[Top] [All Lists]

Charter Revision

1999-06-21 13:16:38
I have finally taken all of the inputs that I received and combined them
with stuff that I made up out of thin air.  I had to do this because not
everyone sent in information about their plans.

Anyway, here is my proposed revised charter.  Please comment.


= = = = = = = = = = 

S/MIME Mail Security (smime)

     Russ Housley <housley(_at_)spyrus(_dot_)com>

Security Area Director:
     Jeffrey Schiller <jis(_at_)mit(_dot_)edu>
     Marcus Leech <mleech(_at_)nortel(_dot_)ca>

Mailing Lists:
     General Discussion: ietf-smime(_at_)imc(_dot_)org
     To Subscribe:       ietf-smime-request(_at_)imc(_dot_)org

Description of Working Group:

The S/MIME Working Group has completed five Proposed Standards that
comprise the S/MIME version 3 specification.  Current efforts build
on these base specifications.

The use of Diffie-Hellman Key Agreement as the mandatory to implement
key establishment mechanism may expose some implementations to 
vulnerabilities based on "small subgroup" attacks.  An informational 
document will be prepared describing techniques that can be used to 
avoid these attacks.

The Cryptographic Message Syntax (CMS) is cryptographic algorithm 
independent, yet there is always more than one way to use any algorithm.
To ensure interoperability, each algorithm should have a specification 
that decribes its use with CMS.  Specifications for the use of optional
cryptographic algorithms will be developed.

To aid implementers, documents containing example output for CMS will
be collected and published.  Some of the examples will include structures 
and signed attributed defined in the Extended Security Services (ESS) 

Current methods of publishing certificates in the Directory do not 
allow the inclusion of secondary support information such as the 
SMimeCapabilities attribute.  A method of publishing certificates 
along with authenticated secondary support information will be 

In some situations it would be advantageous for the CMS RecipiontInfo
structure to support additional key management techniques, including
cryptographic keys derived from passwords.  A mechanism to facilitate 
the definition of additional key management techniques will be defined.

S/MIME version 3 supports encrypted mail lists.  Specifications for the 
distribution of symmetric mail list keys to mail list agents (MLAs) and
message recipients will be developed.  The specification will be 
cryptographic algorithm independent.

S/MIME version 3 supports security labels.  Specifications that show 
how this feature can be used to implement an organizational security 
policy will be developed.  Security policies from large corporations will
be used as examples.

S/MIME version 3 can be used to protect electronic mail to and from a
domain.  In such an environment, S/MIME v3 processing is performed by 
message transfer agents, guards, and gateways in order to provide 
"Domain Security Services."  Mechanisms are needed to solve a number of 
interoperability problems and technical limitations that arise when  
domains supporting different security policies wish to interoperate.

The S/MIME Working Group will attempt to coordinate its efforts with the
OpenPGP Working Group in areas where the work of the two groups overlap.

Goals and Milestones:

     First draft of small subgroup attack avoidance.
     First draft of certificate distribution specification.
     First draft of domain security services document.
     First draft of CMS and ESS examples document.
     First draft of KEA and SKIPJACK algorithm specification.
     First draft of IDEA algorithm specification.

July 1999:
     First draft of security label usage specification.

August 1999:
     Last call on small subgroup attack avoidance.
     Last call on KEA and SKIPJACK algorithm specification.

September 1999:
     First draft of CMS RecipiontInfo extension.
     First draft of mail list key distribution.
     Last call on certificate distribution specification.

November 1999:
     Updated draft of domain security services document.
     Last call on security label usage specification.
     Submit small subgroup attack avoidance as Informational RFC.
     Submit KEA and SKIPJACK algorithm specification as Informational RFC.

December 1999:
     Last call on CMS and ESS examples document.
     Last call on IDEA algorithm specification.
     Last call on CMS RecipiontInfo extension.

January 2000:
     Last call on mail list key distribution.
     Submit certificate distribution specification as a Proposed Standard.

February 2000:
     Submit security label usage specification as Informational RFC.

March 2000:
     Submit CMS and ESS examples document as Informational RFC.
     Submit IDEA algorithm specification as Informational RFC.
     Submit CMS RecipiontInfo extension as a Proposed Standard.
     Submit mail list key distribution as a Proposed Standard.

July 2000:
     Last call on domain security services document.

September 2000:
     Submit domain security services as Experimental RFC.

<Prev in Thread] Current Thread [Next in Thread>