RE: RFC2632bis and subjectAltName
"Blake Ramsdell" <blake@brutesquadlabs.com> Thu, 31 July 2003 22:26 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA17282 for <smime-archive@lists.ietf.org>; Thu, 31 Jul 2003 18:26:16 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VLknqt013945 for <ietf-smime-bks@above.proper.com>; Thu, 31 Jul 2003 14:46:49 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6VLknDq013944 for ietf-smime-bks; Thu, 31 Jul 2003 14:46:49 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VLkmqt013939 for <ietf-smime@imc.org>; Thu, 31 Jul 2003 14:46:48 -0700 (PDT) (envelope-from blake@brutesquadlabs.com)
Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Thu, 31 Jul 2003 14:46:45 -0700
From: Blake Ramsdell <blake@brutesquadlabs.com>
To: 'Russ Housley' <housley@vigilsec.com>, ietf-smime@imc.org
Subject: RE: RFC2632bis and subjectAltName
Date: Thu, 31 Jul 2003 14:46:45 -0700
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAXukFi0MaG0qn7guNQ9GShQEAAAAA@brutesquadlabs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <5.2.0.9.2.20030731150810.0363f028@mail.binhost.com>
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
> -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > Sent: Thursday, July 31, 2003 12:37 PM > To: blake@brutesquadlabs.com; ietf-smime@imc.org > Subject: RE: RFC2632bis and subjectAltName > > In practice, if there is not an email address in the certificate, the > client needs to have additional stuff to bind email addresses to > certificates. This could be done in an address book or elsewhere. I agree. This is the way I've written all my clients -- it's an arbitrary binding of any certificate to any email address at the agent level ("agent" has been both standard email clients and S/MIME-enabled servers in my case). An email address present in the certificate is just a hint to me that I should probably bind it to that email address -- the actual binding is a matter of configuration. > What needs to go in the document? Dunno -- I didn't bring this up ;). There are other messages in this thread that might be relevant, specifically from Tony Capel and Alberti Antoine. Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VLknqt013945 for <ietf-smime-bks@above.proper.com>; Thu, 31 Jul 2003 14:46:49 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6VLknDq013944 for ietf-smime-bks; Thu, 31 Jul 2003 14:46:49 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VLkmqt013939 for <ietf-smime@imc.org>; Thu, 31 Jul 2003 14:46:48 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Thu, 31 Jul 2003 14:46:45 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: "'Russ Housley'" <housley@vigilsec.com>, <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Thu, 31 Jul 2003 14:46:45 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAXukFi0MaG0qn7guNQ9GShQEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <5.2.0.9.2.20030731150810.0363f028@mail.binhost.com> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > Sent: Thursday, July 31, 2003 12:37 PM > To: blake@brutesquadlabs.com; ietf-smime@imc.org > Subject: RE: RFC2632bis and subjectAltName > > In practice, if there is not an email address in the certificate, the > client needs to have additional stuff to bind email addresses to > certificates. This could be done in an address book or elsewhere. I agree. This is the way I've written all my clients -- it's an arbitrary binding of any certificate to any email address at the agent level ("agent" has been both standard email clients and S/MIME-enabled servers in my case). An email address present in the certificate is just a hint to me that I should probably bind it to that email address -- the actual binding is a matter of configuration. > What needs to go in the document? Dunno -- I didn't bring this up ;). There are other messages in this thread that might be relevant, specifically from Tony Capel and Alberti Antoine. Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VLUmqt013496 for <ietf-smime-bks@above.proper.com>; Thu, 31 Jul 2003 14:30:48 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6VLUmZR013495 for ietf-smime-bks; Thu, 31 Jul 2003 14:30:48 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6VLUlqt013484 for <ietf-smime@imc.org>; Thu, 31 Jul 2003 14:30:47 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 18182 invoked by uid 0); 31 Jul 2003 21:29:30 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (156.80.234.196) by woodstock.binhost.com with SMTP; 31 Jul 2003 21:29:30 -0000 Message-Id: <5.2.0.9.2.20030731150810.0363f028@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 31 Jul 2003 15:37:19 -0400 To: blake@brutesquadlabs.com, ietf-smime@imc.org From: Russ Housley <housley@vigilsec.com> Subject: RE: RFC2632bis and subjectAltName In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50S wK3EZjypY2MKAAAAQAAAAwG98Sk7zOEWQgT1C0Raw+QEAAAAA@brutesquadlabs.com> References: <5.2.0.9.2.20030729193334.03d5e1e0@mail.binhost.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake: > > I understand that non-email applications of CMS and the associated MIME > > types need other address forms. But, RFC2632bis does not tell an > > implementor what to do fir S/MIME (which is an email application) if the > > certificate does not contain an email address. > >I'm still not clear whether S/MIME means "secure MIME used anywhere MIME >can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for >interpersonal email messaging". Depending on the answer, you will get >different answers if it's necessary to clarify any language about the >absence of email addresses in the certificate. Once could make a statement about email and a separate statement about other MIME-enabled applications if needed. >The relevant text about current processing rules seems to be: > >Sending agents SHOULD make the address in the From or Sender header in >a mail message match an Internet mail address in the signer's >certificate. Receiving agents MUST check that the address in the From >or Sender header of a mail message matches an Internet mail address, >if present, in the signer's certificate, if mail addresses are present >in the certificate. A receiving agent SHOULD provide some explicit >alternate processing of the message if this comparison fails, which >may be to display a message that shows the recipient the addresses in >the certificate or other certificate details. > >So if there are not any email addresses found in the certificate, this >is a mismatch (blank from the certificate doesn't match nonblank from >the From or Sender), and you should go crazy insane and show a hex dump >of the certificate. > >We could clarify that "failure" includes the case where there are zero >email addresses in the certificate... In practice, if there is not an email address in the certificate, the client needs to have additional stuff to bind email addresses to certificates. This could be done in an address book or elsewhere. What needs to go in the document? Russ Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VEpAqt089456 for <ietf-smime-bks@above.proper.com>; Thu, 31 Jul 2003 07:51:10 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6VEpAaQ089455 for ietf-smime-bks; Thu, 31 Jul 2003 07:51:10 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from mx2.magma.ca (mx2.magma.ca [206.191.0.250]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VEp9qt089446 for <ietf-smime@imc.org>; Thu, 31 Jul 2003 07:51:09 -0700 (PDT) (envelope-from capel@comgate.com) Received: from mail1.magma.ca (mail1.magma.ca [206.191.0.252]) by mx2.magma.ca Magma's Mail Server with ESMTP id h6VEp08j013962; Thu, 31 Jul 2003 10:51:00 -0400 Received: from tony (ottawa-hs-209-217-122-183.s-ip.magma.ca [209.217.122.183]) by mail1.magma.ca (Magma's Mail Server) with ESMTP id h6VEoqp4004926; Thu, 31 Jul 2003 10:51:01 -0400 From: "Tony Capel" <capel@comgate.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, "'Russ Housley'" <housley@vigilsec.com>, <jimsch@exmsft.com>, <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Thu, 31 Jul 2003 10:50:52 -0400 Message-ID: <000f01c35773$270aa350$01b5a8c0@tony> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAwG98Sk7zOEWQgT1C0Raw+QEAAAAA@brutesquadlabs.com> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h6VEp9qt089448 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake: The absence of an rfc2822 e-mail address in the certificate should not be considered a "failure" since its absence must have been permitted by the certificate issuer - and we assume (!) that certificates are issued according to issuer policy. The current text (which you quoted) could be incomplete. My interpretation* of the middle sentence of this paragraph is that the check is only mandatory if the address is present (so a comparison to an absent/"blank" field is not mandatory). The following sentence then suggests what action to take if the check/comparison fails. Since if the comparison is not done, it will not fail, one could interpret that no indication is required if the address is absent from the cert. The paragraph following the quoted one addresses the display of the signer's identity: A receiving agent SHOULD display a subject name or other certificate details when displaying an indication of successful or unsuccessful signature verification. Should this be stronger in cases where the certificate has an absent rfc2822 field (and no check against the From: header field was done)? Maybe adding the sentence between these two paragraphs: "Receiving agents which do not perform the foregoing check due to the absence of an address in the certificate MUST display the subject name from the certificate when displaying an indication of successful or unsuccessful signature verification." -leaving the following paragraph as a SHOULD, strongly encouraging additional information to be displayed in this and all other cases. Tony * I interpret the phrase: "if mail addresses are present in the Certificate" to be a qualifier for the "MUST" in this sentence. | -----Original Message----- | From: owner-ietf-smime@mail.imc.org | [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Blake Ramsdell | Sent: July 31, 2003 12:53 AM | To: 'Russ Housley'; jimsch@exmsft.com; ietf-smime@imc.org | Subject: RE: RFC2632bis and subjectAltName | | | | > -----Original Message----- | > From: Russ Housley [mailto:housley@vigilsec.com] | > Sent: Tuesday, July 29, 2003 4:36 PM | > To: jimsch@exmsft.com; 'Blake Ramsdell'; ietf-smime@imc.org | > Subject: RE: RFC2632bis and subjectAltName | > | > I understand that non-email applications of CMS and the | > associated MIME | > types need other address forms. But, RFC2632bis does not tell an | > implementor what to do fir S/MIME (which is an email | > application) if the | > certificate does not contain an email address. | | I'm still not clear whether S/MIME means "secure MIME used | anywhere MIME can be used, such as XMPP or BEEP" or S/MIME | means "secure MIME used for interpersonal email messaging". | Depending on the answer, you will get different answers if | it's necessary to clarify any language about the absence of | email addresses in the certificate. | | The relevant text about current processing rules seems to be: | | | Sending agents SHOULD make the address in the From or Sender | header in a mail message match an Internet mail address in | the signer's certificate. Receiving agents MUST check that | the address in the From or Sender header of a mail message | matches an Internet mail address, if present, in the signer's | certificate, if mail addresses are present in the | certificate. A receiving agent SHOULD provide some explicit | alternate processing of the message if this comparison fails, | which may be to display a message that shows the recipient | the addresses in the certificate or other certificate details. | | | So if there are not any email addresses found in the | certificate, this is a mismatch (blank from the certificate | doesn't match nonblank from the From or Sender), and you | should go crazy insane and show a hex dump of the certificate. | | We could clarify that "failure" includes the case where there | are zero email addresses in the certificate... | | Blake | Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6VE4kqt082471 for <ietf-smime-bks@above.proper.com>; Thu, 31 Jul 2003 07:04:46 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6VE4kee082470 for ietf-smime-bks; Thu, 31 Jul 2003 07:04:46 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from sopragroup.com (smtp1.zpar1.sopragroup.com [213.223.36.98]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6VE4iqt082438 for <ietf-smime@imc.org>; Thu, 31 Jul 2003 07:04:45 -0700 (PDT) (envelope-from aalberti@axway.com) Received: (qmail 5228 invoked from network); 31 Jul 2003 14:04:37 -0000 Received: from Antivirus (HELO Antivirus) (Antivirus@Antivirus) by smtp1.sopragroup.com with SMTP; 31 Jul 2003 14:04:37 -0000 Received: by nt1022.pa.sopra with Internet Mail Service (5.5.2653.19) id <PXB0FRL3>; Thu, 31 Jul 2003 16:04:36 +0200 Message-ID: <2B77C2DE2313254A9065D1C3B68A0CFE1A7917@nt1022.pa.sopra> From: Alberti Antoine <aalberti@axway.com> To: "'ietf-smime@imc.org'" <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Thu, 31 Jul 2003 16:04:35 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > I'm still not clear whether S/MIME means "secure MIME used anywhere MIME > can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for > interpersonal email messaging". Depending on the answer, you will get > different answers if it's necessary to clarify any language about the > absence of email addresses in the certificate. I agree. S/MIME is already used in AS2 (secured EDI), in an HTTP based protocol. From my point of view, S/MIME is only a way of wrapping data, and should not be mixed with the transport. So, managing e-mail addresses, or URIs, or anything concerning transport is a problem when implementing an S/MIME module that can be used in both (or more) contexts. I am presently developping such a module, and facing such issues. And the only solution is to let upper modules (AS1, AS2, S/MIME secured SMTP,...) handle the constraints brought by the transport layer, or just ignore them, which is the case with the subjectAltName. I'm sorry not to be compliant with the SHOULD statement we are discussing, but what can I do? Best regards. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6V4qqqt022167 for <ietf-smime-bks@above.proper.com>; Wed, 30 Jul 2003 21:52:52 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6V4qqkt022166 for ietf-smime-bks; Wed, 30 Jul 2003 21:52:52 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6V4qpqt022158 for <ietf-smime@imc.org>; Wed, 30 Jul 2003 21:52:52 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Wed, 30 Jul 2003 21:52:49 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: "'Russ Housley'" <housley@vigilsec.com>, <jimsch@exmsft.com>, <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Wed, 30 Jul 2003 21:52:49 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAwG98Sk7zOEWQgT1C0Raw+QEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <5.2.0.9.2.20030729193334.03d5e1e0@mail.binhost.com> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > Sent: Tuesday, July 29, 2003 4:36 PM > To: jimsch@exmsft.com; 'Blake Ramsdell'; ietf-smime@imc.org > Subject: RE: RFC2632bis and subjectAltName > > I understand that non-email applications of CMS and the > associated MIME > types need other address forms. But, RFC2632bis does not tell an > implementor what to do fir S/MIME (which is an email > application) if the > certificate does not contain an email address. I'm still not clear whether S/MIME means "secure MIME used anywhere MIME can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for interpersonal email messaging". Depending on the answer, you will get different answers if it's necessary to clarify any language about the absence of email addresses in the certificate. The relevant text about current processing rules seems to be: Sending agents SHOULD make the address in the From or Sender header in a mail message match an Internet mail address in the signer's certificate. Receiving agents MUST check that the address in the From or Sender header of a mail message matches an Internet mail address, if present, in the signer's certificate, if mail addresses are present in the certificate. A receiving agent SHOULD provide some explicit alternate processing of the message if this comparison fails, which may be to display a message that shows the recipient the addresses in the certificate or other certificate details. So if there are not any email addresses found in the certificate, this is a mismatch (blank from the certificate doesn't match nonblank from the From or Sender), and you should go crazy insane and show a hex dump of the certificate. We could clarify that "failure" includes the case where there are zero email addresses in the certificate... Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TNZsqt094818 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 16:35:54 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TNZstj094816 for ietf-smime-bks; Tue, 29 Jul 2003 16:35:54 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6TNZrqt094811 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 16:35:53 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 4133 invoked by uid 0); 29 Jul 2003 23:34:37 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.93.183) by woodstock.binhost.com with SMTP; 29 Jul 2003 23:34:37 -0000 Message-Id: <5.2.0.9.2.20030729193334.03d5e1e0@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 29 Jul 2003 19:35:50 -0400 To: <jimsch@exmsft.com>, "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> From: Russ Housley <housley@vigilsec.com> Subject: RE: RFC2632bis and subjectAltName In-Reply-To: <003201c3561d$e1a20d40$1400a8c0@augustcellars.local> References: <5.2.0.9.2.20030729170657.049eef68@mail.binhost.