GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc3156

Network Working Group M. Elkins Request for Comments: 3156 Network Associates, Inc. Updates: 2015 D. Del Torto Category: Standards Track CryptoRights Foundation

                                                             R. Levien
                                  University of California at Berkeley
                                                           T. Roessler
                                                           August 2001
                     MIME Security with OpenPGP

Status of this Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

 This document describes how the OpenPGP Message Format can be used to
 provide privacy and authentication using the Multipurpose Internet
 Mail Extensions (MIME) security content types described in RFC 1847.

1. Introduction

 Work on integrating PGP (Pretty Good Privacy) with MIME [3]
 (including the since withdrawn "application/pgp" content type) prior
 to RFC 2015 suffered from a number of problems, the most significant
 of which is the inability to recover signed message bodies without
 parsing data structures specific to PGP.  RFC 2015 makes use of the
 elegant solution proposed in RFC 1847, which defines security
 multipart formats for MIME.  The security multiparts clearly separate
 the signed message body from the signature, and have a number of
 other desirable properties.  This document revises RFC 2015 to adopt
 the integration of PGP and MIME to the needs which emerged during the
 work on the OpenPGP specification.
 This document defines three content types for implementing security
 and privacy with OpenPGP: "application/pgp-encrypted",
 "application/pgp-signature" and "application/pgp-keys".

Elkins, et al. Standards Track [Page 1] RFC 3156 MIME Security with OpenPGP August 2001

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119.

2. OpenPGP data formats

 OpenPGP implementations can generate either ASCII armor (described in
 [1]) or 8-bit binary output when encrypting data, generating a
 digital signature, or extracting public key data.  The ASCII armor
 output is the REQUIRED method for data transfer.  This allows those
 users who do not have the means to interpret the formats described in
 this document to be able to extract and use the OpenPGP information
 in the message.
 When the amount of data to be transmitted requires that it be sent in
 many parts, the MIME message/partial mechanism SHOULD be used rather
 than the multi-part ASCII armor OpenPGP format.

3. Content-Transfer-Encoding restrictions

 Multipart/signed and multipart/encrypted are to be treated by agents
 as opaque, meaning that the data is not to be altered in any way [2],
 [7].  However, many existing mail gateways will detect if the next
 hop does not support MIME or 8-bit data and perform conversion to
 either Quoted-Printable or Base64.  This presents serious problems
 for multipart/signed, in particular, where the signature is
 invalidated when such an operation occurs.  For this reason all data
 signed according to this protocol MUST be constrained to 7 bits (8-
 bit data MUST be encoded using either Quoted-Printable or Base64).
 Note that this also includes the case where a signed object is also
 encrypted (see section 6).  This restriction will increase the
 likelihood that the signature will be valid upon receipt.
 Additionally, implementations MUST make sure that no trailing
 whitespace is present after the MIME encoding has been applied.
    Note: In most cases, trailing whitespace can either be removed, or
    protected by applying an appropriate content-transfer-encoding.
    However, special care must be taken when any header lines - either
    in MIME entity headers, or in embedded RFC 822 headers - are
    present which only consist of whitespace: Such lines must be
    removed entirely, since replacing them by empty lines would turn
    them into header delimiters, and change the semantics of the
    message.  The restrictions on whitespace are necessary in order to
    make the hash calculated invariant under the text and binary mode
    signature mechanisms provided by OpenPGP [1].  Also, they help to
    avoid compatibility problems with PGP implementations which
    predate the OpenPGP specification.

Elkins, et al. Standards Track [Page 2] RFC 3156 MIME Security with OpenPGP August 2001

    Note: If any line begins with the string "From ", it is strongly
    suggested that either the Quoted-Printable or Base64 MIME encoding
    be applied.  If Quoted-Printable is used, at least one of the
    characters in the string should be encoded using the hexadecimal
    coding rule.  This is because many mail transfer and delivery
    agents treat "From " (the word "from" followed immediately by a
    space character) as the start of a new message and thus insert a
    right angle-bracket (>) in front of any line beginning with
    "From " to distinguish this case, invalidating the signature.
 Data that is ONLY to be encrypted is allowed to contain 8-bit
 characters and trailing whitespace and therefore need not undergo the
 conversion to a 7bit format, and the stripping of whitespace.
    Implementor's note: It cannot be stressed enough that applications
    using this standard follow MIME's suggestion that you "be
    conservative in what you generate, and liberal in what you
    accept."  In this particular case it means it would be wise for an
    implementation to accept messages with any content-transfer-
    encoding, but restrict generation to the 7-bit format required by
    this memo.  This will allow future compatibility in the event the
    Internet SMTP framework becomes 8-bit friendly.

