|
|
TOTAL
Passing: 78 Failing: 194 |
|
|
|
|
|
Implemenation |
|
|
|
| RFC |
Section |
Feature |
Passes |
CMSExample |
Senders |
Receivers |
|
Microsoft |
VanDyke (V) |
Deming |
Baltimore |
|
|
VDA Comments |
| 2630 |
|
Passing:
45 Failing: 51 |
|
|
|
|
|
|
|
|
|
|
|
Note1: "N/A" signifies that crypto
library used by SFL or application that calls SFL is responsible
for implementing N/A-designated feature. |
|
3. General Syntax |
|
|
|
|
|
|
|
|
|
|
|
Note
2: VDA developed sample objects that illustrate
each SFL-supported feature. The file
name for the test object is included in this column. |
|
|
Generate ContentInfo w/ data content |
FAIL |
5.1 |
|
2 |
YY |
Y |
Y |
|
|
|
|
|
|
|
Generate ContentInfo w/ signed-data content |
PASS |
5.4 |
3
|
2 |
VDMMV |
VD |
M |
MV |
|
|
|
|
|
|
Generate ContentInfo w/ enveloped-data content |
PASS |
6.1 |
3
|
2 |
VDMMV |
VD |
M |
MV |
|
|
|
|
|
|
Generate ContentInfo w/ digested-data content |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
|
|
SFL does not support |
|
|
Generate ContentInfo w/ encrypted-data content |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
dataRfc2630.d/3_CIEncryptedData.bin |
|
|
Generate ContentInfo w/ authenticated-data content |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
|
|
SFL does not support |
|
|
SignedAttributes are internally DER encoded on
emission |
PASS |
5.4 |
|
1 |
YY |
|
Y |
Y |
|
BOOLEAN |
|
|
|
Authenticated Attributes are internally DER encoded on
emission |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
SFL does not support |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4. Data Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
5. Signed-Data Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
5.1 SignedData Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate id-data content - Verify version=1 |
PASS |
5.1 |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
Generate non-id-data content - Verify version=3 |
PASS |
11.2.signedReceipt |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
Generate w/ certs |
PASS |
5.1 |
3
|
2 |
VDMMV |
VD |
M |
MV |
|
|
|
|
|
|
SignedData w/ CRLs |
FAIL |
4.5 |
1
|
1 |
M |
|
M |
|
|
|
|
|
|
|
Generate w/ attribute certificate |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
SFL supports, but not yet tested |
|
5.2 EncapsulatedContentInfo |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate w/ encapsulated content |
PASS |
5.4 |
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
|
|
|
Generate w/ detached content |
PASS |
5.3 |
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
|
|
|
Generate w/ data content |
PASS |
5.4 |
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
|
|
|
Generate w/ non-data content |
PASS |
11.2.signedReceipt |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
Degenerate message w/ data content type and no
content |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
SFL supports |
|
5.3
Signed Data |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate Issuer/Serial SID |
PASS |
5.3 |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
Generate SKI SID |
PASS |
5.7 |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
Generate w/o AuthAttrs |
PASS |
5.1 |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
Generate w/ AuthAttrs |
PASS |
5.4.CSSD |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
Message Digest algorithm(s) in the
digestAlgorithm field |
PASS |
5.1 |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
signedAttributes present for non id-data content |
PASS |
11.2.signedReceipt |
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
|
|
|
SignedAttribute is DER encoded |
PASS |
5.4.CSSD |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
signedAttributes includes content-type and
message-digest |
PASS |
5.4.CSSD |
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
|
|
|
Unsigned Attributes present |
PASS |
5.4.CSSD |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
5.4 Message Digest Calculation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
id-data, no Attrs |
PASS |
5.1 |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
id-data, auth attrs |
PASS |
5.4.CSSD |
3
|
2 |
DVM |
DV |
M |
|
|
|
|
|
|
|
non-id-data |
PASS |
11.2.signedReceipt |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
5.5 Message Signature Generation Process |
|
|
|
|
|
|
|
|
|
|
|
|
|
5.6 Message Siganture Verification process |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Verify Signature on message (3 flavors) |
FAIL |
CMS_Examples.d/5.1.bin,
5.3.bin, 5.4.CSSD.bin |
1
|
1 |
M |
|
M |
|
|
BOOLEAN |
|
|
|
Check Message digest againist Auth Attr |
PASS |
CMS_Examples.d/5.1.bin,
5.3.bin, 5.4.CSSD.bin |
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
6 Enveloped-data ContentType |
|
|
|
|
|
|
|
|
|
|
|
|
|
6.1 EnvelopedData Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EnvelopedData w/ unprotected attributes |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports, but not yet tested |
|
|
EnvelopedData w/ CRLs in originator info |
FAIL |
6.2 |
|
1 |
Y |
|
Y |
|
|
|
|
|
|
|
EnvelopedData w/ X509 certs in orginator info |
FAIL |
6.2 |
1
|
1 |
M |
|
M |
|
|
|
|
|
|
|
