ietf-smime

Re: Suggested change to PasswordRecipientInfo

1999-08-04 14:09:13
Russ Housley <housley(_at_)spyrus(_dot_)com>

I am a bit confused by your message.  You say that you want to add support
for "a PIN-protected smart card or something similar."

First, this does not seem like an appropriate use of password-based key
management.  The only password seems to be the local one used to gain access
to the KEK stored on the smart card.

In retrospect the term "PasswordRecipientInfo" used in the draft wasn't a very
good one; with the derivation info optional it's really more like a
GeneralisedKEKRecipientInfo.  At the time the best I could come up with was
PW-RI.

Second, if the KEK stored on the smart card has an identifier, then
KEKRecipientInfo should work as already defined.

I'm not sure what the format is for the KEK on the card, but I suspect it's
just a raw PIN-protected key (I imagine it's something like a PKCS #11
secret key object, or more likely just a 16-byte linear file).  In any case
it won't work with KEKRecipientInfo because it's only defined for RC2 and
3DES; you can't use it with IDEA unless you invent your own
AlgorithmIdentifier.

Peter.
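As an added example (not code from this thread or from any IETF draft), here is a minimal stdlib-only Python DER encoder for the KEKRecipientInfo structure the exchange refers to, which enforces the point made above that its key-wrap AlgorithmIdentifier is only defined for 3DES and RC2 (RFC 2630). The key identifier, the wrapped-key bytes and the rejected OID are constructed sample values, not real ones.

```python
# Added example: DER-encode a CMS KEKRecipientInfo (RFC 2630 section 6.2.3)
# and refuse any key-wrap algorithm CMS does not define for it.
#
# KEKRecipientInfo ::= SEQUENCE {
#   version CMSVersion,                 -- always 4
#   kekid KEKIdentifier,                -- SEQUENCE { keyIdentifier OCTET STRING, ... }
#   keyEncryptionAlgorithm AlgorithmIdentifier,
#   encryptedKey OCTET STRING }

CMS3DES_WRAP = "1.2.840.113549.1.9.16.3.6"   # id-alg-CMS3DESwrap, NULL parameters
CMSRC2_WRAP = "1.2.840.113549.1.9.16.3.7"    # id-alg-CMSRC2wrap, RC2ParameterVersion
RC2_128_PARAMETER_VERSION = 58               # RC2ParameterVersion for a 128-bit key

def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(v: int) -> bytes:
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

# Parameters CMS mandates for each defined KEK wrap algorithm.
DEFINED_KEK_WRAP = {
    CMS3DES_WRAP: b"\x05\x00",                          # NULL
    CMSRC2_WRAP: der_integer(RC2_128_PARAMETER_VERSION),  # INTEGER 58
}

def kek_recipient_info(key_id: bytes, wrap_oid: str, wrapped_key: bytes) -> bytes:
    """Return the DER KEKRecipientInfo, or raise for an undefined wrap algorithm."""
    if wrap_oid not in DEFINED_KEK_WRAP:
        raise ValueError("KEKRecipientInfo key wrap is only defined for 3DES and RC2")
    kekid = der_tlv(0x30, der_tlv(0x04, key_id))        # KEKIdentifier without date/other
    alg = der_tlv(0x30, der_oid(wrap_oid) + DEFINED_KEK_WRAP[wrap_oid])
    return der_tlv(0x30, der_integer(4) + kekid + alg + der_tlv(0x04, wrapped_key))
```

Called with a constructed identifier such as `b"card-kek-01"`, the 3DES OID and a 40-byte wrapped key (24 key bytes plus checksum and IV, per the CMS 3DES wrap), the result is a 79-byte SEQUENCE beginning `30 4d 02 01 04`.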
