Network Working Group R. Housley Request for Comments: 4073 Vigil Security Category: Standards Track May 2005
Network Working Group R. Housley Request for Comments: 4073 Vigil Security Category: Standards Track May 2005
Protecting Multiple Contents with the Cryptographic Message Syntax (CMS)
使用加密消息语法(CMS)保护多个内容
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
This document describes a convention for using the Cryptographic Message Syntax (CMS) to protect a content collection. If desired, attributes can be associated with the content.
本文档描述了使用加密消息语法(CMS)保护内容集合的约定。如果需要,可以将属性与内容关联。
This document describes a convention for using the Cryptographic Message Syntax (CMS) [CMS] to protect a content collection. The content-collection content type is used to transfer one or more contents, each identified by a content type. If desired, the content-with-attributes content type can be used to associate arbitrary attributes with the content.
本文档描述了使用加密消息语法(CMS)[CMS]保护内容集合的约定。内容集合内容类型用于传输一个或多个内容,每个内容由内容类型标识。如果需要,可以使用“具有属性的内容”内容类型将任意属性与内容关联。
The convention described in this document is not needed when CMS is used with MIME [MSG]. MIME multipart [MIME] provides a straightforward and widely deployed mechanism for carrying more than one content item, each associated with a MIME type.
当CMS与MIME[MSG]一起使用时,不需要本文档中描述的约定。MIME multipart[MIME]提供了一种简单且广泛部署的机制,用于承载多个内容项,每个内容项都与MIME类型关联。
However, CMS is not always used with MIME. Sometimes CMS is used in an exclusively ASN.1 [ASN1] environment. In this case, the content-collection content type is used to gather more than one content item, each with an object identifier to specify the content type.
但是,CMS并不总是与MIME一起使用。有时,CMS在专用ASN.1[ASN1]环境中使用。在这种情况下,内容集合内容类型用于收集多个内容项,每个内容项都有一个对象标识符来指定内容类型。
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as described in [STDWORDS].
在本文件中,关键字“必须”、“不得”、“必需”、“应当”、“不应当”、“建议”、“可以”和“可选”应按照[STDOWORDS]中的说明进行解释。
This section provides one simple example to illustrate the need for the content-collection content type. Consider an art collector who wants to sell one of his pieces, an ancient Greek urn called an amphora. The collector wants to compose a digitally signed offer for sale. It includes three parts. The first part contains the owner's offer for sale, including the asking price. The second part contains a high-quality image of the amphora. The final part contains an appraisal from a well-respected ceramics expert. The final part is digitally signed by the expert. Figure 1 illustrates the structure, and the CMS SignedData content type is used for the two digital signatures.
本节提供了一个简单的示例来说明对内容集合内容类型的需求。试想一个艺术收藏家想卖他的一件作品,一个古希腊瓮叫阿姆拉。收藏家想撰写一份数字签名的出售要约。它包括三个部分。第一部分包括业主的出售报价,包括要价。第二部分包含了一幅高质量的安波拉图像。最后一部分是一位备受尊敬的陶瓷专家的评价。最后一部分由专家进行数字签名。图1说明了结构,CMS SignedData内容类型用于两个数字签名。
+---------------------------------------------------------+ | | | ContentInfo | | | | +-----------------------------------------------------+ | | | | | | | SignedData | | | | | | | | +-------------------------------------------------+ | | | | | | | | | | | ContentCollection | | | | | | | | | | | | +-----------+ +-----------+ +-----------------+ | | | | | | | | | | | | | | | | | | | Owner's | | Image | | SignedData | | | | | | | | Offer to | | of the | | | | | | | | | | Sell the | | Amphora | | +-------------+ | | | | | | | | Amphora | | | | | | | | | | | | | | | | | | | Appraisal | | | | | | | | | | | | | | of Ceramics | | | | | | | | | | | | | | Expert | | | | | | | | | | | | | | | | | | | | | | | | | | | +-------------+ | | | | | | | | | | | | | | | | | | | +-----------+ +-----------+ +-----------------+ | | | | | | | | | | | +-------------------------------------------------+ | | | | | | | +-----------------------------------------------------+ | | | +---------------------------------------------------------+
+---------------------------------------------------------+ | | | ContentInfo | | | | +-----------------------------------------------------+ | | | | | | | SignedData | | | | | | | | +-------------------------------------------------+ | | | | | | | | | | | ContentCollection | | | | | | | | | | | | +-----------+ +-----------+ +-----------------+ | | | | | | | | | | | | | | | | | | | Owner's | | Image | | SignedData | | | | | | | | Offer to | | of the | | | | | | | | | | Sell the | | Amphora | | +-------------+ | | | | | | | | Amphora | | | | | | | | | | | | | | | | | | | Appraisal | | | | | | | | | | | | | | of Ceramics | | | | | | | | | | | | | | Expert | | | | | | | | | | | | | | | | | | | | | | | | | | | +-------------+ | | | | | | | | | | | | | | | | | | | +-----------+ +-----------+ +-----------------+ | | | | | | | | | | | +-------------------------------------------------+ | | | | | | | +-----------------------------------------------------+ | | | +---------------------------------------------------------+
Figure 1. Sample use of the ContentCollection Content Type
图1。ContentCollection内容类型的示例使用
This section provides one simple example to illustrate the need for the content-with-attributes content type. Consider the art collector from the previous example. Instead of providing a single image of the amphora, the collector provides several images. To aid potential buyers, the collector attaches several attributes to each image. The attributes provide information about the resolution of the image, the date the image was taken, the photographer, and so on. Figure 2 illustrates the collection of images, showing only two images, each with three attributes. This entire image content collection could be carried instead of the single image shown in Figure 1, allowing it to be covered by the collector's digital signature.
