3.2.4.3 Cryptographic Processing
The DRS Protocol Extensions for SMTP MUST perform a certificate service (as specified in [MS-WCCE]) cryptographic operation on the Send-Message-Compressed-Data byte stream. All cryptographic operations MUST employ the Abstract Syntax Notation One (ASN.1) encoding, as specified in [MS-WCCE].
The certificate-based cryptographic operation consists of a conditional encryption step followed by an unconditional message-signature step. The extension MUST perform encryption on response messages and MUST NOT perform encryption on request messages.
If the value of the Send-Message-Type working variable indicates the message is of type Response, the implementation MUST encrypt the compressed data prior to signing, as follows:
The abstract working variable Send-Recipient-Certificate MUST be set to the value of SMTP-ADDR-DC-CERT-MAP (Send-Recipient-Mail-Address). Implementations make the certificate available in the map by either populating the certificate at initialization time or populating the certificate during previous receive-processing (see section 3.3.5.3).
The extension MUST invoke certificate-based cryptographic encryption on the Send-Message-Compressed-Data byte stream by using either the RSA RC4 encryption algorithm or the AES128 encryption algorithm and the Send-Recipient-Certificate, as specified in [SCHNEIER]. <13>
The extension MUST use the encrypted result as the input to the subsequent signature operation.
For a Response message, the result of the encryption step defined above MUST be cryptographically signed. For Request messages, the Send-Message-Compressed-Data byte stream MUST be cryptographically signed. The result of the cryptographic signature operation MUST be in "PKCS #7 Format" as specified in [RFC2315]. The hash function used in the signature operation MUST be either RSA MD5 or SHA256. <14> The result MUST include Local-DC-Certificate in the list of associated certificates. The result of the signing operation is the Send-Message-Data-Authenticated byte stream.