Internet Engineering Task Force (IETF) J. Schaad
Request for Comments: 8550 August Cellars
Obsoletes: 5750 B. Ramsdell
Category: Standards Track Brute Squad Labs, Inc.
ISSN: 2070-1721 S. Turner
sn3rd
April 2019
Internet Engineering Task Force (IETF) J. Schaad
Request for Comments: 8550 August Cellars
Obsoletes: 5750 B. Ramsdell
Category: Standards Track Brute Squad Labs, Inc.
ISSN: 2070-1721 S. Turner
sn3rd
April 2019
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Certificate Handling
安全/多用途Internet邮件扩展(S/MIME)版本4.0证书处理
Abstract
摘要
This document specifies conventions for X.509 certificate usage by Secure/Multipurpose Internet Mail Extensions (S/MIME) v4.0 agents. S/MIME provides a method to send and receive secure MIME messages, and certificates are an integral part of S/MIME agent processing. S/MIME agents validate certificates as described in RFC 5280 ("Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"). S/MIME agents must meet the certificate-processing requirements in this document as well as those in RFC 5280. This document obsoletes RFC 5750.
本文档指定安全/多用途Internet邮件扩展(S/MIME)v4.0代理使用X.509证书的约定。S/MIME提供了一种发送和接收安全MIME消息的方法,证书是S/MIME代理处理的组成部分。S/MIME代理按照RFC 5280(“Internet X.509公钥基础结构证书和证书吊销列表(CRL)配置文件”)中的描述验证证书。S/MIME代理必须满足本文档以及RFC 5280中的证书处理要求。本文件淘汰RFC 5750。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8550.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8550.
Copyright Notice
版权公告
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Conventions Used in This Document . . . . . . . . . . . . 5
1.3. Compatibility with Prior Practice of S/MIME . . . . . . . 6
1.4. Changes from S/MIME v3 to S/MIME v3.1 . . . . . . . . . . 6
1.5. Changes from S/MIME v3.1 to S/MIME v3.2 . . . . . . . . . 7
1.6. Changes since S/MIME 3.2 . . . . . . . . . . . . . . . . 8
2. CMS Options . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Certificate Revocation Lists . . . . . . . . . . . . . . 9
2.2. Certificate Choices . . . . . . . . . . . . . . . . . . . 9
2.2.1. Historical Note about CMS Certificates . . . . . . . 9
2.3. Included Certificates . . . . . . . . . . . . . . . . . . 10
3. Using Distinguished Names for Internet Mail . . . . . . . . . 11
4. Certificate Processing . . . . . . . . . . . . . . . . . . . 12
4.1. Certificate Revocation Lists . . . . . . . . . . . . . . 13
4.2. Certificate Path Validation . . . . . . . . . . . . . . . 13
4.3. Certificate and CRL Signing Algorithms, and Key Sizes . . 14
4.4. PKIX Certificate Extensions . . . . . . . . . . . . . . . 15
4.4.1. Basic Constraints . . . . . . . . . . . . . . . . . . 16
4.4.2. Key Usage Extension . . . . . . . . . . . . . . . . . 16
4.4.3. Subject Alternative Name . . . . . . . . . . . . . . 17
4.4.4. Extended Key Usage Extension . . . . . . . . . . . . 17
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. Reference Conventions . . . . . . . . . . . . . . . . . . 20
7.1. Normative References . . . . . . . . . . . . . . . . . . 20
7.2. Informative References . . . . . . . . . . . . . . . . . 23
Appendix A. Historic Considerations . . . . . . . . . . . . . . 26
A.1. Signature Algorithms and Key Sizes . . . . . . . . . . . 26
Appendix B. Moving S/MIME v2 Certificate Handling to Historic
Status . . . . . . . . . . . . . . . . . . . . . . . 27
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Conventions Used in This Document . . . . . . . . . . . . 5
1.3. Compatibility with Prior Practice of S/MIME . . . . . . . 6
1.4. Changes from S/MIME v3 to S/MIME v3.1 . . . . . . . . . . 6
1.5. Changes from S/MIME v3.1 to S/MIME v3.2 . . . . . . . . . 7
1.6. Changes since S/MIME 3.2 . . . . . . . . . . . . . . . . 8
2. CMS Options . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Certificate Revocation Lists . . . . . . . . . . . . . . 9
2.2. Certificate Choices . . . . . . . . . . . . . . . . . . . 9
2.2.1. Historical Note about CMS Certificates . . . . . . . 9
2.3. Included Certificates . . . . . . . . . . . . . . . . . . 10
3. Using Distinguished Names for Internet Mail . . . . . . . . . 11
4. Certificate Processing . . . . . . . . . . . . . . . . . . . 12
4.1. Certificate Revocation Lists . . . . . . . . . . . . . . 13
4.2. Certificate Path Validation . . . . . . . . . . . . . . . 13
4.3. Certificate and CRL Signing Algorithms, and Key Sizes . . 14
4.4. PKIX Certificate Extensions . . . . . . . . . . . . . . . 15
4.4.1. Basic Constraints . . . . . . . . . . . . . . . . . . 16
4.4.2. Key Usage Extension . . . . . . . . . . . . . . . . . 16
4.4.3. Subject Alternative Name . . . . . . . . . . . . . . 17
4.4.4. Extended Key Usage Extension . . . . . . . . . . . . 17
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. Reference Conventions . . . . . . . . . . . . . . . . . . 20
7.1. Normative References . . . . . . . . . . . . . . . . . . 20
7.2. Informative References . . . . . . . . . . . . . . . . . 23
Appendix A. Historic Considerations . . . . . . . . . . . . . . 26
A.1. Signature Algorithms and Key Sizes . . . . . . . . . . . 26
Appendix B. Moving S/MIME v2 Certificate Handling to Historic
Status . . . . . . . . . . . . . . . . . . . . . . . 27
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
S/MIME (Secure/Multipurpose Internet Mail Extensions) v4.0, described in [RFC8551], provides a method to send and receive secure MIME messages. Before using a public key to provide security services, the S/MIME agent MUST verify that the public key is valid. S/MIME agents MUST use PKIX certificates to validate public keys as described in [RFC5280] ("Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"). S/MIME agents MUST meet the certificate-processing requirements specified in this document in addition to those stated in [RFC5280].
[RFC8551]中描述的S/MIME(安全/多用途Internet邮件扩展)v4.0提供了发送和接收安全MIME消息的方法。在使用公钥提供安全服务之前,S/MIME代理必须验证公钥是否有效。S/MIME代理必须使用PKIX证书来验证公钥,如[RFC5280](“Internet X.509公钥基础设施证书和证书吊销列表(CRL)配置文件”)中所述。除了[RFC5280]中规定的要求外,S/MIME代理还必须满足本文件中规定的证书处理要求。
This specification is compatible with the Cryptographic Message Syntax (CMS) [RFC5652] in that it uses the data types defined by CMS. It also inherits all the varieties of architectures for certificate-based key management supported by CMS.
本规范与加密消息语法(CMS)[RFC5652]兼容,因为它使用CMS定义的数据类型。它还继承了CMS支持的所有基于证书的密钥管理体系结构。
This document obsoletes [RFC5750]. The most significant changes revolve around changes in recommendations around the cryptographic algorithms used by the specification. More details can be found in Section 1.6.
本文件废除了[RFC5750]。最重要的变化是围绕规范使用的加密算法的建议变化。更多详情见第1.6节。
This specification contains a number of references to documents that have been obsoleted or replaced. This is intentional, as the updated documents often do not have the same information or protocol requirements in them.
本规范包含大量已废弃或替换文件的参考资料。这是有意的,因为更新的文档中通常没有相同的信息或协议要求。
For the purposes of this document, the following definitions apply.
在本文件中,以下定义适用。
ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.680 [X.680].
ASN.1:ITU-T X.680[X.680]中定义的抽象语法符号1。
Attribute certificate (AC): An X.509 AC is a separate structure from a subject's public key X.509 certificate. A subject may have multiple X.509 ACs associated with each of its public key X.509 certificates. Each X.509 AC binds one or more attributes with one of the subject's public key X.509 certificates. The X.509 AC syntax is defined in [RFC5755].
属性证书(AC):X.509 AC是主体公钥X.509证书的独立结构。一个主体可能有多个与其公钥X.509证书相关联的X.509 ACs。每个X.509 AC将一个或多个属性与主体的公钥X.509证书之一绑定。[RFC5755]中定义了X.509 AC语法。
Certificate: A type that binds an entity's name to a public key with a digital signature. This type is defined in [RFC5280]. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, a validity period, and extensions also defined in that document.
证书:用数字签名将实体名称绑定到公钥的类型。此类型在[RFC5280]中定义。此类型还包含证书颁发者(签名者)的可分辨名称、特定于颁发者的序列号、颁发者的签名算法标识符、有效期以及该文档中定义的扩展名。
Certificate Revocation List (CRL): A type that contains information about certificates whose validity an issuer has revoked. The information consists of an issuer name, the time of issue, the next scheduled time of issue, a list of certificate serial numbers and their associated revocation times, and extensions as defined in [RFC5280]. The CRL is signed by the issuer. The type intended by this specification is the one defined in [RFC5280].
证书吊销列表(CRL):一种类型,包含有关颁发者已吊销其有效性的证书的信息。该信息包括发行人名称、发行时间、下一个计划发行时间、证书序列号列表及其相关撤销时间,以及[RFC5280]中定义的扩展名。CRL由发行人签署。本规范规定的类型为[RFC5280]中定义的类型。
Receiving agent: Software that interprets and processes S/MIME CMS objects, MIME body parts that contain CMS objects, or both.
接收代理:解释和处理S/MIME CMS对象、包含CMS对象的MIME主体部分或两者的软件。
Sending agent: Software that creates S/MIME CMS objects, MIME body parts that contain CMS objects, or both.
发送代理:创建S/MIME CMS对象、包含CMS对象的MIME身体部位或两者的软件。
S/MIME agent: User software that is a receiving agent, a sending agent, or both.
S/MIME代理:作为接收代理、发送代理或两者兼有的用户软件。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。
We define the additional requirement levels:
我们定义了额外的需求级别:
SHOULD+ This term means the same as SHOULD. However, the authors expect that a requirement marked as SHOULD+ will be promoted at some future time to be a MUST.
