Eric Rescorla wrote:
Russ has requested that I summarize the results of the RC2 keylength
strawpoll and close out this issue. Unfortunately, the strawpoll
reached no clear consensus. (It's pretty much dead even).
Consequently, we're going to leave things more or less as-is. RC2
keys MUST be 16 octets, both when used as KEKs (the output of DH
computations) and MEKs. Implementations SHOULD accept other length
MEKs when RSA encrypted, in the interest of backwards compatibility.
If you have an objection to this (admittedly flawed) decision
procedure (I.e. I as document editor just decide), speak up now.
This isn't the time for substantive technical argument, however.
Fair enough. Just a few comments.
For the record what was the actual result?
IMHO CMS needs a specific comment re RC2. Currently it doesn't
specifically exclude RC2 with keylength > 128 in DH.
Is this going to apply to the other two possibilities, E-S and S-S DH?
There was never any mention of why the key wrapping standard or CMS
couldn't be changed to allow the MEK length to be determined explicitly
and thus enable current RSA implementations to be unchanged in mixed RSA
and DH environments. As I recall one parameter in CMS or the alteration
of key wrap to use standard block padding would allow this. Did you see
this discussion Russ?
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
PGP key: via homepage.