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Jim: I understand that non-email applications of CMS and the associated MIME types need other address forms. But, RFC2632bis does not tell an implementor what to do fir S/MIME (which is an email application) if the certificate does not contain an email address. Russ At 03:08 PM 7/29/2003 -0700, Jim Schaad wrote: >Russ, > >There was a big discussion about #1. -- It is a question not a >statement. The result was that this should not be required (at least >for non e-mail applications). > >jim Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TM7cqt087931 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 15:07:38 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TM7cuk087930 for ietf-smime-bks; Tue, 29 Jul 2003 15:07:38 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.173]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TM7bqt087924 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 15:07:37 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.c132.blk1.bel.nwlink.com [209.20.132.237]) by smtp3.pacifier.net (Postfix) with ESMTP id 1CEB26DB3A; Tue, 29 Jul 2003 15:07:38 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Russ Housley'" <housley@vigilsec.com>, "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Tue, 29 Jul 2003 15:08:02 -0700 Message-ID: <003201c3561d$e1a20d40$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal In-Reply-To: <5.2.0.9.2.20030729170657.049eef68@mail.binhost.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Russ, There was a big discussion about #1. -- It is a question not a statement. The result was that this should not be required (at least for non e-mail applications). jim > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Russ Housley > Sent: Tuesday, July 29, 2003 2:08 PM > To: Blake Ramsdell; ietf-smime@imc.org > Subject: RE: RFC2632bis and subjectAltName > > > > Blake: > > I do not think that the specification does #1. SHOULD is > very different > than "required." > > Russ > > > At 02:04 PM 7/29/2003 -0700, Blake Ramsdell wrote: > > > -----Original Message----- > > > From: owner-ietf-smime@mail.imc.org > > > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Russ Housley > > > Sent: Tuesday, July 29, 2003 9:14 AM > > > To: ietf-smime@imc.org > > > Subject: RFC2632bis and subjectAltName > > > > > > The document says: > > > > > > The email address SHOULD be in the subjectAltName extension > > > > > > This is exactly the same thing that RFC 2632 says. > > > > > > If the certificate does not bind the public key to the email > > > address, how is this done? Should we mandate an alternate > > > mechanism? Or, should we > > > change "SHOULD" to "MUST?" > > > >I think that the current spec tries to address at least two issues > >here: > > > >1. Is it required that an email address be present in the certificate > > > >2. If the email address is present, where should it be > located (subject > >DN vs. subjectAltName) > > > >Are you asking about: > > > >3. How do we understand if the CA was putting the email > address in the > >certificate purely for informational reasons vs. actually doing some > >work to make sure that the public key "belongs" to that email address > > > >If so, I have no idea -- it's "do what PKIX says" in this case. > > > >Blake > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TL85qt085720 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 14:08:05 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TL85Xb085719 for ietf-smime-bks; Tue, 29 Jul 2003 14:08:05 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6TL83qt085713 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 14:08:04 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 29793 invoked by uid 0); 29 Jul 2003 21:06:48 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.5.90) by woodstock.binhost.com with SMTP; 29 Jul 2003 21:06:48 -0000 Message-Id: <5.2.0.9.2.20030729170657.049eef68@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 29 Jul 2003 17:07:57 -0400 To: "Blake Ramsdell" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> From: Russ Housley <housley@vigilsec.com> Subject: RE: RFC2632bis and subjectAltName In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50S wK3EZjypY2MKAAAAQAAAAx8oh99NkkUqvZUnyoqkGnwEAAAAA@brutesquadlabs.com> References: <5.2.0.9.2.20030729120833.049d86c8@mail.binhost.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake: I do not think that the specification does #1. SHOULD is very different than "required." Russ At 02:04 PM 7/29/2003 -0700, Blake Ramsdell wrote: > > -----Original Message----- > > From: owner-ietf-smime@mail.imc.org > > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Russ Housley > > Sent: Tuesday, July 29, 2003 9:14 AM > > To: ietf-smime@imc.org > > Subject: RFC2632bis and subjectAltName > > > > The document says: > > > > The email address SHOULD be in the subjectAltName extension > > > > This is exactly the same thing that RFC 2632 says. > > > > If the certificate does not bind the public key to the email > > address, how > > is this done? Should we mandate an alternate mechanism? Or, > > should we > > change "SHOULD" to "MUST?" > >I think that the current spec tries to address at least two issues here: > >1. Is it required that an email address be present in the certificate > >2. If the email address is present, where should it be located (subject >DN vs. subjectAltName) > >Are you asking about: > >3. How do we understand if the CA was putting the email address in the >certificate purely for informational reasons vs. actually doing some >work to make sure that the public key "belongs" to that email address > >If so, I have no idea -- it's "do what PKIX says" in this case. > >Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TL4wqt085613 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 14:04:58 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TL4wg5085612 for ietf-smime-bks; Tue, 29 Jul 2003 14:04:58 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TL4vqt085605 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 14:04:57 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Tue, 29 Jul 2003 14:04:54 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: "'Russ Housley'" <housley@vigilsec.com>, <ietf-smime@imc.org> Subject: RE: RFC2632bis and subjectAltName Date: Tue, 29 Jul 2003 14:04:54 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAx8oh99NkkUqvZUnyoqkGnwEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <5.2.0.9.2.20030729120833.049d86c8@mail.binhost.com> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Russ Housley > Sent: Tuesday, July 29, 2003 9:14 AM > To: ietf-smime@imc.org > Subject: RFC2632bis and subjectAltName > > The document says: > > The email address SHOULD be in the subjectAltName extension > > This is exactly the same thing that RFC 2632 says. > > If the certificate does not bind the public key to the email > address, how > is this done? Should we mandate an alternate mechanism? Or, > should we > change "SHOULD" to "MUST?" I think that the current spec tries to address at least two issues here: 1. Is it required that an email address be present in the certificate 2. If the email address is present, where should it be located (subject DN vs. subjectAltName) Are you asking about: 3. How do we understand if the CA was putting the email address in the certificate purely for informational reasons vs. actually doing some work to make sure that the public key "belongs" to that email address If so, I have no idea -- it's "do what PKIX says" in this case. Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TGDoqt070658 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 09:13:50 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TGDoEX070656 for ietf-smime-bks; Tue, 29 Jul 2003 09:13:50 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6TGDnqt070647 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 09:13:49 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 13761 invoked by uid 0); 29 Jul 2003 16:12:32 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.164.124) by woodstock.binhost.com with SMTP; 29 Jul 2003 16:12:32 -0000 Message-Id: <5.2.0.9.2.20030729120833.049d86c8@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 29 Jul 2003 12:13:31 -0400 To: ietf-smime@imc.org From: Russ Housley <housley@vigilsec.com> Subject: RFC2632bis and subjectAltName Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> The document says: The email address SHOULD be in the subjectAltName extension This is exactly the same thing that RFC 2632 says. If the certificate does not bind the public key to the email address, how is this done? Should we mandate an alternate mechanism? Or, should we change "SHOULD" to "MUST?" Russ Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TF83qt068379 for <ietf-smime-bks@above.proper.com>; Tue, 29 Jul 2003 08:08:03 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6TF83Bf068378 for ietf-smime-bks; Tue, 29 Jul 2003 08:08:03 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6TF81qt068371 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 08:08:01 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h6TF7uOA022242 for <ietf-smime@imc.org>; Wed, 30 Jul 2003 03:07:56 +1200 Received: (from pgut001@localhost) by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h6TF7up11514 for ietf-smime@imc.org; Wed, 30 Jul 2003 03:07:56 +1200 Date: Wed, 30 Jul 2003 03:07:56 +1200 Message-Id: <200307291507.h6TF7up11514@medusa01.cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-smime@imc.org Subject: Off-list discussion of RTCS: An update Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> I wrote: >In order to resolve this problem, I'd like to invite anyone who's interested >in discussing things further, or who's currently part of one of the private >threads, to join the off-list discussion. It's not a real mailing list, just >a list of cc'd addresses, I can also bcc you if you'd prefer to lurk >anonymously. Due to the number of requests, this is now being handled as a standard mailing list rather than via cc:/bcc:, which would have been a bit unwieldy. Anyone interested can join by sending mail to rtcs-request@mbsks.franken.de with 'subscribe' in the subject line, in the standard fashion. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6SH6Mqt072475 for <ietf-smime-bks@above.proper.com>; Mon, 28 Jul 2003 10:06:22 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6SH6MC0072474 for ietf-smime-bks; Mon, 28 Jul 2003 10:06:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from moorabbin.nexor.co.uk (moorabbin.nexor.co.uk [80.6.88.100]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6SH6Lqt072468 for <ietf-smime@imc.org>; Mon, 28 Jul 2003 10:06:21 -0700 (PDT) (envelope-from Graeme.Lunt@nexor.co.uk) Received: from typhoon (actually host 210.53.63.193.in-addr.arpa) by moorabbin.nexor.co.uk with ESMTP (Mailer) with ESMTP; Mon, 28 Jul 2003 18:03:27 +0100 Reply-To: "g.lunt" <Graeme.Lunt@nexor.co.uk> From: Graeme Lunt <Graeme.Lunt@nexor.co.uk> To: "'Russ Housley'" <housley@vigilsec.com> Cc: "'ietf-smime'" <ietf-smime@imc.org> Subject: RE: Signed Receipts and Mail Lists Date: Mon, 28 Jul 2003 18:05:28 +0100 Organization: Nexor Message-ID: <009001c3552a$723d8e50$d2353fc1@nexor.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 Importance: Normal In-Reply-To: <5.2.0.9.2.20030722224635.0414f4d8@mail.binhost.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Spam-Status: No, hits=-101.0 required=5.0 tests=IN_REP_TO,NOSPAM_INC,QUOTED_EMAIL_TEXT,SPAM_PHRASE_00_01, USER_IN_WHITELIST version=2.43 X-Spam-Level: Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Russ, > When we designed the MLA mechanism, we assumed that each mail > list would have a separate key pair and certificate. I do not > think that this is an unreasonable assumption. Today, Web servers > that support more than one site have a certificate for each of the > sites. I had reached this conclusion on further reading of 2634. Whilst being able to use a single certificate (and ACs for example) for hundreds of lists would be useful, it is not a major concern at the moment. My main issue was to have a mechanism to indicate on whose behalf of whom a signed receipt was generated (e.g. in the case of an "All" request from a ML). Either a specific field in the Receipt structure, or just an extension mechanism (which may be more generally useful). Graeme Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6SDb9qt057754 for <ietf-smime-bks@above.proper.com>; Mon, 28 Jul 2003 06:37:10 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6SDb9oc057753 for ietf-smime-bks; Mon, 28 Jul 2003 06:37:09 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp001.bizmail.yahoo.com (smtp001.bizmail.yahoo.com [216.136.172.125]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6SDb8qt057747 for <ietf-smime@imc.org>; Mon, 28 Jul 2003 06:37:08 -0700 (PDT) (envelope-from turners@ieca.com) Received: from pool-138-88-5-194.res.east.verizon.net (HELO ieca.com) (turners@ieca.com@138.88.5.194 with plain) by smtp2.bm.vip.sc5.yahoo.com with SMTP; 28 Jul 2003 13:37:08 -0000 Message-ID: <3F252694.8000607@ieca.com> Date: Mon, 28 Jul 2003 09:35:16 -0400 From: "Sean P. Turner" <turners@ieca.com> Organization: IECA, Inc. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en MIME-Version: 1.0 To: SMIME <ietf-smime@imc.org> Subject: Draft Meeting Minutes Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"> <title></title> </head> <body> Please provide feedback by August 1st.<br> -------------<br> <br> Here are the draft minutes from the Austria meeting.<br> <br> Minutes for S/MIME Meeting<br> IETF 57<br> July 14, 2003<br> <br> Agenda: Sean Turner covered the agenda for the meeting. No changes were made.<br> <br> Working Group Status: Sean Turner covered the status of the active documents in the working group. The documents that have changed status since the last meeting are:<br> <br> Published as RFC:<br> - 3395 Implementing Company Classification Policy with S/MIME Security Label.<br> - 3537 Wrapping a Hashed Message Authentication Code (HMAC) key with Triple-Data Encryption Standard (DES) Key or an Advanced Encryption Standard (AES) Keys.<br> <br> RFC Editor Queue:<br> - aes-alg Use of the AES Encryption Algorithm in CMS.<br> - cms-rsaes-oaep Use of RSAE-OAEP Key Transport Algorithm in CMS.<br> <br> With IESG:<br> - Camellia Use of Camellia Encryption Algorithm in CMS.<br> <br> CMS and ESS Examples Draft: Paul Hoffman explained that new examples have been added to the –11 draft, all of which need to be verified. After verification by all, a new -12 will be issued and the ADs will be asked to issue an IETF last call.<br> <br> MSGbis and CERTbis: Sean Turner presented Blake Ramsdell's presentation. In MSGbis minor edits were included, id-dsa was changed to id-dsa-with-sha1, and AES was made a SHOULD. MSGbis is ready for an IETF last call. In CERTbis text is still needed for acknowlegements and a summary of changes to the draft. There was an issue as to whether smime-types for every know CMS type should be included in the document. It was decided that the smime-types currently in the draft will remain but any new ones will be placed in new drafts so as to not hold up MSGbis.<br> <br> X400WRAP and X400TRANS: Chris Bonatti explained that changes similar to those in MSGbis were also made to X400WRAP - id-dsa was changed to id-dsa-with-sha1, and AES was made a SHOULD. In X400TRANS, the security considerations section was updated, as a result of IESG comments, to indicate that no new security concerns are added other than those in CMS or S/MIME models. It is believed that both documents are now ready for IETF last call.<br> <br> Interoperability Matrix: Jim Schaad indicated that the tests for both SignedData and EncryptedData are complete and that only the final write-up is required. The only remaining issues are with the Key Derivation Algorithm - PBKDF2 and the Message Authentication Code Algorithm - HMAC with SHA-1 neither of which were tested will result in blocking the draft.<br> <br> RSA KEM: Jim Schaad presented an overview of the RSA KEM algorithm. The remaining issues to complete the draft are defining matching rules for usage, SMIMECapabilities attribute values, and a single ASN.1 module.<br> <br> RSA PSS: Jim Schaad presented an overview of the RSA PSS algorithm. The requirements for the parameters H1 (digest hash algorithm parameters) and H2 (internal hash algorithm parameters) SHOULD be the same, while H2 and H3 (message generation function hash algorithm parameters) are RECOMMENDED to be the same. The resolved outstanding issues are that the key identifier and signature identifier will be the same OID and that PSS parameter comparison MUST be done if they are present in the certificate. It is believed that his draft is ready for WG last call.<br> <br> ESSbis: Jim Schaad presented updates to ESS which included splitting the MLExpansionHistory attribute in to two new attributes - Receipt Behavior and ML Loop Detection. The work required to rewrite the processing rules is proving more difficult that originally thought. Jim also indicated that there were outstanding issues on the list that deal with nested cases for receipt processing and MLA attribute propagation.<br> <br> GOST Algorithm: Grigory Chudov presented the Russian national algorithm GOST and an individual submission explaining how CMS can be used with GOST. The WG agreed to publish the draft under the WG banner.<br> <br> OpenEvidence Project and ESS: Peter Sylvester explained a usage of the technology developed in the OpenEvidence project, an open source projects financed by the European commission and run by a small group of European companies. A useful application of the technology addresses the problem to make email more reliable by using a third party security infrastructure to provide more traceability for users, service providers, and organizations. The tools developed were based on existing standards, i.e., SMIME signed receipts and RFC 3029. Two of the outputs of the project are the realization that there are few toolkits to provide support for ESS and that the ASN.1, which is 88 based, is problematic for new compilers. (A more detailed presentation of OpenEvidence project has been made in the PKIX wg).<br> <br> NIST S/MIME Tester: Tim Polk discussed the NIST online S/MIME tester that is intended to test the conformance of S/MIME implementations to the NIST S/MIME profile. More information can be found at: <a class="moz-txt-link-freetext" href="http://csrc.nist.gov/pki/smime/smtest.htm">http://csrc.nist.gov/pki/smime/smtest.htm</a>.