Internet-Drafts | 4 Jun 13:57 2003

I-D ACTION:draft-ietf-ediint-as2-13.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Electronic Data Interchange-Internet Integration Working Group of the IETF.

	Title		: MIME-based Secure Peer-to-Peer Business Data 
                          Interchange over the Internet Using HTTP AS2
	Author(s)	: D. Moberg, R. Drummond
	Filename	: draft-ietf-ediint-as2-13.txt
	Pages		: 28
	Date		: 2003-6-3
	
This document describes how to exchange structured business
data securely using HTTP transfer for XML, Binary,
Electronic Data Interchange, (EDI - either the American
Standards Committee X12 or UN/EDIFACT,  Electronic Data
Interchange for Administration, Commerce and Transport) or
other data describable in MIME used for business to business
data interchange. The data is packaged using standard MIME
content-types. Authentication and privacy are obtained by
using Cryptographic Message Syntax (S/MIME) security body
parts. Authenticated acknowledgements make use of
multipart/signed replies to the original HTTP message.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ediint-as2-13.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,

lstoeckle | 5 Jun 15:58 2003

AS2-SMIME : has the certificate to be included inside the signature?

Hello,

I am new on this list - and I need your help.

AS2: when sending a signed message (the original message which can also be signed, or a signed MDN), has the signer's certificate to be included inside of the signature MIME part?

Is it mandatory or should AS2 compliant products accept both? (signed messages containing the cert, or not containing it, in which case they would try to find a certificate on the local key store etc.)

Regards,

-----------------------------------------
Ludan STOECKLE
DSI Groupe Casino - Etudes

04 77 45 48 01

lstoeckle <at> groupe-casino.fr
-----------------------------------------
Jess Sightler | 5 Jun 15:36 2003

Re: AS2-SMIME : has the certificate to be included inside the signature?


I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert.  I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

-- 
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

Rishel,Wes | 5 Jun 16:23 2003

RE: AS2-SMIME : has the certificate to be included inside the signature?


What is the benefit of sending the cert with the message? If you truly want to authenticate the originator
you have to acquire the cert by independent, trusted means, don't you?


Jess Sightler | 5 Jun 16:54 2003

RE: AS2-SMIME : has the certificate to be included inside the signature?


I was primarily thinking to do so, because it seems like it is standard
convention with S/MIME to do that when used for email.

Anyway, as a side thought, of course, one certificate has to be acquired
through an independent, trusted means.  However, that certificate does
not necessarily have to be the certificate used for signing the message.

I.e., couldn't the trusted Cert be a signing authority, and the message
itself come with a separate Cert signed by that authority?

Thanks,
Jess


Dale Moberg | 5 Jun 17:29 2003

RE: AS2-SMIME : has the certificate to be included inside the signature?

PKCS7/CMS always has the issuer serial number to identify and retrieve a certificate (from a local store or whatever) so that it is not essential to include a certificate or certificate chain.

While it is normal to check or verify signer certificate validity with respect to a site's trusted roots no matter how a certificate is retrieved (so including or not including a certificate is not a security gap), two considerations point to opposite conclusions on including the certificate/certificate chain. First, saving bandwidth favors omitting the certificate and chain. Second, having the certificates in the message may for some implementations speed up some message processing operations.

An application should be able to deal with either case.

RFC 2633 is the operative RFC that is cited in AS2 and should also be consulted. See for example section 3.7 which says:

   A sending agent that signs messages MUST have a certificate for the
   signature so that a receiving agent can verify the signature. There
   are many ways of getting certificates, such as through an exchange
   with a certificate authority, through a hardware token or diskette,
   and so on.

   S/MIME v2 [SMIMEV2] specified a method for "registering" public keys
   with certificate authorities using an application/pkcs10 body part.
   The IETF's PKIX Working Group is preparing another method for
   requesting certificates; however, that work was not finished at the
   time of this memo. S/MIME v3 does not specify how to request a
   certificate, but instead mandates that every sending agent already
   has a certificate. Standardization of certificate management is being
   pursued separately in the IETF.

And between 1999, when that was published, and now, the situation remains about the same on PKI setup, alignment, and maintenance.

So, if you are an implementer, do not depend on receiving a cert chain in the message whose signature you will be checking. As far as sending certificates, implementers might be well advised to be able to configure their software to either include or omit. The choice of a default behavior is not specified in AS2. But the motto "Be conservative in what you send, liberal in what you can receive" probably favors including the cert chain, and then allowing an optimization to omit for bandwidth conservation where it is not necessary.

Paul V Ford-Hutchinson | 5 Jun 18:02 2003

RE: AS2-SMIME : has the certificate to be included inside the signature?