SHOULD+这个词的意思与SHOULD相同。然而,作者希望标记为SHOULD+的需求将在将来的某个时候被提升为必须的。
SHOULD- This term means the same as SHOULD. However, the authors expect that a requirement marked as SHOULD- will be demoted to a MAY in a future version of this document.
应-该术语的含义与应相同。然而,作者预计,在本文档的未来版本中,标记为“应该”的需求将降级为“可能”。
MUST- This term means the same as MUST. However, the authors expect that this requirement will no longer be a MUST in a future document. Although its status will be determined at a later time, it is reasonable to expect that if a future revision of a document alters the status of a MUST-requirement, it will remain at least a SHOULD or a SHOULD-.
必须-该术语的含义与必须相同。然而,作者希望这一要求在未来的文件中不再是必须的。尽管其状态将在稍后确定,但可以合理预期,如果未来的文件修订改变了必须要求的状态,则至少应保持为应该或应该。
The term "RSA" in this document almost always refers to the PKCS #1 v1.5 RSA signature algorithm even when not qualified as such. There are a couple of places where it refers to the general RSA cryptographic operation; these can be determined from the context where it is used.
本文档中的术语“RSA”几乎总是指PKCS#1 v1.5 RSA签名算法,即使不符合此要求。有几个地方提到了一般的RSA加密操作;这些可以从使用它的上下文中确定。
S/MIME version 4.0 agents ought to attempt to have the greatest interoperability possible with agents for prior versions of S/MIME.
S/MIME版本4.0代理应该尝试与S/MIME早期版本的代理具有尽可能大的互操作性。
- S/MIME version 2 is described in RFC 2311 through RFC 2315 inclusive [SMIMEv2].
- RFC 2311至RFC 2315(含)中描述了S/MIME版本2[SMIMEv2]。
- S/MIME version 3 is described in RFC 2630 through RFC 2634 inclusive and RFC 5035 [SMIMEv3].
- S/MIME版本3在RFC 2630至RFC 2634(含)和RFC 5035[SMIMEv3]中进行了描述。
- S/MIME version 3.1 is described in RFC 2634, RFC 3850, RFC 3851, RFC 3852, and RFC 5035 [SMIMEv3.1].
- RFC 2634、RFC 3850、RFC 3851、RFC 3852和RFC 5035[SMIMEv3.1]中描述了S/MIME版本3.1。
- S/MIME version 3.2 is described in RFC 2634, RFC 5035, RFC 5652, RFC 5750, and RFC 5751 [SMIMEv3.2].
- RFC 2634、RFC 5035、RFC 5652、RFC 5750和RFC 5751[SMIMEv3.2]中描述了S/MIME版本3.2。
- RFC 2311 also has historical information about the development of S/MIME.
- RFC2311也有关于S/MIME发展的历史信息。
Appendix A contains information about algorithms that were used for prior versions of S/MIME but are no longer considered to meet modern security standards. Support of these algorithms may be needed to support historic S/MIME artifacts such as messages or files but SHOULD NOT be used for new artifacts.
附录A包含有关用于S/MIME早期版本但不再被认为符合现代安全标准的算法的信息。支持这些算法可能需要支持历史S/MIME工件(如消息或文件),但不应用于新工件。
This section reflects the changes that were made when S/MIME v3.1 was released. The language of RFC 2119 ("MUST", "SHOULD", etc.) used for S/MIME v3 may have been superseded in later versions.
本节反映了S/MIME v3.1发布时所做的更改。用于S/MIME v3的RFC 2119语言(“必须”、“应该”等)可能已在更高版本中被取代。
- Version 1 and version 2 CRLs MUST be supported.
- 必须支持版本1和版本2 CRL。
- Multiple certification authority (CA) certificates with the same subject and public key, but with overlapping validity periods, MUST be supported.
- 必须支持具有相同主题和公钥但有效期重叠的多个证书颁发机构(CA)证书。
- Version 2 ACs SHOULD be supported, and version 1 ACs MUST NOT be used.
- 应支持版本2 ACs,不得使用版本1 ACs。
- The use of the MD2 digest algorithm for certificate signatures is discouraged, and security language was added.
- 不鼓励对证书签名使用MD2摘要算法,并添加了安全语言。
- Clarified email address use in certificates. Certificates that do not contain an email address have no requirements for verifying the email address associated with the certificate.
- 澄清了证书中使用的电子邮件地址。不包含电子邮件地址的证书不需要验证与证书关联的电子邮件地址。
- Receiving agents SHOULD display certificate information when displaying the results of signature verification.
- 接收代理在显示签名验证结果时应显示证书信息。
- Receiving agents MUST NOT accept a signature made with a certificate that does not have at least one of the digitalSignature or nonRepudiation bits set.
- 接收代理不得接受使用未设置至少一个数字签名或非否认位的证书进行的签名。
- Added clarifications for the interpretation of the key usage and extended key usage extensions.
- 增加了对密钥用法和扩展密钥用法扩展的解释说明。
This section reflects the changes that were made when S/MIME v3.2 was released. The language of RFC 2119 ("MUST", "SHOULD", etc.) used for S/MIME v3.1 may have been superseded in later versions.
本节反映了S/MIME v3.2发布时所做的更改。用于S/MIME v3.1的RFC 2119语言(“必须”、“应该”等)可能已在更高版本中被取代。
Note that the section numbers listed here (e.g., "Section 6") are from [RFC5750].
请注意,此处列出的章节编号(例如,“第6节”)来自[RFC5750]。
- Moved "Conventions Used in This Document" to Section 1.2. Added definitions for SHOULD+, SHOULD-, and MUST-.
- 将“本文件中使用的约定”移至第1.2节。增加了SHOULD+、SHOULD-和MUST-的定义。
- Section 1.1: Updated ASN.1 definition and reference.
- 第1.1节:更新的ASN.1定义和参考。
- Section 1.3: Added text about v3.1 RFCs.
- 第1.3节:添加了关于v3.1 RFC的文本。
- Section 3: Aligned email address text with RFC 5280. Updated note to indicate that the emailAddress IA5String upper bound is 255 characters. Added text about matching email addresses.
- 第3节:与RFC 5280对齐的电子邮件地址文本。更新了说明,以指示emailAddress IA5String的上限为255个字符。添加了有关匹配电子邮件地址的文本。
- Section 4.2: Added text to indicate how S/MIME agents locate the correct user certificate.
- 第4.2节:添加文本以指示S/MIME代理如何定位正确的用户证书。
- Section 4.3: RSA with SHA-256 (PKCS #1 v1.5) added as MUST; DSA with SHA-256 added as SHOULD+; RSA with SHA-1, DSA with SHA-1, and RSA with MD5 changed to SHOULD-; and RSASSA-PSS with SHA-256 added as SHOULD+. Updated key sizes and changed pointer to PKIX RFCs.
- 第4.3节:必须添加带有SHA-256(PKCS#1 v1.5)的RSA;添加SHA-256的DSA应为+;带有SHA-1的RSA、带有SHA-1的DSA和带有MD5的RSA更改为“应”;和RSASSA-PSS,应添加SHA-256+。更新了密钥大小并更改了指向PKIX RFC的指针。
- Section 4.4.1: Aligned with PKIX on the use of a basicConstraints extension in CA certificates. Clarified which extension is used to constrain end entities from using their keys to perform issuing-authority operations.
- 第4.4.1节:在CA证书中使用basicConstraints扩展时与PKIX保持一致。阐明了用于约束终端实体使用其密钥执行颁发机构操作的扩展。
- Section 5: Updated security considerations.
- 第5节:更新的安全注意事项。
- Section 6: Moved references from Appendix A of RFC 3850 to this section. Updated the references.
- 第6节:将RFC 3850附录A中的参考文件移至本节。更新了参考资料。
- Appendix A: Added Appendix A to move S/MIME v2 Certificate Handling to Historic status.
- 附录A:添加附录A以将S/MIME v2证书处理移到历史状态。
This section reflects the changes that were made when S/MIME v4.0 was released. The language of RFC 2119 ("MUST", "SHOULD", etc.) used for S/MIME v3.2 may have been superseded by S/MIME v4.0 and may be superseded by future versions.
本节反映了S/MIME v4.0发布时所做的更改。用于S/MIME v3.2的RFC 2119语言(“必须”、“应该”等)可能已被S/MIME v4.0取代,并可能被未来版本取代。
- Section 3: Support for internationalized email addresses is required.
- 第3节:需要支持国际化电子邮件地址。
- Section 4.3: Mandated support for the Elliptic Curve Digital Signature Algorithm (ECDSA) with P-256 and the Edwards-curve Digital Signature Algorithm (EdDSA) with curve25519 [RFC8410]. SHA-1 and MD5 algorithms are marked as historical, as they are no longer considered secure. As the Digital Signature Algorithm (DSA) has been replaced by elliptic curve versions, support for DSA is now considered historical. Increased lower bounds on RSA key sizes.
- 第4.3节:强制支持具有P-256的椭圆曲线数字签名算法(ECDSA)和具有curve25519的爱德华兹曲线数字签名算法(EdDSA)[RFC8410]。SHA-1和MD5算法被标记为历史算法,因为它们不再被认为是安全的。由于数字签名算法(DSA)已被椭圆曲线版本取代,对DSA的支持现在被认为是历史性的。增加了RSA密钥大小的下限。
- Appendix A: Added Appendix A for algorithms that are now considered to be historical.
- 附录A:为现在被认为是历史的算法添加了附录A。
The CMS message format allows for a wide variety of options in content and algorithm support. This section puts forth a number of support requirements and recommendations in order to achieve a base level of interoperability among all S/MIME implementations. Most of the CMS format for S/MIME messages is defined in [RFC8551].
CMS消息格式允许在内容和算法支持方面有多种选择。本节提出了一些支持需求和建议,以实现所有S/MIME实现之间的基本互操作性。[RFC8551]中定义了S/MIME消息的大多数CMS格式。
Receiving agents MUST support the CRL format defined in [RFC5280]. If sending agents include CRLs in outgoing messages, the CRL format defined in [RFC5280] MUST be used. Receiving agents MUST support both v1 and v2 CRLs.
接收代理必须支持[RFC5280]中定义的CRL格式。如果发送代理在传出消息中包含CRL,则必须使用[RFC5280]中定义的CRL格式。接收代理必须同时支持v1和v2 CRL。
All agents MUST be capable of performing revocation checks using CRLs as specified in [RFC5280]. All agents MUST perform revocation status checking in accordance with [RFC5280]. Receiving agents MUST recognize CRLs in received S/MIME messages.
所有代理必须能够使用[RFC5280]中规定的CRL执行撤销检查。所有代理必须根据[RFC5280]执行撤销状态检查。接收代理必须识别接收到的S/MIME消息中的CRL。
Agents SHOULD store CRLs received in messages for use in processing later messages.
代理应该存储在消息中接收的CRL,以便在以后处理消息时使用。
Receiving agents MUST support v1 X.509 and v3 X.509 certificates as profiled in [RFC5280]. End-entity certificates MAY include an Internet mail address, as described in Section 3.
接收代理必须支持[RFC5280]中描述的v1 X.509和v3 X.509证书。终端实体证书可能包括互联网邮件地址,如第3节所述。
Receiving agents SHOULD support X.509 version 2 ACs. See [RFC5755] for details about the profile for ACs.
接收代理应支持X.509版本2 ACs。有关ACs配置文件的详细信息,请参阅[RFC5755]。
The CMS message format supports a choice of certificate formats for public key content types: PKIX, PKCS #6 extended certificates [PKCS6], and PKIX ACs.
CMS消息格式支持公钥内容类型的证书格式选择:PKIX、PKCS#6扩展证书[PKCS6]和PKIX ACs。
The PKCS #6 format is not in widespread use. In addition, PKIX certificate extensions address much of the same functionality and flexibility as was intended in the PKCS #6 certificate extensions. Thus, sending and receiving agents MUST NOT use PKCS #6 extended certificates. Receiving agents MUST be able to parse and process a message containing PKCS #6 extended certificates, although ignoring those certificates is expected behavior.
PKCS#6格式没有得到广泛使用。此外,PKIX证书扩展解决了与PKCS#6证书扩展相同的功能和灵活性。因此,发送和接收代理不得使用PKCS#6扩展证书。接收代理必须能够解析和处理包含PKCS#6扩展证书的消息,尽管忽略这些证书是预期行为。
X.509 version 1 ACs are also not widely implemented and have been superseded by version 2 ACs. Sending agents MUST NOT send version 1 ACs.
X.509版本1 ACs也没有得到广泛实施,已被版本2 ACs取代。发送代理不能发送版本1 ACs。
Receiving agents MUST be able to handle an arbitrary number of certificates of arbitrary relationship to the message sender and to each other in arbitrary order. In many cases, the certificates included in a signed message may represent a chain of certification from the sender to a particular root. There may be, however, situations where the certificates in a signed message may be unrelated and included for convenience.
接收代理必须能够处理任意数量的证书,这些证书与消息发送方以及彼此之间的关系是任意的。在许多情况下,签名消息中包含的证书可能表示从发送方到特定根的证书链。然而,可能存在这样的情况,即签名消息中的证书可能是无关的,并且为了方便而包括在内。
Sending agents SHOULD include any certificates for the user's public key(s) and associated issuer certificates. This increases the likelihood that the intended recipient can establish trust in the originator's public key(s). This is especially important when sending a message to recipients that may not have access to the sender's public key through any other means or when sending a signed message to a new recipient. The inclusion of certificates in outgoing messages can be omitted if S/MIME objects are sent within a group of correspondents that have established access to each other's certificates by some other means such as a shared directory or manual certificate distribution. Receiving S/MIME agents SHOULD be able to handle messages without certificates by using a database or directory lookup scheme to find them.
发送代理应包括用户公钥和相关颁发者证书的任何证书。这增加了预期接收者对发端人公钥建立信任的可能性。当向可能无法通过任何其他方式访问发件人公钥的收件人发送邮件或向新收件人发送签名邮件时,这一点尤为重要。如果S/MIME对象是在通过共享目录或手动证书分发等其他方式建立了对彼此证书的访问权限的一组通信者中发送的,则可以忽略在传出消息中包含证书。接收S/MIME代理应该能够通过使用数据库或目录查找方案来查找没有证书的消息。
A sending agent SHOULD include at least one chain of certificates up to, but not including, a CA that it believes that the recipient may trust as authoritative. A receiving agent MUST be able to handle an arbitrarily large number of certificates and chains.
发送代理应至少包括一个证书链,该证书链最多包括但不包括它认为接收方可以信任为权威的CA。接收代理必须能够处理任意数量的证书和链。
Agents MAY send CA certificates -- that is, cross-certificates, self-issued certificates, and self-signed certificates. Note that receiving agents SHOULD NOT simply trust any self-signed certificates as valid CAs but SHOULD use some other mechanism to determine if this is a CA that should be trusted. Also note that when certificates contain DSA public keys the parameters may be located in the root certificate. This would require that the recipient possess both the end-entity certificate and the root certificate to perform a signature verification, and is a valid example of a case where transmitting the root certificate may be required.
代理可以发送CA证书——即交叉证书、自颁发证书和自签名证书。请注意,接收代理不应该简单地将任何自签名证书作为有效CA来信任,而应该使用其他机制来确定这是否是一个应该信任的CA。还要注意,当证书包含DSA公钥时,参数可能位于根证书中。这将要求接收方同时拥有终端实体证书和根证书以执行签名验证,这是可能需要传输根证书的情况的有效示例。
Receiving agents MUST support chaining based on the distinguished name fields. Other methods of building certificate chains MAY be supported.
接收代理必须支持基于可分辨名称字段的链接。可以支持构建证书链的其他方法。
Receiving agents SHOULD support the decoding of X.509 ACs included in CMS objects. All other issues regarding the generation and use of X.509 ACs are outside the scope of this specification. One specification that addresses AC use is defined in [RFC3114].
接收代理应支持对CMS对象中包含的X.509 ACs进行解码。与X.509 ACs的生成和使用有关的所有其他问题不在本规范的范围内。[RFC3114]中定义了一个解决交流使用的规范。
End-entity certificates MAY contain an Internet mail address. Email addresses restricted to 7-bit ASCII characters use the pkcs-9-at-emailAddress object identifier (OID) (see below) and are encoded as described in Section 4.2.1.6 of [RFC5280]. Internationalized email address names use the OID defined in [RFC8398] and are encoded as described therein. The email address SHOULD be in the subjectAltName extension and SHOULD NOT be in the subject distinguished name.
终端实体证书可能包含Internet邮件地址。限制为7位ASCII字符的电子邮件地址使用pkcs-9-at-emailAddress对象标识符(OID)(见下文),并按照[RFC5280]第4.2.1.6节所述进行编码。国际化电子邮件地址名称使用[RFC8398]中定义的OID,并按照其中所述进行编码。电子邮件地址应位于subjectAltName扩展名中,而不应位于subject可分辨名称中。
Receiving agents MUST recognize and accept certificates that contain no email address. Agents are allowed to provide an alternative mechanism for associating an email address with a certificate that does not contain an email address, such as through the use of the agent's address book, if available. Receiving agents MUST recognize both ASCII and internationalized email addresses in the subjectAltName extension. Receiving agents MUST recognize email addresses in the distinguished name field in the PKCS #9 [RFC2985] emailAddress attribute:
接收代理必须识别并接受不包含电子邮件地址的证书。允许代理提供将电子邮件地址与不包含电子邮件地址的证书相关联的替代机制,例如通过使用代理的通讯簿(如果可用)。接收代理必须识别subjectAltName扩展名中的ASCII和国际化电子邮件地址。接收代理必须识别PKCS#9[RFC2985]emailAddress属性中可分辨名称字段中的电子邮件地址:
pkcs-9-at-emailAddress OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1 }
pkcs-9-at-emailAddress OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1 }
Note that this attribute MUST be encoded as IA5String and has an upper bound of 255 characters. The comparing of email addresses is fraught with peril. [RFC8398] defines the procedure for doing the comparison of internationalized email addresses. For ASCII email addresses, the domain component (right-hand side of the '@') MUST be compared using a case-insensitive function. The local name component (left-hand side of the '@') SHOULD be compared using a case-insensitive function. Some localities may perform other transformations on the local name component before doing the comparison; however, an S/MIME client cannot know what specific localities do.
请注意,此属性必须编码为IA5String,并具有255个字符的上限。比较电子邮件地址充满了危险。[RFC8398]定义了对国际化电子邮件地址进行比较的过程。对于ASCII电子邮件地址,必须使用不区分大小写的函数比较域组件(@的右侧)。应该使用不区分大小写的函数来比较本地名称组件(“@”)的左侧。一些地方可能在进行比较之前对本地名称组件执行其他转换;但是,S/MIME客户端无法知道特定的位置在做什么。
Sending agents SHOULD make the address in the From or Sender header in a mail message match an Internet mail address in the signer's certificate. Receiving agents MUST check that the address in the From or Sender header of a mail message matches an Internet mail address in the signer's certificate, if mail addresses are present in the certificate. A receiving agent SHOULD provide some explicit alternate processing of the message if this comparison fails; this might be done by displaying or logging a message that shows the recipient the mail addresses in the certificate or other certificate details.
发送代理应使邮件消息中“发件人”或“发件人”标题中的地址与签名者证书中的Internet邮件地址匹配。接收代理必须检查邮件消息的发件人或发件人标头中的地址是否与签名者证书中的Internet邮件地址匹配(如果证书中存在邮件地址)。如果比较失败,接收代理应该提供一些明确的消息替代处理;这可以通过显示或记录一条消息来完成,该消息向收件人显示证书中的邮件地址或其他证书详细信息。
A receiving agent SHOULD display a subject name or other certificate details when displaying an indication of successful or unsuccessful signature verification.
当显示签名验证成功或失败的指示时,接收代理应显示主题名称或其他证书详细信息。
All subject and issuer names MUST be populated (i.e., not an empty SEQUENCE) in S/MIME-compliant X.509 certificates, except that the subject distinguished name in a user's (i.e., an end entity's) certificate MAY be an empty SEQUENCE, in which case the subjectAltName extension will include the subject's identifier and MUST be marked as critical.
必须在S/MIME兼容的X.509证书中填充所有使用者和颁发者名称(即非空序列),但用户(即终端实体)证书中的使用者可分辨名称可能是空序列,在这种情况下,使用者的subjectAltName扩展将包括使用者的标识符,并且必须标记为关键。
S/MIME agents need to provide some certificate retrieval mechanism in order to gain access to certificates for recipients of digital envelopes. There are many ways to implement certificate retrieval mechanisms. [X.500] directory service is an excellent example of a certificate retrieval-only mechanism that is compatible with classic X.500 distinguished names. The IETF has published [RFC8162], which describes an experimental protocol to retrieve certificates from the Domain Name System (DNS). Until such mechanisms are widely used, their utility may be limited by the small number of the correspondent's certificates that can be retrieved. At a minimum, for initial S/MIME deployment, a user agent could automatically generate a message to an intended recipient requesting the recipient's certificate in a signed return message.
