Network Working Group Steve Crocker Internet Draft Ned Freed Jim Galvin Sandy Murphy Marshall Rose MIME-PEM Interaction Oct 15, 1993 1. Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as a "work in progress". 2. Abstract This memo defines a framework for interaction between MIME and PEM services. MIME, an acronym for "Multipurpose Internet Mail Extensions", defines the format of the contents of Internet mail messages and provides for multi-part textual and non-textual message bodies. PEM, an acronym for "Privacy Enhanced Mail", provides message encryption and message authentication/integrity services for Internet mail messages. draft MIME-PEM Interaction Oct 1993 3. Introduction An Internet electronic mail message consists of two parts: the headers and the body. The headers form a collection of field/value pairs structured according to RFC 822 [1], whilst the body, if structured, is defined according to MIME [2]. MIME does not provide encryption or authentication/integrity services. PEM [3-6] allows encryption and authentication/integrity enhancements to be applied to the contents of electronic mail messages but does not provide message structuring or type labelling facilities. This memo defines a framework whereby the services provided by MIME and PEM are used in a complementary fashion. The resulting combined service provides encryption and authentication/integrity services for single-part and multi- part textual and non-textual messages. We refer to the authentication/integrity service as a signature. The services of encryption and signature are separated. This differs from the service provided by [3], in that the encryption privacy enhancement in [3] also computes a signature of the message. To take full advantage of the functionality provided by MIME, canonicalization and transfer encoding operations are removed from the privacy enhancement and left to the MIME agent. The content domain header, defined in [3], is not included, as its functionality is subsumed by MIME. Transmission of certificate and certificate revocation lists is separated from the privacy enhancement. The message types no longer need be mentioned in the headers, as the information they impart is contained in the content types. The requests and responses of [6] are provided for in new content types. This represents a departure in mechanism, although not in effect, from the procedures identified in [3]. Expires Apr, 1994 [Page 2] draft MIME-PEM Interaction Oct 1993 MIME-PEM interaction is provided for by defining six new MIME content types: application/pem-keys, application/pem- signature, application/pem-encrypted, application/quoted-mime- entity, application/pem-request and application/certdata. The MIME-PEM interaction also uses another new MIME type, multipart/headerset, proposed by David Crocker. The relationship between MIME and PEM is described in terms of two functions, message composition and message delivery. The new content types have two different purposes. The first four types (application/pem-keys, application/pem-signature, application/pem-encrypted and application/quoted-mime-entity) are used to transmit and receive privacy enhanced messages and are always encapsulated in a multipart/headerset body part. The last two types (application/pem-request and application/ certdata) are used to transmit requests for certificate operations (retrieval, certification, revocation lists retrieval, etc.) and the responses to those requests. These two content types are independent body parts, not required to be encapsulated in any other body part. The two groups of content types are discussed in the two sections following. 4. Definition of new enhancement Content Types 4.1. Multipart/headerset Content Type Definition (1) MIME type name: multipart (2) MIME subtype name: headerset (3) Required parameters: boundary (4) Optional parameters: none (5) Encoding considerations: Either 7bit, 8bit, or binary encoding may be used, depending on the nested part encodings and transport limitations. (6) Security Considerations: see [3] Expires Apr, 1994 [Page 3] draft MIME-PEM Interaction Oct 1993 The headerset subtype of multipart always contains at least two body parts, where the first body part gives instructions in some way for the processing of all the body parts. In this use of the headerset subtype, there are always two body parts. The first part describes the privacy enhancement which was applied to the second body part. The first part's content type is application/pem-signature or application/pem-keys. The second body part contains a body part which contains the privacy-enhanced content. The second part's content type is either application/pem-encrypted, if the requested privacy enhancement is encryption, or application/quoted-mime-entity, if the requested privacy enhancement is signature. The syntax and semantics of the boundary parameter is defined in [2]. 