No, that's one of the main points of X.509 certificates.

[Unless you are discussing self-signed certificates (the X.509 equivalent of "trust me, because I say so - signed me")]

so .....

Is there a published way for an AS-2 implementation to map the "AS2-From" field to an X.509 DN ?
Or does AS2 assume that there is always some OOB mechanism for establishing identity (AS2-To/From) to certificate mappings ?

If the former - who needs to bloat messages with certificates?
If the latter - why ?

Paul
--
Paul Ford-Hutchinson :  eCommerce application security : paulfordh <at> uk.ibm.com
MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL +44 (0)1926 462005
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html



"Rishel,Wes" <Wes.Rishel <at> gartner.com>
Sent by: owner-ietf-ediint <at> mail.imc.org
05/06/2003 15:23
To: "Jess Sightler" <jsightler <at> eximtechnologies.com>, <lstoeckle <at> groupe-casino.fr>
cc: <ietf-ediint <at> above.proper.com>
Subject: RE: AS2-SMIME : has the certificate to be included inside the signature?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?


Dale Moberg | 5 Jun 18:29 2003

RE: AS2-SMIME : has the certificate to be included inside the signature?

Response or two in line.
-----Original Message-----
From: Paul V Ford-Hutchinson [mailto:paulfordh <at> uk.ibm.com]
Sent: Thursday, June 05, 2003 9:02 AM
To: Rishel,Wes
Cc: ietf-ediint <at> above.proper.com
Subject: RE: AS2-SMIME : has the certificate to be included inside the signature?


> No, that's one of the main points of X.509 certificates.
>
> [Unless you are discussing self-signed certificates (the X.509 equivalent of "trust me, because I say so - signed me")]
>
> so .....
>
> Is there a published way for an AS-2 implementation to map the "AS2-From" field to an X.509 DN ?

Not in IETF spec. Maybe someone has profiled AS2 for some community/vertical but I have not heard of one.

> Or does AS2 assume that there is always some OOB mechanism for establishing identity (AS2-To/From) to certificate mappings ?

SMIME/CMS/PKCS7 has in its SignerInfo structure fields that allow determination of the relevant signature used in producing the signature. So the value for the AS2-From field is not involved in finding the certificate. Actually, the AS2-From value should not be considered a highly trusted piece of information-- no signature over it. Generally spoofing would be a lot harder if you use SSL though.

> If the former - who needs to bloat messages with certificates?

AS2 follows the CMS/PKCS7 approach on identifying the certificate used in signing. So you are right, cert chain can be omitted.

> If the latter - why ?

Not applicable. If there were a mapping, then people might wonder what to do if the AS2-from value did not match up with the X.509 DN. Should we discard the whole thing?

We avoid this. What we have now is that the signed info is what counts only. So trust that the payload is OK if you accept the signature as one that checks out with respect to a certificate that chains up to one of your trust anchors (which will be itself if using self-signed certs.)

Dale


lstoeckle | 5 Jun 17:57 2003

RE : AS2-SMIME : has the certificate to be included inside the signature?

The administration work could be reduced if all the certificates exchanges were dynamic; still the partner cert is always required to encrypt messages...

I agree with you. If you use the cert included in the message (assuming it is valid CA certified etc.) you can make clear that someone has signed the message and that it hasn't changed since, but how can you be sure of who is the signer?

I mean, there must be an identity check somewhere else?
If you use the good certificate that you trust to check the signature you can authenticate at the same time, can't you?


-----Original Message-----
From: Rishel,Wes [mailto:Wes.Rishel <at> gartner.com]
Sent: Thursday, June 5, 2003 15:24
To: Jess Sightler; lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: RE: AS2-SMIME : has the certificate to be included inside the signature?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?



lstoeckle | 5 Jun 17:27 2003

RE : AS2-SMIME : has the certificate to be included inside the signature?

Thanks for your answer.

In fact I have interoperability issues between OpenAS2 and a commercial AS2-certified product (I will not say which one).

I'm pretty sure OpenAS2 doesn't send the certificate inside the signature when it sends a message (the signature part is too short to contain the certificate). But this produces a signature checking error on the commercial product, and I do believe it's due to the lack of certificate: this commercial product uses OpenSSL, and in the log the command line calls are visible; and with this command line OpenSSL is not able to check the signature even if it is available on the computer.

I'd really like to know what's inside the spec about this.


Thanks,
Ludan Stoecklé.


-----Original Message-----
From: Jess Sightler [mailto:jsightler <at> eximtechnologies.com]
Sent: Thursday, June 5, 2003 14:36
To: lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: Re: AS2-SMIME : has the certificate to be included inside the signature?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert.  I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess




