]> S/MIME Example Keys and Certificates American Civil Liberties Union
125 Broad St. New York, NY 10004 USA dkg@fifthhorseman.net
int lamps Internet-Draft The S/MIME development community benefits from sharing samples of signed or encrypted data. This document facilitates such collaboration by defining a small set of X.509v3 certificates and keys for use when generating such samples.
Introduction The S/MIME () development community, in particular the e-mail development community, benefits from sharing samples of signed and/or encrypted data. Often the exact key material used does not matter because the properties being tested pertain to implementation correctness, completeness or interoperability of the overall system. However, without access to the relevant secret key material, a sample is useless. This document defines a small set of X.509v3 certificates () and secret keys for use when generating or operating on such samples. An example RSA certification authority is supplied, and sample RSA certificates are provided for two "personas", Alice and Bob. Additionally, an Ed25519 () certification authority is supplied, along with sample Ed25519 certificates for two more "personas", Carlos and Dana. This document focuses narrowly on functional, well-formed identity and key material. It is a starting point that other documents can use to develop sample signed or encrypted messages, test vectors, or other artifacts for improved interoperability.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology
  • "Certification Authority" (or "CA") is a party capable of issuing X.509 certificates
  • "End-Entity" is a party that is capable of using X.509 certificates (and their corresponding secret key material)
  • "Mail User Agent" (or "MUA") is a program that generates or handles e-mail messages.
Prior Work contains some sample certificates, as well as messages of various S/MIME formats. That older work has unacceptably old algorithm choices that may introduce failures when testing modern systems: in 2019, some tools explicitly mark 1024-bit RSA and 1024-bit DSS as weak. This earlier document also does not use the now widely-accepted PEM encoding (see ) for the objects, and instead embeds runnable Perl code to extract them from the document. It also includes examples of messages and other structures which are greater in ambition than this document intends to be. includes an example X25519 certificate that is certified with Ed25519, but it appears to be self-issued, and it is not directly useful in testing an S/MIME-capable MUA.
Background
Certificate Usage These X.509 certificates () are designed for use with S/MIME protections () for e-mail (). In particular, they should be usable with signed and encrypted messages, as part of test suites and interoperability frameworks. All end-entity and intermediate CA certificates are marked with Certificate Policies from indicating that they are intended only for use in testing environments. End-entity certificates are marked with policy 2.16.840.1.101.3.2.1.48.1 and intermediate CAs are marked with policy 2.16.840.1.101.3.2.1.48.2.
Certificate Expiration The certificates included in this draft expire in 2052. This should be sufficiently far in the future that they will be useful for a few decades. However, when testing tools in the far future (or when playing with clock skew scenarios), care should be taken to consider the certificate validity window. Due to this lengthy expiration window, these certificates will not be particularly useful to test or evaluate the interaction between certificate expiration and protected messages.
Certificate Revocation Because these are expected to be used in test suites or examples, and we do not expect there to be online network services in these use cases, we do not expect these certificates to produce any revocation artifacts. As a result, none of the certificates include either an OCSP indicator (see id-ad-ocsp as defined in the Authority Information Access X.509 extension in S.4.2.2.1 of ) or a CRL indicator (see the CRL Disttribution Points X.509 extension as defined in S.4.2.1.13 of ).
Using the CA in Test Suites To use these end-entity certificates in a piece of software (for example, in a test suite or an interoperability matrix), most tools will need to accept either the Example RSA CA () or the Example Ed25519 CA () as a legitimate root authority. Note that some tooling behaves differently for certificates validated by "locally-installed root CAs" than for pre-installed "system-level" root CAs). For example, many common implementations of HPKP () only applied the designed protections when dealing with a certificate issued by a pre-installed "system-level" root CA, and were disabled when dealing with a certificate issued by a "locally-installed root CA". To test some tooling specifically, it may be necessary to install the root CA as a "system-level" root CA.
