At the meeting in Yokohama, we discussed the RSA OAEP draft. One of the
areas that was discussed was the security considerations section, where the
document recommends that a key pair only be used for one
purpose. Presently, we do not have a mechanism for identifying how a key
holder would like to have their public key used.
The certificate currently tells the message originator that the public key
is an RSA key, and the key usage extension tells that the public key can be
used for key transport. There is nothing to tell the message originator
whether RSA PKCS #1 v1.5 or RSA OAEP ought to be used with a particular
key. So, there is no indication to the message originator that will allow
the security consideration to be implemented.
Here is my proposed solution: use a different algorithm identifier in the
certificate.
I suggest that the id-RSAES-OAEP be used in the certificate subject public
key info field to indicate that the public key should ONLY be used with RSA
OAEP.
This proposal may make transition from RSA PKCS #1 v1.5 to RSA OAEP a bit
more difficult, since it would not allow one key pair to be used with both
algorithms. However, this is exactly what the security considerations
recommend.
Does anyone have concerns with this approach?
If this approach is adopted, then a companion document in the PKIX working
group for the proper handling of RSA OAEP (and probably RSA PSS) public
keys will likely be needed.
Russ