ietf-smime

Re: WG Last Call:draft-ietf-smime-cms-07.txt

1998-10-26 20:20:50
Steve:

As I understand the ES DH description there are two separate OIDs:
id-alg-ESDHwithRC2 and id-alg-ESDHwith3DES. This specifies both the key
transport and the symmetric encryption algorithms. What if someone wants
to use a different symmetric algorithm? Do they need to register an
id-alg-ESDHwithXXX OID and does everyone need to change their code to
support it? If history is anything to go by this will result in lots of
incompatible id-alg-ESDHwithXXX OIDs used by different applications.

Yes, a new OID is needed for each ESDHwithXXX.  We could have assigned one
OID with a parameter of the symmetric algorithm, but then the structure is
not quite right since the symmetric algorithm OID might require IVs or some
other parameter.

Is there some specific reason why we can't do the same as with RSA? That
is have an id-alg-ESDH OID and then a separate symmetric algorithm OID.
That way if someone wants to support some other algorithm with a
registered OID they can already do it in a compatible way.

With RSA, the symmetric algorithm OID is inside the encrypted structure.
With E-S D-H we would have to put the symmetric algorithm OID as a
parameter to the ESDH OID.

In 12.6:

   The key-encryption key is generated by the key agreement algorithm or
   distributed as a mail list key.  With key agreement, the minimum
   number of bits needed to form the key-encryption key must be used.
   As an example, only the first 40 bits of Diffie-Hellman generated
   keying material are used for a RC2/40 key-encryption key.

This appears to be the "RC2 key length X/8" option. This adds the
restriction that X/8 must always be used in mixed DH+RSA messages though
just RSA need not be restricted to X/8. Or am I misinterpreting this?

You're right about this. Based on Eric's message, I will change it to use
the Fixed-128 option.

Russ
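
The two layouts compared in this thread, encoded as DER in an added example (not part of the original message or the draft): a dedicated OID per key-agreement/cipher pair, and a single key-agreement OID whose parameter field carries the symmetric algorithm. The nested parameter is assumed here to be a full AlgorithmIdentifier so that an IV can accompany the cipher OID; the 2.999.x OIDs and all function names are placeholders.

```python
# Added illustration. 2.999.x OIDs are placeholders from the example arc, not
# the draft's assignments; 1.2.840.113549.3.7 is des-ede3-cbc.
ESDH_WITH_3DES = "2.999.1"  # placeholder: one OID per agreement/cipher pair
ESDH_GENERIC = "2.999.2"    # placeholder: one key-agreement OID for all ciphers
DES_EDE3_CBC = "1.2.840.113549.3.7"

def tlv(tag, content):
    assert len(content) < 0x80, "this sketch handles short-form lengths only"
    return bytes([tag, len(content)]) + content

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # first two arcs share a slot
        chunk = [sub & 0x7F]
        while sub := sub >> 7:
            chunk.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_oid(body):
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of a subidentifier
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def alg_id(dotted, params=b""):  # SEQUENCE { algorithm OID, parameters optional }
    return tlv(0x30, enc_oid(dotted) + params)

def parse_alg_id(der):
    # Returns (dotted OID, raw parameter bytes) for one AlgorithmIdentifier.
    if der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0x06:
        raise ValueError("not a short-form AlgorithmIdentifier")
    end = 4 + der[3]
    return dec_oid(der[4:end]), der[end:]

def describe(key_enc_alg):
    """What a receiver can read from the key-encryption AlgorithmIdentifier."""
    outer, params = parse_alg_id(key_enc_alg)
    if not params:  # combined form: the cipher is known only via the OID
        return outer, None, None
    inner, iv = parse_alg_id(params)  # nested form: cipher OID plus its IV
    return outer, inner, iv[2:]       # drop the OCTET STRING header

IV = bytes(range(8))  # constructed sample IV
COMBINED = alg_id(ESDH_WITH_3DES)
NESTED = alg_id(ESDH_GENERIC, alg_id(DES_EDE3_CBC, tlv(0x04, IV)))
```

A receiver that does not recognise the combined OID learns nothing from `describe(COMBINED)`, while `describe(NESTED)` yields the cipher OID and IV without any new key-agreement OID being registered.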