Internet Draft Editor: Terry Harding draft-ietf-ediint-compression-08.txt Axway June 2007 Expires December 2007 Intended Status: Informational CMS - Compressed Data Content within an EDIINT 'AS' Message Status of this memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress. The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Harding [Page 1] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 Abstract The EDIINT(EDI over the INTernet) WG(Working Group) over several years developed the following 'AS'(Applicability Statements): AS1(RFC 3335), AS2(RFC 4130) and AS3(RFC 4823). These 'AS' documents discuss methods for securely transferring EDI(Electronic Data Interchange) and other electronic documents over the internet using different transfer protocols, SMTP(AS1, HTTP(AS2) and FTP(AS3). As more and more companies continue to use AS1, AS2 or AS3 to package their electronic messages, the EDIINT community is starting to see a dramatic increase in the size of files transferred between trading partners. Typical file sizes of 10k or less are no longer the norm as we start to see files larger than several megabytes(>500meg) transferred between trading partners. This document will explain the rules and procedures for utilizing compression(RFC 3274) within an EDIINT 'AS' message. It will also discuss the procedures for building, parsing and computing the MIC(Message Integrity Check) value of a message which is returned in the MDN(Message Disposition Notification) receipt to the originator of the message. 1. Introduction Historically, electronic messages produced by systems following the guidelines as outlined in AS1(RFC 3335), AS2(RFC 4130) and AS3(RFC 4823) did not have a way to provide a standardized transport neutral mechanism for compressing large payloads. However, with the development of RFC 3274 - Compressed Data Content Type for CMS, we now have a transport neutral mechanism for compressing large payloads. A typical EDIINT 'AS' message is a multi-layered MIME message, consisting of one or more of the following, payload layer, signature layer and/or the encryption layer. When an 'AS' message is received a MIC value must be computed based upon defined rules within the EDIINT 'AS' RFCs and returned to the sender of the message via an MDN. The addition of a new compression layer will require this document to outline new procedures for building/layering 'AS' messages and computing a MIC value that is returned in the MDN receipt. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.1 Compressed Data MIME Layer Harding [Page 2] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 The compressed-data CMS(Cryptographic Message Syntax) MIME entity as described in [COMPRESSED-DATA] will encapsulate a MIME entity which consists of either an unsigned or signed business document. Implementers are to follow the appropriate specifications identified under "References" in [MIME-TYPES], for the type of object being packaged. For example, to package an XML object, the MIME media type of "application/xml" is used in the Content-type MIME header field and the specifications for enveloping the object are contained in [XMLTYPES]; MIME entity example: Content-type: application/xml; charset="utf-8" The MIME entity will be compressed using [ZLIB] and placed inside a CMS compressed-data object as outlined in [COMPRESSED-DATA]. The compressed data object will be MIME encapsulated according to details outlined in [S/MIME3.1], RFC 3851, Section 3.5. Example: Content-Type: application/pkcs7-mime; smime-type=compressed-data; name=smime.p7z Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7z MIAGCyqGSIb3DQEJEAEJoIAwgAIBADANBgsqhkiG9w0BCRADCDCABgkqhkiG9w0BBwGg Hnic7ZRdb9owFIbvK/k/5PqVYPFXGK12YYyboVFASSp1vQtZGiLRACZE49/XHoUW7S/0 fU5ivWnasml72XFb3gb5druui7ytN803M570nii7C5r8tfwR281hy/p/KSM3+jzH5s3+ P3VT3QbLusnt8WPIuN5vN/vaA2+DulnXTXkXvNTr8j8ouZmkCmGI/UW+ZS/C8zP0bz2d UEk2M8mlaxjRMByAhZTj0RGYg4TvogiRASROsZgjpVcJCb1KV6QzQeDJ1XkoQ5Jm+C5P