in Working Group Last 
> Call, so if there are issues, they need to be resolved NOW.
> 
> The paragraph that you are talking about was added because if comments 
> received from Ell Gardner at MITRE.  If memory serves, she was concerned 
> about two locations in the Directory for the same information.  The 
> paragrah that you quote is Jim Schaad's proposed solution: Get the certs 
> from userCertificates and the algorithm preference information 
> userSMimeCertificate.
> 
> Russ
> 
> 
> At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
> 
> >Russ,
> >
> >Certdist-04 section 4.5 explains:
> >
> >   "If the SignedData object is to be published in userSMimeCertificate,
> >   the end-entity certificates MAY be omitted from the certificate bag
> >   and published in the userCertificates [sic] LDAP attribute instead."
> >
> >How is an application developer supposed to interpret this requirement?
> >I would read it to say that since the EE cert MAY be in either attribute,
> >applications MUST look for it in BOTH attributes.  But Terry Hayes'
> >posting indicates that (without an add-on) Communicator does not look
> >in the userCertificate attribute.
> >
> >Section 2 justifies the inclusion of a cert path in the SignedData
> >object by claiming that in non-X.500 (DAP or LDAP) directories it is
> >difficult to impossible to obtain CA certificates.  But it does not
> >follow through with that logic by *not* requiring a full cert path when
> >the object *is* stored in an LDAP directory.
> >
> >Section 4.3 should be changed from:
> >
> >   "A chain of certificate from the end-entitycertificate(s) to the root
> >   certificate(s) MUST be included in the CertificateSet."
> >
> >to:
> >
> >   "A chain of certificate from the end-entitycertificate(s) to the root
> >   certificate(s) MUST be included in the CertificateSet unless the
> >   SignedData object is published in userSMimeCertificate, in which case
> >   the CertificateSet MUST be empty."
> >
> >and section 4.5 should be adjusted accordingly.
> >
> >This would ensure that when using LDAP, applications always use the
> >PKIX-standard locations for both CA and EE certificates.
> >
> >Dave Kemp



Received: by ns.secondary.com (8.9.3/8.9.3) id DAA11642 for ietf-smime-bks; Tue, 11 Apr 2000 03:50:01 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA11638 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 03:50:00 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27992; Tue, 11 Apr 2000 06:53:32 -0400 (EDT)
Message-Id: <200004111053.GAA27992@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ietf-smime@imc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-smime-cast-128-02.txt
Date: Tue, 11 Apr 2000 06:53:32 -0400
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the S/MIME Mail Security Working Group of the IETF.

	Title		: Use of the CAST-128 Encryption Algorithm in CMS
	Author(s)	: C. Adams
	Filename	: draft-ietf-smime-cast-128-02.txt
	Pages		: 6
	Date		: 10-Apr-00
	
This document specifies how to incorporate CAST-128 [RFC2144] into 
the S/MIME Cryptographic Message Syntax (CMS) as an additional  
algorithm for symmetric encryption.  The relevant OIDs and processing 
steps are provided so that CAST-128 may be included in the CMS 
specification [RFC2630] for symmetric content and key encryption.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-cast-128-02.txt

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-smime-cast-128-02.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-smime-cast-128-02.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
	access-type="mail-server";
	server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID:	<20000410122630.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-smime-cast-128-02.txt

--OtherAccess
Content-Type: Message/External-body;
	name="draft-ietf-smime-cast-128-02.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:	<20000410122630.I-D@ietf.org>

--OtherAccess--

--NextPart--




Received: by ns.secondary.com (8.9.3/8.9.3) id DAA11636 for ietf-smime-bks; Tue, 11 Apr 2000 03:49:56 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA11632 for <ietf-smime@imc.org>; Tue, 11 Apr 2000 03:49:54 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27980; Tue, 11 Apr 2000 06:53:26 -0400 (EDT)
Message-Id: <200004111053.GAA27980@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ietf-smime@imc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-smime-idea-03.txt
Date: Tue, 11 Apr 2000 06:53:26 -0400
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the S/MIME Mail Security Working Group of the IETF.

	Title		: Incorporation of IDEA Encryption Algorithm in S/MIME
	Author(s)	: S. Teiwes, P. Hartmann, D. Kuenzi
	Filename	: draft-ietf-smime-idea-03.txt
	Pages		: 6
	Date		: 10-Apr-00
	
This memo specifies how to incorporate IDEA (International Data
Encryption Algorithm) [IDEA] into S/MIME [SMIME2, SMIME3] as 
an additional strong algorithm for symmetric encryption. For 
organizations who make use of IDEA for data security purposes 
it is of high interest that IDEA is also available in S/MIME. 
The intention of this memo is to provide the OIDs and algorithms 
required that IDEA can be included in S/MIME for symmetric content
and key encryption.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-idea-03.txt

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-smime-idea-03.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-smime-idea-03.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
	access-type="mail-server";
	server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID:	<20000410122620.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-smime-idea-03.txt

--OtherAccess
Content-Type: Message/External-body;
	name="draft-ietf-smime-idea-03.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:	<20000410122620.I-D@ietf.org>

--OtherAccess--

--NextPart--




Received: by ns.secondary.com (8.9.3/8.9.3) id PAA23879 for ietf-smime-bks; Mon, 10 Apr 2000 15:01:10 -0700 (PDT)
Received: from cane.deming.com (mail.deming.com [208.236.41.137]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id PAA23875 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 15:01:09 -0700 (PDT)
Received: from 208.236.41.137 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v4.3); Mon, 10 Apr 00 15:04:09 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by mail.deming.com with Internet Mail Service (5.5.2650.21) id <H63WR5CP>; Mon, 10 Apr 2000 15:04:09 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C594FAF3@mail.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@tumbleweed.com>
To: "'ietf-smime@imc.org'" <ietf-smime@imc.org>
Subject: CERTDIST comments
Date: Mon, 10 Apr 2000 15:04:08 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-WSS-ID: 14EC905360985-01-01
Content-Type: text/plain;  charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Whoops.  I should pay more attention to deadlines ;).

In the example, the S/MIME capability:

SEQUENCE {
  OBJECT IDENTIFIER
  rc2CBC (1 2 840 113549 3 2)
  INTEGER 160
  }

should probably be:

SEQUENCE {
  OBJECT IDENTIFIER
  rc2CBC (1 2 840 113549 3 2)
  INTEGER 40
  }

(notice the INTEGER 40).  In the capabilities, the keylengths for RC2 are
stored unobfuscated.  Since this is an example, it may not be important that
this be correct.

