To the IESG:
The specifications for Privacy Enhanced Mail (PEM) are ready for
advancement to Proposed Standard status. Per our current rules,
attached is a description, review and recommendation of the documents.
Stephen D. Crocker
Area Director for Security
Interent Engineering Task Force
�
Recommendation and Analysis of the Specifications for
Privacy Enhanced Mail
There are four documents in the Privacy Enhancement for Internet
Electronic Mail series:
draft-ietf-pem-msgproc-02.txt
draft-ietf-pem-keymgmt-01.txt
draft-ietf-pem-algorithms-02.txt (*)
draft-ietf-pem-forms-01.txt
(* The revision of draft-ietf-pem-algorithms was sent separately to
internet-drafts and should appear in the Internet-Drafts directory
shortly. It was also sent to pem-dev.)
A technical summary of each of the documents is included below. The
working group summary, technical assessment, and document quality
paragraphs are the same for all documents and are presented first.
WORKING GROUP SUMMARY
The PEM specifications originated with the Privacy and Security
Research Group. As part of the transition of the specifications
from research to standards track documents a working group within
the IETF was created, which has met at each IETF since its
creation. The documents have been available as an Internet Draft
since at least September 1992 and represent the consensus of the
working group.
TECHNICAL ASSESSMENT
The PEM specifications have been under development for almost 6
years. During that time, parts of the specifications have been
published, revised and republished, with each new publication
including corrections and enhancements commensurate with the
experience obtained from implementations and continued
deliberations. The specifications have not changed dramatically
since March 1992; they are technically sound and consistent with
the internet architecture and the anticipated internet security
architecture.
This protocol opens the door for widespread use of cryptography
throughout the Internet which will result in greatly increased
security for mail traffic. This protocol is of premier importance
in the Internet and will facilitate transition of the Internet to a
robust, commercially acceptable medium.
The approach chosen in the design of this protocol is to use the
public key infrastructure defined in X.509 and encapsulation of
messages within the RFC 822 protocol. This approach makes full use
of the prior work in the CCITT and ISO community, and it fits
cleanly into the existing mail model.
There are two difficulties with the approach taken in this design.
The articulation of boundaries and parameters is particular to
the use of PEM within the RFC 822 mail protocol. MIME includes
general facilities for these functions. It would be preferable
for this protocol to be aligned with MIME. MIME was not
available at the time this protocol was designed, so it is
proceeding separately. See below for additional comments on the
alignment of MIME and PEM.
The certificate infrastructure is large and awkward to bring
into existence. It will pay off enormously in this and future
protocols because it provides an organized framework for
establishing trusted identification and binding of identities to
public keys. However, it is not easy to initiate and
necessarily slows the deployment and adoption of PEM.
Neither of these difficulties affect the soundness of the PEM
design. In the current milieu, it is important to deploy this
protocol and deal with the difficulties over a period of time.
DOCUMENT QUALITY
Although each of the PEM specifications has a different editor, they
have all cooperated to make the documents fit together as a set.
They are well written, easy to understand, and provide enough
background material to make them suitable for a security neophyte.
At the time of the third publication of the specifications, three
independent, interoperable implementations were known to exist.
Currently, only two of those are aligned with the current version of
the specifications.
One minor nit: only the Part III includes a Table of Contents.
Part I: Message Encryption and Authentication Procedures
(draft-ietf-pem-msgproc-02.txt) -- John Linn, Editor
This document defines message encryption and authentication
procedures, in order to provide privacy-enhanced mail (PEM) services
for electronic mail transfer in the Internet. It is intended to
become one member of a related set of four RFCs. The procedures
defined are intended to be compatible with a wide range of key
management approaches, including both symmetric (secret-key) and
asymmetric (public-key) approaches for encryption of data encrypting
keys. Use of symmetric cryptography for message text encryption
and/or integrity check computation is anticipated. Other documents
specify supporting key management mechanisms based on the use of
public-key certificates; algorithms, modes, and associated
identifiers; and details of paper and electronic formats and
procedures for the key management infrastructure being established in
support of these services.
Privacy enhancement services (confidentiality, authentication,
message integrity assurance, and non-repudiation of origin) are
offered through the use of end-to-end cryptography between originator
and recipient processes at or above the User Agent level. No special
processing requirements are imposed on the Message Transfer System at
endpoints or at intermediate relay sites. This approach allows
privacy enhancement facilities to be incorporated selectively on a
site-by-site or user-by-user basis without impact on other Internet
entities. Interoperability among heterogeneous components and mail
transport facilities is supported.
The current specification's scope is confined to PEM processing
procedures for the RFC-822 textual mail environment. Integration
of PEM capabilities with MIME and possibly other mail environments
is anticipated, but the specifications are yet to be worked out.
In partial anticipation of such integration, the header
"Content-Domain" with value "RFC822" is included as a hook. See
below for additional discussion.
Part II: Certificate-Based Key Management
(draft-ietf-pem-keymgmt-o1.txt) -- Stephen Kent, Editor
This document defines a supporting key management architecture and
infrastructure, based on public-key certificate techniques, to
provide keying information to message originators and recipients. It
is intended to be one member of a related set of four RFCs.
The key management architecture described is compatible with the
authentication framework described in CCITT 1988 X.509. This
document goes beyond X.509 by establishing procedures and conventions
for a key management infrastructure for use with Privacy Enhanced
Mail (PEM) and with other protocols, from both the TCP/IP and OSI
suites, in the future. The motivations for establishing these
procedures and conventions (as opposed to relying only on the very
general framework outlined in X.509) are explained in the document.
