Introductions - Russ Housley
 
Russ reviewed the agenda.  Nobody objected to the agenda.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CMS Draft Discussion - Russ Housley

Russ presented the status of the February 1999 Cryptographic Message 
Syntax (CMS-11) Internet-Draft (I-D).  CMS-11 is in IETF Last Call.  
The majority of the comments received since the last meeting have 
focused on Section 12. (This is the section on algorithms and key 
wrapping support.)  CMS-11 includes new key wrap algorithms that 
resolve the issues raised on the S/MIME WG mail list regarding 
possible cryptographic vulnerabilities such as Burt Kaliski's comments 
regarding the "birthday attack". The completion of CMS depends on the 
Diffie-Hellman (D-H) Key Agreement Method I-D (X9.42 I-D).

Russ reviewed the highlights of the CMS-11 Key Wrapping Algorithm 
sections.  CMS-11 documents a mandatory-to-implement key wrapping 
algorithm that describes the process of wrapping a Triple-DES content 
encryption key (CEK) with a Triple-DES key encryption key (KEK). It 
documents another (optional) key wrapping algorithm that describes the 
process of wrapping an RC2 CEK with an RC2 KEK.  Each key wrapping 
algorithm includes instructions for key checksum, key wrap and key 
unwrap.  

The CMS-11 Checksum Algorithm is used to provide a CEK integrity check 
value.  The algorithm is:
   1.  Compute a 20 octet SHA-1 message digest on the CEK.
   2.  Use the most significant (first) eight octets of the message 
       digest value as the checksum value.

The Triple-DES key wrap algorithm encrypts a Triple-DES CEK with a 
Triple-DES KEK.  The CMS-11 Triple-DES key wrap algorithm is:
   1.  Set odd parity for each of the DES key octets comprising the 
       CEK, call the result CEK.
   2.  Compute an 8 octet key checksum value on CEK as described 
       above, call the result ICV.
   3.  Let CEKICV = CEK || ICV.
   4.  Generate 8 octets at random, call the result IV.
   5.  Encrypt CEKICV in CBC mode using the key-encryption key.  Use 
       the random value generated in the previous step as the 
       initialization vector (IV).  Call the ciphertext TEMP1.
   6.  Let TEMP2 = IV || TEMP1.
   7.  Reverse the order of the octets in TEMP2.  That is, the most 
       significant (first) octet is swapped with the least significant 
       (last) octet, and so on.  Call the result TEMP3.
   8.  Encrypt TEMP3 in CBC mode using the key-encryption key.  Use IV 
       of 0x4adda22c79e82105.  The ciphertext is 40 octets long.

The Triple-DES key unwrap algorithm decrypts a Triple-DES CEK using a 
Triple-DES KEK.  The CMS-11 DES key unwrap algorithm is:
   1.  If the wrapped CEK is not 40 octets, then error.
   2.  Decrypt the wrapped CEK in CBC mode using the KEK.  Use an IV 
       of 0x4adda22c79e82105.  Call the output TEMP3.
   3.  Reverse the order of the octets in TEMP3.  That is, the most 
       significant (first) octet is swapped with the least significant 
       (last) octet, and so on.  Call the result TEMP2.
   4.  Decompose the TEMP2 into IV and TEMP1.  IV is the most 
       significant (first) 8 octets, and TEMP1 is the least 
       significant (last) 32 octets.
   5.  Decrypt TEMP1 in CBC mode using the key-encryption key.  Use     
       the IV value from the previous step as the initialization 
       vector.  Call the ciphertext CEKICV.
   6.  Decompose the CEKICV into CEK and ICV. CEK is the most 
       significant (first) 24 octets, and ICV is the least significant 
       (last) 8 octets.
   7.  Compute an 8 octet key checksum value on CEK as described 
       above.  If the computed key checksum value does not match the 
       decrypted key checksum value, ICV, then error.
   8.  Check for odd parity each of the DES key octets comprising CEK.  
       If parity is incorrect, then there is an error.

Jim Schaad sent comments to the mail list regarding the CMS-11 RC2 Key 
Wrap Algorithm.  Russ briefed the following RC2 Key Wrap algorithm 
that includes Jim's comments:
1. Let LCEKPAD = LENGTH || CEK || RANDOM_PAD.
2. Compute checksum on LCEKPAD, call result ICV.
3. Let LCEKPADICV = CEK || ICV.
4. Generate 8 octets at random, call the result IV.
5. Encrypt LCEKPADICV in CBC mode using above IV. Call ciphertext 
   TEMP1. 
6. Let TEMP2 = IV || TEMP1.
7. Let TEMP3 = REVERSE(TEMP2)
8. Encrypt TEMP3 in CBC mode using IV of 0x4adda22c79e82105.

