All,
I believe that the group should choose the Ephemeral-Static D-H algorithm as
the "mandatory-to-implement" key management algorithm to be included in CMS
for the following reasons:
1) I believe that if a user requires the security service of data origin
authentication, then the user should digitally sign the data and encapsulate
the signed data within a signedData object. I don't believe that the data
origin authentication service needs to be provided by the key management
algorithm. Therefore, I do not object to the fact that the E-S D-H
algorithm does not provide the data origin authentication service.
2) Many organizations levy a requirement that each X.509 certificate must be
validated before the public key contained within that certificate is used
for cryptographic processing. In the case of the S-S D-H algorithm, the
originator's D-H public key is conveyed in an X.509 certificate contained in
the envelopedData heading. Many organizations will require that the
originator's D-H X.509 certificate must be validated before the originator's
D-H public key is used to form the pairwise key required to decrypt the
message encryption key. This implies that the originator's entire
certification path must be validated. Therefore, I believe that the E-S D-H
algorithm's use of an ephemeral originator's public key is a significant
advantage because there is not an originator's D-H X.509 certificate to be
validated. This will save a significant amount of time during the
decryption process.
3) As Russ points out, the S-S D-H algorithm restricts an originator from
forming a pairwise key with a user whose public key is formed using
different p/q/g parameters. The E-S D-H algorithm allows a user to form a
pairwise key with any user's D-H public key regardless of the p/q/g values.
I believe that this is a signifignat advantage of E-S D-H over S-S D-H.
4) There are no known patents or pending patents that apply to the E-S D-H.
I believe that this is a significant advantage of the E-S D-H option over
the S-S D-H option.
5) At the present time, Certicom states that they will offer a royalty-free
license covering S-S D-H. What happens if they change their mind and stop
issuing such licsences? Has Certicom completed the royalty-free license
offer? How long will it take for Certicom to do so? In summary, I believe
that we should avoid the "license path" if at all possible.
======================================================
John Pawling jsp(_at_)jgvandyke(_dot_)com
J.G. Van Dyke & Associates, Inc. www.jgvandyke.com
======================================================