4. OpenPGP encrypted data

 Before OpenPGP encryption, the data is written in MIME canonical
 format (body and headers).
 OpenPGP encrypted data is denoted by the "multipart/encrypted"
 content type, described in [2], and MUST have a "protocol" parameter
 value of "application/pgp-encrypted".  Note that the value of the
 parameter MUST be enclosed in quotes.
 The multipart/encrypted MIME body MUST consist of exactly two body
 parts, the first with content type "application/pgp-encrypted".  This
 body contains the control information.  A message complying with this
 standard MUST contain a "Version: 1" field in this body.  Since the
 OpenPGP packet format contains all other information necessary for
 decrypting, no other information is required here.
 The second MIME body part MUST contain the actual encrypted data.  It
 MUST be labeled with a content type of "application/octet-stream".
 Example message:
    From: Michael Elkins <elkins@aero.org>
    To: Michael Elkins <elkins@aero.org>
    Mime-Version: 1.0

Elkins, et al. Standards Track [Page 3] RFC 3156 MIME Security with OpenPGP August 2001

    Content-Type: multipart/encrypted; boundary=foo;
       protocol="application/pgp-encrypted"
  1. -foo

Content-Type: application/pgp-encrypted

    Version: 1
  1. -foo

Content-Type: application/octet-stream

  1. —-BEGIN PGP MESSAGE—–

Version: 2.6.2

    hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ2fve87lMlDlx4Oj
    eW4GDdBfLbJE7VUpp13N19GL8e/AqbyyjHH4aS0YoTk10QQ9nnRvjY8nZL3MPXSZ
    g9VGQxFeGqzykzmykU6A26MSMexR4ApeeON6xzZWfo+0yOqAq6lb46wsvldZ96YA
    AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMpp7UQ2IzBrXg6GtukS8NxbukLeamqVW3
    1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OCi8=
    =zzaA
    -----END PGP MESSAGE-----
  1. -foo–

5. OpenPGP signed data

 OpenPGP signed messages are denoted by the "multipart/signed" content
 type, described in [2], with a "protocol" parameter which MUST have a
 value of "application/pgp-signature" (MUST be quoted).
 The "micalg" parameter for the "application/pgp-signature" protocol
 MUST contain exactly one hash-symbol of the format "pgp-<hash-
 identifier>", where <hash-identifier> identifies the Message
 Integrity Check (MIC) algorithm used to generate the signature.
 Hash-symbols are constructed from the text names registered in [1] or
 according to the mechanism defined in that document by converting the
 text name to lower case and prefixing it with the four characters
 "pgp-".
 Currently defined values are "pgp-md5", "pgp-sha1", "pgp-ripemd160",
 "pgp-md2", "pgp-tiger192", and "pgp-haval-5-160".
 The multipart/signed body MUST consist of exactly two parts.  The
 first part contains the signed data in MIME canonical format,
 including a set of appropriate content headers describing the data.
 The second body MUST contain the OpenPGP digital signature.  It MUST
 be labeled with a content type of "application/pgp-signature".

Elkins, et al. Standards Track [Page 4] RFC 3156 MIME Security with OpenPGP August 2001

    Note: Implementations can either generate "signatures of a
    canonical text document" or "signatures of a binary document", as
    defined in [1].  The restrictions on the signed material put forth
    in section 3 and in this section will make sure that the various
    MIC algorithm variants specified in [1] and [5] will all produce
    the same result.
 When the OpenPGP digital signature is generated:
 (1)   The data to be signed MUST first be converted to its content-
       type specific canonical form.  For text/plain, this means
       conversion to an appropriate character set and conversion of
       line endings to the canonical <CR><LF> sequence.
 (2)   An appropriate Content-Transfer-Encoding is then applied; see
       section 3.  In particular, line endings in the encoded data
       MUST use the canonical <CR><LF> sequence where appropriate
       (note that the canonical line ending may or may not be present
       on the last line of encoded data and MUST NOT be included in
       the signature if absent).
 (3)   MIME content headers are then added to the body, each ending
       with the canonical <CR><LF> sequence.
 (4)   As described in section 3 of this document, any trailing
       whitespace MUST then be removed from the signed material.
 (5)   As described in [2], the digital signature MUST be calculated
       over both the data to be signed and its set of content headers.
 (6)   The signature MUST be generated detached from the signed data
       so that the process does not alter the signed data in any way.
    Note: The accepted OpenPGP convention is for signed data to end
    with a <CR><LF> sequence.  Note that the <CR><LF> sequence
    immediately preceding a MIME boundary delimiter line is considered
    to be part of the delimiter in [3], 5.1.  Thus, it is not part of
    the signed data preceding the delimiter line.  An implementation
    which elects to adhere to the OpenPGP convention has to make sure
    it inserts a <CR><LF> pair on the last line of the data to be
    signed and transmitted (signed message and transmitted message
    MUST be identical).
 Example message:
       From: Michael Elkins <elkins@aero.org>
       To: Michael Elkins <elkins@aero.org>
       Mime-Version: 1.0

