Internet Draft Editor: Terry Harding draft-ietf-ediint-compression-05.txt Cyclone Commerce Inc. August 2005 August 2005 Expires February 2006 Target Category: Informational Compressed Data for EDIINT Status of this memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than a "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract The intent of this document is to be placed on the RFC track as an Informational RFC. The EDIINT AS1 and AS2 message formats don't currently contain any transport neutral provisions for compressing data when utilizing S/MIME as the secure packaging standard. Compressing data before transmission provides a number of advantages including 1. reducing data redundancy, and so reducing opportunities for attacks exploiting redundancy, and 2. reducing the amount of data and so speeding up cryptographic processing such as signing, encryption, archiving, and 3. reducing the overall transmitted message size, reducing both time and bandwidth needed for transport. 1. Introduction This document describes an additional mime layer of compressed data utilizing a new ContentInfo type for S/MIME. This new compressed-data content type is defined in S/MIME 3.1, RFC RFC 3851. Further Harding [Page 1] INTERNET DRAFT Compressed Data For EDIINT February 2005 reference can be found in the reference section under [COMPRESSED-DATA]. The method of compression outlined in this document will support any type of business related media. Documents containing a large percentage of ASCII characters like xml, x12 or edifact will experience greater compression ratios than documents consisting largely of binary data. Ex: MSWord documents. The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.1 Compressed-Data Mime Wrapper The compressed-data cms object will encapsulate a mime wrapped business document. Implementors are to follow the appropriate specifications identified under "References" in [MIME-TYPES], for the type of object being transmitted. For example, to send an XML object, the MIME media type of application/xml is used in the Content-type MIME header and the specifications for enveloping the object are contained in [XMLTYPES]; for example: Content-type: application/xml; charset="utf-8" The mime wrapped object will be compressed and placed inside a CMS compressed-data object as outlined in [COMPRESSED-DATA]. The compressed data object will be mime wrapped according to details outlined in [S/MIME3.1], RFC 3851, Section 3.5. Working Example: Content-Type: application/pkcs7-mime; smime-type=compressed-data; name=smime.p7z Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7z MIAGCyqGSIb3DQEJEAEJoIAwgAIBADANBgsqhkiG9w0BCRADCDCABgkqhkiG9w0BBwGggCSABIIC Hnic7ZRdb9owFIbvK/k/5PqVYPFXGK12YYyboVFASSp1vQtZGiLRACZE49/XHoUW7S/0tXP8Efux fU5ivWnasml72XFb3gb5druui7ytN803M570nii7C5r8tfwR281hy/p/KSM3+jzH5s3+pbQ90xSb P3VT3QbLusnt8WPIuN5vN/vaA2+DulnXTXkXvNTr8j8ouZmkCmGI/UW+ZS/C8zP0bz2dz0zwLt+1 UEk2M8mlaxjRMByAhZTj0RGYg4TvogiRASROsZgjpVcJCb1KV6QzQeDJ1XkoQ5Jm+C5PbOHZZGRi v+ORAcshOGeCcdFJyfgFxdtCdEcmOrbinc/+BBMzRThEYpwl+jEBpciSGWQkI0TSlREmD/eOHb2D SGLuESm/iKUFt1y4XHBO2a5oq0IKJKWLS9kUZTA7vC5LSxYmgVL46SIWxIfWBQd6AdrnjLmH94UT vGxVibLqRCtIpp4g2qpdtqK1LiOeolpVK5wVQ5P7+QjZAlrh0cePYTx/gNZuB9Vhndtgujl9T/tg W9ogK+3rnmg3YWygnTuF5GDS+Q/jIVLnCcYZFc6Kk/+c80wKwZjwdZIqDYWRH68MuBQSXLgXYXj2 3CAaYOBNJMliTl0X7eV5DnoKIFSKYdj3cRpD/cK/JWTHJRe76MUXnfBW8m7Hd5zhQ4ri2NrVF/WL +kV1/3AGSlJ32bFPd2BsQD8uSzIx6lObkjdz95c0AAAAAAAAAAAAAAAA Note: Content-Transfer-Encoding would only be required if the mime wrapped CMS object was transferred via a 7-bit protocol like SMTP and it was visible in the outer layer of the mime message. If the compressed-data mime bodypart was place inside of an encrypted mime bodypart, content-transfer-encoding would not be required on the Harding [Page 2] INTERNET DRAFT Compressed Data For EDIINT February 2005 compressed-data mime bodypart, but would be required on the encrypted mime bodypart. 1.2 Structure of an EDI MIME message utilizing compression When compressing a document which will be signed, the application MAY compress the inner most MIME body before signing, see Section 1.2.2.1and 1.2.4.1 or MAY compress the outer multipart/signed mime body, see Section 1.2.2.2 and 1.2.4.2. but MUST not do both within the same document. The receiving application MUST support both methods of compression when unpackaging an inbound document. 