本节提供了一个简单的示例来说明对具有属性的内容内容类型的需求。请考虑前面例子中的艺术收集器。收集器提供了多张图像,而不是提供一张amphora的图像。为了帮助潜在买家,收集者将多个属性附加到每个图像上。属性提供有关图像分辨率、图像拍摄日期、摄影师等的信息。图2展示了图像的集合,只显示了两个图像,每个图像有三个属性。可以携带整个图像内容集合,而不是图1所示的单个图像,从而允许收集器的数字签名覆盖它。
+----------------------------------------------------------+ | | | ContentCollection | | | | +-------------------------+ +-------------------------+ | | | | | | | | | ContentWithAttributes | | ContentWithAttributes | | | | | | | | | | +---------------------+ | | +---------------------+ | | | | | | | | | | | | | | | First Image of | | | | Second Image of | | | | | | the Amphora | | | | the Amphora | | | | | | | | | | | | | | | | | | | | | | | | | +---------------------+ | | +---------------------+ | | | | | | | | | | +---------------+ | | +---------------+ | | | | | | | | | | | | | | | Attribute 1 | | | | Attribute 1 | | | | | | +--+ | | | +--+ | | | | +-+-------------+ | | | +-+-------------+ | | | | | | Attribute 2 | | | | Attribute 2 | | | | | | +--+ | | | +--+ | | | | +-+--------------+ | | | +-+--------------+ | | | | | | Attribute 3 | | | | Attribute 3 | | | | | | | | | | | | | | | +-----------------+ | | +-----------------+ | | | | | | | | | +-------------------------+ +-------------------------+ | | | +----------------------------------------------------------+
+----------------------------------------------------------+ | | | ContentCollection | | | | +-------------------------+ +-------------------------+ | | | | | | | | | ContentWithAttributes | | ContentWithAttributes | | | | | | | | | | +---------------------+ | | +---------------------+ | | | | | | | | | | | | | | | First Image of | | | | Second Image of | | | | | | the Amphora | | | | the Amphora | | | | | | | | | | | | | | | | | | | | | | | | | +---------------------+ | | +---------------------+ | | | | | | | | | | +---------------+ | | +---------------+ | | | | | | | | | | | | | | | Attribute 1 | | | | Attribute 1 | | | | | | +--+ | | | +--+ | | | | +-+-------------+ | | | +-+-------------+ | | | | | | Attribute 2 | | | | Attribute 2 | | | | | | +--+ | | | +--+ | | | | +-+--------------+ | | | +-+--------------+ | | | | | | Attribute 3 | | | | Attribute 3 | | | | | | | | | | | | | | | +-----------------+ | | +-----------------+ | | | | | | | | | +-------------------------+ +-------------------------+ | | | +----------------------------------------------------------+
Figure 2. Sample use of the ContentWithAttributes Content Type
图2。ContentWithAttributes内容类型的示例使用
The content-collection content type is used to transfer a collection of content items, each identified by a content type. The syntax accommodates contents with varying levels of protection. For example, a content collection could include CMS protection content types as well as unprotected content types. A content collection is expected to be encapsulated in one or more CMS protecting content types, but this is not required by this specification.
内容集合内容类型用于传输内容项集合,每个内容项由内容类型标识。该语法适应具有不同保护级别的内容。例如,内容集合可以包括CMS保护内容类型以及未保护的内容类型。内容集合应封装在一个或多个保护内容类型的CMS中,但本规范不要求这样做。
The following object identifier names the content collection content type:
以下对象标识符命名了内容集合内容类型:
id-ct-contentCollection OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 19 }
id-ct-contentCollection OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 19 }
The content-collection content has the following syntax:
内容集合内容具有以下语法:
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
The ContentCollection contains a sequence of ContentInfo, one for each content in the collection. The ContentInfo structure is defined in CMS. The contentType object identifier within the ContentInfo indicates the type of the associated content. Implementations of this specification SHOULD be prepared to handle object identifiers for the SignedData, EncryptedData, EnvelopedData, and AuthenticatedData content types, as specified in [CMS]. Implementations of this specification SHOULD also be prepared to handle the object identifier for the CompressedData content type as specified in [COMPRESS].
