Re: Issues with S/MIME Message Specification

Russ Housley <> Mon, 24 May 1999 16:01 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id MAA09099 for <>; Mon, 24 May 1999 12:01:00 -0400 (EDT)
Received: (from majordomo@localhost) by (8.8.8/8.8.5) id HAA25739 for ietf-smime-bks; Mon, 24 May 1999 07:46:51 -0700 (PDT)
Received: from ( []) by (8.8.8/8.8.5) with ESMTP id HAA25735 for <>; Mon, 24 May 1999 07:46:50 -0700 (PDT)
Received: from ([]) by (8.7.6/8.7.3/arc) with SMTP id HAA06087; Mon, 24 May 1999 07:44:42 -0700 (PDT)
Message-Id: <>
Message-Id: <>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 24 May 1999 10:45:37 -0400
From: Russ Housley <>
Subject: Re: Issues with S/MIME Message Specification
In-Reply-To: <006701bea15d$124b2e60$>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>


In CMS Section 12.3.2, RSA Key Management is a "should" implement
algorithm.  As a result of an editorial error, in CMS Section 12.2, RSA
Signature is a "may" implement algorithm.  I thought that they had the same
"should" status.  This would be consistent with the MSG document.

We went through great pains to include support many, many algorithms in
CMS.  The  "must" implement algorithms to provide a set of interoperable
strong algorithms.  The "should" implement algorithms provide backward
compatibility with S/MIMEv2.  Any other algorithm is considered a "may"
implement algorithm. RSA with OAEP falls into this "may" implement category.

The IETF consistently includes strong algorithms in standards.  If you wish
to discuss this policy, please discuss it in a broader context (not just
S/MIME) with the IETF Security Area Directors (Jeff Schiller and Marcus
Leech).  I have CCed them on this e-mail message, so you have their
addresses.  I do not consider this an approprate topic for the S/MIME mail

I wish you had raised this inconsistency during CMS and MSG Last Call.  The
IESG has approved these documents.  I hope you will raise this topic again
when the documents are considered for Draft Standard status.