<br> <br> <br> </body> </html> Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6SCEgqt051320 for <ietf-smime-bks@above.proper.com>; Mon, 28 Jul 2003 05:14:42 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6SCEgQE051319 for ietf-smime-bks; Mon, 28 Jul 2003 05:14:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6SCEeqt051314 for <ietf-smime@imc.org>; Mon, 28 Jul 2003 05:14:41 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h6SCEZV8021092 for <ietf-smime@imc.org>; Tue, 29 Jul 2003 00:14:35 +1200 Received: (from pgut001@localhost) by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h6SCEaY04751 for ietf-smime@imc.org; Tue, 29 Jul 2003 00:14:36 +1200 Date: Tue, 29 Jul 2003 00:14:36 +1200 Message-Id: <200307281214.h6SCEaY04751@medusa01.cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-smime@imc.org Subject: Off-list discussion of RTCS Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> After the previous RTCS posts I got a number of off-list replies, including several in which the authors specifically said that they din't want to comment in public, e.g: i did not post it to the list, because i do not think that a objective discussion is possible there. moreover, i do not want to waste my time in religious discussions. This is unfortunate, because I'm now carrying on multiple private discussions with potential spill-over between them, but only one person at a time is seeing each thread, which is limiting its usefulness somewhat. In order to resolve this problem, I'd like to invite anyone who's interested in discussing things further, or who's currently part of one of the private threads, to join the off-list discussion. It's not a real mailing list, just a list of cc'd addresses, I can also bcc you if you'd prefer to lurk anonymously. (This move is rather unfortunate because I'd like to get open feedback on RTCS, but it doesn't appear that this is possible). Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6S66cqt008528 for <ietf-smime-bks@above.proper.com>; Sun, 27 Jul 2003 23:06:38 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6S66cee008526 for ietf-smime-bks; Sun, 27 Jul 2003 23:06:38 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from web8001.mail.in.yahoo.com (web8001.mail.in.yahoo.com [203.199.70.95]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6S66Zqt008486 for <ietf-smime@imc.org>; Sun, 27 Jul 2003 23:06:36 -0700 (PDT) (envelope-from nmandya@yahoo.co.in) Message-ID: <20030728060626.36668.qmail@web8001.mail.in.yahoo.com> Received: from [202.144.91.253] by web8001.mail.in.yahoo.com via HTTP; Mon, 28 Jul 2003 07:06:26 BST Date: Mon, 28 Jul 2003 07:06:26 +0100 (BST) From: =?iso-8859-1?q?Nagaraj=20Mandya?= <nmandya@yahoo.co.in> Subject: RFC 2634 and encryption for mailing list recipients To: ietf-smime@imc.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Hi, Though RFC2634 talks in detail about adding a signature to a mail that is to be sent to a mailing list, it only mentions that MLAs can encrypt the mail for each recipient. It does not discuss this in detail. Where can I get more information on what process should be followed by MLAs to encrypt the mail for each recipient? Should it be done after the outer signature has been added by the MLA? Thanks. -- Regards, Nagaraj ________________________________________________________________________ Send free SMS using the Yahoo! Messenger. Go to http://in.mobile.yahoo.com/new/pc/ Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NK1Yqt067269 for <ietf-smime-bks@above.proper.com>; Wed, 23 Jul 2003 13:01:34 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6NK1YIq067268 for ietf-smime-bks; Wed, 23 Jul 2003 13:01:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.173]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NK1Xqt067263 for <ietf-smime@imc.org>; Wed, 23 Jul 2003 13:01:33 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (dialup-171.75.41.190.Dial1.Washington1.Level3.net [171.75.41.190]) by smtp3.pacifier.net (Postfix) with ESMTP id A92AF6D654; Wed, 23 Jul 2003 13:01:32 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> Subject: RE: WG LAST CALL: draft-ietf-smime-rfc2632bis-03 Date: Wed, 23 Jul 2003 16:01:59 -0400 Message-ID: <001d01c35155$4c558950$8b40a051@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAArOG3H4vmqkCKD2y8D/4N0gEAAAAA@brutesquadlabs.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> 1. Section 1.2: Does this need to be updated to refer to version 3.1 agents as well? 2. References need to be divided. 3. Acknowlegements is [TBD] 4. Section at beginning of document on changes since RFC2632 is required. 5. KEYMAC as a reference sent me to keyed macs, not to key management for ACs. 6. Section 4.4.2 - Key Usage is not a required extension. What happens in para #4 if the extension is not present. Does this imply that the bits are set? Jim Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NK1Tqt067256 for <ietf-smime-bks@above.proper.com>; Wed, 23 Jul 2003 13:01:29 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6NK1TW4067255 for ietf-smime-bks; Wed, 23 Jul 2003 13:01:29 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.173]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NK1Sqt067250 for <ietf-smime@imc.org>; Wed, 23 Jul 2003 13:01:28 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (dialup-171.75.41.190.Dial1.Washington1.Level3.net [171.75.41.190]) by smtp3.pacifier.net (Postfix) with ESMTP id 130316DAF5; Wed, 23 Jul 2003 13:01:27 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> Subject: RE: WG LAST CALL: draft-ietf-smime-rfc2633bis-04 Date: Wed, 23 Jul 2003 16:01:59 -0400 Message-ID: <001a01c35155$48f4ab10$8b40a051@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAL37WMsWTzkmnqyuxWko0QAEAAAAA@brutesquadlabs.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Comments are on the -05 version of the document. 1. Section 1.4 talks about version 3 not version 3.1 agents. 2. Section 2.1: Given your request for manditory inclusion of hash algorithms in DigestAlgorithmIdentifier, is there a reason you don't make population here atleast a SHOULD if not a MUST? 3. Section 2.2: There is no techincal reason that an S/MIME v2 client cannot be augmented to verify an id-dsa-with-sha1 signature. This statement should be that S/MIME v2 clients are only REQUIRED to implement rsaEncryption with either SHA-1 or MD5. 4. Section 2.2: The required hash algorithms supported with rsaEncryption needs to be noded as part of this section. 5. Section 2.3: Agents should support ES Diffie-Hellman. SS is not a requirement. 6. Section 2.4: CMS does not define the CompressedData content type last time I checked. 7. Section 2.4.4: Is there a reason why there is not any text describing when one should and when one should not compress data? (i.e. don't compress after encryption). Add reference to section 3.6? 8. Section 2.5: The text "Sending agents SHOULD generate one instance of the signingCertificate signed attribute in each S/MIME message." should state "signed attribute in each SignerInfo structure". 9. Section 2.5.2, para 4: I would like to have the following text added. " Because of the requirement for identical encoding, individuals documenting algorithms to be used in the SMIMECapabilities attribute should explicitly document the correct byte sequence for the common cases." 10. Section 2.5.2, para 5: I think we need to remove the "In the case of symmetric algorithms," phrase from this paragraph. The need for dealing with parameters can occur for other algorithms such as OAEP, KEM and PSS. It may be necessary to distinguish more explicitly between algorithm parameters such as rounds and block size as oppose to the IV. 11. Section 2.5.2 - where do we document SMimeCapabilities for RC2? Should be a 40-bit vs 128-bit difference between these which needs an ASN.1 structure and encoding. Based on reading of this document I could not correctly encode these values. 12. Section 2.5.3, last para: what happended to the clock skew text for SMIMECapabiltlies that clarifies what this sentence refers to? -- found it in section 2.7.1 - not immediately apparent should have some type of reference in either 2.5.2 or 2.5.3 or both. 13. Section 2.7.1, para 2: Change reference to section 2.5.2 14. Section 2.7.1.2: Should we remove this paragraph? It does not really follow from the fact that you recived a signed (by me) then encrypted message that I was actually the party that enrypted the message. It could have been an DOS attacker, a gateway, an MLA and so forth. 15. Section 2.7.1.3: Need to be updated to comment on AES. 16. Section 3.1, last para: I would like to see some additional comments provided to help people make the decision between a message that is protecting the headers and a message which is an attachment. 17. Section 3.1.2 para 3: Change the "SHOULD NOT use 7-bit" to "SHOULD use binary" to make a positive rather than a negative statement. 18. Section 3.1, General: Do you need to canonicalize before you compress? 19. Section 3.2.1: Can we really justify limiting the file name to eight characters any more? All common windows platforms no longer have this restriction. Apple and Unix platforms have not had this restriction for a long time (if ever). 20. Section 3.2.2: I would like to get some rewrites on this section as to the purpose of S/MIME type. I think it is JUST to provide information about the information (misspelt in the document) about the contained content. It just happens that for display via UAs, the distinction between signed and enveloped was consisted to be an important part of the content. Additionally, I think this is the correct direction for us to tell people about how to define new smime-types in the future. The next question is weither a compressed only message would show up in my mailbox. I think that the correct smime-type for a compressed and signed message is actually signed-data not compressed data. 21. Section 3.4.1, last para: Currently this reads Messages signed using the signedData format cannot be viewed by a recipient unless they have S/MIME facilities. However, if they have S/MIME facilities, these messages can always be verified if they were not changed in transit. But duh for the last sentence. The correct statement would be. "However, the signedData format protects the message content from being changed by benign intermediate agents. Such agents might do line wrapping or content-transfer encoding changes which would break the signature." 22. Section 3.4.3.2, algorithm table: The last item in the table needs to be removed. The corect answer is that this value needs to be defined by documents describing other hashing algorithms. 23. Section 3.4.3.3: Just for giggles, I think that adding a section with the hex encoding of the acutal bytes hashed for this sample would be a good idea. This is one of the things people always have problems with when doing multipart signed data. Also it might be interesting to make the body a multipart/alternative. On the other hand this would probably be better in an appendix. 24. Section 4: Reference to [CERT3] needs updating. 25. Section 4.1: Language and protocol statements needs to be updated in this section to reflect the change in algorithms. 26. Appendix B: Refernces need to be divided. Jim Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NJfqqt066811 for <ietf-smime-bks@above.proper.com>; Wed, 23 Jul 2003 12:41:52 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6NJfq7e066810 for ietf-smime-bks; Wed, 23 Jul 2003 12:41:52 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6NJfpqt066804 for <ietf-smime@imc.org>; Wed, 23 Jul 2003 12:41:51 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 23204 invoked by uid 0); 23 Jul 2003 19:40:37 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.154.159) by woodstock.binhost.com with SMTP; 23 Jul 2003 19:40:37 -0000 Message-Id: <5.2.0.9.2.20030722224635.0414f4d8@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 22 Jul 2003 22:51:17 -0400 To: "g.lunt" <Graeme.Lunt@nexor.co.uk> From: Russ Housley <housley@vigilsec.com> Subject: RE: Signed Receipts and Mail Lists Cc: "'ietf-smime'" <ietf-smime@imc.org> In-Reply-To: <001f01c340a1$cf01f470$d2353fc1@nexor.co.uk> References: <009701c33ce3$a86b4170$3d0311ac@augustcellars.local> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Graeme: When we designed the MLA mechanism, we assumed that each mail list would have a separate key pair and certificate. I do not think that this is an unreasonable assumption. Today, Web servers that support more than one site have a certificate for each of the sites. Russ >Jim, > > > If we adopted the solution you gave, what limits me from making > > arbitrary statements about who I am in this field that then need to be > > > independently verified by the receipt processing code? (I.e. what if > > I put the fact that I am turners@ieca.com in this field and sign with > > my jimsch@exmsft.com certificate). > >First off, having looked in more detail at 2634 it implicitly requires >each mail list to have its own certificate. In particular, the >EntityIdentifier, used in MLExpansionHistory, refers only to a >certificate. So having a single certificate for an MLA supporting >multiple lists would cause the loop detection algorithm to fail. > >So what I was looking at (a single certificate for a mail list agent >supporting multiple lists) is a more fundamental change than I first >thought. > >But back to your question. > >The basic answer is that nothing would limit you. Do you see this as a >major issue? > >x400wrap has a similar case where the content being signed contains an >"originator" field. > >"Receiving agents SHOULD check that the originator address in the X.400 >content matches an X.400 address in the signer's certificate, if X.400 >addresses are present in the certificate and an originator address is >available in the content. A receiving agent SHOULD provide some explicit >alternate processing of the message if this comparison fails, which may >be to display a message that shows the recipient the addresses in the >certificate or other certificate details." > >I think that similar wording to section 4.3 of this draft may be >acceptable? > >This wording allows us to take our own action to correlate the x400 >originator to the signer in the case that they don't match (we use >attribute certificates to do the signer to originator validation). > >So for your example, I may see something like: > >"signed receipt from jimsch@exmsft.com on behalf of turners@ieca.com at ><time>" > >The receiptFrom field I proposed is primarily aimed at supporting the >correlation of the signed receipt to the original recipient by providing >original address the signed receipt was requested from. > >There are a number of reasons why I may not be able to match the >address[es] (subjectAltName) from the certificate to one of the >addresses I to: > >a) Valid aliases not in the subjectAltNames of the certificate > >b) Signed receipt from a recipient who received the message as a result >of ML expansion. > >c) Mail redirections - e.g. sent to "ceo@corp.com" which redirects to a >personal mailbox. >Similar to a). > > >Graeme > > > > > -----Original Message----- > > > From: owner-ietf-smime@mail.imc.org > > > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Graeme Lunt > > > Sent: Wednesday, June 25, 2003 12:40 AM > > > To: 'Sean P. Turner' > > > Cc: 'ietf-smime' > > > Subject: RE: Signed Receipts and Mail Lists > > > > > > > > > > > > Sean, > > > > > > > I'm not sure that the MLA returns a receipt on behalf of the ML > > > > members. > > > > > > OK - if an MLA should not return signed receipts then there is not a > > > > problem with my scenario. > > > > > > > I looked through ESS again and I couldn't find anything > > > that said if a > > > > message enters an MLA with a signed receipt request that it > > > > > > > shouldn't or should return a receipt. > > > > > > Is an MLA considered a "receiving agent"/"receiving > > > software"/"processing software" in section 2.3 of ESS? I had assumed > > > > that it was but agree it is unclear. > > > > > > > Typically (I think), originators want to know that the > > > final recipient > > > got > > > > the message not whether the MLA got it. > > > > > > I think there are arguments for both. If an originator > > sends a message > > > to: > > > > > > complaints@bigbank.co.uk > > > > > > the originator probably only wants to know that it got to the > > > complaints department at bigbank. The originator doesn't want to > > > know (and bigbank doesn't want to let the originator know) which > > > individuals within bigbank read the message. > > > > > > > Then again maybe I didn't understand your scenario. > > > > > > I don't think the originator needs to understand if the addresses > > > they are requesting signed receipts from are address lists or not. > > > If an originator sends a message to two recipients - one a mail > > > list, one an individual - and requests first tier signed receipts, > > > they will never receive a signed receipt from the mail list > > > recipient. The user may find this unexpected. Correlation software > > > *may* be able to detect a mail list recipient and handle it > > > appropriately. > > > > > > > > > Graeme > > > > > > > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NIFDqt059448 for <ietf-smime-bks@above.proper.com>; Wed, 23 Jul 2003 11:15:13 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6NIFDKf059447 for ietf-smime-bks; Wed, 23 Jul 2003 11:15:13 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from gamma.isi.edu (gamma.isi.edu [128.9.144.145]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NIFBqt059437 for <ietf-smime@imc.org>; Wed, 23 Jul 2003 11:15:11 -0700 (PDT) (envelope-from rfc-ed@ISI.EDU) Received: from ISI.EDU (jet.isi.edu [128.9.160.87]) by gamma.isi.edu (8.11.6p2/8.11.2) with ESMTP id h6NIEIJ09010; Wed, 23 Jul 2003 11:14:18 -0700 (PDT) Message-Id: <200307231814.h6NIEIJ09010@gamma.isi.edu> To: IETF-Announce: ; Subject: RFC 3565 on Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS) Cc: rfc-editor@rfc-editor.org, ietf-smime@imc.org From: rfc-editor@rfc-editor.org Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary=NextPart Date: Wed, 23 Jul 2003 11:14:18 -0700 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A new Request for Comments is now available in online RFC libraries. RFC 3565 Title: Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS) Author(s): J. Schaad Status: Standards Track Date: July 2003 Mailbox: jimsch@exmsft.com Pages: 14 Characters: 26773 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-smime-aes-alg-07.txt URL: ftp://ftp.rfc-editor.org/in-notes/rfc3565.txt This document specifies the conventions for using the Advanced Encryption Standard (AES) algorithm for encryption with the Cryptographic Message Syntax (CMS). This document is a product of the S/MIME Mail Security Working Group of the IETF. This is now a Proposed Standard Protocol. This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from the IETF distribution list should be sent to IETF-REQUEST@IETF.ORG. Requests to be added to or deleted from the RFC-DIST distribution list should be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG. Details on obtaining RFCs via FTP or EMAIL may be obtained by sending an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body help: ways_to_get_rfcs. For example: To: rfc-info@RFC-EDITOR.ORG Subject: getting rfcs help: ways_to_get_rfcs Requests for special distribution should be addressed to either the author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.echo Submissions for Requests for Comments should be sent to RFC-EDITOR@RFC-EDITOR.ORG. Please consult RFC 2223, Instructions to RFC Authors, for further information. Joyce K. Reynolds and Sandy Ginoza USC/Information Sciences Institute ... Below is the data which will enable a MIME compliant Mail Reader implementation to automatically retrieve the ASCII version of the RFCs. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="RFC-INFO@RFC-EDITOR.ORG" Content-Type: text/plain Content-ID: <030723111250.RFC@RFC-EDITOR.ORG> RETRIEVE: rfc DOC-ID: rfc3565 --OtherAccess Content-Type: Message/External-body; name="rfc3565.txt"; site="ftp.isi.edu"; access-type="anon-ftp"; directory="in-notes" Content-Type: text/plain Content-ID: <030723111250.RFC@RFC-EDITOR.ORG> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NIFEqt059450 for <ietf-smime-bks@above.proper.com>; Wed, 23 Jul 2003 11:15:14 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6NIFDAL059449 for ietf-smime-bks; Wed, 23 Jul 2003 11:15:13 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from gamma.isi.edu (gamma.isi.edu [128.9.144.145]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6NIFBqt059438 for <ietf-smime@imc.org>; Wed, 23 Jul 2003 11:15:12 -0700 (PDT) (envelope-from rfc-ed@ISI.EDU) Received: from ISI.EDU (jet.isi.edu [128.9.160.87]) by gamma.isi.edu (8.11.6p2/8.11.2) with ESMTP id h6NICMJ08546; Wed, 23 Jul 2003 11:12:22 -0700 (PDT) Message-Id: <200307231812.h6NICMJ08546@gamma.isi.edu> To: IETF-Announce: ; Subject: RFC 3560 on Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS) Cc: rfc-editor@rfc-editor.org, ietf-smime@imc.org From: rfc-editor@rfc-editor.org Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary=NextPart Date: Wed, 23 Jul 2003 11:12:22 -0700 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A new Request for Comments is now available in online RFC libraries. RFC 3560 Title: Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS) Author(s): R. Housley Status: Standards Track Date: July 2003 Mailbox: housley@vigilsec.com Pages: 18 Characters: 37381 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-smime-cms-rsaes-oaep-07.txt URL: ftp://ftp.rfc-editor.org/in-notes/rfc3560.txt This document describes the conventions for using the RSAES-OAEP key transport algorithm with the Cryptographic Message Syntax (CMS). The CMS specifies the enveloped-data content type, which consists of an encrypted content and encrypted content-encryption keys for one or more recipients. The RSAES-OAEP key transport algorithm can be used to encrypt content-encryption keys for intended recipients. This document is a product of the S/MIME Mail Security Working Group of the IETF. This is now a Proposed Standard Protocol. This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from the IETF distribution list should be sent to IETF-REQUEST@IETF.ORG. Requests to be added to or deleted from the RFC-DIST distribution list should be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG. Details on obtaining RFCs via FTP or EMAIL may be obtained by sending an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body help: ways_to_get_rfcs. For example: To: rfc-info@RFC-EDITOR.ORG Subject: getting rfcs help: ways_to_get_rfcs Requests for special distribution should be addressed to either the author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.echo Submissions for Requests for Comments should be sent to RFC-EDITOR@RFC-EDITOR.ORG. Please consult RFC 2223, Instructions to RFC Authors, for further information. Joyce K. Reynolds and Sandy Ginoza USC/Information Sciences Institute ... Below is the data which will enable a MIME compliant Mail Reader implementation to automatically retrieve the ASCII version of the RFCs. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="RFC-INFO@RFC-EDITOR.ORG" Content-Type: text/plain Content-ID: <030723111047.RFC@RFC-EDITOR.ORG> RETRIEVE: rfc DOC-ID: rfc3560 --OtherAccess Content-Type: Message/External-body; name="rfc3560.txt"; site="ftp.isi.edu"; access-type="anon-ftp"; directory="in-notes" Content-Type: text/plain Content-ID: <030723111047.RFC@RFC-EDITOR.ORG> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6N0Woqt081045 for <ietf-smime-bks@above.proper.com>; Tue, 22 Jul 2003 17:32:50 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6N0Wo5U081044 for ietf-smime-bks; Tue, 22 Jul 2003 17:32:50 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [207.228.252.5]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6N0Wnqt081039 for <ietf-smime@imc.org>; Tue, 22 Jul 2003 17:32:49 -0700 (PDT) (envelope-from housley@vigilsec.com) Received: (qmail 27722 invoked by uid 0); 23 Jul 2003 00:31:26 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (12.159.173.193) by woodstock.binhost.com with SMTP; 23 Jul 2003 00:31:26 -0000 Message-Id: <5.2.0.9.2.20030722132917.035db820@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 22 Jul 2003 13:33:57 -0400 To: Tim Moses <tim.moses@entrust.com>, ietf-smime@imc.org From: Russ Housley <housley@vigilsec.com> Subject: Re: In this day and age ... In-Reply-To: <9A4F653B0A375841AC75A8D17712B9C906494E3A@sottmxs04.entrust .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Tim: Please take a look at draft-ietf-smime-rfc2633bis-05. I believe that you will see improvements in this area. Russ At 10:32 AM 7/18/2003 -0400, Tim Moses wrote: >Colleagues - As I read RFC 2633, it uses normative language in Section 3.1 >when discussing content-transfer encoding applied to MIME content prior to >security processing. But, the language relating to content transfer >encoding applied to protected content is not normative. Section 3.2 says >"Since CMS objects are binary data, in most cases base-64 transfer encoding >is appropriate". That sounds like a SHOULD. > >It seems to me that message-transfer agents commonly apply content-transfer >encoding to 8-bit data. I am unsure whether they do this selectively or >whether they only apply it when needed. > >I wonder whether it is still necessary for S/MIME to "recommend" the >application of content-transfer encoding to secured sub-parts. > >Can anyone offer an informed view? Thanks a lot. All the best. Tim. > >----------------------------------------------------------------- >Tim Moses >613.270.3183 Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6IEWnqt002964 for <ietf-smime-bks@above.proper.com>; Fri, 18 Jul 2003 07:32:49 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6IEWniC002963 for ietf-smime-bks; Fri, 18 Jul 2003 07:32:49 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from sottmxssm.entrust.com (sottmxssm.entrust.com [216.191.252.10]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6IEWlqt002957 for <ietf-smime@imc.org>; Fri, 18 Jul 2003 07:32:48 -0700 (PDT) (envelope-from tim.moses@entrust.com) Received: from sottguard01.entrust.com (sottguard01.entrust.com [10.4.61.249]) by sottmxssm.entrust.com (Switch-2.2.6/Switch-2.2.4) with SMTP id V6IE0T7N14914 for <ietf-smime@imc.org>; Fri, 18 Jul 2003 10:29:07 -0400 Received: (qmail 4724 invoked by uid 64014); 18 Jul 2003 14:26:50 -0000 Received: from tim.moses@entrust.com by sottguard01.entrust.com with AmikaGuardian-Server-1.1.2 (Processed in 0.255903 secs); 18 Jul 2003 14:26:50 -0000 Received: from unknown (HELO SOTTMXS01.entrust.com) (10.4.61.7) by sottguard01.entrust.com with SMTP; 18 Jul 2003 14:26:49 -0000 Received: by sottmxs01.entrust.com with Internet Mail Service (5.5.2656.59) id <PFK4KBA4>; Fri, 18 Jul 2003 10:32:42 -0400 Message-ID: <9A4F653B0A375841AC75A8D17712B9C906494E3A@sottmxs04.entrust.com> From: Tim Moses <tim.moses@entrust.com> To: "'S/MIME'" <ietf-smime@imc.org> Subject: In this day and age ... Date: Fri, 18 Jul 2003 10:32:41 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Colleagues - As I read RFC 2633, it uses normative language in Section 3.1 when discussing content-transfer encoding applied to MIME content prior to security processing. But, the language relating to content transfer encoding applied to protected content is not normative. Section 3.2 says "Since CMS objects are binary data, in most cases base-64 transfer encoding is appropriate". That sounds like a SHOULD. It seems to me that message-transfer agents commonly apply content-transfer encoding to 8-bit data. I am unsure whether they do this selectively or whether they only apply it when needed. I wonder whether it is still necessary for S/MIME to "recommend" the application of content-transfer encoding to secured sub-parts. Can anyone offer an informed view? Thanks a lot. All the best. Tim. ----------------------------------------------------------------- Tim Moses 613.270.3183 Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6I32aqt042434 for <ietf-smime-bks@above.proper.com>; Thu, 17 Jul 2003 20:02:36 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6I32Z8r042433 for ietf-smime-bks; Thu, 17 Jul 2003 20:02:35 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6I32Yqt042412; Thu, 17 Jul 2003 20:02:34 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Thu, 17 Jul 2003 20:02:31 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <jimsch@exmsft.com>, "'Ietf-Smime-Examples'" <ietf-smime-examples@imc.org>, <ietf-smime@imc.org>, <phoffman@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com>, "'Russ Housley'" <housley@vigilsec.com> Subject: RE: Draft-11Parital Results Date: Thu, 17 Jul 2003 20:02:31 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAg6Sc0IFlH0m+phfIjZYjNAEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <001301c34c2c$c04b2cd0$8b40a051@augustcellars.local> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Jim Schaad > Sent: Wednesday, July 16, 2003 11:29 PM > To: 'Blake Ramsdell'; jimsch@exmsft.com; > 'Ietf-Smime-Examples'; ietf-smime@imc.org; phoffman@imc.org > Cc: 'Sean P. Turner'; 'Russ Housley' > Subject: RE: Draft-11Parital Results > > What needs to > be changed is the commentary not the message. OK, then we need to come up with language. Maybe: A full S/MIME message, including MIME, that includes a MIME encoded version of the body part from 5.1. Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6HBMhqt084239 for <ietf-smime-bks@above.proper.com>; Thu, 17 Jul 2003 04:22:44 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6HBMhJg084238 for ietf-smime-bks; Thu, 17 Jul 2003 04:22:43 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp002.bizmail.yahoo.com (smtp002.bizmail.yahoo.com [216.136.172.126]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6HBMgqt084233 for <ietf-smime@imc.org>; Thu, 17 Jul 2003 04:22:42 -0700 (PDT) (envelope-from turners@ieca.com) Received: from tweety.ietf57.telekom.at (HELO ieca.com) (turners@ieca.com@81.160.172.151 with plain) by smtp2.bm.vip.sc5.yahoo.com with SMTP; 17 Jul 2003 11:22:33 -0000 Message-ID: <3F1686C5.2040405@ieca.com> Date: Thu, 17 Jul 2003 13:21:41 +0200 From: "Sean P. Turner" <turners@ieca.com> Organization: IECA, Inc. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en MIME-Version: 1.0 To: SMIME <ietf-smime@imc.org> Subject: SMIME WG Summary Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title></title> </head> <body> All,<br> <br> Here is a short summary of the agenda topics discussed at the meeting in Austria:<br> <br> * MSGbis fixed some nits believe it is ready for security ADs and IETF-wide last call<br> * CERTbis text needs to be added for acknowledgements but after that it's ready for security ADs and IETF-wide last call<br> * Examples added 11 new cases all need to be verified<br> * X400Trans and X400Wrap had minor comments from IESG, which have all been addressed<br> * Interoperability Matrix is completed but final report needs to be written<br> * RSA PSS and CMS going to WG LC as soon as next version is produced<br> * RSA KEM has 3 remaining issues but then ready for WG LC<br> * ESSbis separating MLExpansiionHistory in to ReceiptBehavior and MLLoopDetection is proving more difficult than expected<br> * GOST algorithm for CMS will be published under WG<br> * Peter Sylvester gave a presentation on OpenEvidence<br> * Tim Polk gave pointers to NIST's Online SMIME tester<br> <br> I hope to have meeting minutes out by next week some time.<br> <br> spt </body> </html> Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6H6Spqt044447 for <ietf-smime-bks@above.proper.com>; Wed, 16 Jul 2003 23:28:51 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6H6SpRX044446 for ietf-smime-bks; Wed, 16 Jul 2003 23:28:51 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6H6Smqt044426; Wed, 16 Jul 2003 23:28:48 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (unknown [81.160.64.139]) by smtp1.pacifier.net (Postfix) with ESMTP id F1EB670450; Wed, 16 Jul 2003 23:28:45 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <jimsch@exmsft.com>, "'Ietf-Smime-Examples'" <ietf-smime-examples@imc.org>, <ietf-smime@imc.org>, <phoffman@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com>, "'Russ Housley'" <housley@vigilsec.com> Subject: RE: Draft-11Parital Results Date: Thu, 17 Jul 2003 08:29:14 +0200 Message-ID: <001301c34c2c$c04b2cd0$8b40a051@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAbHTrol9BRUa93ZPzwMATPQEAAAAA@brutesquadlabs.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake, I completely agree that it was discussed. (I think I raised the issue.) And I agree that the content for the message is correct. What needs to be changed is the commentary not the message. jim > -----Original Message----- > From: Blake Ramsdell [mailto:blake@brutesquadlabs.com] > Sent: Wednesday, July 16, 2003 10:15 PM > To: jimsch@exmsft.com; 'Ietf-Smime-Examples'; > ietf-smime@imc.org; phoffman@imc.org > Cc: 'Sean P. Turner'; 'Russ Housley' > Subject: RE: Draft-11Parital Results > > > > -----Original Message----- > > From: Jim Schaad [mailto:jimsch@nwlink.com] > > Sent: Wednesday, July 16, 2003 7:19 AM > > To: Ietf-Smime-Examples; ietf-smime@imc.org; phoffman@imc.org > > Cc: Sean P. Turner; Blake Ramsdell; Russ Housley > > Subject: Draft-11Parital Results > > > > 5.9 failed > > Commentary text states that the body part is the same > as 5.1 - this > > is not correct as the signature values and exContent are different > > (content is actually "\0xd\0xaThis is some sample content." > > This is something we discussed a bit ago -- the problem is > that ExContent.bin is not valid MIME data. The compromise we > reached was that a CRLF would be inserted at the beginning, > which would make it valid MIME data (implicit text/plain). > When the MIME wrapping is removed, it results in ExContent.bin. > > Blake > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GKFLqt005616 for <ietf-smime-bks@above.proper.com>; Wed, 16 Jul 2003 13:15:21 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6GKFLSH005615 for ietf-smime-bks; Wed, 16 Jul 2003 13:15:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GKFKqt005608; Wed, 16 Jul 2003 13:15:20 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Wed, 16 Jul 2003 13:15:16 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <jimsch@exmsft.com>, "'Ietf-Smime-Examples'" <ietf-smime-examples@imc.org>, <ietf-smime@imc.org>, <phoffman@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com>, "'Russ Housley'" <housley@vigilsec.com> Subject: RE: Draft-11Parital Results Date: Wed, 16 Jul 2003 13:15:16 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAbHTrol9BRUa93ZPzwMATPQEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <000e01c34ba5$38ac5150$8b40a051@augustcellars.local> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: Jim Schaad [mailto:jimsch@nwlink.com] > Sent: Wednesday, July 16, 2003 7:19 AM > To: Ietf-Smime-Examples; ietf-smime@imc.org; phoffman@imc.org > Cc: Sean P. Turner; Blake Ramsdell; Russ Housley > Subject: Draft-11Parital Results > > 5.9 failed > Commentary text states that the body part is the same as 5.1 - > this is not correct as the signature values and exContent are > different > (content is actually "\0xd\0xaThis is some sample content." This is something we discussed a bit ago -- the problem is that ExContent.bin is not valid MIME data. The compromise we reached was that a CRLF would be inserted at the beginning, which would make it valid MIME data (implicit text/plain). When the MIME wrapping is removed, it results in ExContent.bin. Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GEIfqt083989 for <ietf-smime-bks@above.proper.com>; Wed, 16 Jul 2003 07:18:41 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6GEIf1w083988 for ietf-smime-bks; Wed, 16 Jul 2003 07:18:41 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.173]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6GEIdqt083974; Wed, 16 Jul 2003 07:18:39 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (unknown [81.160.64.139]) by smtp3.pacifier.net (Postfix) with ESMTP id 5F87E6DF25; Wed, 16 Jul 2003 07:18:37 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "Ietf-Smime-Examples" <ietf-smime-examples@imc.org>, <ietf-smime@imc.org>, <phoffman@imc.org> Cc: "Sean P. Turner" <turners@ieca.com>, "Blake Ramsdell" <blake@brutesquadlabs.com>, "Russ Housley" <housley@vigilsec.com> Subject: Draft-11Parital Results Date: Wed, 16 Jul 2003 16:19:04 +0200 Message-ID: <000e01c34ba5$38ac5150$8b40a051@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h6GEIdqt083975 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> People, Here is the current state of draft 11 with my testing. I will continue to fill out more of the data in the this table as I get some more items debugged in my code. I am still trying to figure out why I cannot do DH. jim 4.1 pass 4.2 pass 5.1 pass 5.2 pass 5.3 -- not checked --- 5.4 pass with comments 1. certificates are Alice DSS, Carl DSS (root), Alice RSA 2. unsigned attributes are JUST counter signature 5.5 pass 5.6 --- not checked -- - structurally fine - Diane signature unchecked 5.7 pass 5.8 -- not checked -- I have an assumption that the wrong signature OID is used in the message. 