S/MIME Mail Security (smime) Chair: Russ Housley Security Area Director: Jeffrey Schiller Marcus Leech Mailing Lists: General Discussion: ietf-smime(_at_)imc(_dot_)org To Subscribe: ietf-smime-request(_at_)imc(_dot_)org Archive: http://www.imc.org/ietf-smime/ Description of Working Group: The S/MIME Working Group has completed a series of Proposed Standards that comprise the S/MIME version 3 specification. Current efforts update and build upon these base specifications. The Cryptographic Message Syntax (CMS) is cryptographic algorithm independent, yet there is always more than one way to use any algorithm. To ensure interoperability, each algorithm should have a specification that describes its use with CMS. Specifications for the use of additional cryptographic algorithms will be developed. As part of the specification update, a new suite of "mandatory to implement" algorithms will be selected. These algorithms will be reflected in updates to RFC 2632 and RFC 2633. To aid implementers, documents containing example output for CMS will be collected and published. Some of the examples will include structures and signed attributes defined in the Enhanced Security Services (ESS) document. In some situations it would be advantageous for the CMS RecipientInfo structure to support additional key management techniques, including cryptographic keys derived from passwords. Also, a mechanism to facilitate the definition of additional key management techniques will be defined. Compressing data prior to encryption or signature has a number of advantages. Compression improves security by removing known data patterns, improves throughput by reducing the amount of data which needs to be encrypted or hashed, and reduces the overall message size. Enabling S/MIME version 3 to use compression will provide all of these advantages. S/MIME version 3 permits the use of previously distributed symmetric key-encryption keys. Specifications for the distribution of symmetric key-encryption keys to multiple message recipients will be developed. Mail List Agents (MLAs) are one user of symmetric key-encryption keys. The specification will be algorithm independent. S/MIME version 3 supports security labels. Specifications that show how this feature can be used to implement an organizational security policy will be developed. Security policies from large organizations will be used as examples. As part of S/MIME version 3, CMS is used to provide security to the message content. CMS can also be employed in an X.400 electronic messaging envionments. Specifications will be developed allowing this to be done in an interoperable manner. Perform necessary interoperability testing to progress the S/MIME version 3 specifications to Draft Standard. Due to the dependency of the CMS specification on the PKIX certificate and CRL profile, the timeline for the actual progression is impossible to estimate. Goals and Milestones: History: Submit CMS compressed data content type a Proposed Standard. Submit security label usage specification as Informational RFC. Submit elliptic curve algorithm specification as Informational RFC. Submit mail list key distribution as a Proposed Standard. Submit update to RFC 2630 as a Proposed Standard. Submit AES key wrap algorithm description as Informational RFC. Last call on X.400 CMS wrapper specification. Last call on X.400 transport specification. Last call on HMAC key wrap description specification. First draft of CMS and ESS examples document. First draft of RSA OAEP algorithm specification. First draft of AES algorithm specification. First draft of update to RFC 2632. Frist draft of update to RFC 2633. May 2002: First draft of RSA KEM algorithm specification. Submit X.400 CMS wrapper specification as a Proposed Standard. Submit X.400 transport as a Proposed Standard. Submit HMAC key wrap description as an Informational RFC. June 2002: First draft of RSA PSS algorithm specification. Last call on CMS and ESS examples document. July 2002: Last call on update to RFC 2632. Last call on update to RFC 2633. Last call on AES algorithm specification. Last call on RSA OAEP algorithm specification. August 2002: Last call on RSA KEM algorithm specification. Submit CMS and ESS examples document as Informational RFC. September 2002: Last call on RSA PSS algorithm specification. October 2002: Sumbit update to RFC 2632 as Proposed Standard. Sumbit update to RFC 2633 as Proposed Standard. December 2002: Sumbit AES algorithm specification as Proposed Standard. Submit RSA KEM algorithm specification as Proposed Standard. Submit RSA PSS algorithm specification as Proposed Standard. Submit RSA OAEP algorithm specification as Historical RFC.