  S/MIME WG Chair  &
  CMS Document Editor

At 12:34 PM 5/18/99 -0600, Robert R. Jueneman wrote:
>I sincerely regret not having had sufficient time to review the S/MIME v3
>specs in detail during last call and prior to their moving to Proposed
>Standard, but I believe that there are several changes that absolutely
>must be made before they can progress to final Standard.
>Regarding the S/MIME Version 3 Message Specification,
>draft-ietf-smime-msg-08.txt, I believe that all MUSTs and SHOULDs
>regarding specific cryptographic algorithms should be removed from this
>document, and contained only in the Cryptographic Message Syntax document.
>I can see no reason at all why such things should be specified twice -- it
>just makes conformance checking all that much more difficult.  An example
>of this kind of difficulty is para 2.2 of the S/MIME Message
>Specification, which says that sending and receiving agents SHOULD support
>rsaEncryption, whereas the Cryptographic Message Syntax , para 12.2, says
>that CMS implementations "may" support RSA.  Neither mentions RSA with
>This affects section 2.1, 2.2, and 2.3, and most emphatically section 2.7,
>"ContentEncryption AlgorithmIdentifier", and "Rule 3, Unknown
>Capabilities, Unknown Version of S/MIME."
>Without getting into international politics, at the present time
>triple-DES is not exportable from the US, at the very least, and may very
>well not be importable into some other countries.  Specifying that S/MIME
>agents MUST implement triple-DES therefore presents a vendor with Hobson's
>choice -- they can either chose not to be compliant with the RFC, or they
>can chose not to export their product.  Unfortunately, that is no choice
>at all -- any sane US vendor will choose not to be compliant with the RFC,
>rather than lose perhaps 50% of their market.  The only purpose such a
>red-flag-in-front-of-the-bull statement serves, therefore, is a political
>one, and one that will merely lower the credibility of the IETF and the
>IESG in the vendor and business community.  At most the requirement should
>The second part of 2.7 specifies that receiving agents SHOULD support
>RC2/40 "or a compatible algorithm at a key size of 40 bits..." This
>recommendation suffers from two major problems, in my view. First, it is
>LESS secure than 56-bit DES, which is now acceptable world-wide (with
>perhaps one or two minor exceptions -- not quite clear) for data
>encryption.  And second, it is a proprietary, trade-secret algorithm.  Not
>only is that contrary to the general direction of the IETF in not
>mandating proprietary algorithms, but the fact that it is a trade secret
>(not withstanding the fact that it has been reverse engineered) means that
>there has not been adequate attention paid to its security in the academic
>cryptanalytic community.  RC2 of any size may well be worth considering
>for support, and might deserve RECOMMENDED status, but that should be up
>to the vendor.  If RC2 is required for backwards compatibility with S/MIME
>v2, then a paragraph noting that fact would be appropriate, as was
>provided as the last paragraph under 2.3 ("Note that S/MIME v2 clients are
>only capable of decrypting content encryption keys using the rsaEncryption
>(I am taking this position with no lack of respect for Ron Rivest, whom I
>consider a very able cryptographer.  But I would take that position if God
>Herself had invented but not published some particular algorithm.)
>With respect to, there are two problems. First, it mandates
>triple-DES, which very well may not be available at to the recipient, and
>secondly, it recommends as a fall back position the use of the
>trade-secret RC2/40.  Both statements should be removed. The CMS
>specification should then develop a list of algorithms in rough order of
>strength, to be used for such negotiations as required.
>Finally, somewhere in these documents there is a statement regarding the
>advisability of including the content encryption key encrypted in the
>originator's public key, but despite rereading the documents multiple
>times I can't find that text again.  As I recall, the text said that this
>SHOULD be done.  I would argue that this should be changed to MUST, for I
>can't imagine a situation where the originator of an encrypted message
>would not want to be able to read his own message, for example in an
>outgoing or Sent-Mail queue. He might need to be able to decrypted, and
>even retract it in order to resend it with modifications.  It would not be
>reasonable to rely on the originator to bcc herself to gain this
>capability -- it ought to be required by the spec.
>I will be addressing my concerns with the CMS specification in a
>subsequent message.
>Robert R. Jueneman
>Novell, Inc.
>(See digital signature DISCLAIMER in attached vCard)
>>-----Original Message-----
>>From: []On
>>Behalf Of The IESG
>>Sent: Monday, May 17, 1999 5:26 AM
>>To: IETF-Announce: ;
>>Cc: RFC Editor; Internet Architecture Board;
>>Subject: Protocol Action: Cryptographic Message Syntax to Proposed
>>The IESG has approved publication of the following Internet-Drafts as
>>Proposed Standards:
>> o Cryptographic Message Syntax <draft-ietf-smime-cms-13.txt>
>> o Diffie-Hellman Key Agreement Method <draft-ietf-smime-x942-07.txt>
>> o S/MIME Version 3 Certificate Handling <draft-ietf-smime-cert-08.txt>
>> o S/MIME Version 3 Message Specification <draft-ietf-smime-msg-08.txt>
>> o Enhanced Security Services for S/MIME <draft-ietf-smime-ess-12.txt>
>>These documents are the product of the S/MIME Mail Security Working
>>The IESG contact persons are Jeffrey Schiller and Marcus Leech.
>>Technical Summary
>>These documents describe Version 3 of S/MIME (Secure/Multipurpose
>>Internet Mail Extensions). S/MIME provides for the secure
>>communication of MIME Objects, providing Authentication, Integrity and
>>Confidentiality protection. It can be used wherever MIME is used, as
>>it is fully conformant with the general MIME specifications. The
>>documents here provide for the basic message syntax and semantics as
>>well as the certificate and key management infrastructure
>>required. This work is coordinated and builds upon the work of the
>>IETF X.509 Public Key Infrastructure Working Group (PKIX).
>>In addition to the basic security services mentioned above, several
>>optional services are described. These include signed receipt
>>handling, security labeling of objects, secure mailing lists and
>>signing certificates.
>>Working Group Summary
>>The working group came to consensus on the work described here. A lot
>>of people contributed thoughtful, useful and constructive comments
>>during the review periods which resulted in further improvements
>>reflected in these documents.
>>Jeffrey I. Schiller reviewed the specification for IESG.