Elkins, et al. Standards Track [Page 5] RFC 3156 MIME Security with OpenPGP August 2001

       Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;
         protocol="application/pgp-signature"
  1. -bar

& Content-Type: text/plain; charset=iso-8859-1

    & Content-Transfer-Encoding: quoted-printable
    &
    & =A1Hola!
    &
    & Did you know that talking to yourself is a sign of senility?
    &
    & It's generally a good idea to encode lines that begin with
    & From=20because some mail transport agents will insert a greater-
    & than (>) sign, thus invalidating the signature.
    &
    & Also, in some cases it might be desirable to encode any   =20
    & trailing whitespace that occurs on lines in order to ensure  =20
    & that the message signature is not invalidated when passing =20
    & a gateway that modifies such whitespace (like BITNET). =20
    &
    & me
  1. -bar
    Content-Type: application/pgp-signature
  1. —-BEGIN PGP MESSAGE—–

Version: 2.6.2

    iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
    jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
    uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
    HOxEa44b+EI=
    =ndaj
    -----END PGP MESSAGE-----
  1. -bar–
 The "&"s in the previous example indicate the portion of the data
 over which the signature was calculated.
 Upon receipt of a signed message, an application MUST:
 (1)   Convert line endings to the canonical <CR><LF> sequence before
       the signature can be verified.  This is necessary since the
       local MTA may have converted to a local end of line convention.

Elkins, et al. Standards Track [Page 6] RFC 3156 MIME Security with OpenPGP August 2001

 (2)   Pass both the signed data and its associated content headers
       along with the OpenPGP signature to the signature verification
       service.

6. Encrypted and Signed Data

 Sometimes it is desirable to both digitally sign and then encrypt a
 message to be sent.  This protocol allows for two methods of
 accomplishing this task.

6.1. RFC 1847 Encapsulation

 In [2], it is stated that the data is first signed as a
 multipart/signature body, and then encrypted to form the final
 multipart/encrypted body.  This is most useful for standard MIME-
 compliant message forwarding.
 Example:
       Content-Type: multipart/encrypted;
          protocol="application/pgp-encrypted"; boundary=foo
  1. -foo

Content-Type: application/pgp-encrypted

       Version: 1
  1. -foo

Content-Type: application/octet-stream

  1. —-BEGIN PGP MESSAGE—–

& Content-Type: multipart/signed; micalg=pgp-md5

    &     protocol="application/pgp-signature"; boundary=bar
    &
    & --bar
    & Content-Type: text/plain; charset=us-ascii
    &
    & This message was first signed, and then encrypted.
    &
    & --bar
    & Content-Type: application/pgp-signature
    &
    & -----BEGIN PGP MESSAGE-----
    & Version: 2.6.2
    &
    & iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
    & jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
    & uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn

Elkins, et al. Standards Track [Page 7] RFC 3156 MIME Security with OpenPGP August 2001

    & HOxEa44b+EI=
    & =ndaj
    & -----END PGP MESSAGE-----
    &
    & --bar--
      -----END PGP MESSAGE-----
  1. -foo–
 (The text preceded by '&' indicates that it is really encrypted, but
 presented as text for clarity.)

6.2. Combined method

 The OpenPGP packet format [1] describes a method for signing and
 encrypting data in a single OpenPGP message.  This method is allowed
 in order to reduce processing overhead and increase compatibility
 with non-MIME implementations of OpenPGP.  The resulting data is
 formatted as a "multipart/encrypted" object as described in Section
 4.
 Messages which are encrypted and signed in this combined fashion are
 REQUIRED to follow the same canonicalization rules as
 multipart/signed objects.
 It is explicitly allowed for an agent to decrypt a combined message
 and rewrite it as a multipart/signed object using the signature data
 embedded in the encrypted version.