EnvelopedData w/ Attribute certs in orginator info |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports, but not yet tested |
|
|
EnvelopedData w/ all recipInfos of a version 0 |
PASS |
6.2 |
3
|
2 |
DVM |
DV |
M |
|
|
|
|
|
|
|
EnvelopedData w/o all recipInfos of a version 0 |
PASS |
6.1 |
2
|
2 |
VM |
V |
M |
|
|
|
|
|
|
|
EnvelopedData w/ encryptedContent |
PASS |
6.1 |
3
|
2 |
DVM |
DV |
M |
|
|
|
|
|
|
|
EnvelopedData w/o encryptedContent |
FAIL |
|
|
|
|
|
|
|
|
|
|
SFL supports, but not yet tested |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
6.2 RecipientInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
An example of each RecipientInfo in a single message |
FAIL |
ExInterop6.2.bin |
|
1 |
Y |
|
Y |
|
|
|
|
|
|
6.2.1 KeyTransRecipientInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate Issuer/Serial RID |
PASS |
6.2 |
3
|
2 |
DVM |
DV |
M |
|
|
|
|
|
|
|
Generate SKI RID |
FAIL |
|
1
|
2 |
VY |
V |
Y |
|
|
|
|
SFL supports, but yet tested |
|
6.2.2 KeyAgreeRecipientInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate Issuer/Serial RID |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
Generate SKI RID |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
SFL supports, but not yet tested |
|
|
Generate SKI RID w/Date & other |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
SFL supports, but not yet tested |
|
|
Generate w/o UKM |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
SFL supports decrypting; adding ability to generate. |
|
|
Generate w/UKM |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
Generate 2 recipients w/ common UKM & params |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/ExInterop6.4.bin |
|
|
Generate 2 recipients w/o common UKM |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/ExInterop6.4.bin |
|
|
ID Originator key by Issuer/serial |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
ID Originator key by SKI |
FAIL |
|
1
|
2 |
VY |
V |
Y |
|
|
|
|
SFL supports, but not yet tested. |
|
|
ID Originator key by PublicKey |
FAIL |
|
1
|
2 |
VY |
V |
Y |
|
|
|
|
CMS_Examples.d/ExInterop6.4.bin (ESDH) |
|
6.2.3 KEKRecipientInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate KEK w/o date & other |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/6.7_NOKEKDate.bin |
|
|
Generate KEK w/date & other |
FAIL |
|
|
2 |
YY |
Y |
Y |
|
|
|
|
CMS_Examples.d/6.7.bin |
|
6.3 Content-encrpytion Process |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate w/correct padding |
PASS |
|
3
|
2 |
DVM |
DV |
M |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
Fail read w/incorrect padding |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
SFL supports |
|
6.4 Key-encryption Process |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7 Digested-data |
|
|
|
|
|
|
|
|
|
|
|
SFL does not support |
|
|
Generate id-data |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate non-id-data |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate w/ encapsulated content |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate w/o encapulated content |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
8 Encrypted-data Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate w/o Unprotected Attrs |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInteropEncryptedData.bin |
|
|
Generate w/ Unprotected Attrs |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInteropEncryptedDataAttrs.bin |
|
|
Generate w/ encapsulated content |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports |
|
|
Generate w/o encapsulated content |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports, but not yet tested |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9 Authenticated-data Content Type |
|
|
|
|
|
|
|
|
|
|
|
SFL does not support |
|
9.1AuthenticatedDataType |
|
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate Key Transport recipient |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate Key Agree recipient |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Generate KEK recipient |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
OriginatorInfo w/ Certificates |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
OriginatorInfo w/ CRLs |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
OriginatorInfo w/ Attr Certs |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
AuthenticatedData w/ encapsulated content |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
AuthenticatedData w/o encapsulated content |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
authenticatedAttributes requires content-type and
message-digest |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
authenticatedAttribute is DER encoded |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
AuthenticatedData w/ unauthenticated attributes |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
9.2 MAC Generation |
|
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Data w/o Auth Attrs |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Data w/ Auth Attrs |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Non-Data |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
9.3 MAC Verification |
|
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
