The IESG has approved the following document: - 'Cryptographic Messages Syntax (CMS) Algorithm Identifier Protection Attribute' (draft-schaad-smime-algorithm-attribute-05.txt) as a Proposed Standard This document has been reviewed in the IETF but is not the product of an IETF Working Group. The IESG contact person is Sean Turner. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-schaad-smime-algorithm-attribute/ Technical Summary An authenticated/signed attribute is defined to protect the algorithm definitions of the message body and the signature. Currently this information is not included in the signature computation and could theoretically be changed without the signature validator knowing. This provides an attack avenue on CMS signature and authentication operations that currently has no known successful attacks. The new attribute is prophylactic. Working Group Summary There was a small amount of discussion on the working group list if this should be expanded to include the new authenticated encryption algorithms. It was decided that these should be treated separately by any interested community. The document was considered in the S/MIME working group, but there was no push for adoption as it was believed that the working group would be shutting down shortly. Document Quality The document has been implemented by the author and an example of using the attribute can be found in draft-schaad-smime-hash-experiment. There are no known plans for vendors to implement this, but I have received private email asking as to the status of the document. Personnel Jim Schaad (ietf@augustcellars.com) is the Document Shepherd. Sean Turner (turners@ieca.com) is the Responsible Area Director. _______________________________________________ IETF-Announce mailing list IETF-Announce@ietf.org https://www.ietf.org/mailman/listinfo/ietf-announce