1.2.1 No encryption, no signature -RFC822/2045 -[COMPRESSED-DATA](application/pkcs7-mime) -[MIME-TYPES](application/xxxxxxx)(compressed) 1.2.2 1.2.2.1 No encryption, signature -RFC822/2045 -RFC1847 (multipart/signed) -[COMPRESSED-DATA](application/pkcs7-mime) -[MIME-TYPES](application/xxxxxxx)(compressed) -RFC2633 (application/pkcs7-signature) 1.2.2.2 No encryption, signature -RFC822/2045 -[COMPRESSED-DATA](application/pkcs7-mime) -RFC1847 (multipart/signed)(compressed) -[MIME-TYPES](application/xxxxxxx)(compressed) -RFC2633 (application/pkcs7-signature)(compressed) 1.2.3 Encryption, no signature -RFC822/2045 -RFC2633 (application/pkcs7-mime) -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -[MIME-TYPES](application/xxxxxxx)(compressed)(encrypted) 1.2.4.1 Encryption, signature -RFC822/2045 -RFC2633 (application/pkcs7-mime) -RFC1847 (multipart/signed) (encrypted) -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -[MIME-TYPES](application/xxxxxxx) (compressed)(encrypted) -RFC2633 (application/pkcs7-signature) (encrypted) 1.2.4.2 Encryption, signature -RFC822/2045 -RFC2633 (application/pkcs7-mime) Harding [Page 3] INTERNET DRAFT Compressed Data For EDIINT February 2005 -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -RFC1847 (multipart/signed) (compressed)(encrypted) -[MIME-TYPES](application/xxxxxxx) (compressed)(encrypted) -RFC2633 (application/pkcs7-signature) (compressed)(encrypted) 2. MIC Calculations For Compresed Messages Requesting Signed Receipts For any signed messages, the MIC to be returned is calculated over the same data that was signed in the original message as per AS1. For encrypted, unsigned messages, the MIC to be returned is calculated over the uncompressed data content including all mime headers and any applied Content-Transfer-Encoding. For unsigned, unencrypted messages, the MIC is calculated over the uncompressed data content including all mime headers and any applied Content-Transfer-Encoding. 3. Error Disposition Modifier For a received message where a signed receipt has been requested and decompression fails, the following disposition modifier will be returned in the signed mdn. "Error: decompression-failed" - the receiver could not decompress 4. AS2 Version Header Any application that supports the compression methods outlined within this document MUST use a version identifier value of "1.1" or greater within the AS2 or AS3 Version header as describe in HTTP Transport for Secure Peer-to-Peer EDI over the Internet, see reference[AS2] and FTP Transport for Secure Peer-to-Peer EDI over the Internet, see reference[AS3]. 5. Compression Formats Implementations SHOULD support ZLIB [RFC1950] which utilizes DEFLATE[RFC1951], and is free of any intellectual property restrictions and has a freely-available, portable and efficient reference implementation. 6. Security Considerations This document is not concerned with security, except for the fact that compressing data before encryption can enhance the security by reducing redundancy of the file. The lower the redundancy of the plaintext being encrypted, the more difficult the cryptanalysis, see reference[CRYPTANALYSIS]. Author Address Terry Harding Cyclone Commerce Inc. Harding [Page 4] INTERNET DRAFT Compressed Data For EDIINT February 2005 Scottsdale, Arizona, USA tharding@cyclonecommerce.com References [AS2] HTTP Transport for Secure Peer-to-Peer EDI over the Internet draft-ietf-ediint-as2-11.txt, 2002. [AS3] FTP Transport for Secure Peer-to-Peer EDI over the Internet draft-ietf-ediint-as3-03.txt, 2005. [ASN1] CCITT Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988. [RFC2119] Key Words for Use in RFC's to Indicate Requirement Levels, S.Bradner, March 1997. [ZLIB] RFC1950 ZLIB Compressed Data Format Specification version 3.3, P.Deutsch and J-L Gailly, May 1996. [DEFLATE] RFC1951 DEFLATE Compressed Data Format Specification version 1.3, P.Deutsch, May 1996. [CMS] RFC2630 Cryptographic Message Syntax, R.Housley, June 1999. [S/MIME]RFC2633 S/MIME Version 3 Message Specification, B.Ramsdell, June 1999. [S/MIME3.1]S/MIME Version 3.1 Message Specification, B.Ramsdell, July 2004. RFC 3851 [MIME-TYPES] "Media Types," http://www.isi.edu/in- notes/iana/assignments/media-types/media-types. [XMLTYPES] E. Whitehead, M. Murata, "XML Media Types", RFC 2376, July 1998. [COMPRESSED-DATA] P. Gutmann, "Compressed Data Content Type for CMS", RFC 3274, June 2002. [CRYPTANALYSIS] B. Schneier, "Self-Study Course in Block Cipher Cryptanalysis", http://www.counterpane.com/self-study.html, Jan 2000. Acknowledgements A number of the members of the EDIINT Working Group have also worked very hard and contributed to this document. The following people have made direct contributions to this document. David Fischer, Dale Moberg, Robert Asis and everyone involved in the AS1, AS2 Interop testing during 2002. Disclaimer Harding [Page 5] INTERNET DRAFT Compressed Data For EDIINT February 2005 This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Expires February 2006 Harding [Page 6]