draft-ietf-lamps-cms-update-alg-id-protect-00.txt   draft-ietf-lamps-cms-update-alg-id-protect-01.txt 
Network Working Group R. Housley Network Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
Updates: 5652 (if approved) January 21, 2020 Updates: 5652 (if approved) March 09, 2020
Intended status: Standards Track Intended status: Standards Track
Expires: July 24, 2020 Expires: September 10, 2020
Update to the Cryptographic Message Syntax (CMS) for Algorithm Update to the Cryptographic Message Syntax (CMS) for Algorithm
Identifier Protection Identifier Protection
draft-ietf-lamps-cms-update-alg-id-protect-00 draft-ietf-lamps-cms-update-alg-id-protect-01
Abstract Abstract
This document updates the Cryptographic Message Syntax (CMS) This document updates the Cryptographic Message Syntax (CMS)
specified in RFC 5652 to ensure that algorithm identifiers are specified in RFC 5652 to ensure that algorithm identifiers are
adequately protected. adequately protected.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 24, 2020. This Internet-Draft will expire on September 10, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Require use the same hash algorithm . . . . . . . . . . . . . 3 3. Require use the same hash algorithm . . . . . . . . . . . . . 3
3.1. RFC 5652, Section 5.3 . . . . . . . . . . . . . . . . . . 3 3.1. RFC 5652, Section 5.3 . . . . . . . . . . . . . . . . . . 3
3.2. RFC 5652, Section 5.4 . . . . . . . . . . . . . . . . . . 4 3.2. RFC 5652, Section 5.4 . . . . . . . . . . . . . . . . . . 4
3.3. RFC 5652, Section 5.6 . . . . . . . . . . . . . . . . . . 4 3.3. RFC 5652, Section 5.6 . . . . . . . . . . . . . . . . . . 4
3.4. Backward Compatibility Considerations . . . . . . . . . . 5 3.4. Backward Compatibility Considerations . . . . . . . . . . 5
3.5. Timestamp Compatibility Considerations . . . . . . . . . 5 3.5. Timestamp Compatibility Considerations . . . . . . . . . 5
4. Recommend inclusion of the CMSAlgorithmProtection attribute . 5 4. Recommend inclusion of the CMSAlgorithmProtection attribute . 6
4.1. RFC 5652, Section 14 . . . . . . . . . . . . . . . . . . 6 4.1. RFC 5652, Section 14 . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
This document updates the Cryptographic Message Syntax (CMS) This document updates the Cryptographic Message Syntax (CMS)
[RFC5652] to ensure that algorithm identifiers are adequately [RFC5652] to ensure that algorithm identifiers are adequately
protected. protected.
The CMS Signed-data Content Type [RFC5652], unlike X.509 certificates The CMS Signed-data Content Type [RFC5652], unlike X.509 certificates
skipping to change at page 5, line 41 skipping to change at page 5, line 41
and the digest of signed attributes, please tell us on the and the digest of signed attributes, please tell us on the
spasm@ietf.org mail list. spasm@ietf.org mail list.
3.5. Timestamp Compatibility Considerations 3.5. Timestamp Compatibility Considerations
The new requirement introduced above might lead to compatibility The new requirement introduced above might lead to compatibility
issues for timestamping systems when the originator does not wish to issues for timestamping systems when the originator does not wish to
share the message content with the Time Stamp Authority (TSA) share the message content with the Time Stamp Authority (TSA)
[RFC3161]. In this situation, the originator sends a TimeStampReq to [RFC3161]. In this situation, the originator sends a TimeStampReq to
the TSA that includes a MessageImprint, which consists of a digest the TSA that includes a MessageImprint, which consists of a digest
algorithm identifier and a digest value, then the TSA uses the digest algorithm identifier and a digest value, then the TSA uses the
in the MessageImprint. As a result, the signature algorithm used by originator-provided digest in the MessageImprint.
the TSA needs to be compatible with the digest algorithm selected by
the originator for the MessageImprint. When producing the TimeStampToken, the TSA MUST use same digest
algorithm to compute the digest of the encapContentInfo eContent,
which is an OCTET STRING that contains the TSTInfo, and the message-
digest attribute within the SignerInfo.
To ensure that TimeStampToken values that were generated before this
update remain valid, no requirement is placed on a TSA to ensure that
the digest algorithm for the TimeStampToken matches the digest
algorithm for the MessageImprint embedded within the TSTTokenInfo.
4. Recommend inclusion of the CMSAlgorithmProtection attribute 4. Recommend inclusion of the CMSAlgorithmProtection attribute
This section updates [RFC5652] to recommend that the originator This section updates [RFC5652] to recommend that the originator
include the CMSAlgorithmProtection attribute [RFC6211] whenever include the CMSAlgorithmProtection attribute [RFC6211] whenever
signed attributes or authenticated attributes are present. signed attributes or authenticated attributes are present.
4.1. RFC 5652, Section 14 4.1. RFC 5652, Section 14
Add the following paragraph as the eighth paragraph in Section 14: Add the following paragraph as the eighth paragraph in Section 14:
 End of changes. 7 change blocks. 
11 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/