4.2. Application/pem-keys Content Type Definition (1) MIME type name: application (2) MIME subtype name: pem-keys (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: 7bit is always sufficient. (6) Security Considerations: see [3] The canonical form of this content type corresponds to the following production for , which differs from the in [3] in that neither the nor the fields conveying certificates or related exclusively to signature are a part of the production. (The certificate fields appear in the application/certdata content type, see Section 5.2). The field is also eliminated. The field is replaced by the field, as the message types included in are imparted by the content type name of the body part. The productions , , Expires Apr, 1994 [Page 4] draft MIME-PEM Interaction Oct 1993 , and are as defined in section 9 of [3]. ::= (1*( *)) ; symmetric case /((1*) *()) ; asymmetric case ::= "Version" ":" "5" CRLF ::= [] ;asymmetric / [] ;symmetric This content type must be used as the first part of a multipart/headerset content type. It may not be used in any other context. 4.3. Application/pem-signature Content Type Definition (1) MIME type name: application (2) MIME subtype name: pem-signature (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: 7bit is always sufficient. (6) Security Considerations: see [3] The canonical form of this content type corresponds to the following production for , which differs from the in [3] in that neither the nor the fields conveying certificates or related exclusively to encryption are a part of the production. (The certificate fields appear in the application/certdata content type, see Section 5.2). The field is also eliminated. The field is replaced by the field, as the message types included in are imparted by the content type name of the body part. The productions , , Expires Apr, 1994 [Page 5] draft MIME-PEM Interaction Oct 1993 , and are as defined in section 9 of [3]. ::= (1*( *)) ; symmetric case /((1*) *()) ; asymmetric case ::= "Version" ":" "5" CRLF ::= [] ;asymmetric / [] ;symmetric This content type must be used as the first part of a multipart/headerset content type. It may not be used in any other context. 4.4. Application/pem-encrypted Content Type Definition (1) MIME type name: application (2) MIME subtype name: pem-encrypted (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: The encryption will produce binary data and may need to be encoded for transport. Any transport-compatible encoding capable of accommodating binary data may be used. A base64 encoding will be sufficient for all transport systems. (6) Security Considerations: see [3] The content of the application/pem-encrypted is an encrypted valid MIME object. Because it is encrypted, the canonical form of this content type is any arbitrary data. This content type must be used as the second part of a multipart/headerset content type. It may not be used in any Expires Jan, 1994 [Page 6] draft MIME-PEM Interaction Jul 1993 other context. 4.5. Application/quoted-mime-entity Content Type Definition (1) MIME type name: application (2) MIME subtype name: quoted-mime-entity (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: If the quoted mime body part has a quoted printable, 7bit, or base64 transfer encoding indicated, the transfer encoding of this body part should be 7bit to avoid nested encodings. Otherwise, any transport-compatible encoding capable of accommodating the content type of the quoted mime body part may be used. (6) Security Considerations: see [3] The application/quoted-mime-entity content is constrained to be a valid MIME object. The content of that body part must be in the canonical form for its content type. This content type must be used as the second part of a multipart/headerset content type. It may be used in any other context, as well. The application/quoted-mime-entity content type may on first inspection appear to be superfluous since the content it contains is itself constrained to be a valid MIME object. However, the use of application/quoted-mime-entity serves a vital function: it protects the inner MIME object from any changes that might be performed by messaging gateways. Such changes