Read w/ bad digest value |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
11 Useful Attributes |
|
|
|
|
|
|
|
|
|
|
|
|
|
11.1 Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Message w/Content type attribute |
PASS |
|
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
11.2 Message Digest Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Message w/message digest attr |
PASS |
|
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
11.3 Signing Time |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Message w/ signing time - YY > 50 |
PASS |
|
3
|
2 |
DVMMV |
DV |
M |
MV |
|
|
|
ExInterop_SigningTime2.bin |
|
|
Signing time YY < 50 |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_SigningTime1.bin |
|
|
Signing time YYYY |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
CMS_Examples.d/5.4.SD.bin |
|
11.4 Countersignature |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Message w/Countersignature |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL Test Cases |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
12 Supported Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
12.1 Digest Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SHA1 Hash |
PASS |
|
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
|
MD5 Hash (should) |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
CMS_Examples.d/6.3.bin |
|
12.2 Signature Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DSA |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
12.3.1 Key Agree Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ES-DH w/3DES KEK & CEK |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
ES-DH w/RC2 KEK & CEK (should) |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/ExInterop6.1.bin |
|
12.3.2 Key Transport Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RSA w/3DES CEK (should) |
PASS |
|
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
CMS_Examples.d/6.2.bin |
|
|
RSA w/RC2 CEK (should) |
PASS |
|
3
|
2 |
DVMM |
DV |
M |
M |
|
|
|
CMS_Examples.d/6.3.bin |
|
12.3.3 Symmetric Key-Encryption Key Alg |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3DES KEK & CEK (may/must) |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/ExInterop6.7.bin |
|
|
RC2 KEK & CEK (may/should) |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/6.7_NOKEKDate.bin |
|
12.5 Message Authentication Code |
|
|
|
|
|
|
|
|
|
|
|
SFL does not support |
|
|
HMAC w/SHA-1 |
FAIL |
|
|
|
|
|
|
|
|
|
|
" " "
" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| RFC 2631 |
Passing:
0 Failing: 13 |
|
|
|
|
|
|
|
|
|
|
|
Implemented in underlying crypto library |
|
2.1.2 Generation of Keying Material |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Leading zeros must be preseved on ZZ |
FAIL |
|
|
2 |
YCrypto++ |
Y |
Crypto++ |
|
|
BOOLEAN |
N/A |
|
|
Other Info encoded w/o partyAInfo |
FAIL |
|
1
|
2 |
VCrypto++ |
V |
Crypto++ |
|
|
|
|
N/A |
|
|
OtherInfo encoded w/ partyAInfo |
FAIL |
|
|
1 |
Crypto++ |
|
Crypto++ |
|
|
|
|
N/A |
|
|
partyAInfo is 512 bits |
FAIL |
|
|
2 |
YCrypto++ |
Y |
Crypto++ |
|
|
BOOLEAN |
N/A |
|
|
Counter non-zero value |
FAIL |
|
|
2 |
YCrypto++ |
Y |
Crypto++ |
|
|
BOOLEAN |
N/A |
|
|
partyAInfo required for Static-Static |
FAIL |
|
|
1 |
Crypto++ |
|
Crypto++ |
|
|
BOOLEAN |
N/A |
|
2.1.4 Keylengths for common Algs |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RC2 Effiective Key Length == Real Key Length |
FAIL |
|
|
1 |
Crypto++ |
|
Crypto++ |
|
|
|
|
Fixing bug (4/00) |
|
2.2 Key and parameter requirements |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|q| >= 160 bits |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
|p| >= 512 bits |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.2.1 Group Parameter Generation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Generate parameter from this algorithm |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.3 Ephemeral-Static Mode |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Must implement ES mode |
FAIL |
|
1
|
2 |
YCrypto++, M |
Y |
Crypto++, M |
|
|
|
CMS_Examples.d/6.1.bin |
|
2.4 Static-Static Mode |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Must have non-null partyAInfo |
FAIL |
|
|
1 |
Crypto++ |
|
Crypto++ |
|
|
|
|
N/A |
|
|
Perform validation or reply on CA validation |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| RFC 2632 |
Passing:
16 Failing: 5 |
|
|
|
|
|
|
|
|
|
|
|
|
|
1. Overview |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Public keys MUST be validated |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
Implemented in CML |
|
|
MUST do RFC2633 certificate validation |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" " " |
|
2.1 CertificateRevocationList |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MUST support CRLs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
Implemented in CML |
|
|
MUST get CRLs from CMS |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A
|
|
|
MUST perform CRL checking |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
Implemented in CML |
|
|
MUST
support Cas w/same key & name |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" " " |
|