The infrastructure specified in this document establishes a single
root for all certification within the Internet, the Internet Policy
Registration Authority (IPRA). The IPRA establishes global policies,
described in this document, which apply to all certification effected
under this hierarchy. Beneath IPRA root are Policy Certification
Authorities (PCAs), each of which establishes and publishes (in the
form of an informational RFC) its policies for registration of users
or organizations. Each PCA is certified by the IPRA. Below PCAs,
Certification Authorities (CAs) will be established to certify users
and subordinate organizational entities (e.g., departments, offices,
subsidiaries, etc.). Initially, the majority of users are expected
to be registered via organizational affiliation, consistent with
current practices for how most user mailboxes are provided.
Some CAs are expected to provide certification for residential users
in support of users who wish to register independent of any
organizational affiliation. For users who wish anonymity while
taking advantage of PEM privacy facilities, one or more PCAs are
expected to be established with policies that allow for registration
of users, under subordinate CAs, who do not wish to disclose their
identities.
Part III: Algorithms, Modes, and Identifiers
(draft-ietf-pem-algorithms-02.txt) -- David Balenson, Editor
This document provides definitions, formats, references, and
citations for cryptographic algorithms, usage modes, and associated
identifiers and parameters used in support of Privacy Enhanced Mail.
It is intended to become one member of a related set of four RFCs.
It is organized into four primary sections, dealing with message
encryption algorithms, message integrity check algorithms, symmetric
key management algorithms, and asymmetric key management algorithms
(including both asymmetric encryption and asymmetric signature
algorithms). Some parts of this material are cited by other
documents and it is anticipated that some of the material herein may
be changed, added, or replaced without affecting the citing
documents.
Part IV: Key Certification and Related Services
(draft-ietf-pem-forms-01.txt) -- Burt Kaliski, Editor
This document describes three types of service in support of Internet
Privacy Enhanced Mail: key certification, certificate revocation
list (CRL) storage, and CRL retrieval. It is intended to be one
member of a related set of four RFCs.
The services described are among those required of a Certification
Authority. Each involves an electronic mail request message and an
electronic mail reply message. The request may be either a privacy
enhanced mail message or a message with a new syntax defined in this
document. The new syntax has a different process type, thereby
distinguishing it from ordinary privacy enhanced mail messages. The
reply is either a privacy enhanced mail message or an ordinary
unstructured message.
Replies that are privacy enhanced messages can be processed like any
other privacy enhanced message, so that the new certificate or the
retrieved CRLs can be inserted into the requester's database during
normal privacy enhanced mail processing.
Certification authorities may also require non-electronic forms of
the request and may return non-electronic replies. It is expected
that descriptions of such forms, which are outside the scope of this
document, will be available through a Certification Authority's
"information" service.
FUTURE DEVELOPMENTS
Integration of MIME and PEM
As noted above, it is desirable for MIME and PEM to be integrated.
Although there is great pressure to integrate these as quickly as
possible, there is even greater pressure to bring PEM out as quickly
as possible. The clear consensus is to move these specifications
forward now. In the future, proposals and trial implementations for
merged MIME-with-PEM systems will be developed, and the resulting
specifications may appear on the standards track in short order.
Compatibility between these specifications and any new specifications
will be of obvious concern. Preliminary analysis indicates that
translation between PEM into MIME-with-PEM will be trivial. In my
opinion, translation from MIME-with-PEM to PEM is also expected to be
straightforward as long as the MIME-with-PEM messages contain only
plain text, message and multipart content types.
Alternative Algorithms
Part III of these specifications define the use of the RSA, DES, MD2
and MD5 algorithms. The U.S. government is actively developing an
alternative suite of algorithms which it intends to standardize. Many
U.S. government agencies feel it will be necessary to use these
algorithms and not to use the algorithms defined in Part III of this
specification.
As a separate but related matter, the U.S. government, along with
other members of CoCom, prohibit the general export of software
containing certain forms of cryptography. In particular, software
containing DES for encryption is not generally exportable. Although
software can be developed separately in some countries to avoid the
export issue, a more general solution is to use a set of algorithms
which are exportable. Export permission has been granted for various
symmetric algorithms which are weaker than DES and for the use RSA
with limits on the key size. Of particular note, the Software
Publishers Association has reached agreement with the U.S. government
for general export of software containing RC2 and RC4 with 40 bit keys
and RSA with a limit of 512 bit keys when RSA is used for key
exchange. (There is no limit when RSA is used only for signature and
integrity.) RC2 and RC4 are symmetric key encryption algorithms
developed by RSADSI and available under license. The U.S. government
is now providing expedited processing of license requests for software
that meets these terms.
The pressure to use these alternative algorithms poses a challenge for
our community and our standards process. The introduction of new
algorithm requires substantial vetting to make sure it is technically
sound. No complete methods exist for proving the soundness of a
cryptographic algorithm, so this is necessarily a tedious and artful
process. Moreover, the use of multiple algorithms within the same
environment poses substantial compatibility problems. For these
reasons, it is desirable to set a high threshold before admitting any
additional algorithms onto the standards track. At the same time, the
pressures to incorporate additional algorithms are already evident.
Completely ignoring or prohibiting the use of alternative algorithms
will not be a successful strategy.
The Part III specification speaks to the issue of incorporation of
additional algorithms into the standard and says such incorporation
will be accomplished by issuing a successor document. Part III
specification also addresses the interim development process by
suggesting that alternative algorithms may be documented in
Experimental or Prototype RFCs prior to adoption into the standard.
As experience is gained, these protocols may be considered for
incorporation into the standard.