ietf-smime
[Top] [All Lists]

RE: RSA OAEP Public Key Identification

2002-08-09 13:03:04

Robert:

Your suggestion is consistent with RFC 3279, and I support it.

Russ

At 10:41 AM 8/2/2002 -0400, Robert Zuccherato wrote:

Russ;

I think that including the id-RSAES-OAEP be used in the certificate subject public key info field is the right way to go. The only other option that I see is Extended Key Usage, but I don't think that EKU was meant to deal with algorithm usages.

I do have one question though. If we go with your proposal, how would certificates with rsaEncryption in the SubjectPublicKeyInfo AlgorithmIdentifier be treated? My suggestion would be that any key transport method (PKCS #1, OAEP, etc) could be used with these keys. Anything else would be a redefinition of what that OID meant. Also, this would allow people who want to use both algorithms with one key to continue to do so. This would mean that id-RSAES-OAEP need only be included in the subject public key info of certificates whose key is to be used solely with OAEP, for everyone else nothing changes.

        Robert.

> -----Original Message-----
> From: Housley, Russ [<mailto:rhousley(_at_)rsasecurity(_dot_)com>mailto:rhousley(_at_)rsasecurity(_dot_)com]
> Sent: Thursday, August 01, 2002 5:01 PM
> To: ietf-smime(_at_)imc(_dot_)org
> Subject: RSA OAEP Public Key Identification
>
>
>
> At the meeting in Yokohama, we discussed the RSA OAEP draft.
> One of the
> areas that was discussed was the security considerations
> section, where the
> document recommends that a key pair only be used for one
> purpose.  Presently, we do not have a mechanism for
> identifying how a key
> holder would like to have their public key used.
>
> The certificate currently tells the message originator that
> the public key
> is an RSA key, and the key usage extension tells that the
> public key can be
> used for key transport.  There is nothing to tell the message
> originator
> whether RSA PKCS #1 v1.5 or RSA OAEP ought to be used with a
> particular
> key.  So, there is no indication to the message originator
> that will allow
> the security consideration to be implemented.
>
> Here is my proposed solution: use a different algorithm
> identifier in the
> certificate.
>
> I suggest that the id-RSAES-OAEP be used in the certificate
> subject public
> key info field to indicate that the public key should ONLY be
> used with RSA
> OAEP.
>
> This proposal may make transition from RSA PKCS #1 v1.5 to
> RSA OAEP a bit
> more difficult, since it would not allow one key pair to be
> used with both
> algorithms.  However, this is exactly what the security
> considerations
> recommend.
>
> Does anyone have concerns with this approach?
>
> If this approach is adopted, then a companion document in the
> PKIX working
> group for the proper handling of RSA OAEP (and probably RSA
> PSS) public
> keys will likely be needed.
>
> Russ
>

<Prev in Thread] Current Thread [Next in Thread>