Certificate Chains In most real-world examples, X.509 certificates are deployed with a chain of more than one X.509 certificate. In particular, there is typically a long-lived root CA that users' software knows about upon installation, and the end-entity certificate is issued by an intermediate CA, which is in turn issued by the root CA. The example end-entity certificates in this document can be used with either a simple two-link certificate chain (they are directly certified by their corresponding root CA), or in a three-link chain. For example, Alice's encryption certificate (, alice.encrypt.crt) can be validated by a peer that directly trusts the Example RSA CA's root cert (, ca.rsa.crt): And it can also be validated by a peer that only directly trusts the Example Ed25519 CA's root cert (, ca.25519.crt), via an intermediate cross-signed CA cert (, ca.rsa.cross.crt): By omitting the cross-signed CA certs, it should be possible to test a "transvalid" certificate (an end-entity certificate that is supplied without its intermediate certificate) in some configurations.
Passwords Each secret key presented in this draft is unprotected (it has no password). As such, the secret key objects are not suitable for verifying interoperable password protection schemes. However, the PKCS#12 objects do have simple textual passwords, because tooling for dealing with passwordless PKCS#12 objects is underdeveloped at the time of this draft.
Secret key origins The secret RSA keys in this document are all deterministically derived using provable prime generation as found in , based on known seeds derived via from simple strings. The secret Ed25519 and X25519 keys in this document are all derived by hashing a simple string. The seeds and their derivation are included in the document for informational purposes, and to allow re-creation of the objects from appropriate tooling. All RSA seeds used are 224 bits long (the first 224 bits of the SHA-256 digest of the origin string), and are represented in hexadecimal.
Example RSA Certification Authority The example RSA Certification Authority has the following information:
  • Name: Sample LAMPS RSA Certification Authority
RSA Certification Authority Root Certificate This certificate is used to verify certificates issued by the example RSA Certification Authority.
RSA Certification Authority Secret Key This secret key material is used by the example RSA Certification Authority to issue new certificates. This secret key was generated using provable prime generation found in using the seed a5c1b7847614ed661a6b0522351428b4b7f09d8ccca2d99302dd62e9. This seed is the first 224 bits of the digest of the string draft-lamps-sample-certs-keygen.ca.rsa.seed.
RSA Certification Authority Cross-signed Certificate If an e-mail client only trusts the Ed25519 Certification Authority Root Certificate found in , they can use this intermediate CA certificate to verify any end entity certificate issued by the example RSA Certification Authority.
Alice's Sample Certificates Alice has the following information:
  • Name: Alice Lovelace
  • E-mail Address: alice@smime.example
Alice's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Alice.
Alice's Signing Private Key Material This private key material is used by Alice to create signatures. This secret key was generated using provable prime generation found in using the seed 92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05. This seed is the first 224 bits of the digest of the string draft-lamps-sample-certs-keygen.alice.sign.seed.
Alice's Encryption End-Entity Certificate This certificate is used to encrypt messages to Alice.
Alice's Decryption Private Key Material This private key material is used by Alice to decrypt messages. This secret key was generated using provable prime generation found in using the seed 1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf. This seed is the first 224 bits of the digest of the string draft-lamps-sample-certs-keygen.alice.encrypt.seed.
PKCS12 Object for Alice This PKCS12 () object contains the same information as presented in , , , , and . It is locked with the simple five-letter password alice.
Bob's Sample Bob has the following information:
  • Name: Bob Babbage
  • E-mail Address: bob@smime.example
Bob's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Bob.
Bob's Signing Private Key Material This private key material is used by Bob to create signatures. This secret key was generated using provable prime generation found in using the seed f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e. This seed is the first 224 bits of the digest of the string draft-lamps-sample-certs-keygen.bob.sign.seed.
Bob's Encryption End-Entity Certificate This certificate is used to encrypt messages to Bob.
