Network Working Group                                       S. Santesson
Request for Comments: 4262                                     Microsoft
Category: Standards Track                                  December 2005
        
Network Working Group                                       S. Santesson
Request for Comments: 4262                                     Microsoft
Category: Standards Track                                  December 2005
        

X.509 Certificate Extension for Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities

用于安全/多用途Internet邮件扩展(S/MIME)功能的X.509证书扩展

Status of This Memo

关于下段备忘

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

Abstract

摘要

This document defines a certificate extension for inclusion of Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities in X.509 public key certificates, as defined by RFC 3280. This certificate extension provides an optional method to indicate the cryptographic capabilities of an entity as a complement to the S/MIME Capabilities signed attribute in S/MIME messages according to RFC 3851.

本文档定义了一个证书扩展,用于在RFC 3280定义的X.509公钥证书中包含安全/多用途Internet邮件扩展(S/MIME)功能。此证书扩展提供了一种可选方法,用于指示实体的加密功能,作为根据RFC 3851在S/MIME消息中签名的S/MIME能力属性的补充。

1. Introduction
1. 介绍

This document defines a certificate extension for inclusion of S/MIME Capabilities in X.509 public key certificates, as defined by RFC 3280 [RFC3280].

本文档定义了一个证书扩展,用于在X.509公钥证书中包含S/MIME功能,如RFC 3280[RFC3280]所定义。

The S/MIME Capabilities attribute, defined in RFC 3851 [RFC3851], is defined to indicate cryptographic capabilities of the sender of a signed S/MIME message. This information can be used by the recipient in subsequent S/MIME secured exchanges to select appropriate cryptographic properties.

RFC 3851[RFC3851]中定义的S/MIME能力属性用于指示签名S/MIME消息的发送方的加密能力。收件人可以在后续S/MIME安全交换中使用此信息来选择适当的加密属性。

However, S/MIME does involve also the scenario where, for example, a sender of an encrypted message has no prior established knowledge of the recipient's cryptographic capabilities through recent S/MIME exchanges.

然而,S/MIME确实也涉及这样的场景,例如,加密消息的发送方通过最近的S/MIME交换事先不知道接收方的加密能力。

In such a case, the sender is forced to rely on out-of-band means or its default configuration to select a content encryption algorithm for encrypted messages to recipients with unknown capabilities. Such default configuration may, however, be incompatible with the recipient's capabilities and/or security policy.

在这种情况下,发送方被迫依赖带外方式或其默认配置来为发送给具有未知功能的接收方的加密消息选择内容加密算法。然而,这种默认配置可能与接收方的能力和/或安全策略不兼容。

The solution defined in this specification leverages the fact that S/MIME encryption requires possession of the recipient's public key certificate. This certificate already contains information about the recipient's public key and the cryptographic capabilities of this key. Through the extension mechanism defined in this specification, the certificate may also identify the subject's cryptographic S/MIME capabilities. This may then be used as an optional information resource to select appropriate encryption settings for the communication.

本规范中定义的解决方案利用了S/MIME加密要求拥有接收方的公钥证书这一事实。此证书已包含有关收件人公钥和该密钥的加密功能的信息。通过本规范中定义的扩展机制,证书还可以识别主体的加密s/MIME功能。然后可将其用作可选信息资源,以为通信选择适当的加密设置。

This document is limited to the "static" approach where asserted cryptographic capabilities remain unchanged until the certificate expires or is revoked. Other "dynamic" approaches, which allow retrieval of certified dynamically updateable capabilities during the lifetime of a certificate, are out of scope of this document.

本文档仅限于“静态”方法,其中断言的加密功能在证书过期或吊销之前保持不变。其他“动态”方法(允许在证书生命周期内检索经认证的动态可更新功能)不在本文档的范围内。

1.1. Terminology
1.1. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[STDWORDS]中所述进行解释。

2. S/MIME Capabilities Extension
2. S/MIME功能扩展

This section defines the S/MIME Capabilities extension.

本节定义了S/MIME功能扩展。

The S/MIME Capabilities extension data structure used in this specification is identical to the data structure of the SMIMECapabilities attribute defined in RFC 3851 [RFC3851]. (The ASN.1 structure of smimeCapabilities is included below for illustrative purposes only.)

