ietf-smime

RE: Diffie-Hellman Choices

1998-10-02 20:51:43
I think that we should not use the side effect of authentication in the
SS variant as a feature, and I as a vendor consider it to be annoying
(and potentially impossible) to mandate a keypair on the part of the
originator of an outbound encrypted message.

IMHO, I believe that there should be no evidence of the recipient other
than information identifying the certificate that contained the "keying
material" that was used to encrypt (IssuerAndSerialNumber or equivalent)
and no evidence at all of the sender.  This to me was the original
beauty(?!) of X.509 certificates -- the SubjectPublicKeyInfo contained
all of the information necessary to do an operation for the subject of
the certificate (in this case, symmetric key protection).  Plain and
simple.  Unless, of course, I don't understand the religion yet.

The "unknown" nature of any patents regarding the ES variant is somewhat
troubling, but will potentially iron itself out during this decision
process.  Unfortunately, the penalty for not coming forward right now is
minor (black-balled in the IETF), so just because no one comes forward
right now doesn't mean that no one ever will.  The known nature of SS
patents is more encouraging in this regard.

The number of exponentiations and the size of the "keying material" are
not a factor, since I am a piggy desktop application and server
application vendor and I scoff at such limitations of processing power,
storage space and bandwidth.

In short, if there are no major discoveries of patents regarding ES (that
make it worse than SS), then I would prefer it over SS.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060
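
Added example, not part of the original message or of any S/MIME implementation: a sketch contrasting the two variants the message weighs, reading ES as ephemeral-static and SS as static-static Diffie-Hellman. The toy group, the function names and the certificate placeholder are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, illustration only (assumption): 2**127 - 1 is prime but far too
# small for real Diffie-Hellman, and the base 3 is an arbitrary choice.
P, G = 2**127 - 1, 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kek(own_priv, peer_pub):
    """Hash the DH shared secret into a key-encryption key."""
    zz = pow(peer_pub, own_priv, P)
    return hashlib.sha256(zz.to_bytes(16, "big")).digest()

def send_es(recipient_pub):
    """ES: fresh originator key per message, no long-term sender key pair."""
    eph_priv, eph_pub = keypair()
    return {"originator_public": eph_pub}, kek(eph_priv, recipient_pub)

def send_ss(sender_priv, sender_cert_id, recipient_pub):
    """SS: the originator's certified key pair is required and referenced."""
    return {"originator_cert": sender_cert_id}, kek(sender_priv, recipient_pub)

def demo():
    r_priv, r_pub = keypair()      # recipient's certified static key
    s_priv, s_pub = keypair()      # sender's certified static key (SS only)
    other_priv, _ = keypair()      # some other party who lacks s_priv
    cert_id = "sender issuer+serial (placeholder)"
    es1, es_k1 = send_es(r_pub)
    es2, es_k2 = send_es(r_pub)
    ss1, ss_k1 = send_ss(s_priv, cert_id, r_pub)
    _, ss_k2 = send_ss(s_priv, cert_id, r_pub)
    return {
        "es_recipient_derives_kek": kek(r_priv, es1["originator_public"]) == es_k1,
        "es_messages_linkable_by_header": es1 == es2,
        "es_kek_reused": es_k1 == es_k2,
        "ss_recipient_derives_kek": kek(r_priv, s_pub) == ss_k1,
        "ss_header_identifies_sender": ss1["originator_cert"] == cert_id,
        # Raw SS repeats the secret, so per-message data must be mixed in.
        "ss_kek_reused": ss_k1 == ss_k2,
        # Only a holder of s_priv or r_priv reaches the SS key (implicit auth).
        "ss_other_party_derives_kek": kek(other_priv, r_pub) == ss_k1,
    }

if __name__ == "__main__":
    print(demo())
```
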