frequently disrupt header and boundary information, which in turn would lead to integrity check failures. Expires Apr, 1994 [Page 7] draft MIME-PEM Interaction Oct 1993 The use of application/quoted-mime-entity ensures that if a gateway is compelled to make encoding changes it will do so on the application/quoted-mime-entity object as a whole. Such encoding changes, if done properly, will leave the application/quoted-mime-entity content entirely intact. The application/quoted-mime-entity type may be generally useful outside PEM, as well. We intend for this to be a type that could be used anywhere in a MIME object and not restricted to PEM. 5. Definition of new certificate Content Types 5.1. Application/pem-request Content Type Definition (1) MIME type name: application (2) MIME subtype name: pem-request (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: 7bit is always sufficient. (6) Security Considerations: see [3] The canonical form of this content type corresponds to the following production. ::= ::= "Version" ":" "5" CRLF ( / / ) ::= "Subject" ":" CRLF ::= "Issuer" ":" CRLF ::= "Certification" ":" CRLF The purpose of this body part is to transmit a request. The request can be "Certification", which requests certification of a self-signed certificate, or "Subject", which requests the Expires Apr, 1994 [Page 8] draft MIME-PEM Interaction Oct 1993 certificate chain corresponding to a subject identified by a distinguished name, or "Issuer", which requests the revocation list chain issued by an issuer identified by a distinguished name. The "Subject" and "Issuer" fields each contain a value of type Name, encoded according to the Basic Encoding Rules, then in ASCII, as for the "Originator-ID-Asymmetric" field of [3]. In each case, the response can be transmitted in an application/certdata content type. This type is intended to provide for the requests described in [6]. The key certification request and CRL-retrieval request are provided for directly. The CRL-storage request is provided for by transmitting the CRL's to be stored in an application/certdata content type. 5.2. Application/certdata Content Type Definition (1) MIME type name: application (2) MIME subtype name: certdata (3) Required parameters: none (4) Optional parameters: none (5) Encoding considerations: 7bit is always sufficient. (6) Security Considerations: see [3] The canonical form of this content type corresponds to the following production built on top of the definitions in section 9 of [3]. ::= / ::= ( *([])) ::= 1*([ ::= "Certificate" ":" CRLF ::= "Version" ":" "5" CRLF Expires Apr, 1994 [Page 9] draft MIME-PEM Interaction Oct 1993 This content type is used to transfer certificate or certificate revocation list information. This information is entirely independent of any particular enhanced message. (Note that the converse is not true: the validity of an enhanced message cannot be determined without the proper certificates or current CRL information.) As such, the application/pem- certdata content type is an independent body part. It is not used in a multipart/headerset context containing PEM enhanced messages. The production contains one certificate chain. Each certificate chain starts with a certificate and continues with the certificates of subsequent issuers. Each issuer listed is presumed to have issued the preceding certificate. For each issuer, a CRL may be supplied. A CRL in the chain belongs to the immediately following issuer. Therefore, it potentially contains the immediately preceding certificate. The production contains one certificate revocation list chain. The CRLs in the chain begin with a requested CRL and continue with the CRLs of subsequent issuers. The issuer of each CRL is presumed to have issued a certificate for the issuer of the preceding CRL. For each CRL, the issuer's certificate may be supplied. A certificate in the chain must belong to the issuer of the immediately preceding CRL. The relationship between a certificate and an immediately preceding CRL is the same in both cases. In a the crl's are optional. In a , the certificates are optional. 