Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling
RFC 3850
| Field | Value |
|---|---|
| Document | Type: RFC - Proposed Standard (July 2004; No errata). Obsoleted by RFC 5750. Obsoletes RFC 2632 |
| Author | Blake Ramsdell |
| Last updated | 2015-10-14 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 3850 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Russ Housley |
| Send notices to | turners@ieca.com |
Network Working Group                                B. Ramsdell, Editor
Request for Comments: 3850                                Sendmail, Inc.
Obsoletes: 2632                                                July 2004
Category: Standards Track

Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document specifies conventions for X.509 certificate usage by Secure/Multipurpose Internet Mail Extensions (S/MIME) agents. S/MIME provides a method to send and receive secure MIME messages, and certificates are an integral part of S/MIME agent processing. S/MIME agents validate certificates as described in RFC 3280, the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. S/MIME agents must meet the certificate processing requirements in this document as well as those in RFC 3280.

Table of Contents

1. Overview ..................................................... 2
   1.1. Definitions ............................................. 2
   1.2. Compatibility with Prior Practice of S/MIME ............. 3
   1.3. Terminology ............................................. 3
   1.4. Changes Since S/MIME v3 (RFC 2632) ...................... 3
2. CMS Options .................................................. 4
   2.1. CertificateRevocationLists .............................. 4
   2.2. CertificateChoices ...................................... 4
   2.3. CertificateSet .......................................... 5
3. Using Distinguished Names for Internet Mail .................. 6
4. Certificate Processing ....................................... 7
   4.1. Certificate Revocation Lists ............................ 8
   4.2. Certification Path Validation ........................... 8
   4.3. Certificate and CRL Signing Algorithms .................. 9

Ramsdell                    Standards Track                     [Page 1]

RFC 3850              S/MIME 3.1 Certificate Handling          July 2004

   4.4. PKIX Certificate Extensions ............................. 9
5. Security Considerations ...................................... 11
A. References ................................................... 13
   A.1. Normative References .................................... 13
   A.2. Informative References .................................. 14
B. Acknowledgements ............................................. 15
C. Editor's Address ............................................. 15
Full Copyright Statement ........................................ 16

1. Overview

S/MIME (Secure/Multipurpose Internet Mail Extensions), described in [SMIME-MSG], provides a method to send and receive secure MIME messages. Before using a public key to provide security services, the S/MIME agent MUST verify that the public key is valid. S/MIME agents MUST use PKIX certificates to validate public keys as described in the Internet X.509 Public Key Infrastructure (PKIX) Certificate and CRL Profile [KEYM]. S/MIME agents MUST meet the certificate processing requirements documented in this document in addition to those stated in [KEYM].

This specification is compatible with the Cryptographic Message Syntax [CMS] in that it uses the data types defined by CMS. It also inherits all the varieties of architectures for certificate-based key management supported by CMS.

1.1. Definitions

For the purposes of this document, the following definitions apply.

ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.208 [X.208-88].

Attribute Certificate (AC): An X.509 AC is a separate structure from a subject's public key X.509 Certificate. A subject may have multiple X.509 ACs associated with each of its public key X.509 Certificates. Each X.509 AC binds one or more Attributes with one of the subject's public key X.509 Certificates. The X.509 AC syntax is defined in [ACAUTH].

Certificate: A type that binds an entity's name to a public key with a digital signature. This type is defined in the Internet X.509 Public Key Infrastructure (PKIX) Certificate and CRL Profile [KEYM]. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, a validity period, and extensions also defined in that document.
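The Overview requires an S/MIME agent to validate a public key through a PKIX certificate path before using it, and the Certificate definition lists the fields that path validation relies on (issuer name, serial number, validity period). The following is an added example, not code from the RFC or from any S/MIME implementation: it builds a constructed CA and end-entity certificate in memory and then performs the path validation step with Go's standard crypto/x509 package standing in for the agent. The names `BuildChain`, `ValidatePublicKey`, "Example Test CA" and "Alice Example" are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert signs tmpl with the parent's key and parses the resulting DER encoding.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates constructed test data: a self-signed CA and an end-entity certificate whose validity period ends at leafNotAfter.
func BuildChain(leafNotAfter time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example"},
		NotBefore: now.Add(-time.Hour), NotAfter: leafNotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf, err = newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return
}

// ValidatePublicKey is the PKIX path validation an agent performs before using the key in leaf: the chain must reach a trusted root and every certificate must be valid at time t.
func ValidatePublicKey(leaf, trustedRoot *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

A real agent would additionally consult revocation data and apply the extension and name checks from sections 3 and 4 of the RFC; `Verify` covers only the signature chain, trust anchor and validity period.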