5.9 failed id-dsa is the signature algorithm not id-dsa-with-sha1 Commentary text states that the body part is the same as 5.1 - this is not correct as the signature values and exContent are different (content is actually "\0xd\0xaThis is some sample content." 5.10 pass with comments List of attributes is 1. content type 2. message digest 3. 1.2.5555 (unknown) 4. content hint 5. smime capabilities 6. security label 7. content reference 8. encrypt key preference 9. ML expansion history 10. Equivalent label 5.11 pass with comments Text should be Alice's and Carl's DSS certificates. 6.1 -- not checked -- 6.2 passed 6.3 passed with comments RC2/128 for the content encryption algorithm. 6.4 -- not checked -- 6.5 -- not checked -- 6.6 -- not checked -- 6.7 -- not checked -- fail on the RC2/40 not clear what the source is yet. 6.8 -- not checked -- 6.9 failed Content hints says the content is 1.2.6.5.4 not id-data 6.10 -- not checked -- 6.11 FAIL test vectors are appended below on this message. I don't know where I am going wrong and this code worked in the past. 7.0 pass 8.1 passed 8.2 passed with comment Need to specify that this uses the same key value as does 8.1 9 -- checked-- 10.1 -- not checked -- 10.2 -- not checked -- 11.1 fails Text states signed with RSA, message signed with DSA DSA signature OID incorrect Receipt is going to cn="AliceRSA" and robert.colestock@wang.com - should alice be an RFC822 name? 11.2 -- not checked -- 11.3 passed 11.4 passed 11.5 -- not checked -- 11.6 -- not checked -- **************************************** 6.11 intermediate data from my test **************** But it fails.... Wrapped key 0x0012F248 74 31 c0 45 51 4c 3c 2d 2e da 63 50 8b ae d4 ac t1ÀEQL<-.ÚcP.®Ô¬ 0x0012F258 64 cc 95 ae af cd 0f 8c b6 48 1f 0b 45 12 4d fb dÌ.®¯Í..¶H..E.M. 0x0012F268 a4 ab c7 83 30 4b 69 ad ¤«Ç.0Ki Mail list key 0x00324354 25 5e 0d 1c 07 b6 46 df b3 13 4c c8 43 ba 8a a7 %^...¶Fß³.LÈCº.§ 0x00324364 1f 02 5b 7c 08 38 25 1f After decrypt #1 0x00324630 d7 10 66 ee 9a 42 e0 80 62 a3 e5 de b5 ef 4e 7e ×.f..B..b£.Þµ.N~ 0x00324640 5f 13 30 b5 13 d3 a8 4f be dc 02 d4 81 27 db 50 _.0µ.Ó¨O¾Ü.Ô.'ÛP 0x00324650 e5 d8 0f e9 25 38 f1 7b .Ø..%8.{ IV 0x00324630 7b f1 38 25 e9 0f d8 e5 {.8%..Ø. Post Decrypt #2 0x00324630 50 db 27 81 d4 02 dc be 4f a8 d3 13 b5 30 13 5f PÛ'.Ô.ܾO¨Ó.µ0._ 0x00324640 7e 4e ef b5 de e5 a3 62 80 e0 42 9a ee 66 10 d7 ~N.µÞ.£b..B..f.× Computed check sum 0x0012EFD8 53 fb 3e cc 8a 06 cc af S.>Ì..̯ Actual Check sum 80 e0 42 9a ee 66 10 d7 --- they don't match!!!!! Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FDR1qt079641 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 06:27:01 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6FDR136079640 for ietf-smime-bks; Tue, 15 Jul 2003 06:27:01 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from mail4.consignia.com (mail4.consignia.com [144.87.143.84]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FDR0qt079635 for <ietf-smime@imc.org>; Tue, 15 Jul 2003 06:27:00 -0700 (PDT) (envelope-from chris.gilbert@royalmail.com) Received: from postoffice.co.uk (mta2.int.consignia.com [144.87.146.16]) by mail4.consignia.com (Postfix) with SMTP id 42CDF12278B for <ietf-smime@imc.org>; Tue, 15 Jul 2003 14:27:00 +0100 (BST) Received: by postoffice.co.uk(Lotus SMTP MTA v4.6.6 (890.1 7-16-1999)) id 00256D64.004F63F6 ; Tue, 15 Jul 2003 14:27:09 +0000 X-Lotus-FromDomain: POSTOFFICE From: chris.gilbert@royalmail.com To: ietf-smime@imc.org Message-ID: <00256D64.004F61C7.00@postoffice.co.uk> Date: Tue, 15 Jul 2003 14:26:44 +0000 Subject: Re: (Practical) S/MIME certificate chain handling Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Jim, apologies for the delay. I've been on vacation and have just salvaged your email from the 800 or so spams that were waiting for me :-) I also got over enthusiastic about my mail box management and succeeded in deleting the original of this. The headers are munged because I recovered this text from the IETF archive! Jim Schaad wrote: > I hope there is a great deal more to this than what you are stating for > a Best Practice recommendation. Indeed. I did say it was 'a' recommendation without alluding to the others, some of which concern the management of the root CA certificate store. > 1. Acceptance of root certificates by end-users is a real problem. > They tend to say yes without any good reason to do so. This means that > it is easy to stick "bad" root certificates on a persons machine I agree completely. At the organisation level, however, the management of the Root CA store is a administrative policy issue rather than a technical one. The inclusion of the trust chain with outgoing emails facilitates the distribution of trust in the continued absence of a global recovery mechanism. It does not preclude correct and secure usage of such paths, in-line with policy, at the recipient device. > If you are really working in a single structure, then this information > should be automatically distributed to people's machines and not send > from the sender. By a single structure do you mean a single organisation or a single trust tree ? Policy should certainly be managed centrally although I'm unconvinced that many organisations really understand the future, legal implications of permitting their end-users to grow their own Root CA stores. As you imply, we are not yet anywhere near widespread, correct usage. In the main this is due to the fact that Digital Certificates are still being used in many areas merely as technology enablers rather than the trust mechanisms that they are designed to be. As such, acceptance of trust (and thus liability) by end users is too easy and uncontrolled and simply allows the software to work rather than trust be maintained. Chris Royal Mail is a trading name of Royal Mail Group plc. Registered in England and Wales. Registered number 4138203. Registered office at 148 Old Street, LONDON EC1V 9HQ Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FD99qt077311 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 06:09:09 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6FD9949077310 for ietf-smime-bks; Tue, 15 Jul 2003 06:09:09 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from mx2.magma.ca (mx2.magma.ca [206.191.0.250]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FD98qt077301 for <ietf-smime@imc.org>; Tue, 15 Jul 2003 06:09:08 -0700 (PDT) (envelope-from capel@comgate.com) Received: from mail1.magma.ca (mail1.magma.ca [206.191.0.252]) by mx2.magma.ca Magma's Mail Server with ESMTP id h6FD97Nq017320; Tue, 15 Jul 2003 09:09:07 -0400 Received: from tony (ottawa-hs-209-217-122-183.s-ip.magma.ca [209.217.122.183]) by mail1.magma.ca (Magma's Mail Server) with ESMTP id h6FD8qFU023765; Tue, 15 Jul 2003 09:09:07 -0400 From: "Tony Capel" <capel@comgate.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> Subject: RE: Discussing RTCS Date: Tue, 15 Jul 2003 09:08:56 -0400 Message-ID: <000601c34ad2$42a0ae00$01b5a8c0@tony> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAW78oSlo46k69IkJ+uWj+gQEAAAAA@brutesquadlabs.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h6FD98qt077304 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake: I see potential value in a "CMS style" request/response format for a certificate validation service. Specifically one might imagine that a (signed) CMS data structure returned by a validating server could be integrated directing within the CMS message types. This would require compatibility between the server response and CMS. I realise that Peter's proposal makes a big deal about its ability to use simplified database lookups, yes/no responses, etc. and that this aspect has prompted strong PKIX reactions. However, the ability to use directly compatible CMS structures is the attraction for me. How the server is implemented is arguably an implementation (or maybe PKIX) issue. So, yes I would like to see some discussion on this topic here; and if Peter's proposal is a way to do that fine - although I agree that if we discuss it, we should do it co-operatively with PKIX. That is, we should address CMS compatibility issues (and how this service might be used by CMS) and leave the server side to them. Tony | -----Original Message----- | From: owner-ietf-smime@mail.imc.org | [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Blake Ramsdell | Sent: June 27, 2003 5:12 PM | To: ietf-smime@imc.org | Subject: Discussing RTCS | | | | Peter Gutmann has made an individual draft submission for his | CMS-based RTCS protocol. A URL to this draft is: | http://www.ietf.org/internet-drafts/draft-gutmann-cms-rtcs-00.txt He would like to get some review of the CMS parts of this, and it seems reasonable to discuss it here on the IETF-SMIME list if there is interest. Since this draft is CMS based and potentially adds value to CMS or S/MIME in general, should we consider bringing it into this working group? Comments? Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FD10qt075190 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 06:01:00 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6FD102r075189 for ietf-smime-bks; Tue, 15 Jul 2003 06:01:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FD0vqt075145; Tue, 15 Jul 2003 06:00:58 -0700 (PDT) (envelope-from kent@bbn.com) Received: from [81.160.154.187] (ssh.bbn.com [192.1.50.70]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id h6FCxwDD029536; Tue, 15 Jul 2003 09:00:07 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@localhost Message-Id: <p05200f04bb39a7534e0a@[81.160.154.187]> In-Reply-To: <000301c34ab3$cb30a4b0$8b40a051@augustcellars.local> References: <000301c34ab3$cb30a4b0$8b40a051@augustcellars.local> Date: Tue, 15 Jul 2003 08:46:24 -0400 To: <jimsch@exmsft.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Discussing RTCS Cc: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'Sean P. Turner'" <turners@ieca.com>, <ietf-smime@imc.org>, "'pkix'" <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> At 11:30 +0200 7/15/03, Jim Schaad wrote: >I agree with Denis, this is a certificate validation issue and as such >belongs in the PKIX WG if to be standardized by the IETF. I think that >we can provide a review of the document if requested for it's usage of >CMS, but not it's general suitablity. > >jim > Jim, I agree with you and Denis that this is really a PKIX matter, vs. an S/MIME matter. However, I had several problems with Peter bringing this in as a WG item: - we already have OCSP and OCSPv2 has been worked on - this protocol goes beyond the OCSP semantics to provide delegated cert (not cert path) validation. we have just agreed to adopt SCVP for delegated cert path validation, and I was worried that this overlap would conflict with SCVP - PKIX has been told to not take on new work items Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FB3Oqt063647 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 04:03:24 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6FB3O9p063646 for ietf-smime-bks; Tue, 15 Jul 2003 04:03:24 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6FB3Lqt063633; Tue, 15 Jul 2003 04:03:22 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h6FB2YYM012981; Tue, 15 Jul 2003 23:02:34 +1200 Received: (from pgut001@localhost) by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h6FB2We15157; Tue, 15 Jul 2003 23:02:32 +1200 Date: Tue, 15 Jul 2003 23:02:32 +1200 Message-Id: <200307151102.h6FB2We15157@medusa01.cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: Denis.Pinkas@bull.net, turners@ieca.com Subject: Re: Discussing RTCS Cc: ietf-pkix@imc.org, ietf-smime@imc.org Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Denis Pinkas <Denis.Pinkas@bull.net> writes: >This is a topic to be addressed by the PKIX WG, not by the SMIME WG. We already tried that, but you made sure it wouldn't work. For those who aren't on the PKIX list, a short summary: - Denis has some sort of rabid opposition to what RTCS does. I had private mail from another PKIX member to say that RTCS' crime is that it provides a basic yes/no response rather than a CRL-style revoked/not revoked/maybe/ maybe not response. Someone else thought that it was because it made OCSP look bad. I'm not sure what it really is. - The result of this was a series of increasingly hysterical attacks by Denis on RTCS, using every reason he could dream up (see the PKIX list from late last year some time). The highlights were him posting several messages in which he quoted sections of text and claimed the exact opposite of what the text said. In one message I got a quote of him saying something wasn't possible, after which I had another quote of him saying the exact opposite earlier on. You get the idea... the debate wasn't very coherent, or useful, except perhaps for amusement value. - When his hissy fit on the list failed, he tried a private appeal to the WG chair to get it killed. - The only (unfortunate) effect of his fit was that it drove most of the discussion into private mail, because no-one (apart from me apparently :-) wanted to become the target of his attacks. I did, however, get some good feedback, which made it into the new draft. So because of Denis it isn't really possible to have any coherent discussion on the PKIX list. My last message to him on that list was: It's obvious from your messages (and others have commented on this as well) that you've barely read the RTCS draft (if at all), and even then only to pick out bits to complain about. The posting of obviously incorrect claims such as the ones cited above aren't helping your credibility much either. As the next sentence from his current post shows: The advantages of this new protocol versus draft-ietf-pkix-ocspv2-ext-01.txt (Online Certificate Status Protocol, version 2) and the differences should be first explained. he still hasen't actually read the draft. Hint for Denis: The answer to your question is in Section 2, right after the Abstract, which is section 1. I'm now pointing this out for the third (or fourth) time, but I doubt it'll make any difference. So to summarise: Denis has some sort of strong religious objection to RTCS. He will engage in whatever hysterics he thinks necessary to attack it. If anyone wants to see the rest, see the PKIX thread on this (or wait for Denis' next message). Peter (sorry for the sarcasm and whatnot, but I was hoping he'd finalled given up after the last time... it's like listening to a broken record. In the meantime, as ever, I welcome constructive feedback on RTCS). Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F9UUqt055338 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 02:30:30 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6F9UUq2055337 for ietf-smime-bks; Tue, 15 Jul 2003 02:30:30 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.174]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F9USqt055320; Tue, 15 Jul 2003 02:30:28 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (unknown [81.160.64.139]) by smtp4.pacifier.net (Postfix) with ESMTP id 9023D6A9C8; Tue, 15 Jul 2003 02:08:03 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'Sean P. Turner'" <turners@ieca.com> Cc: <ietf-smime@imc.org>, "'pkix'" <ietf-pkix@imc.org> Subject: RE: Discussing RTCS Date: Tue, 15 Jul 2003 11:30:53 +0200 Message-ID: <000301c34ab3$cb30a4b0$8b40a051@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: <3F13BB30.4030906@bull.net> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> I agree with Denis, this is a certificate validation issue and as such belongs in the PKIX WG if to be standardized by the IETF. I think that we can provide a review of the document if requested for it's usage of CMS, but not it's general suitablity. jim > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Denis Pinkas > Sent: Tuesday, July 15, 2003 10:29 AM > To: Sean P. Turner > Cc: ietf-smime@imc.org; pkix > Subject: Re: Discussing RTCS > > > > Sean, > > > Does anyone have an opinion on bringing this to the working group? > > This is a topic to be addressed by the PKIX WG, not by the SMIME WG. > > The PKIX WG is attempting (but not always succeeding) to > avoid duplication > of protocols for the same topic. > > We all know that it would have been better to use CMS for > building the OCSP > protocol, but this was not the case. > > The advantages of this new protocol versus > draft-ietf-pkix-ocspv2-ext-01.txt > (Online Certificate Status Protocol, version 2) and the > differences should > be first explained. > > Denis > > > > spt > > > > Blake Ramsdell wrote: > > > >>Peter Gutmann has made an individual draft submission for his > >>CMS-based RTCS protocol. A URL to this draft is: > >> > >>http://www.ietf.org/internet-drafts/draft-gutmann-cms-rtcs-00.txt > >> > >>He would like to get some review of the CMS parts of this, and it > >>seems reasonable to discuss it here on the IETF-SMIME list > if there is > >>interest. > >> > >>Since this draft is CMS based and potentially adds value to CMS or > >>S/MIME in general, should we consider bringing it into this working > >>group? > >> > >>Comments? > >> > >>Blake > >>-- > >>Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com > >> > >> > >> > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F8Suqt045009 for <ietf-smime-bks@above.proper.com>; Tue, 15 Jul 2003 01:28:56 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6F8SuZL045008 for ietf-smime-bks; Tue, 15 Jul 2003 01:28:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6F8Shqt044980; Tue, 15 Jul 2003 01:28:44 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA37988; Tue, 15 Jul 2003 10:33:13 +0200 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id KAA06126; Tue, 15 Jul 2003 10:28:44 +0200 Message-ID: <3F13BB30.4030906@bull.net> Date: Tue, 15 Jul 2003 10:28:32 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: "Sean P. Turner" <turners@ieca.com> CC: ietf-smime@imc.org, pkix <ietf-pkix@imc.org> Subject: Re: Discussing RTCS References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAW78oSlo46k69IkJ+uWj+gQEAAAAA@brutesquadlabs.com> <3F1283C0.50402@ieca.