2.2 Certificate Choices |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MUST support V1 certificates |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
SFL supports |
|
|
MUST support V3 certificates |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
SFL supports |
|
|
SHOULD support receipt of ACs |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
SFL supports, but not yet tested |
|
2.3 CertificateSet |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MUST support random certs in bag |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
SFL supports |
|
|
MUST support name based chaining |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
Implemented in CML |
|
3. Distingished Names for Internet Mail |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MUST get email name in SubjectAltName |
PASS |
|
|
1 |
YY |
Y |
|
Y |
|
BOOLEAN |
N/A |
|
|
MUST get email name in Distinguished Name |
PASS |
|
|
1 |
YY |
Y |
|
Y |
|
BOOLEAN |
N/A |
|
|
MUST check From/Sender address againist cert
email name |
FAIL |
|
|
|
Y |
|
|
Y |
|
BOOLEAN |
N/A |
|
|
Issuer&Subject names MUST be populated |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
4.
Certifcate Processing |
|
|
|
|
|
|
|
|
|
|
|
|
|
4.3 Certificate and CRL signing Algorithms |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MUST support DSS signed certificates |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
Implemented in CML |
|
4.4 PKIX Certificate Extensions |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(M) Basic Constraints in EE certs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
Implemented in CML |
|
|
(M) Key Usage in EE certs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" " " |
|
|
(M) Authority Key ID in EE certs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" " " |
|
|
(M) Subject Key ID in EE certs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" " " |
|
|
(M) Subject Alt Name in EE certs |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
" "
" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| RFC 2633 |
Passing:
17 Failing: 44 |
|
|
|
|
|
|
|
|
|
|
|
|
|
2.1 Digest Algorithm Identifier |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Supports SHA-1 |
PASS |
|
3
|
2 |
VDMM |
VD |
M |
M |
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
|
(SSR) Supports MD5 |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/6.3.bin |
|
2.2 SignatureAlgorithmIdentifier |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Supports DSA |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/5.4.CSSD.bin |
|
|
(SSR) Supports RSA |
PASS |
|
3
|
2 |
VDMM |
VD |
M |
M |
|
|
|
CMS_Examples.d/5.2.bin |
|
3.2 KeyEncryptionAlgorithm |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Supports D-H |
PASS |
|
2
|
2 |
VM |
V |
M |
|
|
|
|
CMS_Examples.d/6.1.bin |
|
|
(SSR) Supports RSA |
PASS |
|
3
|
2 |
VDMM |
VD |
M |
M |
|
|
|
CMS_Examples.d/6.3.bin |
|
2.4.1 Data Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Use id-data for eContentType |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
CMS_Examples.d/5.3.bin |
|
|
(MS) Content Embedded for blob signed |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
CMS_Examples.d/5.4.bin |
|
|
(MS) No Embedded content for clear signed |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
CMS_Examples.d/5.3.bin |
|
|
(MS) Content embedded for encrypted |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
CMS_Examples.d/6.2.bin |
|
2.4.2 SignedData Content Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) use signedData for signed messages |
PASS |
|
2
|
2 |
DMM |
D |
M |
M |
|
|
|
SFL supports |
|
2.5 Attribute SignerInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SR) Handle zero or one signingCertificate |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
CMS_Examples.d/5.4.bin |
|
|
(SS) Insert one signingCertificate attribute |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.6.bin |
|
|
(SR) Handle Unknown attribute |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
ExInterop_Attrs.bin |
|
|
(SS) Display unlisted attributes to user |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A |
|
2.5.1 Signing-Time Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Encode YY signing time |
PASS |
|
3
|
2 |
VDM |
VD |
M |
|
|
|
|
ExInterop_SigningTime2.bin |
|
|
(MS) Encode YYYY signing Time post 2049 |
FAIL |
|
|
|
|
|
|
|
|
|
|
SFL supports, but not yet tested; CMS_Examples.d/5.4.SD.bin |
|
|
(MSR) <50 - 20YY |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_SigningTime1.bin |
|
|
(MSR) >=50 - 19YY |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_SigningTime2.bin |
|
2.5.2 SMIMECapabilities Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(?R) Handle unknown capabilities gracefully |
PASS |
|
|
2 |
YY |
Y |
Y |
|
|
BOOLEAN |
ExInterop_Attrs.bin |
|
|
(MS) is a signed attribute |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MS) single Attribute Value only |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(SS) Capabilities are partitioned |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) All included attributes are properly encoded |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(MS) Include Alg Parameters in capability |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