v+ORAcshOGeCcdFJyfgFxdtCdEcmOrbinc/+BBMzRThEYpwl+jEBpciSGWQkI0TSlREm SGLuESm/iKUFt1y4XHBO2a5oq0IKJKWLS9kUZTA7vC5LSxYmgVL46SIWxIfWBQd6Adrn vGxVibLqRCtIpp4g2qpdtqK1LiOeolpVK5wVQ5P7+QjZAlrh0cePYTx/gNZuB9Vhndtg W9ogK+3rnmg3YWygnTuF5GDS+Q/jIVLnCcYZFc6Kk/+c80wKwZjwdZIqDYWRH68MuBQS 3CAaYOBNJMliTl0X7eV5DnoKIFSKYdj3cRpD/cK/JWTHJRe76MUXnfBW8m7Hd5zhQ4ri +kV1/3AGSlJ32bFPd2BsQD8uSzIx6lObkjdz95c0AAAAAAAAAAAAAAAA Note: Content-Transfer-Encoding would only be required if the compressed-data MIME bodypart was transferred via a 7-bit protocol like SMTP and it was visible in the outer layer of the MIME message. If the compressed-data MIME bodypart was place inside of an encrypted MIME bodypart, content-transfer-encoding would not be required on the compressed-data MIME bodypart, but would be required on the encrypted MIME bodypart. Harding [Page 3] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 1.2 Structure of an EDI MIME compressed message When compressing a document which will be signed, the application MAY compress the inner most MIME body before signing, see Section 1.2.2.1 and 1.2.4.1 or MAY compress the outer multipart/signed MIME body, see Section 1.2.2.2 and 1.2.4.2. but MUST not do both within the same document. The receiving application MUST support both methods of compression when unpackaging an inbound document. Note: The following sections 1.2.1 - 1.2.4.2 show the individual layers of a properly formatted EDIINT MIME message with a compressed data layer. Please refer to the appropriate RFCs for the proper construction of the resulting MIME message. 1.2.1 No encryption, no signature -RFC2822/2045 -[COMPRESSED-DATA](application/pkcs7-mime) -[MIME-TYPES](application/xxxxxxx)(compressed) This section shows the layers of an unsigned, unencrypted compressed message. The first line indicates that the MIME message conforms to RFCs 2822 and RFC 2045 with a Content-Type of application/pkcs7-mime. Within the pkcs7-mime entity is a compressed MIME entity containing the electronic business document. 1.2.2.1 No encryption, signature -RFC2822/2045 -RFC1847 (multipart/signed) -[COMPRESSED-DATA](application/pkcs7-mime) -[MIME-TYPES](application/xxxxxxx)(compressed) -RFC2633 (application/pkcs7-signature) This section shows the layers of a signed, unencrypted compressed message where the payload is compressed before being signed. 1.2.2.2 No encryption, signature -RFC2822/2045 -[COMPRESSED-DATA](application/pkcs7-mime) -RFC1847 (multipart/signed)(compressed) -[MIME-TYPES](application/xxxxxxx)(compressed) -RFC2633 (application/pkcs7-signature)(compressed) This section shows the layers of a signed, unencrypted compressed message where a signed payload is compressed. 1.2.3 Encryption, no signature -RFC2822/2045 Harding [Page 4] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 -RFC2633 (application/pkcs7-mime) -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -[MIME-TYPES](application/xxxxxxx)(compressed)(encrypted) This section shows the layers of an unsigned, encrypted compressed message where payload is compressed before it is encrypted. 1.2.4.1 Encryption, signature -RFC2822/2045 -RFC2633 (application/pkcs7-mime) -RFC1847 (multipart/signed) (encrypted) -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -[MIME-TYPES](application/xxxxxxx) (compressed)(encrypted) -RFC2633 (application/pkcs7-signature) (encrypted) This section shows the layers of an signed, encrypted compressed message where the payload is compressed before being signed and encrypted. 1.2.4.2 Encryption, signature -RFC2822/2045 -RFC2633 (application/pkcs7-mime) -[COMPRESSED-DATA](application/pkcs7-mime) (encrypted) -RFC1847 (multipart/signed) (compressed)(encrypted) -[MIME-TYPES](application/xxxxxxx) (compressed)(encrypted) -RFC2633 (application/pkcs7-signature)(compressed)(encrypted) This section shows the layers of an signed, encrypted compressed message where the payload is compressed before being signed and encrypted. 