S/MIME Working Group                                         R. Housley
Internet Draft                                         RSA Laboratories
expires in six months                                       August 2001


Intended Recipients Attribute for the Cryptographic Message Syntax (CMS)

                     <draft-ietf-smime-ira-00.txt>


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/1id-abstracts.html

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).


Abstract

   This document describes the intended recipients attribute for use
   with the Cryptographic Message Syntax (CMS) [CMS].  The intended
   recipients attribute can be used as a signed attribute or as an
   authenticated attribute.

   This draft is being discussed on the "ietf-smime" mailing list.  To
   join the list, send a message to <ietf-smime-request@imc.org> with
   the single word "subscribe" in the body of the message.  Also, there
   is a Web site for the mailing list at <http://www.imc.org/ietf-
   smime/>.

1  Introduction

   Don Davis has demonstrated that recipients of signed and encrypted
   messages can decrypt the message, preserving the original signature,
   then resend the message to a new recipient [MALFWD].  The new



Housley                                                         [Page 1]


INTERNET DRAFT                                               August 2001


   recipient may act inappropriately based on the fact that they
   received a message signed by the originator.

   Consider this illustrative example:

      Bob wants to have dinner with Alice.  He writes a note, "Meet me
      at the Iron Gate at 7:00 tonight", signs it, encrypts it for
      Alice, and sends it to Alice.

      Alice the decrypts the message, validates the signature, and reads
      the message.  She does not want to have dinner with Bob tonight,
      so for fun Alice encrypts the signed message for Carol, and sends
      it to Carol.

      Carol the decrypts the message, validates the signature, and reads
      the message.

      Carol and Bob meet for dinner.

   The problem is that Bob did not state the intended recipient in his
   message.  Simply saying, "Alice, please meet me at the Iron Gate at
   7:00 tonight," would have fixed the problem.

   In many situations, the signed message will provide adequate
   indication of the intended recipients to avoid malicious forwarding
   of signed content.  For example, a Purchase Order includes
   information about the supplier and the purchaser.

   The intended recipients attribute is being defined to protect against
   malicious forwarding when the message content does not inherently
   provide a clear indication of the intended recipients.  Further, the
   intended recipients attribute can protect an originator of an
   interpersonal message in face of name collisions and typographical
   error.  Suppose that Alice begins her message with "Dear Bill."  Such
   a message is susceptible to forwarding to other recipients named
   Bill.  Further, if Alice made an simple typographic error and
   intended to begin here message with "Dear Will," then Will (the
   intended recipient) is unsure if Alice meant to send him the message,
   and the message is easily forwarded to a person named Bill.

   The problem of intent that as expressed in [MALFWD] is beyond the
   control of S/MIME protocol or its implementers.  The use of the
   digital signatures and encryption is correctly in the hands of the
   user.  However, the intended recipients attribute offers a mechanism
   to reduce the likelihood of undetected malicious forwarding.






Housley                                                         [Page 2]


INTERNET DRAFT                                               August 2001


2  Terminology

   In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as
   described by Scott Bradner in [STDWORDS].

3  Intended Recipients Attribute Syntax

   The intended-recipients attribute type specifies the list of
   recipients that the message originator intended to receive the
   message.  It includes the members of the TO list and the CC list.
   However, members of the BCC list are not included.  Including members
   of the BCC list would disclose the membership to the other
   recipients.

   The intended-recipients attribute MUST be a signed attribute or an
   authenticated attribute; it MUST NOT be an unsigned attribute or
   unauthenticated attribute.

   In the triple wrapper model described in RFC 2634 [ESS], the
   intended-recipients attribute MUST only appear in the inner
   signature.

   The following object identifier identifies the intended-recipients
   attribute:

      id-aa-intendedRecipients OBJECT IDENTIFIER ::=
          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
            pkcs-9(9) smime(16) aa(2) 33 }

   The intended-recipients attribute values have ASN.1 type
   GeneralNames.  GeneralNames is specified in [PROFILE], but the
   definition is repeated here for reader convenience:

      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

      GeneralName ::= CHOICE {
         otherName                   [0] OtherName,
         rfc822Name                  [1] IA5String,
         dNSName                     [2] IA5String,
         x400Address                 [3] ORAddress,
         directoryName               [4] Name,
         ediPartyName                [5] EDIPartyName,
         uniformResourceIdentifier   [6] IA5String,
         iPAddress                   [7] OCTET STRING,
         registeredID                [8] OBJECT IDENTIFIER}

      OtherName ::= SEQUENCE {



Housley                                                         [Page 3]


INTERNET DRAFT                                               August 2001


         type-id       OBJECT IDENTIFIER,
         value     [0] EXPLICIT ANY DEFINED BY type-id }

      EDIPartyName ::= SEQUENCE {
         nameAssigner   [0] DirectoryString OPTIONAL,
         partyName      [1] DirectoryString }

   An intended-recipients attribute MUST have a single attribute value,
   even though the syntax is defined as a SET OF AttributeValue.