S/MIME代理需要提供一些证书检索机制,以便为数字信封的收件人获取证书。有许多方法可以实现证书检索机制。[X.500]目录服务是与经典的X.500可分辨名称兼容的仅证书检索机制的一个极好示例。IETF已经发布了[RFC8162],它描述了一个从域名系统(DNS)检索证书的实验协议。在这些机制被广泛使用之前,它们的实用性可能会受到可检索的少量通信方证书的限制。对于初始S/MIME部署,用户代理至少可以自动生成一条消息,发送给指定的收件人,在签名的返回消息中请求收件人的证书。
Receiving and sending agents SHOULD also provide a mechanism to allow a user to "store and protect" certificates for correspondents in such a way as to guarantee their later retrieval. In many environments, it may be desirable to link the certificate retrieval/storage mechanisms together in some sort of certificate database. In its simplest form, a certificate database would be local to a particular user and would function in a way similar to an "address book" that stores a user's frequent correspondents. In this way, the certificate retrieval mechanism would be limited to the certificates that a user has stored (presumably from incoming messages). A comprehensive certificate retrieval/storage solution might combine two or more mechanisms to allow the greatest flexibility and utility to the user. For instance, a secure Internet mail agent might resort to checking a centralized certificate retrieval mechanism for a certificate if it cannot be found in a user's local certificate storage/retrieval database.
接收和发送代理还应提供一种机制,允许用户为通讯员“存储和保护”证书,以保证其以后的检索。在许多环境中,可能需要在某种证书数据库中将证书检索/存储机制链接在一起。在最简单的形式中,证书数据库是特定用户的本地数据库,其功能类似于存储用户频繁通信者的“地址簿”。这样,证书检索机制将限于用户存储的证书(可能来自传入消息)。一个全面的证书检索/存储解决方案可以结合两个或多个机制,以便为用户提供最大的灵活性和实用性。例如,如果在用户的本地证书存储/检索数据库中找不到证书,则安全Internet邮件代理可能会求助于检查集中式证书检索机制以获取证书。
Receiving and sending agents SHOULD provide a mechanism for the import and export of certificates, using a CMS certs-only message. This allows for import and export of full certificate chains as opposed to just a single certificate. This is described in [RFC8551].
接收和发送代理应使用CMS certs only消息提供证书导入和导出机制。这允许导入和导出完整的证书链,而不仅仅是单个证书。这在[RFC8551]中有描述。
Agents MUST handle multiple valid CA certificates containing the same subject name and the same public keys but with overlapping validity intervals.
代理必须处理多个有效CA证书,这些证书包含相同的使用者名称和相同的公钥,但有效期间隔重叠。
In general, it is always better to get the latest CRL information from a CA than to get information stored in an incoming message. A receiving agent SHOULD have access to some CRL retrieval mechanism in order to gain access to certificate revocation information when validating certification paths. A receiving or sending agent SHOULD also provide a mechanism to allow a user to store incoming certificate revocation information for correspondents in such a way as to guarantee its later retrieval.
一般来说,从CA获取最新的CRL信息总比获取传入消息中存储的信息要好。接收代理应该可以访问某些CRL检索机制,以便在验证证书路径时访问证书吊销信息。接收或发送代理还应提供一种机制,允许用户为通信方存储传入的证书撤销信息,以保证其以后的检索。
Receiving and sending agents SHOULD retrieve and utilize CRL information every time a certificate is verified as part of a certification path validation even if the certificate was already verified in the past. However, in many instances (such as off-line verification), access to the latest CRL information may be difficult or impossible. The use of CRL information, therefore, may be dictated by the value of the information that is protected. The value of the CRL information in a particular context is beyond the scope of this specification but may be governed by the policies associated with particular certification paths.
接收和发送代理应在每次证书作为证书路径验证的一部分进行验证时检索和利用CRL信息,即使该证书在过去已经过验证。然而,在许多情况下(如离线验证),访问最新的CRL信息可能很困难或不可能。因此,CRL信息的使用可能由受保护信息的价值决定。特定上下文中CRL信息的值超出了本规范的范围,但可能受与特定认证路径相关联的策略控制。
All agents MUST be capable of performing revocation checks using CRLs as specified in [RFC5280]. All agents MUST perform revocation status checking in accordance with [RFC5280]. Receiving agents MUST recognize CRLs in received S/MIME messages.
所有代理必须能够使用[RFC5280]中规定的CRL执行撤销检查。所有代理必须根据[RFC5280]执行撤销状态检查。接收代理必须识别接收到的S/MIME消息中的CRL。
In creating a user agent for secure messaging, certificate, CRL, and certification path validation should be highly automated while still acting in the best interests of the user. Certificate, CRL, and path validation MUST be performed as per [RFC5280] when validating a correspondent's public key. This is necessary before using a public key to provide security services such as verifying a signature, encrypting a content-encryption key (e.g., RSA), or forming a pairwise symmetric key (e.g., Diffie-Hellman) to be used to encrypt or decrypt a content-encryption key.
在创建用于安全消息传递的用户代理时,证书、CRL和证书路径验证应该高度自动化,同时仍然符合用户的最佳利益。验证通信方公钥时,必须按照[RFC5280]执行证书、CRL和路径验证。这在使用公钥提供安全服务之前是必要的,例如验证签名、加密内容加密密钥(例如RSA)或形成用于加密或解密内容加密密钥的成对对称密钥(例如Diffie Hellman)。
Certificates and CRLs are made available to the path validation procedure in two ways: a) incoming messages and b) certificate and CRL retrieval mechanisms. Certificates and CRLs in incoming messages are not required to be in any particular order, nor are they required to be in any way related to the sender or recipient of the message (although in most cases they will be related to the sender). Incoming certificates and CRLs SHOULD be cached for use in path validation and optionally stored for later use. This temporary certificate and CRL cache SHOULD be used to augment any other certificate and CRL retrieval mechanisms for path validation on incoming signed messages.
证书和CRL可通过两种方式用于路径验证过程:a)传入消息和b)证书和CRL检索机制。传入邮件中的证书和CRL不需要按任何特定顺序排列,也不需要以任何方式与邮件的发件人或收件人相关(尽管在大多数情况下,它们将与发件人相关)。传入的证书和CRL应缓存以用于路径验证,并可选择存储以供以后使用。此临时证书和CRL缓存应用于增强任何其他证书和CRL检索机制,以便对传入的签名消息进行路径验证。
When verifying a signature and the certificates that are included in the message, if a signingCertificate attribute from RFC 2634 [ESS] or a signingCertificateV2 attribute from RFC 5035 [ESS] is found in an S/MIME message, it SHALL be used to identify the signer's certificate. Otherwise, the certificate is identified in an S/MIME message, using either (1) the issuerAndSerialNumber, which identifies the signer's certificate by the issuer's distinguished name and the certificate serial number or (2) the subjectKeyIdentifier, which identifies the signer's certificate by a key identifier.
验证消息中包含的签名和证书时,如果在S/MIME消息中发现来自RFC 2634[ESS]的signingCertificate属性或来自RFC 5035[ESS]的signingCertificateV2属性,则应使用该属性来标识签名者的证书。否则,在S/MIME消息中使用(1)issuerAndSerialNumber(通过颁发者的可分辨名称和证书序列号标识签名者的证书)或(2)subjectKeyIdentifier(通过密钥标识符标识签名者的证书)来标识证书。
When decrypting an encrypted message, if an SMIMEEncryptionKeyPreference attribute is found in an encapsulating SignedData, it SHALL be used to identify the originator's certificate found in OriginatorInfo. See [RFC5652] for the CMS fields that reference the originator's and recipient's certificates.
解密加密邮件时,如果在封装的SignedData中发现SMIMEEncryptionKeyPreference属性,则应使用该属性标识在OriginatorInfo中找到的发端人证书。参考发端人和接收方证书的CMS字段,请参见[RFC5652]。
Certificates and CRLs are signed by the certificate issuer. Receiving agents:
证书和CRL由证书颁发者签署。接收代理:
- MUST support ECDSA with curve P-256 with SHA-256.
- 必须支持曲线P-256和SHA-256的ECDSA。
- MUST support EdDSA with curve25519 using PureEdDSA mode.
- 必须使用PureEdDSA模式支持带有curve25519的EdDSA。
- MUST- support RSA PKCS #1 v1.5 with SHA-256.
- 必须-支持带有SHA-256的RSA PKCS#1 v1.5。
- SHOULD support the RSA Probabilistic Signature Scheme (RSASSA-PSS) with SHA-256.
- 应支持带有SHA-256的RSA概率签名方案(RSASSA-PSS)。
Implementations SHOULD use deterministic generation for the parameter 'k' for ECDSA as outlined in [RFC6979]. EdDSA is defined to generate this parameter deterministically.
如[RFC6979]所述,实现应为ECDSA的参数“k”使用确定性生成。定义EdDSA以确定地生成此参数。
The following are the RSA and RSASSA-PSS key size requirements for S/MIME receiving agents during certificate and CRL signature verification:
以下是证书和CRL签名验证期间S/MIME接收代理的RSA和RSASSA-PSS密钥大小要求:
key size <= 2047 : SHOULD NOT (see Appendix A)
2048 <= key size <= 4096 : MUST (see Security Considerations)
4096 < key size : MAY (see Security Considerations)
key size <= 2047 : SHOULD NOT (see Appendix A)
2048 <= key size <= 4096 : MUST (see Security Considerations)
4096 < key size : MAY (see Security Considerations)
The signature algorithm OIDs for RSA PKCS #1 v1.5 and RSASSA-PSS with SHA-256 using 1024-bit through 3072-bit public keys are specified in [RFC4055], and the signature algorithm definition is found in [FIPS186-2] with Change Notice 1.
[RFC4055]中规定了使用1024位到3072位公钥的RSA PKCS#1 v1.5和带有SHA-256的RSASSA-PSS的签名算法OID,签名算法定义见[FIPS186-2]中的更改通知1。
The signature algorithm OIDs for RSA PKCS #1 v1.5 and RSASSA-PSS with SHA-256 using 4096-bit public keys are specified in [RFC4055], and the signature algorithm definition is found in [RFC3447].