Blake
--
Blake C. Ramsdell
Tumbleweed Communications (formerly Worldtalk Corp.)
For current info, check http://www.deming.com/users/blaker
Voice +1 425 376 0225 x103  Fax +1 425 376 0915




Received: by ns.secondary.com (8.9.3/8.9.3) id NAA22710 for ietf-smime-bks; Mon, 10 Apr 2000 13:59:22 -0700 (PDT)
Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA22706 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 13:59:21 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com.au ([209.172.119.101]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id OAA08082; Mon, 10 Apr 2000 14:02:16 -0700 (PDT)
Message-Id: <4.2.0.58.20000410163516.00a5d5c0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Mon, 10 Apr 2000 16:37:01 -0400
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
From: Russ Housley <housley@spyrus.com>
Subject: Re: which usercertificate attribute
Cc: ietf-smime@imc.org
In-Reply-To: <200004071722.NAA28346@missi.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Dave:

I am not convinced that LDAP support is a MUST requirement.  S/MIMEv2 
included a mechanism to support clients that are directory-impaired.  So 
far, this capability has remained in S/MIMEv3.

If LDAP is supported, then I agree with the things you say.

Russ


At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:
>The correct attribute in which to publish end-entity certificates is
>the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.
>
>RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
>specify user agent requirements, leaving implementors on their own to
>decide how to retrieve certs.  It mentions X.500 (presumably meaning
>DAP) and DNS, but says:
>
>   "At a minimum, for initial S/MIME deployment, a user agent
>   could automatically generate a message to an intended recipient
>   requesting that recipient's certificate in a signed return
>   message."
>
>For son-of-2632, the first paragraph of section 4 needs to be rewritten
>to reflect the current directory environment.  At that time, it should
>also provide a little more guidance on interoperability.  I suggest:
>
>   "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
>   the LDAP v2 Schema (RFC 2587)."
>
>The new section 4 could mention certdist as an option, but standard
>LDAP should be mandatory.  Certdist could (if modified) be used to
>communicate the recipient's algorithm preferences without containing
>the recipient's certificate(s).
>
>Dave Kemp
>
>
>
>
>
> > From: thayes@netscape.com (Terry Hayes)
> >
> > Thierry Van Doninck wrote:
> >
> > > Hi,
> > >
> > > When I use Netscape Communicator as a mail client, I can 'get' the
>certificates of my correspondents from a ldap directory.
> > > Netscape however looks for a userSMIMEcertificate instead of a
>userCertificate.
> > >
> > > Which is the correct attribute to publish Certificates in ?
> > > I would think that using 1 certificate for all applications would be 
> a lot
>more user friendly.
> > >
> >
> > The userSMIMEcertificate attribute contains additional information 
> about the
>SMIME recipient, in particular the preferred
> > encryption algorithms.  Without this information, the message sender 
> has to
>guess what algorithms would be acceptable.  This is
> > why Communicator used userSMIMEcertificate.
> >
> > More recent versions of SMIME support for Communicator (in particular 
> the PSM
>security add-on) supports retrieval of the
> > certificates from both attributes in the directory.  In addition, PSM has
>support for automatically retrieving certificates
> > from your primary directory (address book) without manual intervention.
> >
> > Terry Hayes
> > thayes@netscape.com



Received: by ns.secondary.com (8.9.3/8.9.3) id NAA22705 for ietf-smime-bks; Mon, 10 Apr 2000 13:59:21 -0700 (PDT)
Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA22701 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 13:59:20 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com.au ([209.172.119.101]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id OAA08077; Mon, 10 Apr 2000 14:02:04 -0700 (PDT)
Message-Id: <4.2.0.58.20000410155350.00a4b640@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Mon, 10 Apr 2000 16:34:33 -0400
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
From: Russ Housley <housley@spyrus.com>
Subject: Re: which usercertificate attribute
Cc: ietf-smime@imc.org
In-Reply-To: <200004071723.NAA28352@missi.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Dave:

Of course, Jim Schaad should be the one to answer this question.  He is the 
author of CERTDIST.  Note:  The CERTDIST document is in Working Group Last 
Call, so if there are issues, they need to be resolved NOW.

The paragraph that you are talking about was added because if comments 
received from Ell Gardner at MITRE.  If memory serves, she was concerned 
about two locations in the Directory for the same information.  The 
paragrah that you quote is Jim Schaad's proposed solution: Get the certs 
from userCertificates and the algorithm preference information 
userSMimeCertificate.

Russ


At 01:22 PM 04/07/2000 -0400, David P. Kemp wrote:

>Russ,
>
>Certdist-04 section 4.5 explains:
>
>   "If the SignedData object is to be published in userSMimeCertificate,
>   the end-entity certificates MAY be omitted from the certificate bag
>   and published in the userCertificates [sic] LDAP attribute instead."
>
>How is an application developer supposed to interpret this requirement?
>I would read it to say that since the EE cert MAY be in either attribute,
>applications MUST look for it in BOTH attributes.  But Terry Hayes'
>posting indicates that (without an add-on) Communicator does not look
>in the userCertificate attribute.
>
>Section 2 justifies the inclusion of a cert path in the SignedData
>object by claiming that in non-X.500 (DAP or LDAP) directories it is
>difficult to impossible to obtain CA certificates.  But it does not
>follow through with that logic by *not* requiring a full cert path when
>the object *is* stored in an LDAP directory.
>
>Section 4.3 should be changed from:
>
>   "A chain of certificate from the end-entitycertificate(s) to the root
>   certificate(s) MUST be included in the CertificateSet."
>
>to:
>
>   "A chain of certificate from the end-entitycertificate(s) to the root
>   certificate(s) MUST be included in the CertificateSet unless the
>   SignedData object is published in userSMimeCertificate, in which case
>   the CertificateSet MUST be empty."
>
>and section 4.5 should be adjusted accordingly.
>
>This would ensure that when using LDAP, applications always use the
>PKIX-standard locations for both CA and EE certificates.
>
>Dave Kemp
>
>
>
>
> > From: Russ Housley <housley@spyrus.com>
> >
> > See draft-ietf-smime-certdist-04.txt for a description of
> > userSMimeCertificate.  I think the document does a good job explaining why
> > userSMimeCertificate and userCertificate both exist.
> >
> > Russ



Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15456 for ietf-smime-bks; Mon, 10 Apr 2000 07:54:41 -0700 (PDT)
Received: from po2.bbn.com (PO2.BBN.COM [192.1.50.36]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15451 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 07:54:39 -0700 (PDT)
Received: from wwilliams4 (wwilliams2.bbn.com [171.78.1.7]) by po2.bbn.com (8.9.1/8.9.1) with SMTP id KAA10546; Mon, 10 Apr 2000 10:58:12 -0400 (EDT)
From: "Walter Williams" <walter.williams@genuity.com>
To: "Aram Perez" <aperez@syndata.com>, <ietf-smime@imc.org>
Subject: RE: which usercertificate attribute
Date: Mon, 10 Apr 2000 10:49:49 -0400
Message-ID: <GOENLDDMNGGIIALPLGOEOEBACCAA.walter.williams@genuity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
In-Reply-To: <D92EE22C97C3D311855E005004E0CBF003369C@MARS>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Actually, smimeUserCertificate and userCertificate objects are both part of
the IETF standard organizationalPerson and inetOrgPerson schemas.  The first
is RFC2256 if my memory does not fail me and the second is a draft on the
standards track, and has been widely adopted in the industry.  Therefor:
There is a standard LDAP schema which you can use

Walter Williams
TSD
Senior IT Analyst
Genuity

Please note: GTE Internetworking is now Genuity

-----Original Message-----
From: owner-ietf-smime@mail.imc.org
[mailto:owner-ietf-smime@mail.imc.org]On Behalf Of Aram Perez
Sent: Monday, April 10, 2000 9:54 AM
To: ietf-smime@imc.org
Subject: RE: which usercertificate attribute


David is right. Why have standards if you can't interoperate with other
implementations? Over a year ago I asked if there was a standard way of
getting a user's certificate from an LDAP directory. While I received a
number of replys, not one reply said: There is a standard LDAP schema which
you can use.

