VeriSign CLASS 1 BETA S/MIME Auto-Responder Interface Specification

Please send any questions or comments to: alex@verisign.com

------------------------------------------------------------------

Overview

The S/MIME Class 1 Certificate Auto-Responder provides a mechanism for users of S/MIME user agents to obtain certificates via the VeriSign Class 1 Unaffiliated CA (UCA). This document describes the format of the enrollment messages required to request a certificate from this CA.

Assurance

VeriSign does not authenticate applicants for Class 1 certificates. Rather, it undertakes a simple check of the uniqueness of the submitted subject DN within the Class 1 repository. These certificates provide the lowest level of assurance of all VeriSign certificates. They are to be used primarily for casual and preliminary Web browser and E-mail exploration and experimentation.

Class 1 S/MIME Unaffiliated CA (UCA) Enrollment Requests

The S/MIME access method shall support a MIME application/x-pkcs10 message delivered over any message transport channel to a set of mailboxes:

    smime-cert-request@services.verisign.com
    smime-cert-request-admin@services.verisign.com

subject to the following restrictions:

  * The definition of application/x-pkcs10 requires that the enrollment request message convey a PKCS#10 defined CertificationRequest value. The S/MIME specification specifies the detailed procedures which a conformant S/MIME user agent must follow when generating a conformant application/x-pkcs10 message.

  * The application/x-pkcs10 body must be encoded using base64, and a Content-Transfer-Encoding of base64 shall be specified. The body part shall conform to the MIME body part syntax, though it shall contain no field other than Content-Type and Content-Transfer-Encoding.

  * The S/MIME UA shall create a value for the E-mail address (e-mailAddress) attribute of the user to be enrolled using local means.
    In many cases, this value will be obtained from configuration options of the implementation. This attribute should be used to form a single relative distinguished name. This RDN forms the "subject" distinguished name field of the CertificationRequestInfo. Multiple attribute values for e-mailAddress attributes are not allowed.

  * The S/MIME auto-responder will verify that the e-mail address specified in the DN field of the CertificationRequestInfo matches the e-mail address used to submit the certificate request. The value from the RFC822 "Reply-To:" field will be used to obtain this value. If the "Reply-To:" field does not exist, the value from the "From:" field will be used. The S/MIME auto-responder will reject enrollment requests which do not meet this requirement.

  * The S/MIME UA shall enable the user to specify a value for a Challenge-password (challengePassword) attribute during the process of enrollment request preparation. The Challenge-password attribute shall be added to the set of attributes forming the value of the "attributes" field of the PKCS#10 CertificationRequestInfo value. The challenge password value shall be of type PrintableString.

  * The S/MIME UA may enable the product to automatically specify a value for an Unstructured Name (unstructuredName) attribute during the process of enrollment request preparation. The Unstructured Name attribute will be added to the set of attributes forming the value of the "attributes" field of the PKCS#10 CertificationRequestInfo value. The value of the name is a free-form vendor-specific value which names the vendor's product by trademark and version identifier. Details of the format of this attribute will be published shortly.

  * The UCA S/MIME access method may reject enrollment requests which communicate additional information attributes other than those listed in this note.

  * See Appendix A for an example of an S/MIME request.
S/MIME PKCS #10 Request Attributes

  Attribute           Description          Type
  ChallengePassword   (Required) PKCS #9   PrintableString or T61String
  UnstructuredName    (Optional) PKCS #9   IA5String

Required Subject Name Attributes

  Attribute           Description          Type
  e-mailAddress       PKCS #9              IA5String

UCA S/MIME Response

Upon receiving an S/MIME enrollment request, an immediate S/MIME message shall be returned, signed by the CA administrator. This message shall acknowledge the enrollment. In so doing, the certificate of the CA administrator shall be conveyed to the user for subsequent use in the case of sending an incident report to the CA.

Having successfully completed the enrollment request processing, an application/x-pkcs7 PKCS #7 certs-only message shall be sent to the user conveying the newly issued user certificate. See Appendix B for an example. The S/MIME UA shall import this certificate into the locally defined key management system for the user, and validate that the keying material in the certificate corresponds to the private keying material used to sign the enrollment request message.

Subject Name

Certificates issued by the UCA whose enrollment requests arrive through the S/MIME access method shall have a subject name constructed by the responder from fixed and supplied subject naming parameters. The auto-responder shall ensure that the first, fixed-value RDN of the subject name is an attribute of type Locality with a value of "Internet". It will also ensure that the second RDN is a copy of the single RDN supplied in the CertificationRequestInfo subject field. This second RDN shall contain only a single AVA, and the assertion must propose a value for an e-mailAddress attribute. The UCA operating policy may interpret the e-mailAddress attribute to enforce additional properties, and may reject a request when those properties are found to be absent.
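What a responder implementing the enrollment rules above actually has to inspect, as an added example that is not VeriSign's code: a standard-library Python parser for the PKCS#10 request (a minimal DER walker in place of an ASN.1 library) fed with the request from Appendix A of this document, followed by a check routine that applies the subject-name, Reply-To/From and attribute rules from the text. The function names, the lower-casing in the address canonicalization, and the handling of an incompletely encoded OID are this example's choices, not anything the specification states.

```python
"""Parse a Class 1 S/MIME enrollment request (application/x-pkcs10 body) and apply
the auto-responder acceptance rules from this specification.

Added example, not VeriSign code; standard library only. A small DER walker stands in
for an ASN.1 library, and the request from Appendix A is the sample input.
"""
import base64
import re

OID_NAMES = {                                   # identifiers seen in Class 1 requests
    "2.5.4.3": "commonName",
    "1.2.840.113549.1.9.1": "e-mailAddress",
    "1.2.840.113549.1.9.2": "unstructuredName",
    "1.2.840.113549.1.9.7": "challengePassword",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

# Body of the Appendix A message in this specification, copied verbatim.
APPENDIX_A_REQUEST = """
MIIBMTCB3AIBADA9MQwwCgYDVQQDEwNSYXkxLTArBgkqhkiG9w0BCQEWHnN0cmF0d
G9uQHNlcnZpY2VzLnZlcmlzaWduLmNvbTBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQA
7LvHEIAiQ5+4gDYvJGnGAqUM5GXyG11diEXmIEZTHUZhorooX5sr8IIjSXiPY59YY
UFSvAaharFM1xaBN8zNECAwEAAaA7MBcGCSqGSIb3DQEJBzEKEwhwYXNzd29yZDAg
BgIqhjEaFhhGcm9udGllclRlY2hub2xvZ2llc0NvcnAwDQYJKoZIhvcNAQECBQADQ
QAJetbuOVfUg8t+mq7Dy6CjL1Q2eN45hAY4Sk7p8xq6fcDo52eaYyWuJDpEfb6Hkk
nAg/99QQxiGwazD+lV94KR
"""
APPENDIX_A_HEADERS = {"From": "example@verisign.com", "Reply-To": "example@verisign.com"}


def der_tlv(buf, pos=0):
    """Return (tag, contents, next position) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed element into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_tlv(contents, pos)
        out.append((tag, val))
    return out


def oid_name(raw):
    """Decode OID contents octets to a name or dotted form; an unterminated last arc
    (continuation bit set on the final octet) is reported as malformed, not raised."""
    if not raw or raw[-1] & 0x80:
        return "malformed(" + raw.hex() + ")"
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # clear high bit ends the arc
            arcs.extend(divmod(acc, 40) if not arcs else (acc,))
            acc = 0
    oid = ".".join(map(str, arcs))
    return OID_NAMES.get(oid, oid)


def parse_name(contents):
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AVA -> [[(attribute, value), ...], ...]."""
    rdns = []
    for _t, rdn in der_children(contents):
        avas = [der_children(ava) for _t2, ava in der_children(rdn)]
        rdns.append([(oid_name(oid), val.decode("ascii")) for (_, oid), (_, val) in avas])
    return rdns


def parse_pkcs10(b64_text):
    """Decode a CertificationRequest into the fields the responder inspects."""
    _tag, request, _end = der_tlv(base64.b64decode("".join(b64_text.split())))
    (_, info), (_, sig_alg), _signature = der_children(request)
    (_, version), (_, subject), _spki, (_, attrs) = der_children(info)
    attributes = {}
    for _t, attr in der_children(attrs):        # Attribute ::= SEQUENCE { type, SET OF value }
        (_, oid_raw), (_, values) = der_children(attr)
        attributes[oid_name(oid_raw)] = [v.decode("ascii") for _t2, v in der_children(values)]
    return {"version": int.from_bytes(version, "big"), "subject": parse_name(subject),
            "attributes": attributes, "signatureAlgorithm": oid_name(der_children(sig_alg)[0][1])}


ADDR_SPEC = re.compile(r"<([^>]+)>|([^\s\"()<>]+@[^\s\"()<>]+)")


def canonical_address(mailbox):
    """Bare addr-spec of an RFC822 mailbox; lower-casing is this example's assumption."""
    m = ADDR_SPEC.search(mailbox)
    return (m.group(1) or m.group(2)).strip().lower() if m else None


def responder_check(parsed, headers):
    """Reasons the auto-responder rejects the request; an empty list means acceptable."""
    problems, subject = [], parsed["subject"]
    if not (len(subject) == 1 == len(subject[0]) and subject[0][0][0] == "e-mailAddress"):
        problems.append("subject must be a single RDN holding a single e-mailAddress AVA")
    emails = [v for rdn in subject for a, v in rdn if a == "e-mailAddress"]
    sender = canonical_address(headers.get("Reply-To") or headers.get("From", ""))
    if len(emails) != 1 or canonical_address(emails[0]) != sender:
        problems.append("e-mailAddress in the subject does not match Reply-To/From")
    if "challengePassword" not in parsed["attributes"]:
        problems.append("challengePassword attribute is required")
    extra = sorted(set(parsed["attributes"]) - {"challengePassword", "unstructuredName"})
    if extra:
        problems.append("attributes other than those listed: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    parsed = parse_pkcs10(APPENDIX_A_REQUEST)
    print(parsed)
    print(responder_check(parsed, APPENDIX_A_HEADERS))
```

Run on the Appendix A request, the parser returns a two-RDN subject (commonName "Ray", then e-mailAddress stratton@services.verisign.com), a challengePassword of "password", a second attribute whose type is encoded as the two octets 2a 86 (the last octet still has its continuation bit set, so it is not a complete OID and is reported as malformed rather than mapped to unstructuredName, with the IA5String value "FrontierTechnologiesCorp"), and a signature algorithm of md2WithRSAEncryption. Measured against the rules in the text, the check routine therefore reports three rejection reasons for that sample: the subject is not a single e-mailAddress RDN, the address does not match the message's Reply-To, and an attribute outside the listed set is present. A responder in production would additionally verify the request's self-signature against the enclosed public key, which this walker does not attempt.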
Subject Name Uniqueness

The Class 1 policy of the S/MIME UCA will base uniqueness upon the "pure" internet e-mail address contained in the e-mailAddress attribute of the subject name. For example, the following valid RFC822 email addresses:

    alex@verisign.com
    "Alex Deacon" <alex@verisign.com>
    Alex Deacon <alex@verisign.com>
    alex@verisign.com (Alex Deacon)

will be canonicalized to alex@verisign.com and considered the same by the S/MIME UCA. This value shall not be present in any previously issued and unrevoked certificate of the UCA.

Validity Period

The date of issuance of the returned certificate shall be determined by the time of signing plus a random positive offset of less than 1 day. The date of expiry shall initially be 30 days from this date. The RFC 1422 recommended rules of date encoding are explicitly required.

Serial Numbers

Each certificate issued by the UCA shall specify a serial number which is an element of a unique and secret permutation of the integers from 0 to 100,000,000. As each certificate is issued, the next number in the permuted series shall be used. A block cipher shall be used to compute the permutation.

Version Number

Certificates issued by the UCA whose enrollment requests arrive through the VEF S/MIME access method shall have version number "v1988 (0)". S/MIME UAs must conform to Technical Corrigendum 2 of Recommendation X.509 (1990 & 1993) in their handling of version numbers other than v1988(0), or else behave as v3-minimal S/MIME UAs.

Signature Algorithm

The returned certificate will be signed using the md5WithRSAEncryption signature algorithm.

Issuer Information

For the testing and interoperability period from approximately January 1996 to late March 1996, all S/MIME certificates will be issued under the following root and issuer certificate. Developers wishing to obtain the public key and name for this root can access that information at URL TBD. VeriSign has recently generated its production Class 1-4 roots and has made information concerning them available at URL TBD.
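A worked version of the Serial Numbers rule above, added here and not VeriSign's code. The text requires a secret permutation of the integers 0 to 100,000,000 computed with a block cipher but names none, so this example substitutes a keyed Feistel network with HMAC-SHA256 as the round function (a standard way to build a pseudorandom permutation from a PRF) over a 28-bit block, and uses cycle walking to keep every output inside the required range. The key, the round count, the 14-bit halves and the reading of the range as inclusive are this example's assumptions.

```python
"""Serial numbers as the i-th element of a secret permutation of 0..100,000,000.

Added example, not VeriSign code. The specification calls for a block cipher but
names none; here a keyed Feistel network with HMAC-SHA256 as the round function
supplies the pseudorandom permutation (standard library only), and cycle walking
restricts it from the 28-bit block to the serial-number range.
"""
import hashlib
import hmac

SERIAL_RANGE = 100_000_001        # 0 .. 100,000,000 inclusive, read literally from the text
HALF_BITS = 14                    # two 14-bit halves: 2**28 = 268,435,456 covers the range
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4                        # four Feistel rounds give a strong pseudorandom permutation

# Constructed key for the example; a CA would guard this like a signing key.
EXAMPLE_KEY = b"constructed example key, not a real CA secret"


def round_function(key, round_no, half):
    """Keyed PRF on one 14-bit half: HMAC-SHA256 over (round number, half), truncated."""
    mac = hmac.new(key, bytes([round_no]) + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") & HALF_MASK


def feistel_encrypt(key, block):
    """Permutation on [0, 2**28): (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for r in range(ROUNDS):
        left, right = right, left ^ round_function(key, r, right)
    return (left << HALF_BITS) | right


def feistel_decrypt(key, block):
    """Inverse of feistel_encrypt: undo the rounds in reverse order."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for r in reversed(range(ROUNDS)):
        left, right = right ^ round_function(key, r, left), left
    return (left << HALF_BITS) | right


def serial_for_index(key, index):
    """Serial number of the index-th certificate issued (index counts from 0)."""
    if not 0 <= index < SERIAL_RANGE:
        raise ValueError("index outside the serial-number range")
    x = feistel_encrypt(key, index)
    while x >= SERIAL_RANGE:          # cycle walking: re-encrypt until inside the range
        x = feistel_encrypt(key, x)
    return x


def index_for_serial(key, serial):
    """Inverse map, available only to the holder of the key."""
    if not 0 <= serial < SERIAL_RANGE:
        raise ValueError("serial outside the serial-number range")
    x = feistel_decrypt(key, serial)
    while x >= SERIAL_RANGE:          # walk back over the same out-of-range points
        x = feistel_decrypt(key, x)
    return x


class SerialIssuer:
    """Hands out 'the next number in the permuted series' for each certificate issued."""

    def __init__(self, key, issued_so_far=0):
        self.key, self.count = key, issued_so_far

    def next_serial(self):
        serial = serial_for_index(self.key, self.count)
        self.count += 1
        return serial


if __name__ == "__main__":
    issuer = SerialIssuer(EXAMPLE_KEY)
    for i in range(5):
        s = issuer.next_serial()
        print(f"certificate {i}: serial {s:>9}  (index recovered: {index_for_serial(EXAMPLE_KEY, s)})")
```

Because the map is a keyed bijection, the i-th certificate receives the i-th element of the permutation, consecutive certificates receive unrelated serial numbers, and the CA can still recover the issuance index from any serial with the key. Without the key, a serial number reveals nothing about how many certificates have been issued or what the next one will be, which is what the rule buys over a plain counter. Cycle walking terminates because every cycle of a permutation is finite, and it never leaves the permutation, so distinct indices always map to distinct serials.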
It is suggested that developers of S/MIME enabled products hard code both roots into the product.

Beta Class 1 Root Distinguished Name:

    c=US
    o=VeriSign, Inc.
    ou=Class 1 Assurance Level

Beta Class 1 S/MIME Issuer Distinguished Name:

    l=Internet
    o=VeriSign, Inc.
    ou=Class 1 Assurance Level
    ou=Public Policy Authority
    e-mailAddress=class1-incident@verisign.com

Appendix A: Example S/MIME Certificate Request

To: smime-cert-request@services.verisign.com
From: example@verisign.com
Reply-To: example@verisign.com
Organization: VeriSign, Inc.
Subject: Cert Request
Mime-Version: 1.0
Content-Type: application/x-pkcs10
Content-Transfer-Encoding: base64
content-length: 421

MIIBMTCB3AIBADA9MQwwCgYDVQQDEwNSYXkxLTArBgkqhkiG9w0BCQEWHnN0cmF0d
G9uQHNlcnZpY2VzLnZlcmlzaWduLmNvbTBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQA
7LvHEIAiQ5+4gDYvJGnGAqUM5GXyG11diEXmIEZTHUZhorooX5sr8IIjSXiPY59YY
UFSvAaharFM1xaBN8zNECAwEAAaA7MBcGCSqGSIb3DQEJBzEKEwhwYXNzd29yZDAg
BgIqhjEaFhhGcm9udGllclRlY2hub2xvZ2llc0NvcnAwDQYJKoZIhvcNAQECBQADQ
QAJetbuOVfUg8t+mq7Dy6CjL1Q2eN45hAY4Sk7p8xq6fcDo52eaYyWuJDpEfb6Hkk
nAg/99QQxiGwazD+lV94KR

Appendix B: Example Successful S/MIME UCA Response

Return-Path: smime-cert-request-administrator@services.verisign.com
From: smime-cert-request-administrator@services.verisign.com
Received: by services. (SMI-8.6/SMI-SVR4) id RAA07622; Mon, 19 Feb 1996 17:50:38 -0800
Date: Mon, 19 Feb 1996 17:50:38 -0800
Message-Id: <199602200150.RAA07622@services.>
To: example@verisign.com
Subject: Your S/MIME Certificate
Mime-Version: 1.0
Content-Type: application/x-pkcs7-mime
Content-Transfer-Encoding: base64
Content-Length: 1991

MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIICFDCCAX0C
EEfNCcoaI91MLQhuYI8qBuIwDQYJKoZIhvcNAQEEBQAwgZ0xETAPBgNVBAcTCElu
dGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEgMB4GA1UECxMXQ2xhc3Mg
MSBBc3N1cmFuY2UgTGV2ZWwxIDAeBgNVBAsTF1B1YmxpYyBQb2xpY3kgQXV0aG9y
aXR5MSswKQYJKoZIhvcNAQkBFhxjbGFzczEtaW5jaWRlbnRAdmVyaXNpZ24uY29t
MB4XDTk2MDIyMDAxNTAzMFoXDTk2MDMyMTAxNTAzMFowPTEMMAoGA1UEAxMDUmF5
MS0wKwYJKoZIhvcNAQkBFh5zdHJhdHRvbkBzZXJ2aWNlcy52ZXJpc2lnbi5jb20w
WzANBgkqhkiG9w0BAQEFAANKADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDORl8htdXY
hF5iBGUx1GYaK6KF+bK/CCI0l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMBAAEwDQYJ
KoZIhvcNAQEEBQADgYEAEftb+Ru/BHpxiBHRmyFM1tl9zmXrm23ci5fu+RjlsfDi
auHQXNKsFnO9uwP0ShDOrDm+NvWd5GH98Xrg46lmHI3WVjNwxlYo7o/MiUQbyj27
zGRJ3jpmdkntdo+FAUbA+cNXKHpZbeNgRUg/F2fCByH8y5RcTcTba0RBN4lhFg8w
ggJZMIIBwgIFAnIAAAEwDQYJKoZIhvcNAQECBQAwSDELMAkGA1UEBhMCVVMxFzAV
BgNVBAoTDlZlcmlTaWduLCBJbmMuMSAwHgYDVQQLExdDbGFzcyAxIEFzc3VyYW5j
ZSBMZXZlbDAeFw05NTEyMDcwMDAwMDBaFw05OTEyMzEyMzU5NTlaMIGdMREwDwYD
VQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xIDAeBgNVBAsT
F0NsYXNzIDEgQXNzdXJhbmNlIExldmVsMSAwHgYDVQQLExdQdWJsaWMgUG9saWN5
IEF1dGhvcml0eTErMCkGCSqGSIb3DQEJARYcY2xhc3MxLWluY2lkZW50QHZlcmlz
aWduLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4Hh64F75L1QdbUeO
zhyHZPq8S9awIuC0eESnefaJJKzqRXWM8GwFFgO4waYaUg+8UrAVMYjo6eWGIUQy
+cxMQAr3YiBAycT6sFL5pJjV2ACymhmFryVrMQC7ZNAaX/NstLsUplK7HR4q0hqW
hZXh9w9gIhLGDAoUO5KQVtb7OS0CAwEAATANBgkqhkiG9w0BAQIFAAOBgQCkTgau
8JOGJ8dQ1yLbeBMAuv3OkXJ1NkbaROv7sbILWBbWj6ElKrZf95I6L1lBRA0Xvgwb
ugHt1Zt8d5JJRfW/Q6vfiFCLqw06rcd9G2E3Lg3Xzbt1fHM/fwhTXlAB2/kQK3pr
rN7P5rIA77sqPTcs5EllJT47KqJUT7NUvf8guAAAoYAwggEMMHcwDQYJKoZIhvcN
AQECBQAwSDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMSAw
HgYDVQQLExdDbGFzcyAxIEFzc3VyYW5jZSBMZXZlbBcNOTUxMjA3MDEwNTEwWhcN
OTYwNDAxMDEwNDI4WjANBgkqhkiG9w0BAQIFAAOBgQAwAT1ysrfJUGJ2SziC4Lk/
TIEBdpgp70aQaJ49/DyFbHAUT/+dVaCXgcHYtDho6qQsI538UL5FZegU/0gsPT14
tpzfeJSDSUU5fLSf/gXlNTx/7k4rr/g9aLhD0QO5wQ+uo/cRv48vKyClpujDcyS/
8CNP61a5N5jCOvWOTQvYkwAAMYAAAAAAAAAAAA==

[Copyright © 1996]
Last modified: 2/19/96 by alex@verisign.com