[RFC4055]中规定了使用4096位公钥的RSA PKCS#1 v1.5和带有SHA-256的RSASSA-PSS的签名算法OID,签名算法定义见[RFC3447]。
For RSASSA-PSS with SHA-256, see [RFC4056].
对于带有SHA-256的RSASSA-PSS,请参见[RFC4056]。
For ECDSA, see [RFC5758] and [RFC6090]. The first reference provides the signature algorithm's OID, and the second provides the signature algorithm's definition. Curves other than curve P-256 MAY be used as well.
有关ECDSA,请参阅[RFC5758]和[RFC6090]。第一个参考提供了签名算法的OID,第二个参考提供了签名算法的定义。也可以使用曲线P-256以外的曲线。
For EdDSA, see [RFC8032] and [RFC8410]. The first reference provides the signature algorithm's OID, and the second provides the signature algorithm's definition. Curves other than curve25519 MAY be used as well.
有关EdDSA,请参见[RFC8032]和[RFC8410]。第一个参考提供了签名算法的OID,第二个参考提供了签名算法的定义。也可以使用曲线25519以外的曲线。
PKIX describes an extensible framework in which the basic certificate information can be extended and describes how such extensions can be used to control the process of issuing and validating certificates. The LAMPS Working Group has ongoing efforts to identify and create extensions that have value in particular certification environments. Further, there are active efforts underway to issue PKIX certificates for business purposes. This document identifies the minimum required set of certificate extensions that have the greatest value in the S/MIME environment. The syntax and semantics of all the identified extensions are defined in [RFC5280].
PKIX描述了一个可扩展的框架,其中可以扩展基本证书信息,并描述了如何使用这些扩展来控制证书的颁发和验证过程。LAMPS工作组正在努力确定并创建在特定认证环境中具有价值的扩展。此外,正在积极努力为商业目的颁发PKIX证书。本文档确定了在S/MIME环境中具有最大价值的最小所需证书扩展集。[RFC5280]中定义了所有已识别扩展的语法和语义。
Sending and receiving agents MUST correctly handle the basic constraints, key usage, authority key identifier, subject key identifier, and subject alternative name certificate extensions when they appear in end-entity and CA certificates. Some mechanism SHOULD exist to gracefully handle other certificate extensions when they appear in end-entity or CA certificates.
当基本约束、密钥使用、授权密钥标识符、使用者密钥标识符和使用者备用名称证书扩展出现在最终实体和CA证书中时,发送和接收代理必须正确处理它们。当其他证书扩展出现在最终实体或CA证书中时,应该存在一些机制来优雅地处理它们。
Certificates issued for the S/MIME environment SHOULD NOT contain any critical extensions (extensions that have the critical field set to TRUE) other than those listed here. These extensions SHOULD be marked as non-critical, unless the proper handling of the extension is deemed critical to the correct interpretation of the associated certificate. Other extensions may be included, but those extensions SHOULD NOT be marked as critical.
为S/MIME环境颁发的证书不应包含此处列出的以外的任何关键扩展(关键字段设置为TRUE的扩展)。这些扩展应标记为非关键扩展,除非正确处理扩展对相关证书的正确解释至关重要。可以包括其他扩展,但不应将这些扩展标记为关键扩展。
Interpretation and syntax for all extensions MUST follow [RFC5280], unless otherwise specified here.
除非此处另有规定,否则所有扩展的解释和语法必须遵循[RFC5280]。
The basicConstraints extension serves to delimit the role and position that an issuing-authority or end-entity certificate plays in a certification path.
basicConstraints扩展用于定义颁发机构或最终实体证书在证书路径中扮演的角色和位置。
For example, certificates issued to CAs and subordinate CAs contain a basicConstraints extension that identifies them as issuing-authority certificates. End-entity certificates contain the key usage extension, which restrains end entities from using the key when performing issuing-authority operations (see Section 4.4.2).
例如,颁发给CA和下级CA的证书包含basicConstraints扩展,该扩展将它们标识为颁发机构证书。终端实体证书包含密钥使用扩展,该扩展限制终端实体在执行颁发机构操作时使用密钥(参见第4.4.2节)。
As per [RFC5280], certificates MUST contain a basicConstraints extension in CA certificates and SHOULD NOT contain that extension in end-entity certificates.
根据[RFC5280],证书必须在CA证书中包含basicConstraints扩展,并且不应在最终实体证书中包含该扩展。
The key usage extension serves to limit the technical purposes for which a public key listed in a valid certificate may be used. Issuing-authority certificates may contain a key usage extension that restricts the key to signing certificates, CRLs, and other data.
密钥使用扩展用于限制有效证书中列出的公钥可用于的技术目的。颁发机构证书可能包含密钥使用扩展,该扩展将密钥限制为对证书、CRL和其他数据进行签名。
For example, a CA may create subordinate issuer certificates that contain a key usage extension that specifies that the corresponding public key can be used to sign end-user certificates and CRLs.
例如,CA可以创建包含密钥使用扩展的从属颁发者证书,该扩展指定可以使用相应的公钥对最终用户证书和CRL进行签名。
If a key usage extension is included in a PKIX certificate, then it MUST be marked as critical.
如果PKIX证书中包含密钥使用扩展,则必须将其标记为关键。
S/MIME receiving agents MUST NOT accept the signature of a message if it was verified using a certificate that contains a key usage extension without at least one of the digitalSignature or nonRepudiation bits set. Sometimes S/MIME is used as a secure message transport for applications beyond interpersonal messaging; in
如果使用包含密钥使用扩展且未设置至少一个digitalSignature或Nonpudiation位的证书对消息进行验证,则S/MIME接收代理不得接受消息的签名。有时,S/MIME被用作人际消息传递以外的应用程序的安全消息传输;在里面
such cases, the S/MIME-enabled application can specify additional requirements concerning the digitalSignature or nonRepudiation bits within this extension.
在这种情况下,支持S/MIME的应用程序可以指定与此扩展中的数字签名或不可否认性位有关的附加要求。
If the key usage extension is not specified, receiving clients MUST presume that both the digitalSignature and nonRepudiation bits are set.
如果未指定密钥使用扩展,则接收客户端必须假定设置了数字签名和非否认位。
The subject alternative name extension is used in S/MIME as the preferred means to convey the email address or addresses that correspond to the entity for this certificate. If the local portion of the email address is ASCII, it MUST be encoded using the rfc822Name CHOICE of the GeneralName type as described in [RFC5280], Section 4.2.1.6. If the local portion of the email address is not ASCII, it MUST be encoded using the otherName CHOICE of the GeneralName type as described in [RFC8398], Section 3. Since the SubjectAltName type is a SEQUENCE OF GeneralName, multiple email addresses MAY be present.
subject alternative name extension在S/MIME中用作传递电子邮件地址或与此证书的实体相对应的地址的首选方式。如果电子邮件地址的本地部分是ASCII,则必须使用[RFC5280]第4.2.1.6节中所述的通用名称类型的RFC822名称选择对其进行编码。如果电子邮件地址的本地部分不是ASCII,则必须使用[RFC8398]第3节中所述的一般名称类型的otherName选项对其进行编码。由于SubjectAltName类型是GeneralName的序列,因此可能存在多个电子邮件地址。
The extended key usage extension also serves to limit the technical purposes for which a public key listed in a valid certificate may be used. The set of technical purposes for the certificate therefore are the intersection of the uses indicated in the key usage and extended key usage extensions.
扩展密钥使用扩展还用于限制有效证书中列出的公钥可用于的技术目的。因此,证书的技术用途集是密钥使用和扩展密钥使用扩展中指示的用途的交叉点。
For example, if the certificate contains a key usage extension indicating a digital signature and an extended key usage extension that includes the id-kp-emailProtection OID, then the certificate may be used for signing but not encrypting S/MIME messages. If the certificate contains a key usage extension indicating a digital signature but no extended key usage extension, then the certificate may also be used to sign but not encrypt S/MIME messages.
例如,如果证书包含指示数字签名的密钥使用扩展名和包含id kp emailProtection OID的扩展密钥使用扩展名,则该证书可用于签名但不加密S/MIME消息。如果证书包含指示数字签名的密钥使用扩展,但没有扩展密钥使用扩展,则该证书也可用于签名但不加密S/MIME消息。
If the extended key usage extension is present in the certificate, then interpersonal-message S/MIME receiving agents MUST check that it contains either the id-kp-emailProtection OID or the anyExtendedKeyUsage OID as defined in [RFC5280]. S/MIME uses other than interpersonal messaging MAY require the explicit presence of the extended key usage extension, the presence of other OIDs in the extension, or both.
如果证书中存在扩展密钥使用扩展,则人际消息S/MIME接收代理必须检查其是否包含id kp emailProtection OID或[RFC5280]中定义的anyExtendedKeyUsage OID。除人际消息传递之外的S/MIME使用可能需要显式存在扩展密钥使用扩展、扩展中存在其他OID,或两者兼而有之。
This document has no IANA actions.
本文档没有IANA操作。
All of the security issues faced by any cryptographic application must be faced by an S/MIME agent. Among these issues are protecting the user's private key, preventing various attacks, and helping the user avoid mistakes such as inadvertently encrypting a message for the wrong recipient. The entire list of security considerations is beyond the scope of this document, but some significant concerns are listed here.
任何加密应用程序所面临的所有安全问题都必须由S/MIME代理来解决。这些问题包括保护用户的私钥、防止各种攻击以及帮助用户避免错误,例如无意中为错误的收件人加密消息。整个安全注意事项列表超出了本文档的范围,但此处列出了一些重要的注意事项。
When processing certificates, there are many situations where the processing might fail. Because the processing may be done by a user agent, a security gateway, or some other program, there is no single way to handle such failures. Just because the methods to handle the failures have not been listed, however, the reader should not assume that they are not important. The opposite is true: if a certificate is not provably valid and associated with the message, the processing software should take immediate and noticeable steps to inform the end user about it.
