Having not attended the Minneapolis meeting I must say that I was very
surprised by your recommendation to drop OAEP as the MUST implement key
transport mechanism with AES in favour of KEM. It wasn't all that long ago
that you were attempting to get everyone (S/MIME, TLS, X9.44) to agree on
requiring OAEP with AES as a method of transitioning to OAEP from PKCS#1
v1.5. Partly as a result of that effort, implementations of OAEP have
started to appear (e.g. OpenSSL) and transitions to OAEP can actually now
start to occur. If we are going to introduce a new MUST algorithm, and thus
additional uncertainty about what to use and how to transition, we really
should have a good reason.
In your presentation you say that KEM has better security proofs. That may
be; however, OAEP is still secure. No actual weaknesses in it have been
found. On RSA's website there is a description of recent results on OAEP
that says "... it makes little sense replacing OAEP with a "more secure"
encoding method, because if a CCA2 adversary is able to break RSAEP-OAEP,
then she will be able to break RSAEP equipped with any encoding method (if
maybe slightly less efficiently)."
there is no need to introduce KEM for security reasons.
Your presentation also lists some standards that already include KEM.
However, all of the ones that are listed except TLS also specify OAEP (ANSI
X9.44, IEEE P1363, ISO/IEC 18033-2, PKCS#1, S/MIME). TLS, while it
specifies a variant of KEM, doesn't actually use anything that is compatible
with the KEM that S/MIME (and the other groups listed) would be using. I
would also like to point out that XML Encryption has OAEP as a required key
transport method. At this point it does seem like OAEP is starting to get
adopted by other groups and thus introducing KEM now seems to be
It is true that with OAEP the message length is bounded. However, for our
requirements here, is that really an issue?
For these reasons I think we should reconsider your proposal to use RSA-KEM
instead of RSA-OAEP in draft-ietf-smime-aes-alg.
From: Housley, Russ [mailto:rhousley(_at_)rsasecurity(_dot_)com]
Sent: Wednesday, April 17, 2002 4:57 PM
Subject: Charter Update
The S/MIME WG is very out of date. I propose the attached charter as a
Note that I have assumed that the use of RSA OAEP key management will be
published as a separate RFC (not combined with the AES draft). The
rationale for this assumption is available in the presentation that I gave
in Minneapolis. The slides are on-line at
Please comment on the proposed charter.
S/MIME WG Chair
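As an added illustration of the message-length bound raised in the reply above (example code written for this page, not from the list or from any of the standards cited), the EME-OAEP padding layer of PKCS#1 v2.1 with MGF1 over SHA-1: the largest message is k - 2*hLen - 2 bytes, so a 128-byte modulus carries at most 86 bytes, comfortably more than a 32-byte AES key. The RSA primitive is left out, and the fixed seed used below is a constructed value for a reproducible run.

```python
# Added example: EME-OAEP encode/decode (PKCS#1 v2.1, 7.1.1) with MGF1-SHA-1.
# Padding layer only; the RSA encryption primitive is omitted.
import hashlib
import os

HASH = hashlib.sha1
H_LEN = HASH().digest_size  # 20 bytes for SHA-1


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1: concatenate Hash(seed || counter) until mask_len bytes exist."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def oaep_max_message_len(k: int) -> int:
    """Largest message in bytes that OAEP can carry in a k-byte modulus."""
    return k - 2 * H_LEN - 2


def oaep_encode(message: bytes, k: int, seed: bytes = None, label: bytes = b"") -> bytes:
    """Return EM = 0x00 || maskedSeed || maskedDB (k bytes)."""
    if len(message) > oaep_max_message_len(k):
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)   # zero padding string
    db = l_hash + ps + b"\x01" + message                  # k - hLen - 1 bytes
    seed = os.urandom(H_LEN) if seed is None else seed    # constructed seed in tests
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - H_LEN - 1)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, H_LEN)))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Inverse of oaep_encode; every failure raises the same error."""
    l_hash = HASH(label).digest()
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, H_LEN)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, k - H_LEN - 1)))
    sep = db.find(b"\x01", H_LEN)                          # end of PS
    # One undifferentiated error: distinguishing the checks would leak a padding oracle.
    if (len(em) != k or em[0] != 0 or db[:H_LEN] != l_hash
            or sep == -1 or any(db[H_LEN:sep])):
        raise ValueError("decoding error")
    return db[sep + 1:]
```

Running oaep_encode on a 32-byte key with k=128 succeeds, while an 87-byte message is rejected as too long, which is the bound the reply refers to.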