2. MIC Calculations For Compressed Messages Requesting Signed Receipts 2.1 MIC Calculation For Signed Message For any signed message, the MIC to be returned is calculated over the same data that was signed in the original message as per [AS1]. 2.2 MIC Calculation For Encrypted, Unsigned Message For encrypted, unsigned messages, the MIC to be returned is calculated over the uncompressed data content including all MIME header fields and any applied Content-Transfer-Encoding. 2.3 MIC Calculation For Unencrypted, Unsigned Message For unsigned, unencrypted messages, the MIC is calculated over the uncompressed data content including all MIME header fields and any applied Content-Transfer-Encoding. Harding [Page 5] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 3. Error Disposition Modifier For a received message where a signed receipt has been requested and decompression fails, the following disposition modifier will be returned in the signed MDN. "Error: decompression-failed" - the receiver could not decompress 4. EDIINT Version Header Field Any application that supports the compression methods outlined within this document MUST use a version identifier value of "1.1" or greater within the AS2 or AS3 Version header field as describe in [AS2] and [AS3]. 5. Compression Formats Implementations SHOULD support ZLIB [ZLIB] which utilizes DEFLATE[DEFLATE], and is free of any intellectual property restrictions and has a freely-available, portable and efficient reference implementation. 6. Security Considerations This document is not concerned with security, except for the fact that compressing data before encryption can enhance the security by reducing redundancy of the file. The lower the redundancy of the plaintext being encrypted, the more difficult the cryptanalysis, see reference[CRYPTANALYSIS]. 7. IANA Considerations This document has no actions for IANA. Author's Addresses Terry Harding Axway Scottsdale, Arizona, USA tharding@us.axway.com References Normative References [AS1] T. Harding, R. Drummond, C. Shih, MIME-based Secure Peer-to-Peer Business Data Interchange over the Internet, RFC 3335, Sept 2002 [AS2] D. Moberg, R. Drummond, MIME-Based Secure Peer-to-Peer Business Data Interchange Using HTTP, Applicability Statement 2 (AS2), RFC 4130, July 2005. Harding [Page 6] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 [AS3] T. Harding, R. Scott, FTP Transport for Secure Peer-to-Peer EDI over the Internet, RFC 4823, May 2007. [ZLIB] RFC1950 ZLIB Compressed Data Format Specification version 3.3, P.Deutsch and J-L Gailly, May 1996. [DEFLATE] RFC1951 DEFLATE Compressed Data Format Specification version 1.3, P.Deutsch, May 1996. [MIME-TYPES] "Media Types," http://www.isi.edu/in- notes/iana/assignments/media-types/media-types. [RFC2119] Key Words for Use in RFC's to Indicate Requirement Levels, S.Bradner, March 1997. [S/MIME]RFC2633 S/MIME Version 3 Message Specification, B.Ramsdell, June 1999. [S/MIME3.1]S/MIME Version 3.1 Message Specification, B.Ramsdell, July 2004. RFC 3851 [XMLTYPES] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types", RFC 3023, January 2001. [COMPRESSED-DATA] P. Gutmann, "Compressed Data Content Type for CMS", RFC 3274, June 2002. Informative References [CRYPTANALYSIS] B. Schneier, "Self-Study Course in Block Cipher Cryptanalysis", http://www.counterpane.com/self-study.html, Jan 2000. Acknowledgements A number of the members of the EDIINT Working Group have also worked very hard and contributed to this document. The following people have made direct contributions to this document. David Fischer, Dale Moberg, Robert Asis and everyone involved in the AS1, AS2 Interop testing during 2002. Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an Harding [Page 7] INTERNET DRAFT Compressed Data within an EDIINT Message December 2007 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Expires December 2007 Harding [Page 8]