Bob's Decryption Private Key Material This private key material is used by Bob to decrypt messages. This secret key was generated using provable prime generation found in using the seed 98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8. This seed is the first 224 bits of the digest of the string draft-lamps-sample-certs-keygen.bob.encrypt.seed.
PKCS12 Object for Bob This PKCS12 () object contains the same information as presented in , , , , and . It is locked with the simple three-letter password bob.
Example Ed25519 Certification Authority The example Ed25519 Certification Authority has the following information:
  • Name: Sample LAMPS Ed25519 Certification Authority
Ed25519 Certification Authority Root Certificate This certificate is used to verify certificates issued by the example Ed25519 Certification Authority.
Ed25519 Certification Authority Secret Key This secret key material is used by the example Ed25519 Certification Authority to issue new certificates. This secret key is the digest of the ASCII string draft-lamps-sample-certs-keygen.ca.25519.seed.
Ed25519 Certification Authority Cross-signed Certificate If an e-mail client only trusts the RSA Certification Authority Root Certificate found in , they can use this intermediate CA certificate to verify any end entity certificate issued by the example Ed25519 Certification Authority.
Carlos's Sample Certificates Carlos has the following information:
  • Name: Carlos Turing
  • E-mail Address: carlos@smime.example
Carlos's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Carlos.
Carlos's Signing Private Key Material This private key material is used by Carlos to create signatures. This secret key is the digest of the ASCII string draft-lamps-sample-certs-keygen.carlos.sign.25519.seed.
Carlos's Encryption End-Entity Certificate This certificate is used to encrypt messages to Carlos. It contains an SMIMECapabilities extension to indicate that Carlos's MUA expects ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in .
Carlos's Decryption Private Key Material This private key material is used by Carlos to decrypt messages. This secret key is the digest of the ASCII string draft-lamps-sample-certs-keygen.carlos.encrypt.25519.seed.
PKCS12 Object for Carlos This PKCS12 () object contains the same information as presented in , , , , and . It is locked with the simple five-letter password carlos.
Dana's Sample Certificates Dana has the following information:
  • Name: Dana Hopper
  • E-mail Address: dna@smime.example
Dana's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Dana.
Dana's Signing Private Key Material This private key material is used by Dana to create signatures. This secret key is the digest of the ASCII string draft-lamps-sample-certs-keygen.dana.sign.25519.seed.
Dana's Encryption End-Entity Certificate This certificate is used to encrypt messages to Dana. It contains an SMIMECapabilities extension to indicate that Dana's MUA expects ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in .
Dana's Decryption Private Key Material This private key material is used by Dana to decrypt messages. This seed is the digest of the ASCII string draft-lamps-sample-certs-keygen.dana.encrypt.25519.seed.
PKCS12 Object for Dana This PKCS12 () object contains the same information as presented in , , , , and . It is locked with the simple four-letter password dana.
Security Considerations The keys presented in this document should be considered compromised and insecure, because the secret key material is published and therefore not secret. Any application which maintains a denylist of invalid key material SHOULD include these keys in its list.
IANA Considerations IANA has nothing to do for this document.
Document Considerations [ RFC Editor: please remove this section before publication ] This document is currently edited as markdown. Minor editorial changes can be suggested via merge requests at https://gitlab.com/dkg/lamps-samples or by e-mail to the author. Please direct all significant commentary to the public IETF LAMPS mailing list: spasm@ietf.org
Document History
Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05
  • Added outbound references for acronyms PEM, CRL, and OCSP, thanks Stewart Brant.
Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05
  • Switch from SHA512 to SHA1 as MAC checksum in PKCS#12 objects, for interop with Keychain Access on macOS.
Substantive Changes from draft-ietf-*-03 to draft-ietf-*-04
  • Order subject/issuer DN components by scope.
  • Put cross-signed intermediate CA certificates into PKCS#12 instead of self-signed root CA certificates.
Substantive Changes from draft-ietf-*-02 to draft-ietf-*-03
  • Correct encoding of S/MIME Capabilities extension.
