Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling
RFC 3850

• Document
• IESG evaluation record
• IESG writeups
• Email expansions
• History

• Versions
• 07

Document	Type		RFC - Proposed Standard (July 2004; No errata) Obsoleted by RFC 5750 Obsoletes RFC 2632 Was draft-ietf-smime-rfc2632bis (smime WG)
	Last updated		2015-10-14
	Stream		IETF
	Formats		plain text pdf html bibtex
Stream	WG state		(None)
	Document shepherd		No shepherd assigned
IESG	IESG state		RFC 3850 (Proposed Standard)
	Consensus Boilerplate		Unknown
	Telechat date
	Responsible AD		Russ Housley
	Send notices to		turners@ieca.com

Network Working Group                                B. Ramsdell, Editor
Request for Comments: 3850                                Sendmail, Inc.
Obsoletes: 2632                                                July 2004
Category: Standards Track

   Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1
                          Certificate Handling

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document specifies conventions for X.509 certificate usage by
   Secure/Multipurpose Internet Mail Extensions (S/MIME) agents.  S/MIME
   provides a method to send and receive secure MIME messages, and
   certificates are an integral part of S/MIME agent processing.  S/MIME
   agents validate certificates as described in RFC 3280, the Internet
   X.509 Public Key Infrastructure Certificate and CRL Profile.  S/MIME
   agents must meet the certificate processing requirements in this
   document as well as those in RFC 3280.

Table of Contents

   1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  2
       1.2.  Compatibility with Prior Practice of S/MIME. . . . . . .  3
       1.3.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
       1.4.  Changes Since S/MIME v3 (RFC 2632) . . . . . . . . . . .  3
   2.  CMS Options. . . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1 . CertificateRevocationLists . . . . . . . . . . . . . . .  4
       2.2.  CertificateChoices . . . . . . . . . . . . . . . . . . .  4
       2.3.  CertificateSet . . . . . . . . . . . . . . . . . . . . .  5
   3. Using Distinguished Names for Internet Mail . . . . . . . . . .  6
   4.  Certificate Processing . . . . . . . . . . . . . . . . . . . .  7
       4.1.  Certificate Revocation Lists . . . . . . . . . . . . . .  8
       4.2.  Certification Path Validation. . . . . . . . . . . . . .  8
       4.3.  Certificate and CRL Signing Algorithms . . . . . . . . .  9

Ramsdell                    Standards Track                     [Page 1]
RFC 3850            S/MIME 3.1 Certificate Handling            July 2004

       4.4.  PKIX Certificate Extensions. . . . . . . . . . . . . . .  9
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 11
   A.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
       A.1.  Normative References . . . . . . . . . . . . . . . . . . 13
       A.2.  Informative References . . . . . . . . . . . . . . . . . 14
   B.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
   C.  Editor's Address . . . . . . . . . . . . . . . . . . . . . . . 15
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 16

1.  Overview

   S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
   [SMIME-MSG], provides a method to send and receive secure MIME
   messages.  Before using a public key to provide security services,
   the S/MIME agent MUST verify that the public key is valid.  S/MIME
   agents MUST use PKIX certificates to validate public keys as
   described in the Internet X.509 Public Key Infrastructure (PKIX)
   Certificate and CRL Profile [KEYM].  S/MIME agents MUST meet the
   certificate processing requirements documented in this document in
   addition to those stated in [KEYM].

   This specification is compatible with the Cryptographic Message
   Syntax [CMS] in that it uses the data types defined by CMS.  It also
   inherits all the varieties of architectures for certificate-based key
   management supported by CMS.

1.1.  Definitions

   For the purposes of this document, the following definitions apply.

   ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.208
   [X.208-88].

   Attribute Certificate (AC): An X.509 AC is a separate structure from
   a subject's public key X.509 Certificate.  A subject may have
   multiple X.509 ACs associated with each of its public key X.509
   Certificates.  Each X.509 AC binds one or more Attributes with one of
   the subject's public key X.509 Certificates.  The X.509 AC syntax is
   defined in [ACAUTH].

   Certificate:  A type that binds an entity's name to a public key with
   a digital signature.  This type is defined in the Internet X.509
   Public Key Infrastructure (PKIX) Certificate and CRL Profile [KEYM].
   This type also contains the distinguished name of the certificate

Show full document text