在处理证书时,有许多情况下处理可能会失败。由于处理可能由用户代理、安全网关或其他程序完成,因此没有单一的方法来处理此类故障。然而,仅仅因为没有列出处理故障的方法,读者就不应该认为它们不重要。反之亦然:如果证书不可证明有效且与消息关联,则处理软件应立即采取明显的步骤通知最终用户。
Some of the many places where signature and certificate checking might fail include the following:
签名和证书检查可能失败的许多地方包括:
- no Internet mail addresses in a certificate match the sender of a message, if the certificate contains at least one mail address
- 如果证书至少包含一个邮件地址,则证书中没有与邮件发件人匹配的Internet邮件地址
- no certificate chain leads to a trusted CA
- 没有证书链指向受信任的CA
- no ability to check the CRL for a certificate is implemented
- 没有实现检查CRL证书的功能
- an invalid CRL was received
- 收到无效的CRL
- the CRL being checked is expired
- 正在检查的CRL已过期
- the certificate is expired
- 证书过期了
- the certificate has been revoked
- 证书已被吊销
There are certainly other instances where a certificate may be invalid, and it is the responsibility of the processing software to check them all thoroughly and decide what to do if the check fails.
当然,在其他情况下,证书可能无效,处理软件有责任彻底检查所有证书,并决定如果检查失败怎么办。
It is possible for there to be multiple unexpired CRLs for a CA. If an agent is consulting CRLs for certificate validation, it SHOULD make sure that the most recently issued CRL for that CA is consulted, since an S/MIME message sender could deliberately include an older unexpired CRL in an S/MIME message. This older CRL might not include recently revoked certificates; this scenario might lead an agent to accept a certificate that has been revoked in a subsequent CRL.
CA可能存在多个未过期的CRL。如果代理正在咨询CRL以进行证书验证,则应确保咨询该CA最近发布的CRL,因为S/MIME消息发送方可能有意在S/MIME消息中包含较旧的未过期CRL。此旧CRL可能不包括最近吊销的证书;此场景可能会导致代理接受已在后续CRL中吊销的证书。
When determining the time for a certificate validity check, agents have to be careful to use a reliable time. In most cases, the time used SHOULD be the current time. Some exceptions to this would be as follows:
在确定证书有效性检查的时间时,代理必须小心使用可靠的时间。在大多数情况下,使用的时间应为当前时间。一些例外情况如下:
- The time the message was received is stored in a secure manner and is used at a later time to validate the message.
- 接收消息的时间以安全的方式存储,并在以后用于验证消息。
- The time in a SigningTime attribute is found in a countersignature attribute [RFC5652] that has been successfully validated.
- SigningTime属性中的时间可在已成功验证的会签属性[RFC5652]中找到。
The signingTime attribute could be deliberately set to a time where the receiving agent would (1) use a CRL that does not contain a revocation for the signing certificate or (2) use a certificate that has expired or is not yet valid. This could be done by either (1) the sender of the message or (2) an attacker that has compromised the key of the sender.
signingTime属性可以故意设置为接收代理(1)使用不包含签名证书吊销的CRL或(2)使用已过期或尚未生效的证书的时间。这可能由(1)邮件的发件人或(2)泄露发件人密钥的攻击者完成。
In addition to the security considerations identified in [RFC5280], caution should be taken when processing certificates that have not first been validated to a trust anchor. Certificates could be manufactured by untrusted sources for the purpose of mounting denial-of-service attacks or other attacks. For example, keys selected to require excessive cryptographic processing, or extensive lists of CRL Distribution Point (CDP) and/or Authority Information Access (AIA) addresses in the certificate, could be used to mount denial-of-service attacks. Similarly, attacker-specified CDP and/or AIA addresses could be included in fake certificates to allow the originator to detect receipt of the message even if signature verification fails.
除了[RFC5280]中确定的安全注意事项外,在处理尚未首先验证到信任锚的证书时,还应小心。证书可能由不受信任的来源制造,用于发起拒绝服务攻击或其他攻击。例如,选择需要过度加密处理的密钥,或证书中CRL分发点(CDP)和/或授权信息访问(AIA)地址的广泛列表,可用于发起拒绝服务攻击。类似地,攻击者指定的CDP和/或AIA地址可能包含在假证书中,以允许发端人检测到消息的接收,即使签名验证失败。
RSA keys of less than 2048 bits are now considered by many experts to be cryptographically insecure (due to advances in computing power) and SHOULD no longer be used to sign certificates or CRLs. Such keys were previously considered secure, so processing previously received signed and encrypted mail may require processing certificates or CRLs signed with weak keys. Implementations that wish to support previous versions of S/MIME or process old messages need to consider the security risks that result from accepting certificates and CRLs with smaller key sizes (e.g., spoofed certificates) versus the costs of
许多专家现在认为,小于2048位的RSA密钥在加密方面是不安全的(由于计算能力的提高),不应再用于签署证书或CRL。这些密钥以前被认为是安全的,因此处理以前收到的签名和加密邮件可能需要处理使用弱密钥签名的证书或CRL。希望支持以前版本的S/MIME或处理旧消息的实现需要考虑接受证书和具有较小密钥大小(例如,欺骗证书)的CRLs带来的安全风险,而不是成本。
denial of service. If an implementation supports verification of certificates or CRLs generated with RSA and DSA keys of less than 2048 bits, it MUST warn the user. Implementers should consider providing a stronger warning for weak signatures on certificates and CRLs associated with newly received messages than the one provided for certificates and CRLs associated with previously stored messages. Server implementations (e.g., secure mail list servers) where user warnings are not appropriate SHOULD reject messages with weak cryptography.
拒绝服务。如果实现支持验证使用小于2048位的RSA和DSA密钥生成的证书或CRL,则必须警告用户。实施者应该考虑对与新接收的消息相关联的证书和CRL上的弱签名提供更强的警告,而不是与先前存储的消息相关联的证书和CRL所提供的警告。用户警告不适用的服务器实现(例如,secure mail list服务器)应拒绝加密较弱的邮件。
If an implementation is concerned about compliance with National Institute of Standards and Technology (NIST) key size recommendations, then see [SP800-57].
如果实施涉及符合国家标准与技术研究所(NIST)关键尺寸建议,请参见[SP800-57]。
[ESS] refers to [RFC2634] and [RFC5035].
[ESS]指[RFC2634]和[RFC5035]。
[SMIMEv2] refers to [RFC2311], [RFC2312], [RFC2313], [RFC2314], and [RFC2315].
[SMIMEv2]指[RFC2311]、[RFC2312]、[RFC2313]、[RFC2314]和[RFC2315]。
[SMIMEv3] refers to [RFC2630], [RFC2631], [RFC2632], [RFC2633], [RFC2634], and [RFC5035].
[SMIMEv3]指[RFC2630]、[RFC2631]、[RFC2632]、[RFC2633]、[RFC2634]和[RFC5035]。
[SMIMEv3.1] refers to [RFC2634], [RFC3850], [RFC3851], [RFC3852], and [RFC5035].
[SMIMEv3.1]指的是[RFC2634]、[RFC3850]、[RFC3851]、[RFC3852]和[RFC5035]。
[SMIMEv3.2] refers to [RFC2634], [RFC5035], [RFC5652], [RFC5750], and [RFC5751].
[SMIMEv3.2]指的是[RFC2634]、[RFC5035]、[RFC5652]、[RFC5750]和[RFC5751]。
[SMIMEv4] refers to [RFC2634], [RFC5035], [RFC5652], [RFC8551], and this document.
[SMIMEv4]参考[RFC2634]、[RFC5035]、[RFC5652]、[RFC8551]和本文档。
[FIPS186-2] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS) (also with Change Notice 1)", Federal Information Processing Standards Publication 186-2, January 2000, <https://csrc.nist.gov/publications/detail/fips/186/2/ archive/2000-01-27>.
[FIPS186-2]美国国家标准与技术研究所(NIST),“数字签名标准(DSS)(也包括变更通知1)”,联邦信息处理标准出版物186-2,2000年1月<https://csrc.nist.gov/publications/detail/fips/186/2/ 存档/2000-01-27>。
[FIPS186-3] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", Federal Information Processing Standards Publication 186-3, June 2009, <https://csrc.nist.gov/csrc/media/publications/fips/186/3/ archive/2009-06-25/documents/fips_186-3.pdf>.
[FIPS186-3]国家标准与技术研究所(NIST),“数字签名标准(DSS)”,联邦信息处理标准出版物186-3,2009年6月<https://csrc.nist.gov/csrc/media/publications/fips/186/3/ 归档文件/2009-06-25/documents/fips_186-3.pdf>。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.
[RFC2634] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", RFC 2634, DOI 10.17487/RFC2634, June 1999, <https://www.rfc-editor.org/info/rfc2634>.
[RFC2634]Hoffman,P.,Ed.“S/MIME的增强安全服务”,RFC 2634,DOI 10.17487/RFC2634,1999年6月<https://www.rfc-editor.org/info/rfc2634>.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object Classes and Attribute Types Version 2.0", RFC 2985, DOI 10.17487/RFC2985, November 2000, <https://www.rfc-editor.org/info/rfc2985>.
[RFC2985]Nystrom,M.和B.Kaliski,“PKCS#9:选定对象类和属性类型版本2.0”,RFC 2985,DOI 10.17487/RFC2985,2000年11月<https://www.rfc-editor.org/info/rfc2985>.
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2002, <https://www.rfc-editor.org/info/rfc3279>.
[RFC3279]Bassham,L.,Polk,W.,和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件的算法和标识符”,RFC 3279,DOI 10.17487/RFC3279,2002年4月<https://www.rfc-editor.org/info/rfc3279>.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February 2003, <https://www.rfc-editor.org/info/rfc3447>.
[RFC3447]Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范版本2.1”,RFC 3447,DOI 10.17487/RFC3447,2003年2月<https://www.rfc-editor.org/info/rfc3447>.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, DOI 10.17487/RFC4055, June 2005, <https://www.rfc-editor.org/info/rfc4055>.
[RFC4055]Schaad,J.,Kaliski,B.,和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件中使用的RSA加密的其他算法和标识符”,RFC 4055,DOI 10.17487/RFC4055,2005年6月<https://www.rfc-editor.org/info/rfc4055>.
[RFC4056] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)", RFC 4056, DOI 10.17487/RFC4056, June 2005, <https://www.rfc-editor.org/info/rfc4056>.
[RFC4056]Schaad,J.“在加密消息语法(CMS)中使用RSASSA-PSS签名算法”,RFC 4056,DOI 10.17487/RFC4056,2005年6月<https://www.rfc-editor.org/info/rfc4056>.
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility", RFC 5035, DOI 10.17487/RFC5035, August 2007, <https://www.rfc-editor.org/info/rfc5035>.
