Housley, Russ <rhousley(_at_)rsasecurity(_dot_)com>:
Here is the next draft of the proposed working group charter. The
biggest change from the previous posting is that both OAEP and KEM become
standards track documents.
Are the differences between the attacks and mitigations presented by OAEP
and KEM really worth the high liklihood of lack of interoperability?
RSA using PKCS#1_v1.5, OAEP, and KEM all employ the same certificate, so
this choice does not require any adjustments in the PKI.
This makes it is pretty pointless to use "provably secure"
cryptography, though -- all security guarantees that OAEP, say, may
promise are voided if you use the same key for decrypting messages
using some other style of RSA.