Regards,
Aram Perez

-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Monday, April 10, 2000 8:46 AM
To: ietf-smime@imc.org
Subject: Re: which usercertificate attribute


Peter,

Bob put the right words in my mouth :-).  IETF specifications use
"MUST", "SHOULD", and "MAY" in a uniform manner to enhance the
ability to interoperate.  MUST always means "must implement",
not "must use".

But I meant mandatory in an even more limited sense:  *if* applications
are going to support LDAP (i.e. X.500 directory attributes) to retrieve
certs, then they MUST be able to do it in accordance with the
standard LDAP schema.

Dave



> To: ietf-smime@imc.org
> Subject: Re: which usercertificate attribute
>
> "David P. Kemp" <dpkemp@missi.ncsc.mil> writes:
>
> >The new section 4 could mention certdist as an option, but standard LDAP
> >should be mandatory.
>
> Why should it be mandatory?  I can see that saying that finding a cert is
> a good idea, but mandating it is not (there will always be situations
where
> it doesn't make sense), and mandating one particular way of doing it is
even
> worse - even if you are in a situation where retrieving a cert is useful,
> being forced to do it via LDAP is an unnecessary restriction.
>
> Peter.



Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15064 for ietf-smime-bks; Mon, 10 Apr 2000 07:29:43 -0700 (PDT)
Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15060 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 07:29:42 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com.au ([209.172.119.101]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id HAA03395; Mon, 10 Apr 2000 07:32:23 -0700 (PDT)
Message-Id: <4.2.0.58.20000410092030.00a5db60@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
X-Priority: 2 (High)
Date: Mon, 10 Apr 2000 09:46:44 -0400
To: jis@mit.edu, MLeech@nortel.ca
From: Russ Housley <housley@spyrus.com>
Subject: Ready for IETF Last Call: draft-ietf-smime-cast-128-02.txt
Cc: ietf-smime@imc.org, ietf-secretary@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Jeff & Marcus:

The S/MIME Working Group is finished with the CAST-128 algorithm 
specification.  It is ready for IETF Last Call and publication as a 
Proposed Standard RFC.

Russ



Received: by ns.secondary.com (8.9.3/8.9.3) id GAA14439 for ietf-smime-bks; Mon, 10 Apr 2000 06:51:17 -0700 (PDT)
Received: from mars.syndata.com ([208.195.248.153]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA14435 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 06:51:16 -0700 (PDT)
Received: by MARS with Internet Mail Service (5.5.2650.21) id <2JTDM7AN>; Mon, 10 Apr 2000 09:54:05 -0400
Message-ID: <D92EE22C97C3D311855E005004E0CBF003369C@MARS>
From: Aram Perez <aperez@syndata.com>
To: ietf-smime@imc.org
Subject: RE: which usercertificate attribute
Date: Mon, 10 Apr 2000 09:53:59 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

David is right. Why have standards if you can't interoperate with other
implementations? Over a year ago I asked if there was a standard way of
getting a user's certificate from an LDAP directory. While I received a
number of replys, not one reply said: There is a standard LDAP schema which
you can use.

Regards,
Aram Perez

-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Monday, April 10, 2000 8:46 AM
To: ietf-smime@imc.org
Subject: Re: which usercertificate attribute


Peter,

Bob put the right words in my mouth :-).  IETF specifications use
"MUST", "SHOULD", and "MAY" in a uniform manner to enhance the
ability to interoperate.  MUST always means "must implement",
not "must use".

But I meant mandatory in an even more limited sense:  *if* applications
are going to support LDAP (i.e. X.500 directory attributes) to retrieve
certs, then they MUST be able to do it in accordance with the 
standard LDAP schema.

Dave



> To: ietf-smime@imc.org
> Subject: Re: which usercertificate attribute
> 
> "David P. Kemp" <dpkemp@missi.ncsc.mil> writes:
> 
> >The new section 4 could mention certdist as an option, but standard LDAP 
> >should be mandatory.  
> 
> Why should it be mandatory?  I can see that saying that finding a cert is
> a good idea, but mandating it is not (there will always be situations
where
> it doesn't make sense), and mandating one particular way of doing it is
even
> worse - even if you are in a situation where retrieving a cert is useful,
> being forced to do it via LDAP is an unnecessary restriction.
> 
> Peter.


Received: by ns.secondary.com (8.9.3/8.9.3) id FAA13432 for ietf-smime-bks; Mon, 10 Apr 2000 05:43:08 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA13428 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 05:43:07 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id IAA17891 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 08:45:29 -0400 (EDT)
Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by roadblock.missi.ncsc.mil with ESMTP id IAA17887 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 08:45:29 -0400 (EDT)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.57.72]) by missi.ncsc.mil (8.8.8/8.8.8) with SMTP id IAA07830 for <ietf-smime@imc.org>; Mon, 10 Apr 2000 08:46:21 -0400 (EDT)
Message-Id: <200004101246.IAA07830@missi.ncsc.mil>
Date: Mon, 10 Apr 2000 08:46:00 -0400 (EDT)
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Subject: Re: which usercertificate attribute
To: ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: JJI8xtBbRS6Zc6mSf2Yuhg==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc 
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Peter,

Bob put the right words in my mouth :-).  IETF specifications use
"MUST", "SHOULD", and "MAY" in a uniform manner to enhance the
ability to interoperate.  MUST always means "must implement",
not "must use".

But I meant mandatory in an even more limited sense:  *if* applications
are going to support LDAP (i.e. X.500 directory attributes) to retrieve
certs, then they MUST be able to do it in accordance with the 
standard LDAP schema.

Dave



> To: ietf-smime@imc.org
> Subject: Re: which usercertificate attribute
> 
> "David P. Kemp" <dpkemp@missi.ncsc.mil> writes:
> 
> >The new section 4 could mention certdist as an option, but standard LDAP 
> >should be mandatory.  
> 
> Why should it be mandatory?  I can see that saying that finding a cert is
> a good idea, but mandating it is not (there will always be situations where
> it doesn't make sense), and mandating one particular way of doing it is even
> worse - even if you are in a situation where retrieving a cert is useful,
> being forced to do it via LDAP is an unnecessary restriction.
> 
> Peter.