2.5.3 Encryption Key Preference Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) is a signed attribute |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(SS) include certificate in bag |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(SS) include if Sign cert != KeyEx cert |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SR) store on receipt |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A |
|
|
(SR) respect attribute when received |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A |
|
2.5.3.1 Selection of Key Management Cert |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SS) Follow steps |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.6 SignerIdentifier SignerInfo Type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Must use Isssuer/Serial |
PASS |
|
2
|
2 |
DM |
D |
M |
|
|
|
|
SFL supports |
|
2.7 ContentEncrptionAlgorithm |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Support 3DES |
PASS |
|
2
|
2 |
DM |
D |
M |
|
|
|
|
CMS_Examples.d/ExInterop6.7.bin |
|
|
(SSR) Support RC2/40 |
PASS |
|
2
|
2 |
DM |
D |
M |
|
|
|
|
CMS_Examples.d/6.3.bin |
|
2.7.1 Which Encryption Alg to use |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SS) Follow steps |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
3.1.1 Canonicalization |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Canonicalize all mime parts |
FAIL |
|
1
|
1 |
D |
D |
|
|
|
|
|
N/A |
|
|
(MS) Canonicalize Sign & Encrypt |
FAIL |
|
1
|
1 |
D |
D |
|
|
|
|
|
N/A |
|
|
(SS) List char set in body headers |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) Canonicalize multiple representations of single
characters |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
3.1.2 Transfer Encoding |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Handle all CTEs |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A |
|
3.1.3 Transfer Encoding for
Multipart/signed |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Encode as 7-bit text |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
3.2 application/pkcs7-mime type |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SS) include smime-type parameter |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) use CT of application/pkcs7-mime |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
3.2.1 Name and filename parameters |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SS) Emit CT name parameter |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SS) Emit Content-Disposition field |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SS) Restrict file name to 8.3 |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SS) Use smime.* for file name |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
3.4 Signed-only message |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SR) Handle clear & blob signed |
FAIL |
|
|
1 |
Y |
Y |
|
|
|
BOOLEAN |
N/A |
|
3.4.3.1 application/pkcs7-signature |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Omit body from CMS object |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) Include protocol parameter |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) quote protocol |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) emit micalg parameter |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SS) emit from included list |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SR) recover from bad micalg |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
3.6 Cetificates-only Message |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) omit content |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_CertsOnly.bin |
|
|
(MS) omit signerInfos |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_CertsOnly.bin |
|
3.7 Registration Requests |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Signing cert required to sign a message |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
4. Certificate Processing |
|
|
|
1 |
Y |
|
Y |
|
|
|
|
CML supports |
|
|
(MS) Provide certificate retrieval mechanism |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
CML supports |
|
|
(SR) Storage of certificates for correspondents |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
CML supports |
|
4.1 Key Pair Generation |
|
|
|
|
|
|
|
|
|
|
|
Underlying crypto lib supports |
|
|
(MS) Generate good random protected DH/DSS keys |
FAIL |
|
|
1 |
Crypto++ |
|
Crypto++ |
|
|
BOOLEAN |
N/A |
|
|
(SS) Generate sized RSA keys |
FAIL |
|
1
|
1 |
BSAFE |
|
BSAFE |
|
|
BOOLEAN |
N/A |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| RFC
2634 - Enhanced Security Services |
Passing:
0 Failing: 81 |
|
|
|
|
|
|
|
|
|
|
|
|
|
1.2 Format of Triple Wrapped Messages |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MR) Read both signed formats |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
1.3.1 Signed Receipts & Triple
Wrapping |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Receipt request only in inner signed content |
FAIL |
|
|
|
|
|
|
|
|
BOOLEAN |
N/A |
|
1.3.4 Placment of Attributes |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) See table in document |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
BOOLEAN |
SFL supports all attributes. |
