This message is intended to start the final discussion on the question
of forcing AES to use RSA-OAEP in the AES draft.
At the face-to-face meeting, I indicated that it is still my belief that
we should prohibit the use of RSA PKCS#1 v1.5 to transport AES keys due
to the somewhat weaker security provided by this method. While I agree
that there is no known attack against RSA PKCS#1 v1.5 in the case of
S/MIME (as a store-and-forward mail system), I do believe that one can
construct an attack against an arbitrary CMS-based protocol. Since this
is a discussion of how to use AES with CMS and not just with S/MIME, I
believe that the more general case should rule what happens in this
Having done implementations of the RSA-OAEP padding already, I do NOT
believe that there is a serious development hurdle to getting RSA-OAEP
The face-to-face meeting was presented with the following choices:
1. Leave the ban on RSA PKCS#1 v1.5 as is currently present in the
2. Remove the ban, but allow the author to present a diatribe on why
it's a bad idea.
3. Remove the ban entirely and force an update to SMimeCapabilities to
allow for products to advise that the combination is not acceptable.
The vote on the face-to-face was unanimous on keeping the ban. The
discussion on this issue is now open on the list.