  • Change "Certificate Authority" to "Certification Authority".
  • Add CertificatePolicies to all intermediate and end-entity certificates.
  • Add organization and organizational unit to all certificates.
Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02
  • Added cross-signed certificates for both CAs
  • Added S/MIME Capabilities extension for Carlos and Dana's encryption keys, indicating preferred ECDH parameters.
  • Ensure no serial numbers are negative.
  • Encode keyUsage extensions in minimum-length BIT STRINGs.
Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01
  • Added Curve25519 sample certificates (new CA, Carlos, and Dana)
Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00
  • WG adoption (dkg moves from Author to Editor)
Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05
  • PEM blobs are now sourcecode, not artwork
Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04
  • Describe deterministic key generation
  • label PEM blobs with filenames in XML
Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03
  • Alice and Bob now each have two distinct certificates: one for signing, one for encryption, and public keys to match.
Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02
  • PKCS#12 objects are deliberately locked with simple passphrases
Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01
  • changed all three keys to use RSA instead of RSA-PSS
  • set keyEncipherment keyUsage flag instead of dataEncipherment in EE certs
Acknowledgements This draft was inspired by similar work in the OpenPGP space by Bjarni Runar and juga at . Eric Rescorla helped spot issues with certificate formats. Sean Turner pointed to as prior work. Deb Cooley suggested that Alice and Bob should have separate certificates for signing and encryption. Wolfgang Hommel helped to build reproducible encrypted PKCS#12 objects. Carsten Bormann got the XML sourcecode markup working for this draft. David A. Cooper identified problems with the certificates and suggested corrections. Lijun Liao helped get the terminology right. Stewart Brant and Roman Danyliw provided editorial suggestions.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Internet Message Format This document specifies the Internet Message Format (IMF), a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages. This specification is a revision of Request For Comments (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard for the Format of ARPA Internet Text Messages", updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs. [STANDARDS-TRACK] PKCS #12: Personal Information Exchange Syntax v1.1 PKCS #12 v1.1 describes a transfer syntax for personal identity information, including private keys, certificates, miscellaneous secrets, and extensions. Machines, applications, browsers, Internet kiosks, and so on, that support this standard will allow a user to import, export, and exercise a single set of personal identity information. This standard supports direct transfer of personal information under several privacy and integrity modes. This document represents a republication of PKCS #12 v1.1 from RSA Laboratories' Public Key Cryptography Standard (PKCS) series. By publishing this RFC, change control is transferred to the IETF. Edwards-Curve Digital Signature Algorithm (EdDSA) This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 4.0. S/MIME provides a consistent way to send and receive secure MIME data. Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin. Encryption provides data confidentiality. Compression can be used to reduce data size. This document obsoletes RFC 5751. Informative References Digital Signature Standard (DSS) OpenPGP Example Keys and Certificates Mailpile ehf Independent American Civil Liberties Union The OpenPGP development community benefits from sharing samples of signed or encrypted data. This document facilitates such collaboration by defining a small set of OpenPGP certificates and keys for use when generating such samples. Examples of S/MIME Messages This document gives examples of message bodies formatted using S/MIME. Specifically, it has examples of Cryptographic Message Syntax (CMS) objects and S/MIME messages (including the MIME formatting). It includes examples of many common CMS formats. The purpose of this document is to help increase interoperability for S/MIME and other protocols that rely on CMS. This memo provides information for the Internet community. Textual Encodings of PKIX, PKCS, and CMS Structures This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate. Public Key Pinning Extension for HTTP This document defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities. Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided. Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm with X25519 and X448 in the Cryptographic Message Syntax (CMS) This document describes the conventions for using the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with curve25519 and curve448 in the Cryptographic Message Syntax (CMS). Secure Hash Standard Test Certificate Policy to Support PKI Pilots and Testing NIST - Computer Security Divisiion (CSD)