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Sean, > Does anyone have an opinion on bringing this to the working group? This is a topic to be addressed by the PKIX WG, not by the SMIME WG. The PKIX WG is attempting (but not always succeeding) to avoid duplication of protocols for the same topic. We all know that it would have been better to use CMS for building the OCSP protocol, but this was not the case. The advantages of this new protocol versus draft-ietf-pkix-ocspv2-ext-01.txt (Online Certificate Status Protocol, version 2) and the differences should be first explained. Denis > spt > > Blake Ramsdell wrote: > >>Peter Gutmann has made an individual draft submission for his CMS-based >>RTCS protocol. A URL to this draft is: >> >>http://www.ietf.org/internet-drafts/draft-gutmann-cms-rtcs-00.txt >> >>He would like to get some review of the CMS parts of this, and it seems >>reasonable to discuss it here on the IETF-SMIME list if there is >>interest. >> >>Since this draft is CMS based and potentially adds value to CMS or >>S/MIME in general, should we consider bringing it into this working >>group? >> >>Comments? >> >>Blake >>-- >>Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com >> >> >> > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6EB4Pqt063044 for <ietf-smime-bks@above.proper.com>; Mon, 14 Jul 2003 04:04:25 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6EB4PIe063043 for ietf-smime-bks; Mon, 14 Jul 2003 04:04:25 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6EB4Oqt063036; Mon, 14 Jul 2003 04:04:24 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Mon, 14 Jul 2003 04:04:19 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: "'Paul Hoffman / IMC'" <phoffman@imc.org>, <ietf-smime-examples@imc.org>, <ietf-smime@imc.org> Subject: RE: Status of the examples draft Date: Mon, 14 Jul 2003 04:04:19 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAY/4vlI401kmhQPHeOHCC0gEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <p05210609bb28ab8d2f11@[63.202.92.152]> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Paul Hoffman / IMC > Sent: Wednesday, July 02, 2003 8:44 AM > To: ietf-smime-examples@imc.org; ietf-smime@imc.org > Subject: Status of the examples draft > > Hi again. The -11 draft has the following changes: The comments that I posted regarding the -10 draft stand for the -11 draft, and I have included them below for completeness. The only thing that I've had trouble with so far is 5.6.bin appears to have changed the order of the SignerInfos. I don't believe that this change is relevant, so I don't think there needs to be any modification of the draft. The files I have worked with: 5.1.bin -- Identified as a CMS SignedData with signatures and content, checked certificates were present, matched content to ExContent.bin, verified one signer 5.2.bin -- Checked certificates were present, matched content to ExContent.bin, verified one signer 5.3.bin -- Identified as a CMS SignedData with signatures and no content, checked certificates were present, verified one signer against external content in ExContent.bin 5.4.bin -- Extracted signing time attribute, checked certificates were present, checked CRLs were present, matched content to ExContent.bin, verified one signer 5.5.bin -- Checked certificates were present, matched content to ExContent.bin, verified one signer 5.6.bin -- Checked certificates were present, matched content to ExContent.bin, verified two signers 5.7.bin -- Checked certificates were present, matched content to ExContent.bin, verified one signer 5.8.eml -- Parsed content with MIME parser, matched extracted text content from text part to ExContent.bin, checked certificates were present, verified one signer against first part of message, identified as a CMS SignedData with signatures and no content 5.9.eml -- Parsed content with MIME parser, matched extracted text content from text part to ExContent.bin, checked certificates were present, verified one signer, identified as a CMS SignedData with signatures and content 5.10.bin -- Matched content to ExContent.bin, verified one signer 5.11.bin -- Identified as a CMS SignedData with no signatures and no content, checked certificates were present 6.2.bin -- Decrypted message, matched content to ExContent.bin, identified as a CMS EnvelopedData 6.3.bin -- Decrypted message, matched content to ExContent.bin 7.0.bin -- Verified hash, matched content to ExContent.bin 8.1.bin -- Decrypted data with given key, matched content to ExContent.bin I also worked with the following certificates and private keys: AliceDSSSignByCarlNoInherit.cer AlicePrivRSASign.pri AliceRSASignByCarl.cer BobPrivRSAEncrypt.pri BobRSASignByCarl.cer CarlDSSCRLForAll.crl CarlDSSSelf.cer CarlPrivDSSSign.pri CarlPrivRSASign.pri CarlRSASelf.cer DianeDHEncryptByCarl.cer DianeDSSSignByCarlInherit.cer DianePrivRSASignEncrypt.pri DianeRSASignByCarl.cer EricaDHEncryptByCarl.cer Blake Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h6EAJtqt059596 for <ietf-smime-bks@above.proper.com>; Mon, 14 Jul 2003 03:19:55 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h6EAJtis059595 for ietf-smime-bks; Mon, 14 Jul 2003 03:19:55 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp002.bizmail.yahoo.com (smtp002.bizmail.yahoo.com [216.136.172.126]) by above.proper.com (8.12.9/8.12.8) with SMTP id h6EAJqqt059588 for <ietf-smime@imc.org>; Mon, 14 Jul 2003 03:19:54 -0700 (PDT) (envelope-from turners@ieca.com) Received: from tweety.ietf57.telekom.at (HELO ieca.com) (turners@ieca.com@81.160.152.206 with plain) by smtp2.bm.vip.sc5.yahoo.com with SMTP; 14 Jul 2003 10:19:52 -0000 Message-ID: <3F1283C0.50402@ieca.com> Date: Mon, 14 Jul 2003 12:19:44 +0200 From: "Sean P. Turner" <turners@ieca.com> Organization: IECA, Inc. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-smime@imc.org Subject: Re: Discussing RTCS References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAW78oSlo46k69IkJ+uWj+gQEAAAAA@brutesquadlabs.com> Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"> <title></title> </head> <body> Does anyone have an opinion on bringing this to the working group?<br> <br> spt<br> <br> Blake Ramsdell wrote:<br> <blockquote type="cite" cite="mid!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAW78oSlo46k69IkJ+uWj+gQEAAAAA@brutesquadlabs.com"> <pre wrap="">Peter Gutmann has made an individual draft submission for his CMS-based RTCS protocol. A URL to this draft is: <a class="moz-txt-link-freetext" href="http://www.ietf.org/internet-drafts/draft-gutmann-cms-rtcs-00.txt">http://www.ietf.org/internet-drafts/draft-gutmann-cms-rtcs-00.txt</a> He would like to get some review of the CMS parts of this, and it seems reasonable to discuss it here on the IETF-SMIME list if there is interest. Since this draft is CMS based and potentially adds value to CMS or S/MIME in general, should we consider bringing it into this working group? Comments? Blake -- Blake Ramsdell | Brute Squad Labs | <a class="moz-txt-link-freetext" href="http://www.brutesquadlabs.com">http://www.brutesquadlabs.com</a> </pre> </blockquote> <br> </body> </html> Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h69Mcpqt027896 for <ietf-smime-bks@above.proper.com>; Wed, 9 Jul 2003 15:38:51 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h69McpYO027895 for ietf-smime-bks; Wed, 9 Jul 2003 15:38:51 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h69Mcoqt027889 for <ietf-smime@imc.org>; Wed, 9 Jul 2003 15:38:50 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Wed, 9 Jul 2003 15:38:46 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <agenda@ietf.org>, <ietf-smime@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com> Subject: REVISED S/MIME Working Group Agenda for the 57th IETF Date: Wed, 9 Jul 2003 15:38:46 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAA52UkwHJaDUG5RUF2X5K+BQEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Revised agenda for the S/MIME working group meeting at IETF 57. Introductions (Sean Turner) Working group status (Sean Turner) CMS and ESS examples update (Paul Hoffman) MSGbis and CERTbis update (Blake Ramsdell) X400Wrap and X400Transport update (Chris Bonatti) Interoperability matrix update (Jim Schaad) PSS status (Jim Schaad) KEM overview (Jim Schaad) ESSbis overview (Jim Schaad) GOST overview (Gregory S. Chudov) Project OpenEvidence and ESS (Peter Sylvester) Wrap up (Sean Turner) Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h69ENlqt098848 for <ietf-smime-bks@above.proper.com>; Wed, 9 Jul 2003 07:23:47 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h69ENlri098847 for ietf-smime-bks; Wed, 9 Jul 2003 07:23:47 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h69ENiqt098836; Wed, 9 Jul 2003 07:23:45 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA33082; Wed, 9 Jul 2003 16:28:17 +0200 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA07578; Wed, 9 Jul 2003 16:23:47 +0200 Message-ID: <3F0C256D.3090300@bull.net> Date: Wed, 09 Jul 2003 16:23:41 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org>, S-MIME / IETF <ietf-smime@imc.org> Subject: Policy Requirements for Attribute Authorities Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h69ENkqt098837 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> ETSI is making available a draft document for public comments called: "Policy requirements for certification service providers issuing Attribute Certificates". The document is available at the following URL: http://docbox.etsi.org/ESI/Open/ETSI%20TS%20102_158%20v01.zip This document has been approved by ETSI Technical Committee - Electronic Signatures and Infrastructures for public review. Comments are invited on it, to be submitted to the editor and/or the task leader by 2003.08.24. Editor: Denis Pinkas <Denis.Pinkas@bull.net> Task leader: Franco Ruggieri <f.ruggieri@FLASHNET.IT> Do not send your comments to the PKIX or to the SMIME mailing list. This will allow the consolidation by 2003.09.07 of a final draft to be approved for publication at TC ESI # 05 in Sophia Antipolis, 23 24 September 2003 as ETSI Technical Specification (TS) 102 158. If you choose to place your comments in-line in the text of the document please return them under the same file name with the addition "&your initials". If you are aware of other public lists whose members might benefit from awareness of this document and have their own views to offer, please feel free to forward the document to them with copy of this message. Regards, Denis Pinkas. Document editor. Franco Ruggieri. Task leader. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h67NJHqt000558 for <ietf-smime-bks@above.proper.com>; Mon, 7 Jul 2003 16:19:17 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h67NJHPn000557 for ietf-smime-bks; Mon, 7 Jul 2003 16:19:17 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h67NJGqt000549 for <ietf-smime@imc.org>; Mon, 7 Jul 2003 16:19:16 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Mon, 7 Jul 2003 16:19:13 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <ietf-smime@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com> Subject: Text conferencing at IETF 57 Date: Mon, 7 Jul 2003 16:19:13 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAzapNg5K/Sk2Rk7O93ki5VAEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> The following is information about XMPP conferencing at IETF 57. In order for us to participate, we will need a scribe. Any volunteers, please stand up... Blake Remote Access for the 57th IETF meeting in Vienna: Text Conferencing At each IETF meeting, two of the working group meeting rooms are equipped for video multicast and remote participation. That is, for every IETF meeting slot, two of the working groups can see and hear the meeting. For the 57th IETF, in *addition* to the usual network A/V, text conferencing will be provided for every working group that meets. All of the conference rooms will be hosted on ietf.jabber.at and each is named using the official IETF abbreviation found in the agenda (e.g., "apparea", "dhc", "forces", and so on -- for all the examples that follow, we'll use "foobar" as the abbreviation). Each conference room also has a 'bot which records everything that gets sent. So, the minute taker can review this information right after the meeting. In addition to the conference rooms for each wg that is meeting, there are three others of general interest: bar, hallway, and plenary. 1. Before the meeting: 1.1. If you want to participate If you don't already have one, get yourself a Jabber client, here are some suggestions: platform suggestion -------- ---------- win32 http://exodus.jabberstudio.org 'nix http://gabber.sf.net macos http://jabberfox.sf.net When you start the client for the first time, it will eventually ask if you want to register on a public server. Go ahead and do that. If you want to find out more, instead of choosing these defaults, here are pointers to some additional information: list of clients: http://www.jabber.org/user/clientlist.php howto: http://www.jabber.org/user/userguide/ server list: http://www.jabber.org/user/publicservers.php To make sure everything is running ok, do a "Join Group Chat" with your Jabber client: Group/Room: testing Server: conference.ietf.jabber.com This conference room is up and running right now (although probably no one will be in it when you connect). 1.2. What the Chair does If you want to make text conferencing available, you'll need to have a volunteer scribe in the meeting room. The scribe will be typing in a running commentary as to what's going on in the room (who's presenting, what question is being asked, etc.) So, why not send an email out on the mailing list now, before the meeting, to ask for volunteers? 2. At the meeting 2.1. What the Chair does When a session starts, the chair asks if someone in the room is willing to act as "scribe". If no one volunteers, read no further, we're done! Otherwise, the scribe should do a "Join Group Chat" with their Jabber client, e.g., Group/Room: foobar Server: conference.ietf.jabber.com 2.2. What the Scribe does The scribe types in a running commentary as to what's going on in the room. For example, if a speaker makes a presentation, the scribe types in the URL for the presentation (more on this in a bit). Simlarly, during question time, a remote participant can type a question into the room and the scribe can pass it on to the speaker. 2.3. What each Presenter does Each presenter should put a copy of their presentation on a web server somewhere, so remote participants can follow along. 2.4. Where to find the conference log [ tbd ] ####### -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h665VOqt013827 for <ietf-smime-bks@above.proper.com>; Sat, 5 Jul 2003 22:31:24 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h665VOom013826 for ietf-smime-bks; Sat, 5 Jul 2003 22:31:24 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h665VNqt013819 for <ietf-smime@imc.org>; Sat, 5 Jul 2003 22:31:23 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Sat, 5 Jul 2003 22:31:21 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <agenda@ietf.org>, <ietf-smime@imc.org> Cc: "'Sean P. Turner'" <turners@ieca.com>, "Housley, Russ" <housley@vigilsec.com> Subject: S/MIME Working Group Agenda for the 57th IETF Date: Sat, 5 Jul 2003 22:31:20 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAATh+vk8BwM0af/M1goB1NjgEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Here is the agenda for the S/MIME working group meeting at IETF 57. Introductions (Sean Turner) Working group status (Sean Turner) CMS and ESS examples update (Paul Hoffman) MSGbis and CERTbis update (Blake Ramsdell) Interoperability matrix update (Jim Schaad) KEM overview (Jim Schaad) PSS status (Jim Schaad) ESSbis overview (Jim Schaad) GOST overview (Gregory S. Chudov) Wrap up (Sean Turner) Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h65Ma5qt005458 for <ietf-smime-bks@above.proper.com>; Sat, 5 Jul 2003 15:36:05 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h65Ma5Is005457 for ietf-smime-bks; Sat, 5 Jul 2003 15:36:05 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.174]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h65Ma4qt005452 for <ietf-smime@imc.org>; Sat, 5 Jul 2003 15:36:04 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.c132.blk1.bel.nwlink.com [209.20.132.237]) by smtp4.pacifier.net (Postfix) with ESMTP id 84C956AA2D; Sat, 5 Jul 2003 15:14:06 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com> Cc: <ietf-smime@imc.org> Subject: RE: proposed addition to application/pkcs7-mime smime parameter Date: Sat, 5 Jul 2003 15:36:29 -0700 Message-ID: <00a301c34345$e13e5970$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <00a801c33d34$976fdbf0$3d0311ac@augustcellars.local> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Blake, In the process of looking at ESS, I notice that there is an smime-type defined there. So it appears that MSG will not contain the definitive list no matter what is done. I would like it to contain the definitive list of all of CMS however. jim > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Jim Schaad > Sent: Friday, June 27, 2003 10:18 PM > To: 'Blake Ramsdell'; jimsch@exmsft.com > Cc: ietf-smime@imc.org > Subject: RE: proposed addition to application/pkcs7-mime > smime parameter > > > > Blake, > > > > I see a few ways to proceed, in my personal preference order: > > > > 1. Commit to the current direction of using the MSG draft to > > define how to use MIME with everything in CMS, as well as > > providing a constrained subset of CMS for the purpose of > > interpersonal messaging. > > > > 2. Don't put anything in MSG at all that doesn't have to do > > with interpersonal messaging, but leave what's there (the > > definition of the application/pkcs7-mime and the currently > > used smime-types). Any additional smime-type values are > > defined outside of the MSG draft. > > > > 3. Separate everything that has to do with the MIME wrapping > > of CMS objects into its own draft (CMS/MIME), and don't > > discuss anything about interpersonal messaging at all. The > > MSG draft simply contains references to the CMS/MIME draft, > > and is a profile of it. This is somewhat like the separation > > of CMS and CMSALG, I think. > > > > I will admit that my preference order is influenced by my > > role as the editor, and the desire to see MSG progress sooner > > rather than later. > > I have one argument for varient 3 that I just thought of that > might be overwelming at a later date, but certiantly not > currently. If SIP is dependent on the CMS/SMIME/Messaging > draft, and we update that draft for a messaging only item, > then SIP gets reset on its progression path as well. I don't > think this is an immeadiate issue, but something to consider > in the future. > > If we go with the version 1 draft, then we should perhaps > look at reorginaizing the draft along the lines of looking > like a profile of a previously defined item rather than > having items intermixed. I have not looked at the documents > to see how intermixed messaging is with the document and will > do so later this weekend. > > > > > Blake > > > > Jim > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h65M7Lqt003770 for <ietf-smime-bks@above.proper.com>; Sat, 5 Jul 2003 15:07:21 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h65M7LdF003769 for ietf-smime-bks; Sat, 5 Jul 2003 15:07:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h65M7Eqt003763 for <ietf-smime@imc.org>; Sat, 5 Jul 2003 15:07:14 -0700 (PDT) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.c132.blk1.bel.nwlink.com [209.20.132.237]) by smtp1.pacifier.net (Postfix) with ESMTP id 95CD76FF7E; Sat, 5 Jul 2003 15:07:15 -0700 (PDT) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, <ietf-smime@imc.org> Cc: "'Gregory S. Chudov'" <chudov@cryptopro.ru> Subject: RE: GOST with CMS Date: Sat, 5 Jul 2003 15:07:39 -0700 Message-ID: <009d01c34341$da1880c0$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAbWMMVYx/3k2rzkaJBoDzmAEAAAAA@brutesquadlabs.com> Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Please note that the link below was broken in half during transport to my machine. http://www.ietf.org/internet-drafts/draft-leontiev-cryptopro-cpcms-00.tx t jim > -----Original Message----- > From: owner-ietf-smime@mail.imc.org > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Blake Ramsdell > Sent: Wednesday, July 02, 2003 8:16 AM > To: ietf-smime@imc.org > Cc: 'Gregory S. Chudov' > Subject: GOST with CMS > > > > A new draft is available, profiling the use of the Russian > national cryptography standards (GOST) in CMS: > > Title: Cryptographic Message Syntax (CMS) algorithms for GOST > 28147-89, GOST R 34.10-94, GOST R 34.10-2001, GOST R 34.11-94. > > Authors: Serguei Leontiev, Vladimir Popov > > Filename: draft-leontiev-cryptopro-cpcms-00.txt > http://www.ietf.org/internet-drafts/draft-leontiev-cryptopro-cpcms-00.tx t Gregory Chudov has asked to introduce this draft to the group at the next working group meeting, and we will be providing him with some time to do that. I presume that this draft will become a draft of the working group in the next revision. Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h64GrLqt004301 for <ietf-smime-bks@above.proper.com>; Fri, 4 Jul 2003 09:53:21 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h64GrLpD004300 for ietf-smime-bks; Fri, 4 Jul 2003 09:53:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from sottmxssm.entrust.com (sottmxssm.entrust.com [216.191.252.10]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h64GrKqt004282 for <ietf-smime@imc.org>; Fri, 4 Jul 2003 09:53:20 -0700 (PDT) (envelope-from Darrell.Dykstra@entrust.com) Received: from sottguard01.entrust.com (sottguard01.entrust.com [10.4.61.249]) by sottmxssm.entrust.com (Switch-2.2.6/Switch-2.2.4) with SMTP id V64G3DBD27672 for <ietf-smime@imc.org>; Fri, 04 Jul 2003 12:49:47 -0400 Received: (qmail 13035 invoked by uid 64014); 4 Jul 2003 16:48:05 -0000 Received: from Darrell.Dykstra@entrust.com by sottguard01.entrust.com with AmikaGuardian-Server-1.1.2 (Processed in 0.252055 secs); 04 Jul 2003 16:48:05 -0000 Received: from unknown (HELO SOTTMXS01.entrust.com) (10.4.61.7) by 10.4.61.249 with SMTP; 4 Jul 2003 16:48:05 -0000 Received: by sottmxs01.entrust.com with Internet Mail Service (5.5.2656.59) id <MX4BR338>; Fri, 4 Jul 2003 12:53:14 -0400 Message-ID: <BFB44293CE13C9419B7AFE7CBC35B939042B808E@sottmxs08.entrust.com> From: Darrell Dykstra <Darrell.Dykstra@entrust.com> To: "'Blake Ramsdell'" <blake@brutesquadlabs.com>, "'Julien Stern'" <julien.stern@cryptolog.com>, jimsch@exmsft.com, ietf-smime@imc.org Subject: RE: (Practical) S/MIME certificate chain handling Date: Fri, 4 Jul 2003 12:53:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) Content-Type: text/plain Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> > > > I believe that most clients transmit the certificate chain (not > > including the root) today. > > To the best of my knowledge, Outlook does not, and it has > quite a large > market share ... (Although, I'd be happy to know how to make > it do so if > there is a way ;) ). I believe an end user can configure to some degree, which certificates are sent in a signed message. To access the UI in Outlook 2002, go to Tools/Options/Security/Settings... There should be a check box for "Send these certificates with signed messages". I have not verified as to what exactly this checkbox controls (I am in a strict 1 level hierarchy so I can't verify if sub-CA's are included without some prep work). I would think that, despite its naming, Outlook 2002 will always send the signer's certs, and depending on the state of the checkbox, the chain from the signer's certs to a trusted root. Can anybody confirm or deny my theory (do you have a more complex hierarchy to test with)? Thanks, Darrell Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h64GG8qt099805 for <ietf-smime-bks@above.proper.com>; Fri, 4 Jul 2003 09:16:08 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h64GG6PV099802 for ietf-smime-bks; Fri, 4 Jul 2003 09:16:06 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from kraid.nerim.net (smtp-105-friday.nerim.net [62.4.16.105]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h64GG4qt099785 for <ietf-smime@imc.org>; Fri, 4 Jul 2003 09:16:05 -0700 (PDT) (envelope-from julien.stern@cryptolog.com) Received: from jupiter.cry.pto (cryptolog.net1.nerim.net [80.65.224.225]) by kraid.nerim.net (Postfix) with ESMTP id 6A28D40F0A; Fri, 4 Jul 2003 18:07:16 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by jupiter.cry.pto (Postfix) with ESMTP id 7724E40F5; Fri, 4 Jul 2003 18:07:12 +0200 (CEST) Received: from jupiter.cry.pto ([127.0.0.1]) by localhost (jupiter [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 06213-09; Fri, 4 Jul 2003 18:07:12 +0200 (CEST) Received: from callisto.cry.pto (callisto.cry.pto [10.0.1.4]) by jupiter.cry.pto (Postfix) with SMTP id 452F540E7; Fri, 4 Jul 2003 18:07:12 +0200 (CEST) Received: by callisto.cry.pto (sSMTP sendmail emulation); Fri, 4 Jul 2003 18:07:12 +0200 From: "Julien Stern" <julien.stern@cryptolog.com> Date: Fri, 4 Jul 2003 18:07:12 +0200 To: Blake Ramsdell <blake@brutesquadlabs.com> Cc: jimsch@exmsft.com, ietf-smime@imc.org Subject: Re: (Practical) S/MIME certificate chain handling Message-ID: <20030704160712.GA12030@cryptolog.com> References: <20030630103504.GA10502@cryptolog.com> <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAHQr9HqmMOESm/BDsbOUW0AEAAAAA@brutesquadlabs.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAHQr9HqmMOESm/BDsbOUW0AEAAAAA@brutesquadlabs.com> User-Agent: Mutt/1.5.4i X-Virus-Scanned: by amavisd-new-20030314-p2 (Debian) at example.com Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> On Mon, Jun 30, 2003 at 03:40:01PM -0700, Blake Ramsdell wrote: > > > -----Original Message----- > > From: owner-ietf-smime@mail.imc.org > > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Julien Stern > > Sent: Monday, June 30, 2003 3:35 AM > > To: Blake Ramsdell; jimsch@exmsft.com; ietf-smime@imc.org > > Subject: Re: (Practical) S/MIME certificate chain handling > > > > > I believe that most clients transmit the certificate chain (not > > > including the root) today. > > > > To the best of my knowledge, Outlook does not, and it has > > quite a large > > market share ... (Although, I'd be happy to know how to make > > it do so if > > there is a way ;) ). > > Outlook 2002 sends all the certificates in the chain (I just verified > this). When Jim Schaad wrote the code way back in something like > Outlook 97, I'm fairly certain that it sent all the certificates also. > This could very well be a case of misconfiguration of some sort, and I'd > be happy to work through it with you offline. The early S/MIME > implementations all understood the utility of this, and included the > certificates for exactly the reasons that you cite. We did a bit of research, and it seems that, for Outlook, if intermediate certificates are stored in the local machine stores, they are indeed sent. However, if these certificates are stored in the user stores (the ones in the user profile) they are not sent, despite the fact the chain is correctly reconstructed. This behavior is different from the one in Outlook Express. > [many things regarding automatic verification snipped] Regarding the rest of this thread, thanks to all for your enlightening replies. I guess I'll take the pragmatic approach and attempt to focus on the settings that actually work ;) And hopefully, at some point, I will have the insurance that, given the extensions in my chain of cert, and the available servers, _any_ S/MIME compliant receiver will indeed be able to verify everything automatically, including revocation... -- Julien Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXiFK082593 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 13:33:44 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62KXiHH082592 for ietf-smime-bks; Wed, 2 Jul 2003 13:33:44 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXgFK082587 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 13:33:43 -0700 (PDT) (envelope-from nsyracus@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13167; Wed, 2 Jul 2003 16:33:41 -0400 (EDT) Message-Id: <200307022033.QAA13167@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-smime@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-smime-x400transport-08.txt Date: Wed, 02 Jul 2003 16:33:41 -0400 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the S/MIME Mail Security Working Group of the IETF. Title : Transporting S/MIME Objects in X.400 Author(s) : P. Hoffman, C. Bonatti Filename : draft-ietf-smime-x400transport-08.txt Pages : 6 Date : 2003-7-2 This document describes protocol options for conveying CMS-protected objects associated with S/MIME version 3 over an X.400 message transfer system. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-smime-x400transport-08.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-smime-x400transport-08.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-smime-x400transport-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-7-2161846.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-smime-x400transport-08.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-smime-x400transport-08.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-7-2161846.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXgFK082585 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 13:33:42 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62KXgpH082584 for ietf-smime-bks; Wed, 2 Jul 2003 13:33:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXdFK082576 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 13:33:40 -0700 (PDT) (envelope-from nsyracus@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13145; Wed, 2 Jul 2003 16:33:37 -0400 (EDT) Message-Id: <200307022033.QAA13145@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-smime@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-smime-x400wrap-07.txt Date: Wed, 02 Jul 2003 16:33:37 -0400 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the S/MIME Mail Security Working Group of the IETF. Title : Securing X.400 Content with S/MIME Author(s) : P. Hoffman, C. Bonatti, A. Eggen Filename : draft-ietf-smime-x400wrap-07.txt Pages : 11 Date : 2003-7-2 This document describes a protocol for adding cryptographic signature and encryption services to X.400 content. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-smime-x400wrap-07.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-smime-x400wrap-07.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-smime-x400wrap-07.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-7-2161836.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-smime-x400wrap-07.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-smime-x400wrap-07.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-7-2161836.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXaFK082571 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 13:33:36 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62KXaqr082570 for ietf-smime-bks; Wed, 2 Jul 2003 13:33:36 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62KXYFK082565 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 13:33:34 -0700 (PDT) (envelope-from nsyracus@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13125; Wed, 2 Jul 2003 16:33:32 -0400 (EDT) Message-Id: <200307022033.QAA13125@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-smime@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-smime-rfc2633bis-05.txt Date: Wed, 02 Jul 2003 16:33:32 -0400 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the S/MIME Mail Security Working Group of the IETF. Title : S/MIME Version 3.1 Message Specification Author(s) : B. Ramsdell Filename : draft-ietf-smime-rfc2633bis-05.txt Pages : 0 Date : 2003-7-2 S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a consistent way to send and receive secure MIME data. Based on the popular Internet MIME standard, S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and data confidentiality (using encryption). S/MIME can be used by traditional mail user agents (MUAs) to add cryptographic security services to mail that is sent, and to interpret cryptographic security services in mail that is received. However, S/MIME is not restricted to mail; it can be used with any transport mechanism that transports MIME data, such as HTTP. As such, S/MIME takes advantage of the object-based features of MIME and allows secure messages to be exchanged in mixed-transport systems. Further, S/MIME can be used in automated message transfer agents that use cryptographic security services that do not require any human intervention, such as the signing of software-generated documents and the encryption of FAX messages sent over the Internet. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-smime-rfc2633bis-05.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-smime-rfc2633bis-05.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-smime-rfc2633bis-05.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-7-2161826.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-smime-rfc2633bis-05.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-smime-rfc2633bis-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-7-2161826.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62FiXFK066678 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 08:44:33 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62FiXJW066677 for ietf-smime-bks; Wed, 2 Jul 2003 08:44:33 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from [63.202.92.152] (adsl-63-202-92-152.dsl.snfc21.pacbell.net [63.202.92.152]) (authenticated bits=0) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62FiSFN066656; Wed, 2 Jul 2003 08:44:30 -0700 (PDT) (envelope-from phoffman@imc.org) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05210609bb28ab8d2f11@[63.202.92.152]> In-Reply-To: <200307021056.GAA03059@ietf.org> References: <200307021056.GAA03059@ietf.org> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report>. Date: Wed, 2 Jul 2003 08:44:28 -0700 To: ietf-smime-examples@imc.org, ietf-smime@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Status of the examples draft Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Hi again. The -11 draft has the following changes: 5.1.bin 5.3.bin 5.4.bin 5.6.bin 5.7.bin 5.10.bin 8.2.bin 11.1.bin 11.2.bin It would be great if everyone who has tested can re-test with these new examples. BTW, I forgot to change the title of 6.3 to say RC2/128, and will do so in the -12 draft. (Just to be sure, I have already started the -12 draft so I don't space out again...) I would like to update the chart below for the -11 draft soon so we can move it to IETF last call. ====================================== Status of the examples in -10 4. Trivial Examples 4.1 ContentInfo with Data type, BER John Pawling: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 4.2 ContentInfo with Data type, DER John Pawling: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 5. Signed-data Jim Schaad pointed out that many examples had the signatureAlgorithm of 1.2.840.10040.4.1 (dsa) but it should instead be 1.2.840.10040.4.3 (dsaWithSha1). The general decision was that the examples should have dsaWithSha1. John Pawling and Sue Beauchamp at DigitalNet agreed to re-generate the examples. 5.1 Basic signed content, DSS John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed. signatureAlgorithm is dsa but should be dsaWithSha1 Holger Ebel: tested OK. Sue Beauchamp sent new example file. 5.2 Basic signed content, RSA John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 5.3 Basic signed content, detached content John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed. Contains Alice's RSA certificate No content hint unsigned attribute signatureAlgorithm is dsa but should be dsaWithSha1 Jeff Jacoby: tested OK. Holger Ebel: tested OK. Sue Beauchamp sent new example file. 5.4 Fancier signed content John Pawling: tested OK. Blake Ramsdell: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. Countersigner is Alice, not Diane No content hint Sue Beauchamp sent new example file. 5.5 All RSA signed message John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 5.6 Multiple signers John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed. signatureAlgorithm is dsa but should be dsaWithSha1 Holger Ebel: tested OK. Sue Beauchamp sent new example file. 5.7 Signing using SKI John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed. signatureAlgorithm is dsa but should be dsaWithSha1 Holger Ebel: tested OK. Sue Beauchamp sent new example file. 5.8 S/MIME multipart/signed message John Pawling: tested OK. Blake Ramsdell: tested OK. Holger Ebel: tested OK except that it has a CRLF prepended. 5.9 S/MIME application/pkcs7-mime signed message John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed because signatureAlgorithm of dsa not dsaWithSha1 Holger Ebel: tested OK except that it has a CRLF prepended. 5.10 SignedData With Attributes John Pawling: tested OK. Blake Ramsdell: tested OK. Jim Schaad: failed. Change "unknown OID" to "unknown OID (1.2.5555)" Content Hint should have an OID of 1.2.840.113549.1.7.1 Content Identifier attribute absent Contains Security Label attribute Contains encrypt key preference attribute Contains ML Expansion History attribute Contains Equivalent Label attribute Jeff Jacoby: tested OK. Holger Ebel: failed (not signed by Alice). 