6. Message Composition When a user composes a message, it is the responsibility of the user agent to construct a valid MIME message. In particular, Content-Type: and Content-Transfer-Encoding: headers should be used wherever they are appropriate. This allows the receiving user agent to unambiguously interpret the Expires Apr, 1994 [Page 10] draft MIME-PEM Interaction Oct 1993 message body and process it accordingly. Each block of content headers associated with either an RFC822 or with a MIME represents a logical place where privacy enhancement can be requested. A privacy enhancement request associated with a particular or content is taken to apply to the entire content; it is not possible to privacy-enhance only a portion of a body part. The mechanism used to communicate privacy enhancement requests to the pre-submission processor described below is strictly a local implementation issue. However, the interface between the message composer and pre-submission processing MUST be trustworthy, since the message composer relies on pre- submission processing to either perform the requested privacy enhancement operation or return an error. Regardless of the mechanism chosen, great care should be taken to safeguard against both the release of information that has not received the requested type of privacy enhancement as well as tampering with the enhancement request itself. 6.1. Pre-Submission Algorithm The user agent first composes a MIME-compliant message and then applies this algorithm: (1) If the content at this (initially top) level has NOT been selected for privacy enhancement, the user agent sees if the content is either multipart or message. If so, it then recursively applies this algorithm to the encapsulated body parts; if not, it terminates processing for this content. (2) If the content at this level has been selected for privacy enhancement, then the content, including its headers, constitutes the object that receives privacy enhancement. The headers at a minimum will include a Content-Type header, either explicit or implicit. The object will eventually be replaced with the multipart/ Expires Apr, 1994 [Page 11] draft MIME-PEM Interaction Oct 1993 headerset content that is produced by the privacy enhancement operation. (3) The content of the object must be transformed from local form to its MIME binary canonical form. Also, if the requested privacy enhancement is signature, and if Content-Transfer-Encoding: headers were present in the headers of the object, the content encoding is reversed, leaving only 7BIT, 8BIT, and BINARY as possible encodings for all body parts. This is done so that any artifacts introduced by encoding are removed and consistent integrity checks will be generated. (4) Once an object in binary canonical form has been produced the selected privacy enhancement is performed. The privacy enhancement produces two data streams: the privacy enhanced object and a control stream comprised of a set of headers as defined in the or productions. (5) A new body part is then constructed, of content type multipart/headerset. The body part contains two body parts, whose content depends on the privacy enhancement requested. (a) If the requested privacy enhancement is encryption, then the first body part within the multipart/ headerset is labelled with a content type of application/pem-keys and contains the control stream produced by the privacy enhancement. The second body part within the multipart/headerset is labelled with a content type application/pem- encrypted, and contains the privacy enhanced object produced by the privacy enhancement. An appropriate transfer encoding is also applied to the content and a corresponding Content-Transfer-Encoding: header is added to the application/pem-encrypted body part. Base64 encoding is recommended in the case of encryption privacy enhancement in order to be backwards-compatible with the original PEM conventions. (b) If the requested privacy enhancement is signature, then the first body part within the multipart/ headerset is labelled with a content type of Expires Apr, 1994 [Page 12] draft MIME-PEM Interaction Oct 1993 application/pem-signature and contains the control stream produced by the privacy enhancement. The second body part within the multipart/headerset is labelled with a content type application/quoted- mime-entity, and contains the privacy enhanced object produced by the privacy enhancement. An appropriate transfer encoding is also applied to the content and a corresponding Content-Transfer-Encoding: header is added to the application/quoted-mime-entity bodypart. This multipart/headerset content replaces the original object. 