Received: by ns.secondary.com (8.9.3/8.9.3) id WAA05388 for ietf-smime-bks; Sat, 8 Apr 2000 22:03:39 -0700 (PDT)
Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id WAA05382 for <ietf-smime@imc.org>; Sat, 8 Apr 2000 22:03:37 -0700 (PDT)
Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Sat, 08 Apr 2000 23:06:28 -0600
Message-Id: <s8efbb74.030@prv-mail20.provo.novell.com>
X-Mailer: Novell GroupWise Internet Agent 5.5.3.1
Date: Sat, 08 Apr 2000 23:06:19 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: <pgut001@cs.aucKland.ac.nz>, <ietf-smime@imc.org>
Subject: Re: which usercertificate attribute
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=_6B32AEC4.FC9D72C4"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a MIME message. If you are reading this text, you may want to 
consider changing to a mail reader or gateway that understands how to 
properly handle MIME multipart messages.

--=_6B32AEC4.FC9D72C4
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Peter,

At the risk of putting words in David's mouth, I think he was trying to =
define a=20
mandatory minimum environment that compliant software could be assumed=20
to support, so as to help ensure interoperability.

That certainly shouldn't preclude retrieving certificates some other way, =
of=20
course.

Bob

>>> Peter Gutmann <pgut001@cs.aucKland.ac.nz> 04/08/00 09:34AM >>>
"David P. Kemp" <dpkemp@missi.ncsc.mil> writes:

>The new section 4 could mention certdist as an option, but standard =
LDAP=20
>should be mandatory. =20

Why should it be mandatory?  I can see that saying that finding a cert is
a good idea, but mandating it is not (there will always be situations =
where
it doesn't make sense), and mandating one particular way of doing it is =
even
worse - even if you are in a situation where retrieving a cert is useful,
being forced to do it via LDAP is an unnecessary restriction.

Peter.

--=_6B32AEC4.FC9D72C4
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type=
>
<META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD>
<BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: =
2px">
<DIV><FONT size=3D1>Peter,</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV>At the risk of putting words in David's mouth, I think he was trying =
to=20
define a </DIV>
<DIV>mandatory minimum environment that compliant software could be =
assumed=20
</DIV>
<DIV>to support, so as to help ensure interoperability.</DIV>
<DIV>&nbsp;</DIV>
<DIV>That certainly shouldn't preclude retrieving certificates some other =
way,=20
of </DIV>
<DIV>course.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Bob<BR><BR>&gt;&gt;&gt; Peter Gutmann &lt;pgut001@cs.aucKland.ac.nz&gt=
;=20
04/08/00 09:34AM &gt;&gt;&gt;<BR>"David P. Kemp" &lt;dpkemp@missi.ncsc.mil&=
gt;=20
writes:<BR><BR>&gt;The new section 4 could mention certdist as an option, =
but=20
standard LDAP <BR>&gt;should be mandatory.&nbsp; <BR><BR>Why should it =
be=20
mandatory?&nbsp; I can see that saying that finding a cert is<BR>a good =
idea,=20
but mandating it is not (there will always be situations where<BR>it =
doesn't=20
make sense), and mandating one particular way of doing it is even<BR>worse =
-=20
even if you are in a situation where retrieving a cert is useful,<BR>being=
=20
forced to do it via LDAP is an unnecessary=20
restriction.<BR><BR>Peter.<BR><BR></DIV></BODY></HTML>

--=_6B32AEC4.FC9D72C4--


Received: by ns.secondary.com (8.9.3/8.9.3) id NAA05493 for ietf-smime-bks; Sat, 8 Apr 2000 13:38:21 -0700 (PDT)
Received: from relay2.sion.com (root@relay2.sion.com [200.43.36.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA05479 for <ietf-smime@imc.org>; Sat, 8 Apr 2000 13:38:18 -0700 (PDT)
Received: from PROXY (smtp.sion.com [200.43.36.110]) by relay2.sion.com (8.9.3/8.9.3) with ESMTP id RAA17625 for <ietf-smime@imc.org>; Sat, 8 Apr 2000 17:56:43 -0300
Received: from intranet - 200.43.37.94 by sion.net with Microsoft SMTPSVC; Sat, 8 Apr 2000 17:38:27 -0300
From: "PortalProfesional.com" <info@portalprofesional.com>
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Date: Sat, 08 Apr 2000 17:40:10 -0300
Subject: LEAME, ES IMPORTANTE - www.portalprofesional.com
Reply-To: info@portalprofesional.com
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 1
Message-ID: <012682738200840PROXY@sion.net>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Muchas Preguntas:
- Estas Buscando Empleo?
- Tienes empleo pero quieres uno mejor?
- No sabes donde dejar tu Curriculum?
- Eres Profesional o a punto de egresar?
- Ud es una Empresa y necesita hacer publicidad?
- Necesitas EMAIL Gratis?
- Necesitas Pagina Web Gratis?
- Ud es una Consultora o Empresa y necesita publicar sus Busquedas Laborales?
- Nunca encuentras lo que buscas en Internet?

UNA SOLA RESPUESTA: www.portalprofesional.com


VISITANOS. No te vas a arrepentir!
ICQ: 64451825
www.portalprofesional.com.ar





Received: by ns.secondary.com (8.9.3/8.9.3) id OAA13517 for ietf-smime-bks; Fri, 7 Apr 2000 14:31:14 -0700 (PDT)
Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA13513 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 14:31:12 -0700 (PDT)
Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id JAA13063 for <ietf-smime@imc.org>; Sat, 8 Apr 2000 09:34:23 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <95514326315978>; Sat, 8 Apr 2000 09:34:23 (NZST)
From: pgut001@cs.aucKland.ac.nz (Peter Gutmann)
To: ietf-smime@imc.org
Subject: Re: which usercertificate attribute
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz
Date: Sat, 8 Apr 2000 09:34:23 (NZST)
Message-ID: <95514326315978@kahu.cs.auckland.ac.nz>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

"David P. Kemp" <dpkemp@missi.ncsc.mil> writes:

>The new section 4 could mention certdist as an option, but standard LDAP 
>should be mandatory.  

Why should it be mandatory?  I can see that saying that finding a cert is
a good idea, but mandating it is not (there will always be situations where
it doesn't make sense), and mandating one particular way of doing it is even
worse - even if you are in a situation where retrieving a cert is useful,
being forced to do it via LDAP is an unnecessary restriction.

Peter.



Received: by ns.secondary.com (8.9.3/8.9.3) id MAA11241 for ietf-smime-bks; Fri, 7 Apr 2000 12:00:40 -0700 (PDT)
Received: from cane.deming.com (mail.deming.com [208.236.41.137]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA11236 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 12:00:39 -0700 (PDT)
Received: from 208.236.41.137 by cane.deming.com with ESMTP (WorldSecure Server SMTP Relay(WSS) v4.3); Fri, 07 Apr 00 12:03:22 -0700
X-Server-Uuid: 1a012586-24e9-11d1-adae-00a024bc53c5
Received: by mail.deming.com with Internet Mail Service (5.5.2650.21) id <H63WRZDC>; Fri, 7 Apr 2000 12:03:22 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C594FAAA@mail.deming.com>
From: "Blake Ramsdell" <blake.ramsdell@tumbleweed.com>
To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-smime@imc.org
Subject: RE: which usercertificate attribute
Date: Fri, 7 Apr 2000 12:03:19 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-WSS-ID: 14F0EF7049102-01-01
Content-Type: text/plain;  charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This sounds reasonable.

