CMS Symmetric Key Management and Distribution
RFC 5275

Document Type RFC - Proposed Standard (June 2008; Errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5275 (Proposed Standard)
Consensus Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Network Working Group                                          S. Turner
Request for Comments: 5275                                          IECA
Category: Standards Track                                      June 2008

             CMS Symmetric Key Management and Distribution

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes a mechanism to manage (i.e., set up,
   distribute, and rekey) keys used with symmetric cryptographic
   algorithms.  Also defined herein is a mechanism to organize users
   into groups to support distribution of encrypted content using
   symmetric cryptographic algorithms.  The mechanism uses the
   Cryptographic Message Syntax (CMS) protocol and Certificate
   Management over CMS (CMC) protocol to manage the symmetric keys.  Any
   member of the group can then later use this distributed shared key to
   decrypt other CMS encrypted objects with the symmetric key.  This
   mechanism has been developed to support Secure/Multipurpose Internet
   Mail Extensions (S/MIME) Mail List Agents (MLAs).

Turner                      Standards Track                     [Page 1]
RFC 5275                     CMS SymKeyDist                    June 2008

Table of Contents

   1. Introduction ....................................................4
      1.1. Conventions Used in This Document ..........................4
      1.2. Applicability to E-mail ....................................5
      1.3. Applicability to Repositories ..............................5
      1.4. Using the Group Key ........................................5
   2. Architecture ....................................................6
   3. Protocol Interactions ...........................................7
      3.1. Control Attributes .........................................8
           3.1.1. GL Use KEK .........................................10
           3.1.2. Delete GL ..........................................14
           3.1.3. Add GL Member ......................................14
           3.1.4. Delete GL Member ...................................15
           3.1.5. Rekey GL ...........................................16
           3.1.6. Add GL Owner .......................................16
           3.1.7. Remove GL Owner ....................................17
           3.1.8. GL Key Compromise ..................................17
           3.1.9. GL Key Refresh .....................................18
           3.1.10. GLA Query Request and Response ....................18
                  3.1.10.1. GLA Query Request ........................18
                  3.1.10.2. GLA Query Response .......................19
                  3.1.10.3. Request and Response Types ...............19
           3.1.11. Provide Cert ......................................19
           3.1.12. Update Cert .......................................20
           3.1.13. GL Key ............................................21
      3.2. Use of CMC, CMS, and PKIX .................................23
           3.2.1. Protection Layers ..................................23
                  3.2.1.1. Minimum Protection ........................23
                  3.2.1.2. Additional Protection .....................24
           3.2.2. Combining Requests and Responses ...................24
           3.2.3. GLA Generated Messages .............................26
           3.2.4. CMC Control Attributes and CMS Signed Attributes ...27
                  3.2.4.1. Using cMCStatusInfoExt ....................27
                  3.2.4.2. Using transactionId .......................30
                  3.2.4.3. Using Nonces and signingTime ..............30
                  3.2.4.4. CMC and CMS Attribute Support
                           Requirements ..............................31
           3.2.5. Resubmitted GL Member Messages .....................31
           3.2.6. PKIX Certificate and CRL Profile ...................31
   4. Administrative Messages ........................................32
      4.1. Assign KEK to GL ..........................................32
      4.2. Delete GL from GLA ........................................36
      4.3. Add Members to GL .........................................38
           4.3.1. GLO Initiated Additions ............................39
           4.3.2. Prospective Member Initiated Additions .............47
      4.4. Delete Members from GL ....................................49
           4.4.1. GLO Initiated Deletions ............................50
Show full document text