7. Post-Delivery Algorithm When a user receives a message containing a multipart/ headerset content, the user agent may transform the content back into its original form prior to privacy-enhancement. This operation, the post-delivery algorithm, is performed by reversing the steps performed during the pre-submission algorithm. When the original content is reconstituted into its MIME binary canonical form, it may use octet values outside of the US-ASCII repertoire and may contain body parts without line breaks. If the user agent replaces the multipart/headerset content with the original content, then it must select appropriate Content-Transfer-Encodings for each body part and add corresponding Content-Transfer-Encoding: headers. Upon successful completion of the post-delivery algorithm for each content, the type of privacy enhancement that was in effect for that content must be communicated to the user. The mechanism used to do this is a local implementation issue. As with requests for privacy enhancement to the pre-submission algorithm, the path between post-delivery processing and actual display of the message must be a trusted one, lest a message be presented that purports to have undergone some form of privacy enhancement it did not in fact receive. 8. Examples For example, suppose the following body part was selected for Expires Apr, 1994 [Page 13] draft MIME-PEM Interaction Oct 1993 privacy enhancement: Content-Type: message/rfc822 To: ned@innosoft.com Subject: example #1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Hi Ned. See how much nicer this works! After applying pre-submission algorithm with a request that signature privacy enhancement be applied to the body part, the body part submitted for delivery would appear as: Content-Type: multipart/headerset; boundary="Privacy Boundary" --Privacy Boundary Content-Type: application/pem-signature Version: 5 Originator-ID-Asymmetric: ...,09 MIC-Info: RSA-MD5,RSA,... --Privacy Boundary Content-Type: application/quoted-mime-entity Content-Type: message/rfc822 To: ned@innosoft.com Subject: example #1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Hi Ned. See how much nicer this works! --Privacy Boundary-- After applying the post-delivery algorithm, the resulting body part would once again appear as: Expires Apr, 1994 [Page 14] draft MIME-PEM Interaction Oct 1993 Content-Type: message/rfc822 To: ned@innosoft.com Subject: example #1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Hi Ned. See how much nicer this works! The body part need not be ascii text. For example, the following audio body part could be privacy enhanced: Content-Type: audio Content-Transfer-Encoding: base64 JFJFGJGJJjfjgjgjghjJFGJGJKSKFJFG739475fgfhelkJHDJJGH GJKjfdjjJHUjfjd27485jjJDGHj3j4jjHDJjfh5566kfjhJFDHDD kwpritufnLKDJWYRIk6n47382oJDHFK4ie3y49JCBCMBVUei3hj producing the following body part: Content-Type: multipart/headerset; boundary="Privacy Boundary" --Privacy Boundary Content-Type: application/pem-signature Version: 5 Originator-ID-Asymmetric: ...,09 MIC-Info: RSA-MD5,RSA,... --Privacy Boundary Content-Type: application/quoted-mime-entity Content-Transfer-Encoding: 7bit Content-Type: audio Content-Transfer-Encoding: base64 JFJFGJGJJjfjgjgjghjJFGJGJKSKFJFG739475fgfhelkJHDJJGH GJKjfdjjJHUjfjd27485jjJDGHj3j4jjHDJjfh5566kfjhJFDHDD kwpritufnLKDJWYRIk6n47382oJDHFK4ie3y49JCBCMBVUei3hj Expires Apr, 1994 [Page 15] draft MIME-PEM Interaction Jul 1993 --Privacy Boundary-- The following privacy-enhanced message illustrates how an enhanced body part can itself receive enhancement. Date: Mon, 29 Mar 93 13:57:08 -0500 From: Greg Vaudreuil To: Marshall Rose Subject: Forwarded integrity Message MIME-Version: 1.0 Content-Type: multipart/headerset; boundary="Privacy Boundary" --Privacy Boundary Content-Type: application/pem-signature Version: 5 Originator-ID-Asymmetric: ...,09 MIC-Info: RSA-MD5,RSA,... --Privacy Boundary Content-Type: application/quoted-mime-entity Content-Type: multipart/mixed; boundary="Middle Boundary" --Middle boundary Content-Type: text/plain; charset=us-ascii The enclosed message was integrity enhanced. Greg V. --Middle Boundary Content-Type: multipart/headerset; boundary="Forwarded Message" --Forwarded Message Content-Type: application/pem-signature Version: 5 Originator-ID-Asymmetric: ...,09 Expires Apr, 1994 [Page 16] draft MIME-PEM Interaction Jul 1993 MIC-Info: RSA-MD5,RSA,... --Forwarded Message Content-Type: application/quoted-mime-entity Content-Type: message/RFC822 Date: Mon, 29 Mar 93 13:53:02 -0500 From: Ned Freed To: Greg Vaudreuil Subject: Minimal PEM Message This is a signed message using MIME-PEM. Greg V. --Forwarded Message-- --Middle Boundary-- --Privacy Boundary-- The following privacy-enhanced body part illustrates the use of encryption and the application/pem-encrypted content type. Content-Type: multipart/headerset; boundary="PEM Boundary" --PEM