   The SignedAttributes and AuthAttributes syntaxes are each defined as
   a SET OF Attributes.  The SignedAttributes in a signerInfo MUST NOT
   include multiple instances of the intended-recipients attribute.
   Similarly, the AuthAttributes in an AuthenticatedData MUST NOT
   include multiple instances of the intended-recipients attribute.

   One GeneralName MUST appear in the SEQUENCE for each intended
   recipient.  The order of the names is not important.  (A SEQUENCE is
   used instead of a SET to avoid the sorting associated with the
   distinguished encoding rules (DER) processing of SETs.)

   When used with S/MIME [MSG], the rfc822Name form of the recipient
   name SHOULD be used.  The other forms of the recipient name are
   permitted since the CMS is used in other protocols as well as S/MIME.

3.1  Originator Generation

   Inclusion of the intended-recipients attribute is OPTIONAL.  When a
   message content is signed but not encrypted, inclusion of the
   intended-recipients attribute may be counter to the originator's
   goal.  For example, when a press release is posted wide distribution
   is intended.  In such cases, inclusion of the intended-recipients
   attribute is undesirable.

   Originator generation of the intended-recipients attribute is simple
   and straightforward.  Each TO list and CC list recipient is
   represented by on GeneralName in the SEQUENCE.  Most of the time, the
   rfc822Name form of the recipient name is used.

3.2  Recipient Validation

   Recipient validation of the intended-recipients attribute is less
   straightforward than generation of the intended-recipients attribute.
   When a recipient receives the message as a member of a mail list or
   as a BCC list recipient, they will not be listed in the intended-
   recipients attribute, yet the originator does intend that this
   recipient receive the message content.




Housley                                                         [Page 4]


INTERNET DRAFT                                               August 2001


   In the normal case, the recipient will locate their own name in the
   intended-recipients attribute.  That is, no malicious forwarding is
   detected.

   If the received message includes a mlExpansionHistory attribute, then
   the recipient can presume that the message was received as a normal
   part of mail list distribution.  A particularly paranoid
   implementation MAY confirm membership in at least one of the mail
   lists named in the intended-recipients attribute.

   Unfortunately, the BCC case is indistinguishable from malicious
   forwarding.  Therefore, any display presented to a human user as a
   result of the recipient name not being on listed on the intended-
   recipient attribute SHOULD point out this possibility.

4  References

   CMS        Housley, R.  Cryptographic Message Syntax.  RFC <TBD>.  <Date>.
              {draft-ietf-smime-rfc2630bis-*.txt}

   ESS        Hoffman, P., Editor.  Enhanced Security Services for S/MIME.
              RFC 2634.  June 1999.

   MALFWD     Davis, D.  Sender Authentication and the Surreptitious
              Forwarding Attack in CMS and S/MIME.  RFC <TBD>.  <Date>.
              {draft-ietf-smime-<tbd>-*.txt}

   MSG        Ramsdell, B., Editor.  S/MIME Version 3 Message
              Specification.  RFC 2633.  June 1999.

   PROFILE    Housley, R., W. Ford, W. Polk, and D. Solo.  Internet
              X.509 Public Key Infrastructure: Certificate and CRL
              Profile.  RFC 2459.  January 1999.

   STDWORDS   Bradner, S.  Key Words for Use in RFCs to Indicate
              Requirement Levels.  RFC 2119.  March 1997.

5  Security Considerations

   This whole document is about a mechanism to detect the malicious
   forwarding of signed content [MALFWD].  The protections offered by
   the intended-recipients attribute are necessary when the signed
   content does not inherently provide an indication of the recipients
   that the signer intended to receive the content.







Housley                                                         [Page 5]


INTERNET DRAFT                                               August 2001


6  Acknowledgments

   I extend a special thanks to Don Davis and Burt Kaliski for their
   efforts and support.

7  Author Address

   Russell Housley
   RSA Laboratories
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   rhousley@rsasecurity.com



Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  In addition, the
   ASN.1 module presented in Appendix A may be used in whole or in part
   without inclusion of the copyright notice.  However, this document
   itself may not be modified in any way, such as by removing the
   copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process shall be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.  This
   document and the information contained herein is provided on an "AS
   IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
   FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
   NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY
   OR FITNESS FOR A PARTICULAR PURPOSE.






Housley                                                         [Page 6]