7. Distribution of OpenPGP public keys

 Content-Type: application/pgp-keys
 Required parameters: none
 Optional parameters: none
 A MIME body part of the content type "application/pgp-keys" contains
 ASCII-armored transferable Public Key Packets as defined in [1],
 section 10.1.

8. Security Considerations

 Signatures of a canonical text document as defined in [1] ignore
 trailing white space in signed material.  Implementations which
 choose to use signatures of canonical text documents will not be able
 to detect the addition of whitespace in transit.
 See [3], [4] for more information on the security considerations
 concerning the underlying protocols.

Elkins, et al. Standards Track [Page 8] RFC 3156 MIME Security with OpenPGP August 2001

9. IANA Considerations

 This document defines three media types: "application/pgp-encrypted",
 "application/pgp-signature" and "application/pgp-keys".  The
 following sections specify the IANA registrations for these types.

9.1. Registration of the application/pgp-encrypted media type

 MIME media type name: application
 MIME subtype name: pgp-encrypted
 Required parameters: none
 Optional parameters: none
 Encoding considerations:
    Currently this media type always consists of a single 7bit text
    string.
 Security considerations:
    See Section 8 and RFC 2440 Section 13.
 Interoperability considerations: none
 Published specification:
    This document.
 Additional information:
    Magic number(s): none
    File extension(s): none
    Macintosh File Type Code(s): none
 Person & email address to contact for further information:
    Michael Elkins
    Email: me@cs.hmc.edu
 Intended usage: common
 Author/Change controller:
    Michael Elkins
    Email: me@cs.hmc.edu

Elkins, et al. Standards Track [Page 9] RFC 3156 MIME Security with OpenPGP August 2001

9.2. Registration of the application/pgp-signature media type

 MIME media type name: application
 MIME subtype name: pgp-signature
 Required parameters: none
 Optional parameters: none
 Encoding considerations:
    The content of this media type always consists of 7bit text.
 Security considerations:
    See Section 8 and RFC 2440 Section 13.
 Interoperability considerations: none
 Published specification:
    RFC 2440 and this document.
 Additional information:
    Magic number(s): none
    File extension(s): asc, sig
    Macintosh File Type Code(s): pgDS
 Person & email address to contact for further information:
    Michael Elkins
    Email: me@cs.hmc.edu
 Intended usage: common
 Author/Change controller:
    Michael Elkins
    Email: me@cs.hmc.edu

9.3. Registration of the application/pgp-keys media type

 MIME media type name: application
 MIME subtype name: pgp-keys
 Required parameters: none
 Optional parameters: none

Elkins, et al. Standards Track [Page 10] RFC 3156 MIME Security with OpenPGP August 2001

 Encoding considerations:
    The content of this media type always consists of 7bit text.
 Security considerations:
    See Section 8 and RFC 2440 Section 13.
 Interoperability considerations: none
 Published specification:
    RFC 2440 and this document.
 Additional information:
    Magic number(s): none
    File extension(s): asc
    Macintosh File Type Code(s): none
 Person & email address to contact for further information:
    Michael Elkins
    Email: me@cs.hmc.edu
 Intended usage: common
 Author/Change controller:
    Michael Elkins
    Email: me@cs.hmc.edu

Elkins, et al. Standards Track [Page 11] RFC 3156 MIME Security with OpenPGP August 2001

10. Notes

 "PGP" and "Pretty Good Privacy" are registered trademarks of Network
 Associates, Inc.

11. Acknowledgements

 This document relies on the work of the IETF's OpenPGP Working
 Group's definitions of the OpenPGP Message Format.  The OpenPGP
 message format is currently described in RFC 2440 [1].
 Special thanks are due: to Philip Zimmermann for his original and
 ongoing work on PGP; to Charles Breed, Jon Callas and Dave Del Torto
 for originally proposing the formation of the OpenPGP Working Group;
 and to Steve Schoenfeld for helpful feedback during the draft
 process.  The authors would also like to thank the engineers at
 Pretty Good Privacy, Inc (now Network Associates, Inc), including
 Colin Plumb, Hal Finney, Jon Callas, Mark Elrod, Mark Weaver and
 Lloyd Chambers, for their technical commentary.
 Additional thanks are due to Jeff Schiller and Derek Atkins for their
 continuing support of strong cryptography and PGP freeware at MIT; to
 Rodney Thayer of Sable Technology; to John Noerenberg, Steve Dorner
 and Laurence Lundblade of the Eudora team at QUALCOMM, Inc; to Bodo
 Moeller for proposing the approach followed with respect to trailing
 whitespace; to John Gilmore, Hugh Daniel and Fred Ringel (at
 Rivertown) and Ian Bell (at Turnpike) for their timely critical
 commentary; and to the international members of the IETF's OpenPGP
 mailing list, including William Geiger, Lutz Donnerhacke and Kazu
 Yamamoto.  The idea to use multipart/mixed with multipart/signed has
 been attributed to James Galvin.  Finally, our gratitude is due to
 the many members of the "Cypherpunks," "Coderpunks" and "pgp-users"
 <http://cryptorights.org/pgp-users> mailing lists and the many users
 of PGP worldwide for helping keep the path to privacy open.

