Rob,
I agree that RSA-OAEP is adequate, and I realize it's hard to argue for
something "better" when what's there is good enough already.
In several standards efforts I'm involved in (NESSIE, ISO 18033, ANSI X9F1),
and in the research community, a preference is emerging for RSA-KEM over
RSA-OAEP. Over time, formal standards bodies may therefore give preference
to RSA-KEM (while still acknowledging RSA-OAEP and perhaps even PKCS #1 v1.5
encryption for compatibility). Eventually, this will lead to a stronger
motivation to add RSA-KEM to S/MIME and other protocols. The issue here is
whether to do so sooner rather than later.
By the way, RSA has no proprietary interest in RSA-KEM, nor am I aware of
any patents claimed by others at this point.
-- Burt
-----Original Message-----
From: Robert Zuccherato [mailto:robert(_dot_)zuccherato(_at_)entrust(_dot_)com]
Sent: Tuesday, May 07, 2002 4:18 PM
To: Kaliski, Burt; 'ietf-smime(_at_)imc(_dot_)org'
Cc: Housley, Russ
Subject: RE: Why KEM?, RE: Charter Update
Burt;
I agree that those are definitely advantages of KEM over OAEP. However, a
number of standards (1363, PKCS#1, etc.) have already specified OAEP and
some people have already implemented it. S/MIME is currently on the -04
version of a draft that mandates OAEP with AES. Thus, without a demonstrated
weakness with OAEP I still don't see a reason to change. I don't see the
tighter bounds for KEM and the better architectural fit as being worth the
trouble of starting to specify a new encryption padding method. Doing so
will necessarily cause additional interoperability and implementation
issues. We already have an adequate replacement for PKCS #1 v1.5, why do we
need another one?
Robert.