I presume that there's going to be a round of edits surrounding a magic date
in September...

Blake

-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Friday, April 07, 2000 10:22 AM
To: ietf-smime@imc.org
Subject: Re: which usercertificate attribute


The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.

RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs.  It mentions X.500 (presumably meaning
DAP) and DNS, but says:

  "At a minimum, for initial S/MIME deployment, a user agent
  could automatically generate a message to an intended recipient
  requesting that recipient's certificate in a signed return
  message."

For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment.  At that time, it should
also provide a little more guidance on interoperability.  I suggest:

  "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
  the LDAP v2 Schema (RFC 2587)."

The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory.  Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).

Dave Kemp





> From: thayes@netscape.com (Terry Hayes)
> 
> Thierry Van Doninck wrote:
> 
> > Hi,
> >
> > When I use Netscape Communicator as a mail client, I can 'get' the 
certificates of my correspondents from a ldap directory.
> > Netscape however looks for a userSMIMEcertificate instead of a 
userCertificate.
> >
> > Which is the correct attribute to publish Certificates in ?
> > I would think that using 1 certificate for all applications would be a
lot 
more user friendly.
> >
> 
> The userSMIMEcertificate attribute contains additional information about
the 
SMIME recipient, in particular the preferred
> encryption algorithms.  Without this information, the message sender has
to 
guess what algorithms would be acceptable.  This is
> why Communicator used userSMIMEcertificate.
> 
> More recent versions of SMIME support for Communicator (in particular the
PSM 
security add-on) supports retrieval of the
> certificates from both attributes in the directory.  In addition, PSM has 
support for automatically retrieving certificates
> from your primary directory (address book) without manual intervention.
> 
> Terry Hayes
> thayes@netscape.com




Received: by ns.secondary.com (8.9.3/8.9.3) id KAA09102 for ietf-smime-bks; Fri, 7 Apr 2000 10:20:08 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA09097 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 10:20:07 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id NAA08568 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:22:34 -0400 (EDT)
Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by roadblock.missi.ncsc.mil with ESMTP id NAA08564 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:22:34 -0400 (EDT)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.57.72]) by missi.ncsc.mil (8.8.8/8.8.8) with SMTP id NAA28352 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:23:06 -0400 (EDT)
Message-Id: <200004071723.NAA28352@missi.ncsc.mil>
Date: Fri, 7 Apr 2000 13:22:52 -0400 (EDT)
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Subject: Re: which usercertificate attribute
To: ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: q8nMbHtQLiwjjPX0tKcHwA==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc 
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Russ,

Certdist-04 section 4.5 explains:

  "If the SignedData object is to be published in userSMimeCertificate,
  the end-entity certificates MAY be omitted from the certificate bag
  and published in the userCertificates [sic] LDAP attribute instead."

How is an application developer supposed to interpret this requirement?
I would read it to say that since the EE cert MAY be in either attribute,
applications MUST look for it in BOTH attributes.  But Terry Hayes'
posting indicates that (without an add-on) Communicator does not look
in the userCertificate attribute.

Section 2 justifies the inclusion of a cert path in the SignedData
object by claiming that in non-X.500 (DAP or LDAP) directories it is
difficult to impossible to obtain CA certificates.  But it does not
follow through with that logic by *not* requiring a full cert path when
the object *is* stored in an LDAP directory.

Section 4.3 should be changed from:

  "A chain of certificate from the end-entitycertificate(s) to the root
  certificate(s) MUST be included in the CertificateSet."

to:

  "A chain of certificate from the end-entitycertificate(s) to the root
  certificate(s) MUST be included in the CertificateSet unless the
  SignedData object is published in userSMimeCertificate, in which case
  the CertificateSet MUST be empty."

and section 4.5 should be adjusted accordingly.

This would ensure that when using LDAP, applications always use the
PKIX-standard locations for both CA and EE certificates.

Dave Kemp




> From: Russ Housley <housley@spyrus.com>
> 
> See draft-ietf-smime-certdist-04.txt for a description of 
> userSMimeCertificate.  I think the document does a good job explaining why 
> userSMimeCertificate and userCertificate both exist.
> 
> Russ



Received: by ns.secondary.com (8.9.3/8.9.3) id KAA09054 for ietf-smime-bks; Fri, 7 Apr 2000 10:19:36 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA09050 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 10:19:34 -0700 (PDT)
Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id NAA08499 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:22:02 -0400 (EDT)
Received: from missi.ncsc.mil (depot.missi.ncsc.mil [144.51.60.1]) by roadblock.missi.ncsc.mil with ESMTP id NAA08490 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:22:02 -0400 (EDT)
Received: from ara.missi.ncsc.mil (ara.missi.ncsc.mil [144.51.57.72]) by missi.ncsc.mil (8.8.8/8.8.8) with SMTP id NAA28346 for <ietf-smime@imc.org>; Fri, 7 Apr 2000 13:22:33 -0400 (EDT)
Message-Id: <200004071722.NAA28346@missi.ncsc.mil>
Date: Fri, 7 Apr 2000 13:22:19 -0400 (EDT)
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Subject: Re: which usercertificate attribute
To: ietf-smime@imc.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: e7FyxxG+tmYzlbvZgtpdKQ==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc 
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

The correct attribute in which to publish end-entity certificates is
the one defined by RFC 2587 "LDAPv2 Schema", namely userCertificate.

RFC 2632 "S/MIME Version 3 Certificate Handling", section 4, does not
specify user agent requirements, leaving implementors on their own to
decide how to retrieve certs.  It mentions X.500 (presumably meaning
DAP) and DNS, but says:

  "At a minimum, for initial S/MIME deployment, a user agent
  could automatically generate a message to an intended recipient
  requesting that recipient's certificate in a signed return
  message."

For son-of-2632, the first paragraph of section 4 needs to be rewritten
to reflect the current directory environment.  At that time, it should
also provide a little more guidance on interoperability.  I suggest:

  "At a minimum, S/MIME user agents MUST support LDAP (RFC 2559) and
  the LDAP v2 Schema (RFC 2587)."

The new section 4 could mention certdist as an option, but standard
LDAP should be mandatory.  Certdist could (if modified) be used to
communicate the recipient's algorithm preferences without containing
the recipient's certificate(s).