|
|
(MS) Countersignature in unauth attrs |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
CMS_Examples.d/11.1.bin |
|
|
(MS) Copy forward mlExpansionHistory &
eSSSecurityLabel on add new signerInfo |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
BOOLEAN |
N/A |
|
2.1 Signed Receipt Concepts |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SR) Auto gen of receipts on request |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
BOOLEAN |
CMS_Examples.d/11.1.bin |
|
|
(SR) Only send one receipt |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
CMS_Examples.d/11.1.bin |
|
2.2 Receipt Request Creation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Populate receiptsTo field |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(MS) ReceiptsTo includes destination address |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
2.2.1 |
(MSR) Verify receipt requests are identical |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
BOOLEAN |
SFL supports |
|
2.2.2 (MS) Retail either original message or
digest thereof |
|
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.3 Receipt Request Processing |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MR) Verify signature of singerInfo w/request |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(MR) No receipt on different requests |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SR) Return receipt if any signerInfo w/request
verifies |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(SR) mlExpansion Present/mlReceiptPolcy
absent/use receipt request |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(MR) mlExpansion Present/mlReceiptPolicy
none/No receipt generated |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SR) mlExpansion present/mlReceiptPolcy
insteadOf/inAdditionTo/Use mlReceiptPolicy From and To lists |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SR) allReceipts - generate receipt |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
VDA SFL Test Cases |
|
|
(MR) firstTier/mlExpansionHistory Present/No receipt
generated |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SR) firstTier/mlExpansionHistory
absent/Generate Receipt |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SR) receiptsFrom list - receiver in list - generate
receipt |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(MR) receiptsFrom list - receiver not in list - No
generate receipt |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
2.4 Signed Receipt Creation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Verify signerInfo object w/receipt in it |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
|
(MS) content type in receipt signedData is
id-ct-receipt |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.bin |
|
|
(SS) Receipt contains signing time |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin ADD SigningTime |
|
|
(MS) Content DER encoded and included in
eContent field |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
|
(MS) No mime wrapping occurs on receipt content |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
|
(MS) Must outer sign if signed receipt is encrypted |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) If outer signed, include Content Hint |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) Support encrypted receipts |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.4.1 |
(MS) MLExpansion History must not occur |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports |
|
2.5 Determining the recipients of a signed
receipt |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Following procedure in text |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
2.6 Signed Receipt Validation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SR) Accept multiple receipts from same sender |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) Validate according to procedure in text |
FAIL |
|
1
|
1 |
Y,M |
|
Y,M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
2.7 Receipt Request Syntax |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode/decode basic request |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(MS) create signedContentIdentifier |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(SS) Recommended source for signedContentIdentifier |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(MS) Populate receiptsTo field |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
|
(MS) Include self to get receipt |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.1.bin |
|
2.8 Receipt Syntax |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode/Decode basic receipt |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
2.9 Content Hints |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode/decode basic hint |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(SSR) Encode/decode hint w/content description |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
VDA SFL Test Cases |
|
|
(SS) Include hint on E(S(non-id-data)) |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A
|
|
|
(MS) Add hint on receipt for E(S(R)) |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A
|
|