5.11 SignedData with Certificates Only John Pawling: tested OK. Blake Ramsdell: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 6. Enveloped-data 6.1 Basic encrypted content, TripleDES and DH John Pawling: tested OK. Holger Ebel: tested OK. 6.2 Basic encrypted content, TripleDES and RSA John Pawling: tested OK. Blake Ramsdell: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 6.3 Basic encrypted content, RC2/40 and RSA Blake Ramsdell: this is actually a 128-bit key. Jeff Jacoby: confirmed Blake's assertion. Paul Hoffman: thinks we could just change the title of the example. John Pawling: tested OK. Blake Ramsdell: tested OK. Jeff Jacoby: tested OK. Holger Ebel: tested OK. 6.4 Encrypted content, two recipients, no shared keying material John Pawling: tested OK but noted unsuccessful Invalid tag for privateKeyInfo for second login. Holger Ebel: tested OK. 6.5 Encrypted content, two recipients, shared keying material John Pawling: could not test due to bug in his code. Holger Ebel: tested OK. 6.6 Encrypted content, TripleDES and DH, previously-distributed keys John Pawling: tested OK. Holger Ebel: tested OK. 6.7 Encrypted content, RC2/40 and RSA, previously-distributed keys John Pawling: tested OK. Holger Ebel: tested OK. 6.8 S/MIME application/pkcs7-mime encrypted message John Pawling: tested OK. Holger Ebel: tested OK. 6.9 EnvelopedData with All Recipient Types John Pawling: tested OK. Holger Ebel: tested OK. 6.10 EnvelopedData with KARI RC2 Encryption John Pawling: tested OK. Holger Ebel: tested OK. 6.11 EnvelopedData with KEK 3DES Encryption John Pawling: tested OK. Holger Ebel: tested OK. 7. Digested-data Blake Ramsdell: tested OK. Jeff Jacoby: tested OK. 8. Encrypted-data 8.1 Simple EncryptedData Blake Ramsdell: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. 8.2 EncryptedData with unprotected attributes Jim Schaad: failed badly. The key is not in the text and it is not the same as 8.1 The encapsulated content type is EncryptedData not id-data The content hint content type does not match the encapsulated content type 9. Authenticated-data There are still no examples in this section. 10. Key Wrapping John Pawling: tested OK. 10.1 Wrapping RC2 John Pawling: tested OK. 10.2 Wrapping TripleDES John Pawling: tested OK. Holger Ebel: tested OK. 11. ESS Examples 11.1 ReceiptRequest John Pawling: test failed, has sent new example file. Jeff Jacoby: tested OK. 11.2 Receipt John Pawling: test failed, has sent new example file. 11.3 eSSSecurityLabel John Pawling: tested OK. Jim Schaad: tested OK. Jeff Jacoby: tested OK. 11.4 EquivalentLabels John Pawling: tested OK. Jeff Jacoby: tested OK. 11.5 mlExpansionHistory John Pawling: tested OK. Jeff Jacoby: tested OK. 11.6 SigningCertificate John Pawling: tested OK. Jeff Jacoby: tested OK. --Paul Hoffman, Director --Internet Mail Consortium Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62FFgFK062351 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 08:15:42 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62FFgbh062350 for ietf-smime-bks; Wed, 2 Jul 2003 08:15:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62FFaFK062339 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 08:15:36 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Wed, 2 Jul 2003 08:15:32 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <ietf-smime@imc.org> Cc: "'Gregory S. Chudov'" <chudov@cryptopro.ru> Subject: GOST with CMS Date: Wed, 2 Jul 2003 08:15:32 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAbWMMVYx/3k2rzkaJBoDzmAEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> A new draft is available, profiling the use of the Russian national cryptography standards (GOST) in CMS: Title: Cryptographic Message Syntax (CMS) algorithms for GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, GOST R 34.11-94. Authors: Serguei Leontiev, Vladimir Popov Filename: draft-leontiev-cryptopro-cpcms-00.txt http://www.ietf.org/internet-drafts/draft-leontiev-cryptopro-cpcms-00.tx t Gregory Chudov has asked to introduce this draft to the group at the next working group meeting, and we will be providing him with some time to do that. I presume that this draft will become a draft of the working group in the next revision. Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62DwHFK057578 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 06:58:17 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62DwH3b057577 for ietf-smime-bks; Wed, 2 Jul 2003 06:58:17 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from moorabbin.nexor.co.uk (moorabbin.nexor.co.uk [80.6.88.100]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62DwAFK057564 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 06:58:16 -0700 (PDT) (envelope-from Graeme.Lunt@nexor.co.uk) Received: from typhoon (actually host 210.53.63.193.in-addr.arpa) by moorabbin.nexor.co.uk with ESMTP (Mailer) with ESMTP; Wed, 2 Jul 2003 14:55:15 +0100 Reply-To: "g.lunt" <Graeme.Lunt@nexor.co.uk> From: Graeme Lunt <Graeme.Lunt@nexor.co.uk> To: "'jimsch'" <jimsch@exmsft.com>, "'Sean P. Turner'" <turners@ieca.com> Cc: "'ietf-smime'" <ietf-smime@imc.org> Subject: RE: Signed Receipts and Mail Lists Date: Wed, 2 Jul 2003 14:56:58 +0100 Organization: Nexor Message-ID: <001f01c340a1$cf01f470$d2353fc1@nexor.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: <009701c33ce3$a86b4170$3d0311ac@augustcellars.local> X-Spam-Status: No, hits=-100.7 required=5.0 tests=IN_REP_TO,NOSPAM_INC,QUOTED_EMAIL_TEXT,SPAM_PHRASE_03_05, USER_IN_WHITELIST version=2.43 X-Spam-Level: Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Jim, > If we adopted the solution you gave, what limits me from making > arbitrary statements about who I am in this field that then need to be > independently verified by the receipt processing code? (I.e. what if > I put the fact that I am turners@ieca.com in this field and sign with > my jimsch@exmsft.com certificate). First off, having looked in more detail at 2634 it implicitly requires each mail list to have its own certificate. In particular, the EntityIdentifier, used in MLExpansionHistory, refers only to a certificate. So having a single certificate for an MLA supporting multiple lists would cause the loop detection algorithm to fail. So what I was looking at (a single certificate for a mail list agent supporting multiple lists) is a more fundamental change than I first thought. But back to your question. The basic answer is that nothing would limit you. Do you see this as a major issue? x400wrap has a similar case where the content being signed contains an "originator" field. "Receiving agents SHOULD check that the originator address in the X.400 content matches an X.400 address in the signer's certificate, if X.400 addresses are present in the certificate and an originator address is available in the content. A receiving agent SHOULD provide some explicit alternate processing of the message if this comparison fails, which may be to display a message that shows the recipient the addresses in the certificate or other certificate details." I think that similar wording to section 4.3 of this draft may be acceptable? This wording allows us to take our own action to correlate the x400 originator to the signer in the case that they don't match (we use attribute certificates to do the signer to originator validation). So for your example, I may see something like: "signed receipt from jimsch@exmsft.com on behalf of turners@ieca.com at <time>" The receiptFrom field I proposed is primarily aimed at supporting the correlation of the signed receipt to the original recipient by providing original address the signed receipt was requested from. There are a number of reasons why I may not be able to match the address[es] (subjectAltName) from the certificate to one of the addresses I to: a) Valid aliases not in the subjectAltNames of the certificate b) Signed receipt from a recipient who received the message as a result of ML expansion. c) Mail redirections - e.g. sent to "ceo@corp.com" which redirects to a personal mailbox. Similar to a). Graeme > > -----Original Message----- > > From: owner-ietf-smime@mail.imc.org > > [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Graeme Lunt > > Sent: Wednesday, June 25, 2003 12:40 AM > > To: 'Sean P. Turner' > > Cc: 'ietf-smime' > > Subject: RE: Signed Receipts and Mail Lists > > > > > > > > Sean, > > > > > I'm not sure that the MLA returns a receipt on behalf of the ML > > > members. > > > > OK - if an MLA should not return signed receipts then there is not a > > problem with my scenario. > > > > > I looked through ESS again and I couldn't find anything > > that said if a > > > message enters an MLA with a signed receipt request that it > > > > > shouldn't or should return a receipt. > > > > Is an MLA considered a "receiving agent"/"receiving > > software"/"processing software" in section 2.3 of ESS? I had assumed > > that it was but agree it is unclear. > > > > > Typically (I think), originators want to know that the > > final recipient > > got > > > the message not whether the MLA got it. > > > > I think there are arguments for both. If an originator > sends a message > > to: > > > > complaints@bigbank.co.uk > > > > the originator probably only wants to know that it got to the > > complaints department at bigbank. The originator doesn't want to > > know (and bigbank doesn't want to let the originator know) which > > individuals within bigbank read the message. > > > > > Then again maybe I didn't understand your scenario. > > > > I don't think the originator needs to understand if the addresses > > they are requesting signed receipts from are address lists or not. > > If an originator sends a message to two recipients - one a mail > > list, one an individual - and requests first tier signed receipts, > > they will never receive a signed receipt from the mail list > > recipient. The user may find this unexpected. Correlation software > > *may* be able to detect a mail list recipient and handle it > > appropriately. > > > > > > Graeme > > > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62AuuFK051294 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 03:56:56 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62AuuC7051292 for ietf-smime-bks; Wed, 2 Jul 2003 03:56:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62AutFK051285 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 03:56:55 -0700 (PDT) (envelope-from nsyracus@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA03059; Wed, 2 Jul 2003 06:56:54 -0400 (EDT) Message-Id: <200307021056.GAA03059@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-smime@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-smime-examples-11.txt Date: Wed, 02 Jul 2003 06:56:53 -0400 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the S/MIME Mail Security Working Group of the IETF. Title : Examples of S/MIME Messages Author(s) : P. Hoffman Filename : draft-ietf-smime-examples-11.txt Pages : 8 Date : 2003-7-1 This document gives examples of message bodies formatted using S/MIME. Specifically, it has examples of Cryptographic Message Syntax (CMS) objects, S/MIME messages (including the MIME formatting), and Enhanced Security Services for S/MIME (ESS). It includes examples of most or all common CMS and ESS formats; in addition, it gives examples that show common pitfalls in implementing CMS. The purpose of this document is to help increase interoperability for S/MIME and other protocols that rely on CMS. This draft is being discussed on the 'ietf-smime' mailing list. To join the list, send a message to <ietf-smime-request@imc.org> with the single word 'subscribe' in the body of the message. Also, there is a Web site for the mailing list at <http://www.imc.org/ietf-smime/>. This draft is being discussed on the 'ietf-smime' mailing list. To join the list, send a message to <ietf-smime-request@imc.org> with the single word 'subscribe' in the body of the message. Also, there is a Web site for the mailing list at <http://www.imc.org/ietf-smime/>. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-smime-examples-11.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-smime-examples-11.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-smime-examples-11.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-7-1134908.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-smime-examples-11.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-smime-examples-11.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-7-1134908.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62ApUFK050485 for <ietf-smime-bks@above.proper.com>; Wed, 2 Jul 2003 03:51:30 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h62ApUV0050484 for ietf-smime-bks; Wed, 2 Jul 2003 03:51:30 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h62ApTFK050473 for <ietf-smime@imc.org>; Wed, 2 Jul 2003 03:51:30 -0700 (PDT) (envelope-from nsyracus@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA01615; Wed, 2 Jul 2003 06:51:26 -0400 (EDT) Message-Id: <200307021051.GAA01615@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; CC: sipping@ietf.org, ietf-smime@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-mahy-sipping-smime-vs-digest-01.txt Date: Wed, 02 Jul 2003 06:51:26 -0400 Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Discussion of suitability: S/MIME instead of Digest Authentication in the Session Initiation Protocol (SIP) Author(s) : R. Mahy Filename : draft-mahy-sipping-smime-vs-digest-01.txt Pages : 11 Date : 2003-7-1 Digest authentication (as defined in RFC2617) is used in SIP (RFC3261) for user authentication, and less frequently for message integrity of MIME bodies carried in SIP. Various members of the IETF security community have periodically suggested that Digest should be deprecated in favor of the SIP use of S/MIME (RFC2633), support for which was recently introduced in RFC3261. The author seeks clarity from the IETF security community on behalf of the SIP community about the feasibility and possible benefits of using S/MIME instead of Digest in one or both of these applications. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-mahy-sipping-smime-vs-digest-01.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-mahy-sipping-smime-vs-digest-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-mahy-sipping-smime-vs-digest-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-7-1133733.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-mahy-sipping-smime-vs-digest-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-mahy-sipping-smime-vs-digest-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-7-1133733.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h61LodFK087936 for <ietf-smime-bks@above.proper.com>; Tue, 1 Jul 2003 14:50:39 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h61Lodk8087935 for ietf-smime-bks; Tue, 1 Jul 2003 14:50:39 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from brutesquadlabs.com (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h61LocFK087918 for <ietf-smime@imc.org>; Tue, 1 Jul 2003 14:50:39 -0700 (PDT) (envelope-from blake@brutesquadlabs.com) Received: from DEXTER ([192.168.0.5]) by brutesquadlabs.com with ESMTP ; Tue, 1 Jul 2003 14:50:35 -0700 From: "Blake Ramsdell" <blake@brutesquadlabs.com> To: <ietf-smime@imc.org> Cc: "'Sean Turner'" <turners@ieca.com> Subject: DRAFT S/MIME working group agenda Date: Tue, 1 Jul 2003 14:50:35 -0700 Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAH5/oOPiN10yLsjkx1W//HgEAAAAA@brutesquadlabs.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> Here is a draft agenda based on the response so far. This will most likely be the final agenda unless Sean or I hear something different. Introductions (Sean Turner) Working group status (Sean Turner) CMS and ESS examples update (Paul Hoffman) MSGbis and CERTbis update (Blake Ramsdell) Interoperability matrix update (Jim Schaad) KEM overview (Jim Schaad) PSS status (Jim Schaad) ESSbis overview (Jim Schaad) Blake -- Blake Ramsdell | Brute Squad Labs | http://www.brutesquadlabs.com Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h619D0FK031127 for <ietf-smime-bks@above.proper.com>; Tue, 1 Jul 2003 02:13:00 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h619D0uv031126 for ietf-smime-bks; Tue, 1 Jul 2003 02:13:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from hermes.cs.auckland.ac.nz ([130.216.35.151]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h619CwFK030843 for <ietf-smime@imc.org>; Tue, 1 Jul 2003 02:12:59 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h6198iXX012517; Tue, 1 Jul 2003 21:08:44 +1200 Received: (from pgut001@localhost) by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h6198gB18508; Tue, 1 Jul 2003 21:08:42 +1200 Date: Tue, 1 Jul 2003 21:08:42 +1200 Message-Id: <200307010908.h6198gB18508@medusa01.cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: blake@brutesquadlabs.com, ietf-smime@imc.org, jimsch@exmsft.com, julien.stern@cryptolog.com Subject: RE: (Practical) S/MIME certificate chain handling Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-smime/mail-archive/> List-ID: <ietf-smime.imc.org> List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe> "Blake Ramsdell" <blake@brutesquadlabs.com> writes: >I agree, and that's why they send all the certificates along with messages to >this date. By "they", I mean S/MIME-enabled versions of Netscape, Outlook >Express, Outlook, and the S/MIME plugin for Eudora that I wrote. Just as another data point, a small portion of my certificate zoo consists of cert chains from S/MIME sigs, and every one of them is a full chain (or at least some sort of chain), rather than a single cert. I don't track where they originally came from, but they cover (at least) Outlook (many versions), Netscape, and a few S/MIME gateways that auto-sign everything passing through them (most of the stuff I've seen in general mail in fact would be auto- signed, either by a gateway or because the sender turned it on and forgot about it). I do have some single-cert chains, but they're from oddball applications like EDI messaging (the certs have EDI altnames and whatnot) which aren't representative of general usage. Peter.
- RFC2632bis and subjectAltName Russ Housley
- RE: RFC2632bis and subjectAltName Russ Housley
- RE: RFC2632bis and subjectAltName Blake Ramsdell
- RE: RFC2632bis and subjectAltName Jim Schaad
- RE: RFC2632bis and subjectAltName Russ Housley
- RE: RFC2632bis and subjectAltName Blake Ramsdell
- RE: RFC2632bis and subjectAltName Alberti Antoine
- RE: RFC2632bis and subjectAltName Tony Capel
- RE: RFC2632bis and subjectAltName Russ Housley
- RE: RFC2632bis and subjectAltName Blake Ramsdell
- RE: RFC2632bis and subjectAltName Russ Housley