--- Begin Message ---
Dr Stephen Henson wrote:
Russ Housley wrote:
Eric & Steve
I would like to keep the key wrap algorithm as simple as possible. It is
getting too complex already.
Perhaps the key agreement AlgorithmIdentifier should have two paramters,
both AlgorithmIdentifiers. One alg id tells the key agreement technique
and the second tells the key wrap technique. This should make it more
flexible for the future.
What I was personally suggesting would make almost no changes to the
wrapping spec: more a modification than an additional complication. Two
ideas sprang to mind:
Currently we have in the spec:
"5. Generate the number of pad octets necessary to make the
result a multiple of the key-encryption algorithm block
size, then append them to the result."
If this is modified to:
"5. Pad the result using standard block padding (as described in
CMS 6.3) to make the result a multiple of the key-encryption
algorithm block size, then append them to the result."
with corresponding decoding the MEK length can be determined
unambiguously. This would apply to all cases: it is needed for RC2 but
it could perform an additional integrity check in other cases.
This would be my preference for how this should work. It will make RSA and
Diffie Hellman key exchanges more alike, and considerably simplify code that
has to deal with both.
--- End Message ---