Elkins, et al. Standards Track [Page 12] RFC 3156 MIME Security with OpenPGP August 2001

12. Addresses of the Authors and OpenPGP Working Group Chair

 The OpenPGP working group can be contacted via the current chair:
 John W. Noerenberg II
 Qualcomm, Inc.
 5775 Morehouse Dr.
 San Diego, CA 92121 USA
 Phone: +1 619 658 3510
 EMail: jwn2@qualcomm.com
 The principal authors of this document are:
 Dave Del Torto
 CryptoRights Foundation
 80 Alviso Street, Mailstop: CRF
 San Francisco, CA 94127 USA
 Phone: +1.415.334.5533, vm: #2
 EMail: ddt@cryptorights.org, ddt@openpgp.net
 Michael Elkins
 Network Associates, Inc.
 3415 S. Sepulveda Blvd Suite 700
 Los Angeles, CA 90034 USA
 Phone: +1.310.737.1663
 Fax:   +1.310.737.1755
 Email: me@cs.hmc.edu, Michael_Elkins@NAI.com
 Raph Levien
 University of California at Berkeley
 579 Soda Hall
 Berkeley, CA 94720 USA
 Phone: +1.510.642.6509
 EMail: raph@acm.org
 Thomas Roessler
 Nordstrasse 99
 D-53111 Bonn, Germany
 Phone: +49-228-638007
 EMail: roessler@does-not-exist.org

Elkins, et al. Standards Track [Page 13] RFC 3156 MIME Security with OpenPGP August 2001

References

 [1]   Callas, J., Donnerhacke, L., Finney, H. and R. Thayer, "OpenPGP
       Message Format", RFC 2440, November 1998.
 [2]   Galvin, J., Murphy, G., Crocker, S. and N. Freed, "Security
       Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
       RFC 1847, October 1995.
 [3]   Freed, N. and N. Borenstein, "Multipurpose Internet Mail
       Extensions (MIME) Part Two: Media Types", RFC 2046, November
       1996.
 [4]   Galvin, J., Murphy, G., Crocker, S. and N. Freed, "MIME Object
       Security Services", RFC 1848, October 1995.
 [5]   Atkins, D., Stallings, W. and P. Zimmermann, "PGP Message
       Exchange Formats", RFC 1991, August 1996.
 [6]   Elkins, M., "MIME Security with Pretty Good Privacy (PGP)", RFC
       2015, October 1996.
 [7]   Freed, N., "Gateways and MIME Security Multiparts", RFC 2480,
       January 1999.

Elkins, et al. Standards Track [Page 14] RFC 3156 MIME Security with OpenPGP August 2001

Full Copyright Statement

 Copyright (C) The Internet Society (2001).  All Rights Reserved.
 This document and translations of it may be copied and furnished to
 others, and derivative works that comment on or otherwise explain it
 or assist in its implementation may be prepared, copied, published
 and distributed, in whole or in part, without restriction of any
 kind, provided that the above copyright notice and this paragraph are
 included on all such copies and derivative works.  However, this
 document itself may not be modified in any way, such as by removing
 the copyright notice or references to the Internet Society or other
 Internet organizations, except as needed for the purpose of
 developing Internet standards in which case the procedures for
 copyrights defined in the Internet Standards process must be
 followed, or as required to translate it into languages other than
 English.
 The limited permissions granted above are perpetual and will not be
 revoked by the Internet Society or its successors or assigns.
 This document and the information contained herein is provided on an
 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Elkins, et al. Standards Track [Page 15]

/data/webs/external/dokuwiki/data/pages/rfc/rfc3156.txt · Last modified: 2001/08/10 19:45 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki