It appears that we have reached at least preliminary consensus for the
mandatory to implement algorithms for S/MIME. Note that these mandatory to
implement algorithms are not for CMS in general, but for the S/MIME profile
of CMS.
1. The mandatory to implement algorithms should change in light of the
patent expiration for RSA.
2. The use of RSA as the mandatory to implement key wrapping algorithm is
acceptable, and the mode of operation will be PKCS #1 v1.5, not OAEP. This
seems to reflect the reasoned discussions of at least ten working group
participants. This will include adding a security consideration note that
explains the attack and points to a descriptive reference.
3. The use of Diffie-Hellman will only be included for backward
compatibility, and thus can be a SHOULD implement.
If we are going to use the PKCS #1 v1.5 implementation of RSA key wrapping,
then we should document the concerns about its use, and potentially point to
an RFC or other document that has a full explanation (as Paul pointed out
earlier).
Based on this list, I believe that enough information exists to move
draft-ramsdell-smime31-msg and draft-ramsdell-smime31-cert into the working
group, and start finishing this up.
Blake