Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling
RFC 3850
Document Type RFC - Proposed Standard (July 2004; No errata)
Obsoleted by RFC 5750
Obsoletes RFC 2632
Author Blake Ramsdell 
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3850 (Proposed Standard)
Action Holders
(None)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to turners@ieca.com
Email authors Email WG IPR 4 References Referenced by Nits 
Network Working Group                                B. Ramsdell, Editor
Request for Comments: 3850                                Sendmail, Inc.
Obsoletes: 2632                                                July 2004
Category: Standards Track

   Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1
                          Certificate Handling

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document specifies conventions for X.509 certificate usage by
   Secure/Multipurpose Internet Mail Extensions (S/MIME) agents.  S/MIME
   provides a method to send and receive secure MIME messages, and
   certificates are an integral part of S/MIME agent processing.  S/MIME
   agents validate certificates as described in RFC 3280, the Internet
   X.509 Public Key Infrastructure Certificate and CRL Profile.  S/MIME
   agents must meet the certificate processing requirements in this
   document as well as those in RFC 3280.

Table of Contents

   1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  2
       1.2.  Compatibility with Prior Practice of S/MIME. . . . . . .  3
       1.3.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
       1.4.  Changes Since S/MIME v3 (RFC 2632) . . . . . . . . . . .  3
   2.  CMS Options. . . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1 . CertificateRevocationLists . . . . . . . . . . . . . . .  4
       2.2.  CertificateChoices . . . . . . . . . . . . . . . . . . .  4
       2.3.  CertificateSet . . . . . . . . . . . . . . . . . . . . .  5
   3. Using Distinguished Names for Internet Mail . . . . . . . . . .  6
   4.  Certificate Processing . . . . . . . . . . . . . . . . . . . .  7
       4.1.  Certificate Revocation Lists . . . . . . . . . . . . . .  8
       4.2.  Certification Path Validation. . . . . . . . . . . . . .  8
       4.3.  Certificate and CRL Signing Algorithms . . . . . . . . .  9

Ramsdell                    Standards Track                     [Page 1]
RFC 3850            S/MIME 3.1 Certificate Handling            July 2004

       4.4.  PKIX Certificate Extensions. . . . . . . . . . . . . . .  9
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 11
   A.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
       A.1.  Normative References . . . . . . . . . . . . . . . . . . 13
       A.2.  Informative References . . . . . . . . . . . . . . . . . 14
   B.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
   C.  Editor's Address . . . . . . . . . . . . . . . . . . . . . . . 15
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 16

1.  Overview

   S/MIME (Secure/Multipurpose Internet Mail Extensions), described in
   [SMIME-MSG], provides a method to send and receive secure MIME
   messages.  Before using a public key to provide security services,
   the S/MIME agent MUST verify that the public key is valid.  S/MIME
   agents MUST use PKIX certificates to validate public keys as
   described in the Internet X.509 Public Key Infrastructure (PKIX)
   Certificate and CRL Profile [KEYM].  S/MIME agents MUST meet the
   certificate processing requirements documented in this document in
   addition to those stated in [KEYM].

   This specification is compatible with the Cryptographic Message
   Syntax [CMS] in that it uses the data types defined by CMS.  It also
   inherits all the varieties of architectures for certificate-based key
   management supported by CMS.

1.1.  Definitions

   For the purposes of this document, the following definitions apply.

   ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.208
   [X.208-88].

   Attribute Certificate (AC): An X.509 AC is a separate structure from
   a subject's public key X.509 Certificate.  A subject may have
   multiple X.509 ACs associated with each of its public key X.509
   Certificates.  Each X.509 AC binds one or more Attributes with one of
   the subject's public key X.509 Certificates.  The X.509 AC syntax is
   defined in [ACAUTH].

   Certificate:  A type that binds an entity's name to a public key with
   a digital signature.  This type is defined in the Internet X.509
   Public Key Infrastructure (PKIX) Certificate and CRL Profile [KEYM].
   This type also contains the distinguished name of the certificate
   issuer (the signer), an issuer-specific serial number, the issuer's
   signature algorithm identifier, a validity period, and extensions
   also defined in that document.

Ramsdell                    Standards Track                     [Page 2]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools