|
Re: Issues with S/MIME Message Specification
1999-05-24 07:46:51
Bob:
In CMS Section 12.3.2, RSA Key Management is a "should" implement
algorithm. As a result of an editorial error, in CMS Section 12.2, RSA
Signature is a "may" implement algorithm. I thought that they had the same
"should" status. This would be consistent with the MSG document.
We went through great pains to include support many, many algorithms in
CMS. The "must" implement algorithms to provide a set of interoperable
strong algorithms. The "should" implement algorithms provide backward
compatibility with S/MIMEv2. Any other algorithm is considered a "may"
implement algorithm. RSA with OAEP falls into this "may" implement category.
The IETF consistently includes strong algorithms in standards. If you wish
to discuss this policy, please discuss it in a broader context (not just
S/MIME) with the IETF Security Area Directors (Jeff Schiller and Marcus
Leech). I have CCed them on this e-mail message, so you have their
addresses. I do not consider this an approprate topic for the S/MIME mail
list.
I wish you had raised this inconsistency during CMS and MSG Last Call. The
IESG has approved these documents. I hope you will raise this topic again
when the documents are considered for Draft Standard status.
Russ
S/MIME WG Chair &
CMS Document Editor
At 12:34 PM 5/18/99 -0600, Robert R. Jueneman wrote:
I sincerely regret not having had sufficient time to review the S/MIME v3
specs in detail during last call and prior to their moving to Proposed
Standard, but I believe that there are several changes that absolutely
must be made before they can progress to final Standard.
Regarding the S/MIME Version 3 Message Specification,
draft-ietf-smime-msg-08.txt, I believe that all MUSTs and SHOULDs
regarding specific cryptographic algorithms should be removed from this
document, and contained only in the Cryptographic Message Syntax document.
I can see no reason at all why such things should be specified twice -- it
just makes conformance checking all that much more difficult. An example
of this kind of difficulty is para 2.2 of the S/MIME Message
Specification, which says that sending and receiving agents SHOULD support
rsaEncryption, whereas the Cryptographic Message Syntax , para 12.2, says
that CMS implementations "may" support RSA. Neither mentions RSA with
OAEP.
This affects section 2.1, 2.2, and 2.3, and most emphatically section 2.7,
"ContentEncryption AlgorithmIdentifier", and 2.7.1.3 "Rule 3, Unknown
Capabilities, Unknown Version of S/MIME."
Without getting into international politics, at the present time
triple-DES is not exportable from the US, at the very least, and may very
well not be importable into some other countries. Specifying that S/MIME
agents MUST implement triple-DES therefore presents a vendor with Hobson's
choice -- they can either chose not to be compliant with the RFC, or they
can chose not to export their product. Unfortunately, that is no choice
at all -- any sane US vendor will choose not to be compliant with the RFC,
rather than lose perhaps 50% of their market. The only purpose such a
red-flag-in-front-of-the-bull statement serves, therefore, is a political
one, and one that will merely lower the credibility of the IETF and the
IESG in the vendor and business community. At most the requirement should
be SHOULD.
The second part of 2.7 specifies that receiving agents SHOULD support
RC2/40 "or a compatible algorithm at a key size of 40 bits..." This
recommendation suffers from two major problems, in my view. First, it is
LESS secure than 56-bit DES, which is now acceptable world-wide (with
perhaps one or two minor exceptions -- not quite clear) for data
encryption. And second, it is a proprietary, trade-secret algorithm. Not
only is that contrary to the general direction of the IETF in not
mandating proprietary algorithms, but the fact that it is a trade secret
(not withstanding the fact that it has been reverse engineered) means that
there has not been adequate attention paid to its security in the academic
cryptanalytic community. RC2 of any size may well be worth considering
for support, and might deserve RECOMMENDED status, but that should be up
to the vendor. If RC2 is required for backwards compatibility with S/MIME
v2, then a paragraph noting that fact would be appropriate, as was
provided as the last paragraph under 2.3 ("Note that S/MIME v2 clients are
only capable of decrypting content encryption keys using the rsaEncryption
algorithm.").
(I am taking this position with no lack of respect for Ron Rivest, whom I
consider a very able cryptographer. But I would take that position if God
Herself had invented but not published some particular algorithm.)
With respect to 2.7.1.3, there are two problems. First, it mandates
triple-DES, which very well may not be available at to the recipient, and
secondly, it recommends as a fall back position the use of the
trade-secret RC2/40. Both statements should be removed. The CMS
specification should then develop a list of algorithms in rough order of
strength, to be used for such negotiations as required.
Finally, somewhere in these documents there is a statement regarding the
advisability of including the content encryption key encrypted in the
originator's public key, but despite rereading the documents multiple
times I can't find that text again. As I recall, the text said that this
SHOULD be done. I would argue that this should be changed to MUST, for I
can't imagine a situation where the originator of an encrypted message
would not want to be able to read his own message, for example in an
outgoing or Sent-Mail queue. He might need to be able to decrypted, and
even retract it in order to resend it with modifications. It would not be
reasonable to rely on the originator to bcc herself to gain this
capability -- it ought to be required by the spec.
I will be addressing my concerns with the CMS specification in a
subsequent message.
Bob
---------------------------
Robert R. Jueneman
Novell, Inc.
(See digital signature DISCLAIMER in attached vCard)
-----Original Message-----
From: owner-ietf-smime(_at_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)imc(_dot_)org]On
Behalf Of The IESG
Sent: Monday, May 17, 1999 5:26 AM
To: IETF-Announce: ;
Cc: RFC Editor; Internet Architecture Board; ietf-smime(_at_)imc(_dot_)org
Subject: Protocol Action: Cryptographic Message Syntax to Proposed
Standard
The IESG has approved publication of the following Internet-Drafts as
Proposed Standards:
o Cryptographic Message Syntax <draft-ietf-smime-cms-13.txt>
o Diffie-Hellman Key Agreement Method <draft-ietf-smime-x942-07.txt>
o S/MIME Version 3 Certificate Handling <draft-ietf-smime-cert-08.txt>
o S/MIME Version 3 Message Specification <draft-ietf-smime-msg-08.txt>
o Enhanced Security Services for S/MIME <draft-ietf-smime-ess-12.txt>
These documents are the product of the S/MIME Mail Security Working
Group.
The IESG contact persons are Jeffrey Schiller and Marcus Leech.
Technical Summary
These documents describe Version 3 of S/MIME (Secure/Multipurpose
Internet Mail Extensions). S/MIME provides for the secure
communication of MIME Objects, providing Authentication, Integrity and
Confidentiality protection. It can be used wherever MIME is used, as
it is fully conformant with the general MIME specifications. The
documents here provide for the basic message syntax and semantics as
well as the certificate and key management infrastructure
required. This work is coordinated and builds upon the work of the
IETF X.509 Public Key Infrastructure Working Group (PKIX).
In addition to the basic security services mentioned above, several
optional services are described. These include signed receipt
handling, security labeling of objects, secure mailing lists and
signing certificates.
Working Group Summary
The working group came to consensus on the work described here. A lot
of people contributed thoughtful, useful and constructive comments
during the review periods which resulted in further improvements
reflected in these documents.
Jeffrey I. Schiller reviewed the specification for IESG.
|
|