Dave Kemp





> From: thayes@netscape.com (Terry Hayes)
> 
> Thierry Van Doninck wrote:
> 
> > Hi,
> >
> > When I use Netscape Communicator as a mail client, I can 'get' the 
certificates of my correspondents from a ldap directory.
> > Netscape however looks for a userSMIMEcertificate instead of a 
userCertificate.
> >
> > Which is the correct attribute to publish Certificates in ?
> > I would think that using 1 certificate for all applications would be a lot 
more user friendly.
> >
> 
> The userSMIMEcertificate attribute contains additional information about the 
SMIME recipient, in particular the preferred
> encryption algorithms.  Without this information, the message sender has to 
guess what algorithms would be acceptable.  This is
> why Communicator used userSMIMEcertificate.
> 
> More recent versions of SMIME support for Communicator (in particular the PSM 
security add-on) supports retrieval of the
> certificates from both attributes in the directory.  In addition, PSM has 
support for automatically retrieving certificates
> from your primary directory (address book) without manual intervention.
> 
> Terry Hayes
> thayes@netscape.com



Received: by ns.secondary.com (8.9.3/8.9.3) id IAA03769 for ietf-smime-bks; Thu, 6 Apr 2000 08:40:50 -0700 (PDT)
Received: from thehub.knight-hub.com (root@thehub.knight-hub.com [205.177.16.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA03765 for <ietf-smime@imc.org>; Thu, 6 Apr 2000 08:40:48 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com.au (va.spyrus.com [205.177.169.194]) by thehub.knight-hub.com (8.9.3/8.9.3) with ESMTP id LAA10863; Thu, 6 Apr 2000 11:41:27 -0400
Message-Id: <4.2.0.58.20000406113958.00a4fe00@209.172.119.123>
X-Sender: rhousley#mail.spyrus.com@209.172.119.123
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Thu, 06 Apr 2000 11:43:21 -0400
To: Thierry Van Doninck <Thierry.VanDoninck@dexia.be>
From: Russ Housley <housley@spyrus.com>
Subject: Re: which usercertificate attribute
Cc: ietf-smime <ietf-smime@imc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Thierry:

 > When I use Netscape Communicator as a mail client, I can 'get' the 
certificates of my correspondents from a ldap directory.
 > Netscape however looks for a userSMIMEcertificate instead of a 
userCertificate.
 >
 > Which is the correct attribute to publish Certificates in ?
 > I would think that using 1 certificate for all applications would be a 
lot more user friendly.

See draft-ietf-smime-certdist-04.txt for a description of 
userSMimeCertificate.  I think the document does a good job explaining why 
userSMimeCertificate and userCertificate both exist.

Russ


Received: by ns.secondary.com (8.9.3/8.9.3) id HAA02959 for ietf-smime-bks; Thu, 6 Apr 2000 07:57:56 -0700 (PDT)
Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA02937 for <ietf-smime@imc.org>; Thu, 6 Apr 2000 07:57:51 -0700 (PDT)
Received: from dredd.mcom.com (dredd.mcom.com [205.217.237.54]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA01851 for <ietf-smime@imc.org>; Thu, 6 Apr 2000 07:55:12 -0700 (PDT)
Received: from netscape.com ([206.222.244.213]) by dredd.mcom.com (Netscape Messaging Server 4.1) with ESMTP id FSLOCS00.0OY; Thu, 6 Apr 2000 08:00:28 -0700 
Message-ID: <38ECA68E.A217222@netscape.com>
Date: Thu, 06 Apr 2000 08:00:30 -0700
From: thayes@netscape.com (Terry Hayes)
X-Mailer: Mozilla 4.72 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Thierry Van Doninck <Thierry.VanDoninck@dexia.be>
CC: ietf-smime <ietf-smime@imc.org>
Subject: Re: which usercertificate attribute
References: <0551838EC845D14B*/c=be/admd=publilink/prmd=gkbccb/o=notes/s=SY064/@MHS>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Thierry Van Doninck wrote:

> Hi,
>
> When I use Netscape Communicator as a mail client, I can 'get' the certificates of my correspondents from a ldap directory.
> Netscape however looks for a userSMIMEcertificate instead of a userCertificate.
>
> Which is the correct attribute to publish Certificates in ?
> I would think that using 1 certificate for all applications would be a lot more user friendly.
>

The userSMIMEcertificate attribute contains additional information about the SMIME recipient, in particular the preferred
encryption algorithms.  Without this information, the message sender has to guess what algorithms would be acceptable.  This is
why Communicator used userSMIMEcertificate.

More recent versions of SMIME support for Communicator (in particular the PSM security add-on) supports retrieval of the
certificates from both attributes in the directory.  In addition, PSM has support for automatically retrieving certificates
from your primary directory (address book) without manual intervention.

Terry Hayes
thayes@netscape.com



Received: by ns.secondary.com (8.9.3/8.9.3) id FAA00578 for ietf-smime-bks; Thu, 6 Apr 2000 05:33:16 -0700 (PDT)
Received: from spdl113_tr0.dexia.be (hstcentd.dexia.be [193.91.97.6]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA00574 for <ietf-smime@imc.org>; Thu, 6 Apr 2000 05:33:14 -0700 (PDT)
Date: 06 Apr 2000 14:34:37 +0200
From: Thierry Van Doninck <Thierry.VanDoninck@dexia.be>
To: ietf-smime <ietf-smime@imc.org>
Subject: which usercertificate attribute
Message-Id: <0551838EC845D14B*/c=be/admd=publilink/prmd=gkbccb/o=notes/s=SY064/@MHS>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Hi,

When I use Netscape Communicator as a mail client, I can 'get' the certificates of my correspondents from a ldap directory.
Netscape however looks for a userSMIMEcertificate instead of a userCertificate.

Which is the correct attribute to publish Certificates in ?
I would think that using 1 certificate for all applications would be a lot more user friendly.

I only have one physical passport, why would I need several digital one's ?

Thierry
eMail : thierry.vandoninck@dexia.be


Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07915 for ietf-smime-bks; Tue, 4 Apr 2000 16:47:14 -0700 (PDT)
Received: from poltegor.igo.wroc.pl (poltegor.igo.wroc.pl [156.17.53.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA07910 for <ietf-smime@mail.proper.com>; Tue, 4 Apr 2000 16:47:12 -0700 (PDT)
Received: from kllklk (cranston-ip-2-114.dynamic.ziplink.net [209.206.5.114]) by poltegor.igo.wroc.pl (AIX4.2/UCB 8.7/8.7) with ESMTP id BAA18502; Wed, 5 Apr 2000 01:14:57 +0200 (DFT)
Message-Id: <200004042314.BAA18502@poltegor.igo.wroc.pl>
From: "Wayne" <hjyt76@yahoo.com>
Subject: Top Notch
To: foryou9k@poltegor.igo.wroc.pl
X-Mailer: Microsoft Outlook Express 4..72.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V(null).1712.3
Mime-Version: 1.0
Date: Tue, 04 Apr 2000 18:51:59 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id QAA07911
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

*Earn $2000 - $5000 weekly-starting within 1-4 weeks
*78% Profit Paid Daily
*No Selling
*No Risk Guarantee
*Work from home, No overhead, or employees.
*High Tech Training & Support
*Not MLM, 100x more profitable
*Multibillion Dollar Travel Industry
 
The most incredible part of our business
is that ALL MY CLIENTS CALL ME!
 