[RFC5035]Schaad,J.,“增强安全服务(ESS)更新:添加CertID算法敏捷性”,RFC 5035,DOI 10.17487/RFC5035,2007年8月<https://www.rfc-editor.org/info/rfc5035>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 5280,DOI 10.17487/RFC5280,2008年5月<https://www.rfc-editor.org/info/rfc5280>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <https://www.rfc-editor.org/info/rfc5652>.
[RFC5652]Housley,R.,“加密消息语法(CMS)”,STD 70,RFC 5652,DOI 10.17487/RFC5652,2009年9月<https://www.rfc-editor.org/info/rfc5652>.
[RFC5750] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Certificate Handling", RFC 5750, DOI 10.17487/RFC5750, January 2010, <https://www.rfc-editor.org/info/rfc5750>.
[RFC5750]Ramsdell,B.和S.Turner,“安全/多用途Internet邮件扩展(S/MIME)版本3.2证书处理”,RFC 5750,DOI 10.17487/RFC5750,2010年1月<https://www.rfc-editor.org/info/rfc5750>.
[RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet Attribute Certificate Profile for Authorization", RFC 5755, DOI 10.17487/RFC5755, January 2010, <https://www.rfc-editor.org/info/rfc5755>.
[RFC5755]Farrell,S.,Housley,R.和S.Turner,“授权的互联网属性证书配置文件”,RFC 5755,DOI 10.17487/RFC5755,2010年1月<https://www.rfc-editor.org/info/rfc5755>.
[RFC5758] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T. Polk, "Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA", RFC 5758, DOI 10.17487/RFC5758, January 2010, <https://www.rfc-editor.org/info/rfc5758>.
[RFC5758]Dang,Q.,Santesson,S.,Moriarty,K.,Brown,D.,和T.Polk,“互联网X.509公钥基础设施:DSA和ECDSA的附加算法和标识符”,RFC 5758,DOI 10.17487/RFC5758,2010年1月<https://www.rfc-editor.org/info/rfc5758>.
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 2013, <https://www.rfc-editor.org/info/rfc6979>.
[RFC6979]Pornin,T,“数字签名算法(DSA)和椭圆曲线数字签名算法(ECDSA)的确定性使用”,RFC 6979,DOI 10.17487/RFC6979,2013年8月<https://www.rfc-editor.org/info/rfc6979>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.
[RFC8398] Melnikov, A., Ed. and W. Chuang, Ed., "Internationalized Email Addresses in X.509 Certificates", RFC 8398, DOI 10.17487/RFC8398, May 2018, <https://www.rfc-editor.org/info/rfc8398>.
[RFC8398]Melnikov,A.,Ed.和W.Chuang,Ed.,“X.509证书中的国际化电子邮件地址”,RFC 8398,DOI 10.17487/RFC8398,2018年5月<https://www.rfc-editor.org/info/rfc8398>.
[RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019, <https://www.rfc-editor.org/info/rfc8551>.
[RFC8551]Schaad,J.,Ramsdell,B.,和S.Turner,“安全/多用途互联网邮件扩展(S/MIME)版本4.0消息规范”,RFC 8551,DOI 10.17487/RFC8551,2019年4月<https://www.rfc-editor.org/info/rfc8551>.
[X.680] "Information Technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, ISO/IEC 8824-1:2015, August 2015, <https://www.itu.int/rec/T-REC-X.680>.
[X.680]“信息技术-抽象语法符号一(ASN.1):基本符号规范”,ITU-T建议X.680,ISO/IEC 8824-1:2015,2015年8月<https://www.itu.int/rec/T-REC-X.680>.
[PKCS6] RSA Laboratories, "PKCS #6: Extended-Certificate Syntax Standard", November 1993.
[PKCS6]RSA实验室,“PKCS#6:扩展证书语法标准”,1993年11月。
[RFC2311] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., and L. Repka, "S/MIME Version 2 Message Specification", RFC 2311, DOI 10.17487/RFC2311, March 1998, <https://www.rfc-editor.org/info/rfc2311>.
[RFC2311]Dusse,S.,Hoffman,P.,Ramsdell,B.,Lundblade,L.,和L.Repka,“S/MIME版本2消息规范”,RFC 2311,DOI 10.17487/RFC2311,1998年3月<https://www.rfc-editor.org/info/rfc2311>.
[RFC2312] Dusse, S., Hoffman, P., Ramsdell, B., and J. Weinstein, "S/MIME Version 2 Certificate Handling", RFC 2312, DOI 10.17487/RFC2312, March 1998, <https://www.rfc-editor.org/info/rfc2312>.
[RFC2312]Dusse,S.,Hoffman,P.,Ramsdell,B.,和J.Weinstein,“S/MIME版本2证书处理”,RFC 2312,DOI 10.17487/RFC2312,1998年3月<https://www.rfc-editor.org/info/rfc2312>.
[RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, DOI 10.17487/RFC2313, March 1998, <https://www.rfc-editor.org/info/rfc2313>.
[RFC2313]Kaliski,B.,“PKCS#1:RSA加密版本1.5”,RFC 2313,DOI 10.17487/RFC2313,1998年3月<https://www.rfc-editor.org/info/rfc2313>.
[RFC2314] Kaliski, B., "PKCS #10: Certification Request Syntax Version 1.5", RFC 2314, DOI 10.17487/RFC2314, March 1998, <https://www.rfc-editor.org/info/rfc2314>.
[RFC2314]Kaliski,B.,“PKCS#10:认证请求语法版本1.5”,RFC 2314,DOI 10.17487/RFC2314,1998年3月<https://www.rfc-editor.org/info/rfc2314>.
[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998, <https://www.rfc-editor.org/info/rfc2315>.
[RFC2315]Kaliski,B.,“PKCS#7:加密消息语法版本1.5”,RFC 2315,DOI 10.17487/RFC2315,1998年3月<https://www.rfc-editor.org/info/rfc2315>.
[RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, DOI 10.17487/RFC2630, June 1999, <https://www.rfc-editor.org/info/rfc2630>.
[RFC2630]Housley,R.,“加密消息语法”,RFC 2630,DOI 10.17487/RFC2630,1999年6月<https://www.rfc-editor.org/info/rfc2630>.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999, <https://www.rfc-editor.org/info/rfc2631>.
[RFC2631]Rescorla,E.,“Diffie-Hellman密钥协商方法”,RFC 2631,DOI 10.17487/RFC26311999年6月<https://www.rfc-editor.org/info/rfc2631>.
[RFC2632] Ramsdell, B., Ed., "S/MIME Version 3 Certificate Handling", RFC 2632, DOI 10.17487/RFC2632, June 1999, <https://www.rfc-editor.org/info/rfc2632>.
[RFC2632]Ramsdell,B.,Ed.,“S/MIME版本3证书处理”,RFC 2632,DOI 10.17487/RFC2632,1999年6月<https://www.rfc-editor.org/info/rfc2632>.
[RFC2633] Ramsdell, B., Ed., "S/MIME Version 3 Message Specification", RFC 2633, DOI 10.17487/RFC2633, June 1999, <https://www.rfc-editor.org/info/rfc2633>.
[RFC2633]拉姆斯代尔,B.,编辑,“S/MIME版本3消息规范”,RFC 2633,DOI 10.17487/RFC2633,1999年6月<https://www.rfc-editor.org/info/rfc2633>.
[RFC3114] Nicolls, W., "Implementing Company Classification Policy with the S/MIME Security Label", RFC 3114, DOI 10.17487/RFC3114, May 2002, <https://www.rfc-editor.org/info/rfc3114>.
[RFC3114]Nicols,W.“使用S/MIME安全标签实施公司分类政策”,RFC 3114,DOI 10.17487/RFC3114,2002年5月<https://www.rfc-editor.org/info/rfc3114>.
[RFC3850] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling", RFC 3850, DOI 10.17487/RFC3850, July 2004, <https://www.rfc-editor.org/info/rfc3850>.
[RFC3850]Ramsdell,B.,Ed.“安全/多用途Internet邮件扩展(S/MIME)版本3.1证书处理”,RFC 3850,DOI 10.17487/RFC3850,2004年7月<https://www.rfc-editor.org/info/rfc3850>.
[RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, DOI 10.17487/RFC3851, July 2004, <https://www.rfc-editor.org/info/rfc3851>.
[RFC3851]Ramsdell,B.,Ed.“安全/多用途Internet邮件扩展(S/MIME)版本3.1消息规范”,RFC 3851,DOI 10.17487/RFC3851,2004年7月<https://www.rfc-editor.org/info/rfc3851>.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, DOI 10.17487/RFC3852, July 2004, <https://www.rfc-editor.org/info/rfc3852>.
[RFC3852]Housley,R.,“加密消息语法(CMS)”,RFC 3852,DOI 10.17487/RFC3852,2004年7月<https://www.rfc-editor.org/info/rfc3852>.
[RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, DOI 10.17487/RFC5751, January 2010, <https://www.rfc-editor.org/info/rfc5751>.
[RFC5751]Ramsdell,B.和S.Turner,“安全/多用途Internet邮件扩展(S/MIME)版本3.2消息规范”,RFC 5751,DOI 10.17487/RFC5751,2010年1月<https://www.rfc-editor.org/info/rfc5751>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, <https://www.rfc-editor.org/info/rfc6090>.
[RFC6090]McGrew,D.,Igoe,K.,和M.Salter,“基本椭圆曲线密码算法”,RFC 6090,DOI 10.17487/RFC6090,2011年2月<https://www.rfc-editor.org/info/rfc6090>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC 6151, DOI 10.17487/RFC6151, March 2011, <https://www.rfc-editor.org/info/rfc6151>.
[RFC6151]Turner,S.和L.Chen,“MD5消息摘要和HMAC-MD5算法的更新安全注意事项”,RFC 6151,DOI 10.17487/RFC6151,2011年3月<https://www.rfc-editor.org/info/rfc6151>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, <https://www.rfc-editor.org/info/rfc6194>.
[RFC6194]Polk,T.,Chen,L.,Turner,S.,和P.Hoffman,“SHA-0和SHA-1消息摘要算法的安全考虑”,RFC 6194,DOI 10.17487/RFC6194,2011年3月<https://www.rfc-editor.org/info/rfc6194>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>.
[RFC8032]Josefsson,S.和I.Liusvaara,“爱德华兹曲线数字签名算法(EdDSA)”,RFC 8032,DOI 10.17487/RFC8032,2017年1月<https://www.rfc-editor.org/info/rfc8032>.
[RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to Associate Certificates with Domain Names for S/MIME", RFC 8162, DOI 10.17487/RFC8162, May 2017, <https://www.rfc-editor.org/info/rfc8162>.
[RFC8162]Hoffman,P.和J.Schlyter,“使用安全DNS将证书与S/MIME域名关联”,RFC 8162,DOI 10.17487/RFC8162,2017年5月<https://www.rfc-editor.org/info/rfc8162>.
[RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure", RFC 8410, DOI 10.17487/RFC8410, August 2018, <https://www.rfc-editor.org/info/rfc8410>.
[RFC8410]Josefsson,S.和J.Schaad,“用于互联网X.509公钥基础设施的Ed25519、Ed448、X25519和X448的算法标识符”,RFC 8410,DOI 10.17487/RFC8410,2018年8月<https://www.rfc-editor.org/info/rfc8410>.
[SP800-57] National Institute of Standards and Technology (NIST), "Recommendation for Key Management - Part 1: General", NIST Special Publication 800-57 Revision 4, DOI 10.6028/NIST.SP.800-57pt1r4, January 2016, <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-57pt1r4.pdf>.
[SP800-57]国家标准与技术研究所(NIST),“关键管理建议-第1部分:概述”,NIST特别出版物800-57第4版,DOI 10.6028/NIST.SP.800-57pt1r4,2016年1月<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-57pt1r4.pdf>。
[X.500] "Information technology - Open Systems Interconnection - The Directory - Part 1: Overview of concepts, models and services", ITU-T Recommendation X.500, ISO/IEC 9594-1:2017.
[X.500]“信息技术-开放系统互连-目录-第1部分:概念、模型和服务概述”,ITU-T建议X.500,ISO/IEC 9594-1:2017。
There are a number of problems with validating certificates on sufficiently historic messages. For this reason, it is strongly suggested that user agents treat these certificates differently from those on current messages. These problems include the following:
在验证具有足够历史记录的消息上的证书时存在许多问题。因此,强烈建议用户代理将这些证书与当前消息上的证书区别对待。这些问题包括:
- CAs are not required to keep certificates on a CRL beyond one update after a certificate has expired. This means that unless CRLs are cached as part of the message it is not always possible to check to see if a certificate has been revoked. The same problems exist with Online Certificate Status Protocol (OCSP) responses, as they may be based on a CRL rather than on the certificate database.
- 证书过期后,CA无需在CRL上保存超过一次更新的证书。这意味着,除非CRL作为消息的一部分被缓存,否则并不总是能够检查证书是否已被吊销。在线证书状态协议(OCSP)响应也存在同样的问题,因为它们可能基于CRL而不是证书数据库。
- RSA and DSA keys of less than 2048 bits are now considered by many experts to be cryptographically insecure (due to advances in computing power). Such keys were previously considered secure, so the processing of historic certificates will often result in the use of weak keys. Implementations that wish to support previous versions of S/MIME or process old messages need to consider the security risks that result from smaller key sizes (e.g., spoofed messages) versus the costs of denial of service.
- RSA和DSA密钥少于2048位,现在许多专家认为它是加密不安全的(由于计算能力的进步)。此类密钥以前被认为是安全的,因此处理历史证书通常会导致使用弱密钥。希望支持以前版本的S/MIME或处理旧消息的实现需要考虑由较小的密钥大小(例如,欺骗消息)导致的安全风险与拒绝服务的代价。
[SMIMEv3.2] set the lower limit on suggested key sizes for creating and validation at 1024 bits. [SMIMEv3.1] set the lower limit at 768 bits. Prior to that, the lower bound on key sizes was 512 bits.
[SMIMEv3.2]将创建和验证的建议密钥大小的下限设置为1024位。[SMIMEv3.1]将下限设置为768位。在此之前,密钥大小的下限是512位。
- Hash functions used to validate signatures on historic messages may no longer be considered to be secure (see below). While there are not currently any known practical pre-image or second pre-image attacks against MD5 or SHA-1, the fact that they are no longer considered to be collision resistant implies that the security level of any signature that is created with these hash algorithms should also be considered as suspect.
- 用于验证历史消息签名的哈希函数可能不再被认为是安全的(见下文)。虽然目前还没有针对MD5或SHA-1的任何已知实际预映像或第二预映像攻击,但它们不再被视为抗冲突的事实意味着,使用这些哈希算法创建的任何签名的安全级别也应被视为可疑。
The following algorithms have been called out for some level of support by previous S/MIME specifications:
以前的S/MIME规范要求以下算法提供一定程度的支持:
- RSA with MD5 was dropped in [SMIMEv4]. MD5 is no longer considered to be secure, as it is no longer collision resistant. Details can be found in [RFC6151].
- [SMIMEv4]中删除了带有MD5的RSA。MD5不再被认为是安全的,因为它不再抗碰撞。有关详细信息,请参见[RFC6151]。
- RSA and DSA with SHA-1 were dropped in [SMIMEv4]. SHA-1 is no longer considered to be secure, as it is no longer collision resistant. The IETF statement on SHA-1 can be found in [RFC6194], but it is out of date relative to the most recent advances.
- [SMIMEv4]中删除了带有SHA-1的RSA和DSA。SHA-1不再被认为是安全的,因为它不再抗碰撞。关于SHA-1的IETF声明可在[RFC6194]中找到,但与最新进展相比已过时。
- DSA with SHA-256 support was dropped in [SMIMEv4]. DSA was dropped as part of a general movement from finite fields to elliptic curves. Issues related to dealing with non-deterministic generation of the parameter 'k' have come up (see [RFC6979]).
- [SMIMEv4]中删除了支持SHA-256的DSA。DSA作为从有限域到椭圆曲线的一般运动的一部分被丢弃。出现了与参数“k”的非确定性生成相关的问题(参见[RFC6979])。
For 512-bit RSA with SHA-1, see [RFC3279] and [FIPS186-2] without Change Notice 1; for 512-bit RSA with SHA-256, see [RFC4055] and [FIPS186-2] without Change Notice 1. The first reference provides the signature algorithm's OID, and the second provides the signature algorithm's definition.
对于带SHA-1的512位RSA,请参见[RFC3279]和[FIPS186-2],无更改通知1;对于带有SHA-256的512位RSA,请参见[RFC4055]和[FIPS186-2],无需更改通知1。第一个参考提供了签名算法的OID,第二个参考提供了签名算法的定义。
For 512-bit DSA with SHA-1, see [RFC3279] and [FIPS186-2] without Change Notice 1; for 512-bit DSA with SHA-256, see [RFC5758] and [FIPS186-2] without Change Notice 1; for 1024-bit DSA with SHA-1, see [RFC3279] and [FIPS186-2] with Change Notice 1; and for 1024-bit through 3072-bit DSA with SHA-256, see [RFC5758] and [FIPS186-3]. The first reference provides the signature algorithm's OID, and the second provides the signature algorithm's definition.
对于带有SHA-1的512位DSA,请参见[RFC3279]和[FIPS186-2],无更改通知1;对于带有SHA-256的512位DSA,请参见[RFC5758]和[FIPS186-2],无更改通知1;对于带有SHA-1的1024位DSA,请参见[RFC3279]和[FIPS186-2]以及更改通知1;对于带有SHA-256的1024位到3072位DSA,请参见[RFC5758]和[FIPS186-3]。第一个参考提供了签名算法的OID,第二个参考提供了签名算法的定义。
Appendix B. Moving S/MIME v2 Certificate Handling to Historic Status
附录B.将S/MIME v2证书处理移动到历史状态
The S/MIME v3 [SMIMEv3], v3.1 [SMIMEv3.1], v3.2 [SMIMEv3.2], and v4.0 (this document) specifications are backward compatible with the S/MIME v2 Certificate Handling Specification [SMIMEv2], with the exception of the algorithms (dropped RC2/40 requirement, and added DSA and RSASSA-PSS requirements). Therefore, RFC 2312 [SMIMEv2] was moved to Historic status.
S/MIME v3[SMIMEv3]、v3.1[SMIMEv3.1]、v3.2[SMIMEv3.2]和v4.0(本文档)规范与S/MIME v2证书处理规范[SMIMEv2]向后兼容,但算法除外(删除了RC2/40要求,并添加了DSA和RSASSA-PSS要求)。因此,RFC 2312[SMIMEv2]被移至历史状态。
Acknowledgements
致谢
Many thanks go out to the other authors of the S/MIME v2 Certificate Handling RFC: Steve Dusse, Paul Hoffman, and Jeff Weinstein. Without v2, there wouldn't be a v3, v3.1, v3.2, or v4.0.
非常感谢S/MIME v2证书处理RFC的其他作者:Steve Dusse、Paul Hoffman和Jeff Weinstein。没有v2,就不会有v3、v3.1、v3.2或v4.0。
A number of the members of the S/MIME Working Group have also worked very hard and contributed to this document. Any list of people is doomed to omission, and for that I apologize. In alphabetical order, the following people stand out in my mind because they made direct contributions to this document.
S/MIME工作组的一些成员也非常努力地工作,为本文件作出了贡献。任何人的名单都注定会被遗漏,对此我深表歉意。按字母顺序排列,以下人员在我心目中脱颖而出,因为他们对本文件作出了直接贡献。
Bill Flanigan, Trevor Freeman, Elliott Ginsburg, Alfred Hoenes, Paul Hoffman, Russ Housley, David P. Kemp, Michael Myers, John Pawling, and Denis Pinkas.
比尔·弗拉尼根、特雷弗·弗里曼、艾略特·金斯堡、阿尔弗雷德·霍恩斯、保罗·霍夫曼、罗斯·霍斯利、大卫·P·肯普、迈克尔·迈尔斯、约翰·帕林和丹尼斯·平卡斯。
The version 4 update to the S/MIME documents was done under the auspices of the LAMPS Working Group.
S/MIME文件的第4版更新是在LAMPS工作组的主持下完成的。
Authors' Addresses
作者地址
Jim Schaad August Cellars
吉姆·沙德八月酒窖
Email: ietf@augustcellars.com
Email: ietf@augustcellars.com
Blake Ramsdell Brute Squad Labs, Inc.
布莱克·拉姆斯代尔野蛮小队实验室有限公司。
Email: blaker@gmail.com
Email: blaker@gmail.com
Sean Turner sn3rd
肖恩·特纳
Email: sean@sn3rd.com
Email: sean@sn3rd.com