2.10 Message Signature Digest Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode/decode attribute |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
CMS_Examples.d/11.2.signedReceipt.bin |
|
2.11 Signed Content Reference Attribute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode/decode basic attribute |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MS) Verify original message has signedContentID
attribute |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_Attrs.bin |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Security Labels |
|
|
|
|
|
|
|
|
|
|
|
|
|
3.1 Processing rules |
|
|
|
|
|
|
|
|
|
|
|
|
|
3.1.1 Adding security labels |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Put label in auth attrs |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MS) All signerInfos MUST have label if any has
label |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
Adding check to SFL in 4/00 |
|
3.1.2 Processing Security Lables |
|
|
|
1 |
Y |
|
Y |
|
|
|
|
SFL supports |
|
|
(MR) Validate signature if applying label |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) Process label if present |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) Inform user if not all labels in a signedData are
the same |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SR) Local policy on show for unknown label policy |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(SR) Stop & Error process on unknown label
policy |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
3.2 Syntax of EssSecurityLabel |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MSR) Encode basic label |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(SSR) Encode/decode extended label |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
3.3 Security Label Components |
|
|
|
|
|
|
|
|
|
|
|
|
|
3.3.1 Security Policy Identifier |
|
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
3.3.2 Security Classification |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MS) Include policy id w/classification |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MS) Clasification values are hierarchial (but not
ascending) |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
3.3.3 Privacy Mark |
|
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
3.3.4 Security Categories |
|
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
3.4 Equivalent Security Labels |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(SR) Recognize equivalent labels |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MSR) Basic encode/decode of equivant labels |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MS) If any signerInfo has label/all have label |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
Adding check to SFL in 4/00 |
|
|
(MS) Include one or more security labels in eq.
Label |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MSR) No two policy ids are same in eq. Label |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MR) Enforces no two policy ids are the same |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
Adding check to SFL in 4/00 |
|
|
(MS) Wrap not use eq label if symantics are
different |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MS) Eq labels are authenticated attrs |
FAIL |
|
|
1 |
Y |
|
Y |
|
|
|
|
ExInterop_Attrs.bin |
|
3.4.2 Processing Equivalent Labels |
|
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(SR) process ESSSecurityLabel before Eq label |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) If EssLabel understood - it must be what
is used |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) validate signature on Eq label used |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(SR) User first Eq label found in processing |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
4. Mail List Management |
|
|
|
|
|
|
|
|
|
|
|
|
|
4.1 Mail List Expansion |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MA) Add MLData record with MLA's identity info |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
ExInterop_Attrs.bin |
|
|
(MA) Must add mlExpansionHistory if not present |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) Must append info to end of existing
mlExpansionHistory |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) All mlExpansionHistories added by agent are
identical |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) Enforce all mlExpansionHistory elements are
identical |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MR) Inform user if not all histories in a signedData are
the same |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
4.2 Mail List Agent Processing |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(MA) Parse all layers |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) Process all security labels |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) Verify signature if contains label |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) Add new SignedData layer |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
(MA) Add/update mlExpansionHistory |
FAIL |
|
1
|
1 |
M |
|
M |
|
|
|
|
SFL supports |
|
|
(MA) Move all authenticated attributes forward |
FAIL |
|
|
|
|
|
|
|
|
|
|
N/A |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|