DO YOU QUALIFY FOR OUR MENTOR PROGRAM?
ACCEPTING ONLY 12 NEW ASSOCIATES
 
This is not a hobby!  Serious Inquires Only!!

Please reply with the following information 
NAME:
EMAIL ADDRESS:
PHONE:             (Required)
BEST TIME TO CALL:

TO:

mailto:poland4343@bigfoot.com?subject=more_info


FOR MORE INFORMATION

If you are an entrepreneur or have always wanted to be your own BOSS,
read on.  We supply state-of-the-art training and a support system
that allows you to work your business from your home with just a
phone-without cold calling.  DO NOT REPLY IF YOU ARE LOOKING FOR A 
"GET RICH QUICK" SCHEME or some extra cash or if you're lazy.  We are
only looking for  FOCUSED serious entrepreneurs. (Pt/FT) with the
DESIRE to  improve their lifestyle immediately. 

///////////////////////////////////////////////////////////
Please remove at mailto:swaqt@doramail.com?subject=remove
///////////////////////////////////////////////////////////





Received: by ns.secondary.com (8.9.3/8.9.3) id RAA11665 for ietf-smime-bks; Sun, 2 Apr 2000 17:52:25 -0700 (PDT)
Received: from mcaprov.mcanet.com.br (mcaprov.mcanet.com.br [200.194.224.1]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id RAA11661 for <ietf-smime@mail.proper.com>; Sun, 2 Apr 2000 17:52:09 -0700 (PDT)
Received: from kllklk (unverified [38.26.242.199]) by mcaprov.mcanet.com.br (EMWAC SMTPRS 0.83) with SMTP id <B0001254891@mcaprov.mcanet.com.br>; Sun, 02 Apr 2000 20:50:32 +0000
Message-ID: <B0001254891@mcaprov.mcanet.com.br>
From: "Harry" <andty@mail.warmmail.com>
Subject: Increase Your Chances
To: win28sj
X-Mailer: Microsoft Outlook Express 4.72.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V(null).1712.3
Mime-Version: 1.0
Date: Sun, 02 Apr 2000 17:55:04 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id RAA11662
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Are you interested in increasing your odds in winning a lottery?
To Find out how, Print this email, complete the form & fax it to 
407-359-1545

Name: ______________________________

Country: ___________________ST______

Email Address: _____________________

The above information is required to receive information via email



*****************************************************************
This message is sent in compliance of the new email bill
section 301. Per Section 301, Paragraph (a)(2)(C) of S. 1618,
further transmissions to you by the sender of this email may be
stopped at no cost to you.This message is not intended for
residents in the State of WA, CA & VA Screening of addresses
has been done to the best of our technical ability.If you are a 
Washington, Virginia, or California resident please remove
yourself.
=========================================
If you wish to be removed from future mailings, please
Reply to:
mailto:binwk@netscape.net?subject=remove
===================================================





Received: by ns.secondary.com (8.9.3/8.9.3) id LAA08786 for ietf-smime-bks; Sun, 2 Apr 2000 11:29:14 -0700 (PDT)
Received: from www.pressmedia.com.pl ([195.117.30.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA08782 for <ietf-smime@mail.proper.com>; Sun, 2 Apr 2000 11:29:12 -0700 (PDT)
Message-Id: <200004021829.LAA08782@ns.secondary.com>
Received: from cranston-ip-1-193.dynamic.ziplink.net by www.pressmedia.com.pl with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id 2CS50T4D; Sun, 2 Apr 2000 04:37:19 +0200
From: "Greg" <rttm@angelfire.com>
Subject: Between us...
To: look90h
X-Mailer: Mozilla 4.70 [en] (Win95; I)
Mime-Version: 1.0
Date: Sat, 01 Apr 2000 20:52:52 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id LAA08783
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

FREE E-COMMERCE WHEN YOU HOST WITH US!!

Tired of expensive e-commerce software, set up fees and leasing
contracts?
Here is the deal: You host your site with us and you get free E
-Commerce,
including a merchant account, real-time software and shopping cart.

NO ONE CAN BEAT OUR PRICE! IF YOU FIND A BETTER DEAL FOR OUR PACKAGE
ANYWHERE ELSE, WE WILL MATCH OUR COMPETITOR'S PRICE PLUS GIVE YOU THE
FIRST MONTH FOR FREE. 

While others charge you hundreds of dollars to get a merchant account
or
put you on a 48 months non-cancelable lease agreement we charge you
NOTHING for E-commerce when you sign up for our e-commerce hosting
plan. If you wish to stay with your current hosting company you still
can get the same deal. 
Check it out first and make an informed decision. 

You have never seen a package deal like this before:

* Your own merchant account with one of the lowest rates in the
industry
* Real-Time software to accept VISA, MASTERCARD, AMEX,
DISCOVER/NOVUS, DINERSCLUB/CARTE BLANCHE, JCB
* Direct deposit within 48 hrs into your checking account
* Shopping Cart store front software with an easy to use web based
interface
* Real-Time Credit Card Processing software
* Virtual terminal for phone/fax/mail orders
* Automated E-mail receipts to your clients
* Recurring billing feature with batch uploads
* Password generator for membership sites
* Automatic batch closing
* Address verification system (AVS)
* Back office to 24/7 access account history
* 75 MB (megabytes) of disk space
* 30 GB (gigabyte) of data transfer per month
* 25 POP3 E-mail accounts
* Unlimited alias E-mail addresses
* Live web site statistics
* Unlimited FTP uploads
* Anonymous FTP
* CGI directory for your own scripts
* Site control panel
* Installation included
* Tech support included

All this and more when you sign up for our E-Commerce Hosting plan
for ONLY $69.95 per month and a one time set up fee of $199.00.  That
's right. NO ADDITIONAL SET UP FEES or application fees for your
merchant account
real-time software or shopping cart storefront. A one-stop E-Commerce
solution. And the best is:

NO LEASING, NO LONG TERM COMMITMENT. YOU CAN CANCEL ANYTIME.

THIS PRICE APPLIES TO U.S. BASED COMPANIES OR INDIVIDUALS ONLY! 
BUT WE ALSO HAVE A SOLUTION FOR INTERNATIONAL MERCHANTS! 

Please reply to:

mailto:wrkv@pplmail.com?subject=INFO-PLEASE
to receive our FREE information package without obligations.