ContentCollection包含一系列ContentInfo,集合中的每个内容对应一个ContentInfo。ContentInfo结构在CMS中定义。ContentInfo中的contentType对象标识符指示关联内容的类型。本规范的实施应准备好处理[CMS]中规定的SignedData、EncryptedData、EnvelopedData和AuthenticatedData内容类型的对象标识符。本规范的实现还应准备好处理[COMPRESS]中指定的CompressedData内容类型的对象标识符。
The content-with-attributes content type is used to transfer a single content, which is identified by a content type, and a collection of attributes associated with that content. The syntax accommodates an arbitrary number of attributes; however, there must be at least one attribute.
“具有属性的内容”内容类型用于传输由内容类型标识的单个内容以及与该内容关联的属性集合。语法可容纳任意数量的属性;但是,必须至少有一个属性。
The following object identifier names the content-with-attributes content type:
以下对象标识符使用属性内容类型命名内容:
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 20 }
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 20 }
The content-with-attributes content has the following syntax:
具有属性内容的内容具有以下语法:
ContentWithAttributes ::= SEQUENCE { content ContentInfo, attrs SEQUENCE SIZE (1..MAX) OF Attribute }
ContentWithAttributes ::= SEQUENCE { content ContentInfo, attrs SEQUENCE SIZE (1..MAX) OF Attribute }
The ContentWithAttributes contains a sequence of a single ContentInfo item followed by a sequence of attributes. The ContentInfo structure is defined in CMS. The contentType object identifier within the ContentInfo indicates the type of the content. The Attribute structure was originally defined in X.501 [X501], and the definition is repeated in CMS.
ContentWithAttributes包含单个ContentInfo项的序列,后跟一系列属性。ContentInfo结构在CMS中定义。ContentInfo中的contentType对象标识符指示内容的类型。属性结构最初在X.501[X501]中定义,该定义在CMS中重复。
The content-collection content type is used to transfer one or more contents, each identified by a content type. The syntax accommodates contents with varying levels of protection. For example, a content collection could include CMS protection content types as well as unprotected content types. A content collection is expected to be encapsulated in one or more CMS protecting content types, but this is not required by this specification. As a result, implementations MUST be prepared to handle multiple levels of encapsulation.
内容集合内容类型用于传输一个或多个内容,每个内容由内容类型标识。该语法适应具有不同保护级别的内容。例如,内容集合可以包括CMS保护内容类型以及未保护的内容类型。内容集合应封装在一个或多个保护内容类型的CMS中,但本规范不要求这样做。因此,实现必须准备好处理多个级别的封装。
The security considerations discussed in [CMS] are relevant when CMS is used to protect more than one content by making use of the content collection content type or content with attributes content type.
[CMS]中讨论的安全注意事项与CMS通过使用内容集合内容类型或具有属性的内容内容类型来保护多个内容相关。
[ASN1] CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.
[ASN1]CCITT。建议X.208:抽象语法符号1(ASN.1)的规范。1988
[COMPRESS] Gutmann, P., "Compressed Data Content Type for Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.
[COMPRESS]Gutmann,P.,“加密消息语法(CMS)的压缩数据内容类型”,RFC 3274,2002年6月。
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.
[CMS]Housley,R.,“加密消息语法(CMS)”,RFC 38522004年7月。
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[MIME] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, November 1996.
[MIME]Freed,N.和N.Borenstein,“多用途Internet邮件扩展(MIME)第一部分:Internet邮件正文格式”,RFC 20451996年11月。
[MSG] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.
[MSG]Ramsdell,B.,“安全/多用途Internet邮件扩展(S/MIME)版本3.1消息规范”,RFC 3851,2004年7月。
[X501] CCITT. Recommendation X.501: The Directory -- Models. 1988.
[X501]CCITT。建议X.501:目录--模型。1988
Appendix A: ASN.1 Module
附录A:ASN.1模块
The ASN.1 module contained in this appendix defines the structures that are needed to implement this specification. It is expected to be used in conjunction with the ASN.1 modules in [CMS] and [COMPRESS].
本附录中包含的ASN.1模块定义了实施本规范所需的结构。预计它将与[CMS]和[COMPRESS]中的ASN.1模块一起使用。
ContentCollectionModule { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) 26 }
ContentCollectionModule { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) 26 }
DEFINITIONS IMPLICIT TAGS ::= BEGIN
DEFINITIONS IMPLICIT TAGS ::= BEGIN
IMPORTS Attribute, ContentInfo FROM CryptographicMessageSyntax2004 -- [CMS] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) };
IMPORTS Attribute, ContentInfo FROM CryptographicMessageSyntax2004 -- [CMS] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14) };
-- Content Collection Content Type and Object Identifier
--内容集合内容类型和对象标识符
id-ct-contentCollection OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 19 }
id-ct-contentCollection OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 19 }
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
-- Content With Attributes Content Type and Object Identifier
--具有属性内容类型和对象标识符的内容
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 20 }
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 20 }
ContentWithAttributes ::= SEQUENCE { content ContentInfo, attrs SEQUENCE SIZE (1..MAX) OF Attribute }
ContentWithAttributes ::= SEQUENCE { content ContentInfo, attrs SEQUENCE SIZE (1..MAX) OF Attribute }
END
终止
Author's Address
作者地址
Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA
Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州,邮编20170
EMail: housley@vigilsec.com
EMail: housley@vigilsec.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。