Boundary Content-Type: application/pem-keys Version: 5 DEK-Info: DES-CBC,4C776432D61A9829 Originator-ID-Asymmetric: ...,09 Key-Info: RSA,... --PEM Boundary Content-Type: application/pem-encrypted Content-Transfer-Encoding: base64 8R/EVhZy7OU= --PEM Boundary-- Expires Apr, 1994 [Page 17] draft MIME-PEM Interaction Jul 1993 If it was desired to produce a signed and encrypted body part, the signature would be done first, producing: Content-Type: multipart/headerset; boundary="Sign Boundary" --Sign Boundary Content-Type: application/pem-signature Version: 5 Originator-ID-Asymmetric: ...,09 MIC-Info: RSA-MD5,RSA,... --Sign Boundary Content-Type: application/quoted-mime-entity Content-Type: message/RFC822 To: Ned Freed Subject: Strongly Protected Message This will be signed and encrypted. Let the bad guys do their worst! Jim --Sign Boundary-- and then it would be encrypted, producing: Content-Type: multipart/headerset; boundary="Enc Boundary" --Enc Boundary Content-Type: application/pem-keys Version: 5 DEK-Info: DES-CBC,4C776432D61A9829 Originator-ID-Asymmetric: ...,09 Key-Info: RSA,... --Enc Boundary Expires Apr, 1994 [Page 18] draft MIME-PEM Interaction Jul 1993 Content-Type: application/pem-encrypted Content-Transfer-Encoding: base64 9S/FWjAz8P=V --Enc Boundary-- where the encrypted contents, 9S/FWjAz8P=V, are the encryption of the first multipart/headerset. 9. Observations The use of the pre-submission and post-delivery algorithms to combine PEM and MIME capabilities exhibit several properties: (1) It allows privacy-enhancement of an arbitrary content, not just an entire RFC 822 message. (2) For a multipart or message content, it allows the user to decide whether the structure of the content should receive what sort of privacy-enhancement. (3) It provides for messages containing several privacy enhanced contents, thereby removing the requirement for PEM software to be able to generate or interpret a single content which intermixes both unenhanced and enhanced components. The use of a MIME-capable user agent makes complex nesting of enhanced message body parts much easier. For example, the user can separately sign and encrypt a message. This motivates a complete separation of the confidentiality security service from the authentication/message integrity security service. That is, different keys could be used for the different services and protected separately. In the asymmetric case, this means an employee's company could be given access to the (private) decryption key, granting the company the ability to decrypt messages addressed to the employee in emergencies, without also granting the company the ability to sign messages as the employee. Expires Apr, 1994 [Page 19] draft MIME-PEM Interaction Jul 1993 The use of two private keys requires the ability to maintain multiple certificates for each user. 10. Acknowledgements David H. Crocker suggested the use of a multipart structure for MIME-PEM interaction. 11. References [1] D.H. Crocker, Standard for the Format of ARPA Internet Text Messages, RFC 822, August, 1982. [2] N. Borenstein, N. Freed, Multipurpose Internet Mail Extensions, RFC 1341, June 1992. [3] J. Linn, Privacy Enhancement for Internet Electronic Mail -- Part I: Message Encryption and Authentication Procedures, RFC 1421, DEC, February 1993. [4] S. Kent, Privacy Enhancement for Internet Electronic Mail -- Part II: Certificate-Based Key Management, RFC 1422, BBN, February 1993. [5] D. Balenson, Privacy Enhancement for Internet Electronic Mail -- Part III: Algorithms, Modes, and Identifiers, RFC 1423, TIS, February 1993. [6] B. Kaliski, Privacy Enhancement for Internet Electronic Mail -- Part IV: Key Certification and Related Services, RFC 1424, RSA Laboratories, February 1993. [7] R. Braden, Editor, Requirements for Internet Hosts -- Application and Support, RFC 1123, October 1989. 12. Author Addresses Steve Crocker Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 email: crocker@tis.com Expires Apr, 1994 [Page 20] draft MIME-PEM Interaction Jul 1993 Ned Freed Innosoft International, Inc. 250 West First Street, Suite 240 Claremont, CA 91711 USA Tel: +1 909 624 7907 Fax: +1 909 621 5319 email: ned@innosoft.com Jim Galvin Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 email: galvin@tis.com Sandra Murphy Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 email: murphy@tis.com Marshall T. Rose Dover Beach Consulting, Inc. 420 Whisman Court Mountain View, CA 94043-2186 Tel: +1 415 968 1052 Fax: +1 415 968 2510 email: mrose@dbc.mtview.ca.us Expires Apr, 1994 [Page 21]