Russ briefed the following RC2 Key Wrap algorithm that includes Jim's 
comments:
1. If the wrapped key length is not a multiple of 8, then error.
2. Decrypt wrapped key in CBC mode using IV of 0x4adda22c79e82105.  
   Call the output TEMP3.
3. TEMP2 = REVERSE(TEMP3)
4. Decompose the TEMP2 into IV and TEMP1. 
5. Decrypt TEMP1 in CBC mode using IV from above.  Call the ciphertext 
   LCEKPADICV.
6. Decompose the LCEKPADICV into LCEKPAD and ICV. 
7. Validate ICV.
8. Decompose the LCEKPAD into LENGTH, CEK and PAD. 

Russ stated that he believes that Jim's proposed changes should be 
incorporated into CMS.  Nobody objected to the inclusion of Jim's 
proposals into CMS. 

Way Forward:  A new CMS draft (CMS-12) will include the harmonized 
Triple-DES and RC2 key wrap algorithms as stated above.  CMS-12 will 
be posted as soon as the repository opens for the submission of new 
IETF drafts.  CMS-12 is ready for discussion by the IESG when the 
X9.42 draft is completed.

Russ stated that Denis Pinkas submitted comments to the S/MIME WG 
mail list requesting additional text in CMS to explain how the correct
signer's public key used to perform signature verification is
obtained.  Russ stated that he would work with Denis to derive the 
exact words to be proposed for addition to CMS and then the S/MIME WG 
members would be given the opportunity to review the proposed 
changes.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

X9.42 Draft Discussion - Eric Rescorla

Eric discussed the status of the January 1999 D-H Key Agreement Method 
I-D (a.k.a. X9.42 I-D).  One change to be made is that the actual RC2 
key length will be the same as the effective key length.  Eric stated 
that he believes that this change resolves the RC2 partition attack.  

Eric also stated that Section 2.1.2, "Generation of Keying Material", 
will be changed to state that the KeySpecificInfo algorithm field will 
include the key wrap algorithm object identifier (OID) instead of the 
symmetric algorithm OID.  The examples will be enhanced to match this 
change.

Nobody objected to Eric's proposed changes.
  

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Small Subgroup Attacks on D-H      Robert Zuccherato

Robert is developing an informational draft that will describe 
situations that require protection from "small subgroup" attacks on 
D-H.  The draft will also provide guidance on how to provide 
protection.

When is protection required?  In general, for sender:
1) If key is ephemeral, then no protection is required.
2) If key is static, protection is required.

In general, for a recipient (assuming static key):
1) If no information on the success of the decryption is available, no 
   protection is required.
2) If information on the success of the decryption is available, 
   protection is required.

Methods of Protection: 
1) The process by which the recipient's public key is validated by the 
   originator is described in the X9.42 draft.  This strategy is 
   possibly encumbered. Certicom has applied for a patent 
   covering the use of methods to avoid small subgroup attacks.
2) Public key validation by the Certification Authority (CA) is only 
   realistic for static public keys.
3) Choose p-1=2*q*r where r is product of "large" primes.  Must still 
   check whether public key is +/- 1.
4) Compatible Cofactor Exponentiation is described in IEEE P1363. Also 
   possibly encumbered.

Russ stated that the purpose of this document is to inform people of 
when they need to worry about small subgroup attacks.  Certicom has 
notified the S/MIME WG that they have a pending patent regarding small
subgroup attack protection.  If implementers need to be concerned with 
small subgroup attack protection, then they may wish to watch for 
this patent.
  
Eric Rescorla asked about the status of Certicom's offer for a 
royalty-free license that would allow S/MIME vendors to use the 
technology covered by their pending patent.  Russ stated that Certicom 
had not yet offered any royalty-free licenses because they do not 
believe that their pending patent covers any mandatory S/MIME 
requirements.  Russ also stated that this issue is still being worked.



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MSG Draft Discussion - Blake Ramsdell

Blake stated that the 26 February 1999 S/MIME v3 Message Specification 
(MSG-07) I-D addresses the comments submitted to the mail list.  Blake 
stated that the MSG I-D has been submitted for IETF last call. Blake 
asked if anybody knew of any unresolved issued regarding MSG. 

Paul Hoffman proposed that the following statement should be added to 
Sec 2.2:  "Note that S/MIME v2 clients are only capable of verifying 
digital signatures using the rsaEncryption algorithm." Paul also 
proposed that the following statement should be added to Sec 2.3:  
"Note that S/MIME v2 clients are only capable of decrypting content 
encryption keys using the rsaEncryption algorithm."  Nobody objected 
to these changes.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERT Draft Discussion - Blake Ramsdell

Blake stated that the 26 February 1999 S/MIME v3 Certificate Handling 
(CERT-07) I-D addresses the comments submitted to the mail list.  
Blake stated that the CERT I-D has been submitted for IETF last call. 

Blake asked if anybody knew of any unresolved issued regarding CERT.  
Denis Pinkas stated that he believed that CERT should be changed to 
state that a receiving agent "MUST support revocation" rather than 
"MUST support CRLs".  He said that his recommended wording would allow 
receiving agents to use other methods of revocation checking such as 
OCSP.  Eric Rescorla made the point that the CMS heading includes 
fields to carry CRLs, so the receiving agent must use them.  After 
several other attendees stated their opinions regarding the use of 
CRLs, Russ asked that the debate be put on hold until the end of the 
meeting so that the rest of the topics could be covered.

Denis has a second comment that he believed that the possible absence 
of the subject DN in a leaf certificate could present a problem. A 
vast majority of the meeting attendees decided that the PKIX X.509
Certificate and CRL Profile (RFC2459) (referred to by the CERT I-D)
specifies how key validation is performed using certificates that
may omit the subject DN and that CMS should not replicate that 
information.  

Paul Hoffman pointed out that section 3 in CERT-07 needed
to be modified to delete the "3.1" sub-section title. 


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ESS Draft Discussion - Paul Hoffman

Paul stated that the 26 February 1999 Enhanced Security Services for 
SMIME (ESS-11) I-D addresses the comments submitted to the mail list.  
It has been submitted for IETF last call.  

Paul said that he will incorporate Francois Rousseau's comments sent 
to the mail list regarding the use of the signingCertificate 
attribute.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CERTDIST Draft Discussion - Jim Schaad

Jim stated that the 25 February 1999 Certificate Distribution 
(CERTDIST-03) I-D has not been significantly changed since the 
December 98 S/MIME WG meeting.  He said that he still needs to 
include example data in the document.  The next draft will be
submitted for S/MIME WG last call after the example data has been
added.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DOMSEC Draft Discussion - Bill Ottaway

Bill stated that the 17 November 1999 Domain Security Services using 
S/MIME (DOMSEC-01) I-D has been submitted to the mail list.  He stated  
that there has been no changes to the domsec draft since the December
98 S/MIME WG meeting. He is currently working on an implementation of 
domsec.  He intends to have a new draft, based on comments received
and experience gained, before the current draft expires in May 99.



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Security Policies and Labels    Russ Housley

Russ stated that Weston Nicolls is developing an Internet draft that 
will document the security policies of Whirlpool, Caterpillar and 
Amoco.  The draft will also document how the ESSSecurityLabel can be 
used to implement those corporations' security policies.  Russ stated 
that the S/MIME WG Charter will be expanded to cover this work.  
Nobody objected.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

S/MIME v3 Examples     Paul Hoffman

Paul stated that the 25 February 1999 Examples of CMS Message Bodies 
(EXAMPLES-00) I-D has been submitted to the mail list.  Paul stated 
that the document will include example keys, certificates and CRLs.  
The next draft will include CRLs.  The document will include some 
incorrect examples that flag common implementation errors. Paul is 
only going to coordinate putting this document together. He needs 
example data for the document and he needs people to volunteer to test 
the sample data.  Volunteers will be given credit in the document.  
Individuals would like to volunteer to do examples should contact Paul 
at phoffman@imc.org.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Wrap Up - Russ Housley

Russ stated that the CMS, ESS, MSG, CERT and X9.42 documents are in 
IETF Last Call.  He hopes to have these documents reviewed by the IESG 
as soon as possible.

John Pawling asked if there was a strategy for enhancing the S/MIME v3 
documents after they are approved by the IESG.  Russ stated that minor 
changes could be made in the documents when they progress from 
Proposed Standard to Draft Standard.  For example, the proposed change
to the CMS RecipientInfo syntax could be made when CMS progresses from
Proposed Standard to Draft Standard, if consensus is reached on the
handling of password-based key management.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Open Issues                     

The debate resumed regarding Denis Pinkas' proposal to change CERT so 
that it states that a receiving agent "MUST support revocation" rather 
than "MUST support CRLs".  After much exciting debate, the majority of 
the group reached consensus that CERT sections 2.1 and 4.1 must be 
changed to state the following:  "All agents MUST be capable of 
performing revocation checks using CRLs as specified in RFC2459.  All 
agents MUST perform revocation status checking in accordance with 
RFC2459."



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ACTION ITEMS (These changes will be included in the S/MIME v3
documents after they have been discussed on the S/MIME WG mail
list):

1. Enhance CMS I-D to include Jim's comments regarding the RC2 key 
   wrapping and unwrapping algorithms (Russ Housley).
2. Enhance X9.42 I-D to include changes regarding RC2 key length and 
   key wrap algorithm OIDs (Eric Rescorla).
3. Develop I-D regarding small subgroup attacks on D-H (Robert 
   Zuccherato).
4. Enhance MSG I-D to include Paul's comments regarding S/MIME v2 
   agents to MSG draft (Blake Ramsdell).
5. Enhance CERT I-D sections 2.1 and 4.1 as described above (Blake 
   Ramsdell).
6. Enhance ESS I-D to include Francois Rousseau's comments regarding 
   signingCertificate attribute (Paul Hoffman).
7. Develop I-D regarding security policies and labels (Weston 
   Nicolls).
8. Incorporate sample data into Example I-D (Paul Hoffman).