 
*********************************************************
Remove at mailto:bnm99t@usa.net?subject=remove
*********************************************************





Received: by ns.secondary.com (8.9.3/8.9.3) id UAA16156 for ietf-smime-bks; Sat, 1 Apr 2000 20:11:23 -0800 (PST)
Received: from ttic01.tatung.com.tw (IDENT:root@ttic01.tatung.com.tw [139.223.65.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA16149 for <ietf-smime@mail.proper.com>; Sat, 1 Apr 2000 20:11:19 -0800 (PST)
Received: from kllklk (cranston-ip-1-50.dynamic.ziplink.net [209.206.4.50]) by ttic01.tatung.com.tw (8.9.3/8.9.3) with ESMTP id MAA03816; Sun, 2 Apr 2000 12:11:38 +0800
Message-Id: <200004020411.MAA03816@ttic01.tatung.com.tw>
From: "Greg" <rttm@angelfire.com>
Subject: Between us...
To: look90h@ttic01.tatung.com.tw
X-Mailer: Mozilla 4.70 [en] (Win95; I)
Mime-Version: 1.0
Date: Sat, 01 Apr 2000 22:29:24 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id UAA16150
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

FREE E-COMMERCE WHEN YOU HOST WITH US!!

Tired of expensive e-commerce software, set up fees and leasing
contracts?
Here is the deal: You host your site with us and you get free E
-Commerce,
including a merchant account, real-time software and shopping cart.

NO ONE CAN BEAT OUR PRICE! IF YOU FIND A BETTER DEAL FOR OUR PACKAGE
ANYWHERE ELSE, WE WILL MATCH OUR COMPETITOR'S PRICE PLUS GIVE YOU THE
FIRST MONTH FOR FREE. 

While others charge you hundreds of dollars to get a merchant account
or
put you on a 48 months non-cancelable lease agreement we charge you
NOTHING for E-commerce when you sign up for our e-commerce hosting
plan. If you wish to stay with your current hosting company you still
can get the same deal. 
Check it out first and make an informed decision. 

You have never seen a package deal like this before:

* Your own merchant account with one of the lowest rates in the
industry
* Real-Time software to accept VISA, MASTERCARD, AMEX,
DISCOVER/NOVUS, DINERSCLUB/CARTE BLANCHE, JCB
* Direct deposit within 48 hrs into your checking account
* Shopping Cart store front software with an easy to use web based
interface
* Real-Time Credit Card Processing software
* Virtual terminal for phone/fax/mail orders
* Automated E-mail receipts to your clients
* Recurring billing feature with batch uploads
* Password generator for membership sites
* Automatic batch closing
* Address verification system (AVS)
* Back office to 24/7 access account history
* 75 MB (megabytes) of disk space
* 30 GB (gigabyte) of data transfer per month
* 25 POP3 E-mail accounts
* Unlimited alias E-mail addresses
* Live web site statistics
* Unlimited FTP uploads
* Anonymous FTP
* CGI directory for your own scripts
* Site control panel
* Installation included
* Tech support included

All this and more when you sign up for our E-Commerce Hosting plan
for ONLY $69.95 per month and a one time set up fee of $199.00.  That
's right. NO ADDITIONAL SET UP FEES or application fees for your
merchant account
real-time software or shopping cart storefront. A one-stop E-Commerce
solution. And the best is:

NO LEASING, NO LONG TERM COMMITMENT. YOU CAN CANCEL ANYTIME.

THIS PRICE APPLIES TO U.S. BASED COMPANIES OR INDIVIDUALS ONLY! 
BUT WE ALSO HAVE A SOLUTION FOR INTERNATIONAL MERCHANTS! 

Please reply to:

mailto:wrkv@pplmail.com?subject=INFO-PLEASE
to receive our FREE information package without obligations.



 
*********************************************************
Remove at mailto:bnm99t@usa.net?subject=remove
*********************************************************





Received: by ns.secondary.com (8.9.3/8.9.3) id SAA04926 for ietf-smime-bks; Sat, 1 Apr 2000 18:35:45 -0800 (PST)
Received: from www.pressmedia.com.pl ([195.117.30.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA04911 for <ietf-smime@mail.proper.com>; Sat, 1 Apr 2000 18:35:41 -0800 (PST)
Message-Id: <200004020235.SAA04911@ns.secondary.com>
Received: from cranston-ip-1-193.dynamic.ziplink.net by www.pressmedia.com.pl with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1457.7) id 2CS50T4D; Sun, 2 Apr 2000 04:37:19 +0200
From: "Greg" <rttm@angelfire.com>
Subject: Between us...
To: look90h
X-Mailer: Mozilla 4.70 [en] (Win95; I)
Mime-Version: 1.0
Date: Sat, 01 Apr 2000 20:52:52 -0500
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id SAA04919
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

FREE E-COMMERCE WHEN YOU HOST WITH US!!

Tired of expensive e-commerce software, set up fees and leasing
contracts?
Here is the deal: You host your site with us and you get free E
-Commerce,
including a merchant account, real-time software and shopping cart.

NO ONE CAN BEAT OUR PRICE! IF YOU FIND A BETTER DEAL FOR OUR PACKAGE
ANYWHERE ELSE, WE WILL MATCH OUR COMPETITOR'S PRICE PLUS GIVE YOU THE
FIRST MONTH FOR FREE. 

While others charge you hundreds of dollars to get a merchant account
or
put you on a 48 months non-cancelable lease agreement we charge you
NOTHING for E-commerce when you sign up for our e-commerce hosting
plan. If you wish to stay with your current hosting company you still
can get the same deal. 
Check it out first and make an informed decision. 

You have never seen a package deal like this before:

* Your own merchant account with one of the lowest rates in the
industry
* Real-Time software to accept VISA, MASTERCARD, AMEX,
DISCOVER/NOVUS, DINERSCLUB/CARTE BLANCHE, JCB
* Direct deposit within 48 hrs into your checking account
* Shopping Cart store front software with an easy to use web based
interface
* Real-Time Credit Card Processing software
* Virtual terminal for phone/fax/mail orders
* Automated E-mail receipts to your clients
* Recurring billing feature with batch uploads
* Password generator for membership sites
* Automatic batch closing
* Address verification system (AVS)
* Back office to 24/7 access account history
* 75 MB (megabytes) of disk space
* 30 GB (gigabyte) of data transfer per month
* 25 POP3 E-mail accounts
* Unlimited alias E-mail addresses
* Live web site statistics
* Unlimited FTP uploads
* Anonymous FTP
* CGI directory for your own scripts
* Site control panel
* Installation included
* Tech support included

All this and more when you sign up for our E-Commerce Hosting plan
for ONLY $69.95 per month and a one time set up fee of $199.00.  That
's right. NO ADDITIONAL SET UP FEES or application fees for your
merchant account
real-time software or shopping cart storefront. A one-stop E-Commerce
solution. And the best is:

NO LEASING, NO LONG TERM COMMITMENT. YOU CAN CANCEL ANYTIME.

THIS PRICE APPLIES TO U.S. BASED COMPANIES OR INDIVIDUALS ONLY! 
BUT WE ALSO HAVE A SOLUTION FOR INTERNATIONAL MERCHANTS! 

Please reply to:

mailto:wrkv@pplmail.com?subject=INFO-PLEASE
to receive our FREE information package without obligations.



 
*********************************************************
Remove at mailto:bnm99t@usa.net?subject=remove
*********************************************************