本规范中使用的S/MIME能力扩展数据结构与RFC 3851[RFC3851]中定义的SMIMECapability属性的数据结构相同。(下面列出的ASN.1 smimeCapabilities结构仅供说明。)

      smimeCapabilities OBJECT IDENTIFIER ::=
         {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) 15}
        
      smimeCapabilities OBJECT IDENTIFIER ::=
         {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) 15}
        
      SMIMECapabilities ::= SEQUENCE OF SMIMECapability
        
      SMIMECapabilities ::= SEQUENCE OF SMIMECapability
        
      SMIMECapability ::= SEQUENCE {
         capabilityID OBJECT IDENTIFIER,
         parameters ANY DEFINED BY capabilityID OPTIONAL }
        
      SMIMECapability ::= SEQUENCE {
         capabilityID OBJECT IDENTIFIER,
         parameters ANY DEFINED BY capabilityID OPTIONAL }
        

All content requirements defined for the SMIMECapabilities attribute in RFC 3851 apply also to this extension.

RFC 3851中为SMIMECapabilities属性定义的所有内容要求也适用于此扩展。

There are numerous different types of S/MIME Capabilities that have been defined in various documents. While all of the different capabilities can be placed in this extension, the intended purpose of this specification is mainly to support inclusion of S/MIME Capabilities specifying content encryption algorithms.

各种文档中定义了许多不同类型的S/MIME功能。虽然所有不同的功能都可以放在这个扩展中,但本规范的目的主要是支持包含指定内容加密算法的S/MIME功能。

Certification Authorities (CAs) SHOULD limit the type of included S/MIME Capabilities in this extension to types that are considered relevant to the intended use of the certificate.

证书颁发机构(CA)应将此扩展中包含的S/MIME功能的类型限制为与证书的预期用途相关的类型。

Client applications processing this extension MAY at their own discretion ignore any present S/MIME Capabilities and SHOULD always gracefully ignore any present S/MIME Capabilities that are not considered relevant to the particular use of the certificate.

处理此扩展的客户端应用程序可自行决定忽略任何现有的S/MIME功能,并且应始终优雅地忽略与证书的特定使用无关的任何现有S/MIME功能。

This extension MUST NOT be marked critical.

此扩展不能标记为关键。

3. Use in Applications
3. 在应用中使用

Applications using the S/MIME Capabilities extension SHOULD NOT use information in the extension if more reliable and relevant authenticated capabilities information is available to the application.

如果应用程序可以获得更可靠和相关的经过身份验证的功能信息,则使用S/MIME功能扩展的应用程序不应使用扩展中的信息。

It is outside the scope of this specification to define what is, or is not, regarded as a more reliable source of information by the application that is using the certificate.

定义使用证书的应用程序是否认为什么是更可靠的信息源超出了本规范的范围。

4. Security Considerations
4. 安全考虑

The S/MIME Capabilities extension contains a statement about the subject's capabilities made at the time of certificate issuance. Implementers should therefore take into account any effect caused by the change of these capabilities during the lifetime of the certificate.

S/MIME Capabilities扩展包含一条关于主体在颁发证书时的能力的声明。因此,实现者应该考虑在证书的生命周期内这些功能的更改所引起的任何影响。

Change in the subject's capabilities during the lifetime of a certificate may require revocation of the certificate. Revocation should, however, only be motivated if a listed algorithm is considered broken or considered too weak for the governing security policy.

证书有效期内受试者能力的变化可能需要撤销证书。但是,只有当所列算法被认为已损坏或对于管理安全策略来说太弱时,才应激活撤销。

Implementers should take into account that the use of this extension does not change the fact that it is always the responsibility of the sender to choose sufficiently strong encryption for its information disclosure.

实现者应该考虑到,使用此扩展不会改变这样一个事实,即发送者始终有责任为其信息披露选择足够强的加密。

5. Normative References
5. 规范性引用文件

[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[RFC3280]Housley,R.,Polk,W.,Ford,W.,和D.Solo,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)概要”,RFC 32802002年4月。

[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.

[RFC3851]Ramsdell,B.,“安全/多用途Internet邮件扩展(S/MIME)版本3.1消息规范”,RFC 38512004年7月。

Author's Address

作者地址

Stefan Santesson Microsoft Tuborg Boulevard 12 2900 Hellerup Denmark

Stefan Santesson Microsoft Tuborg大道12 2900号Hellerup丹麦

   EMail: stefans@microsoft.com
        
   EMail: stefans@microsoft.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。