Peter:
>This document defines a mechanism for "wrapping" (aka encrypting) an
HMAC key
>with either Triple-DES or the Advanced Encryption Standard (AES). Standards
>already exist for wrapping Triple-DES keys in Triple-DES and AES keys in
AES.
>However no standard exists for wrapping HMAC keys, which is what this
document
>addresses.
Actually a standard does exist for wrapping HMAC keys with any kind of key,
formerly RFC 3211, now a part of RFC 3369. This was pointed out over a year
ago during the draft process, but ignored by the RFC authors. So now we have
two incompatible ways to wrap HMAC keys, one in RFC 3369, the other in this
new RFC.
Ignored is not a correct characterization. I recall a discussion on the
S/MIME list.
The protocol includes an algorithm identifier that tells the recipient
which of the algorithms was employed by the originator. So, I take issue
with your characterization of the incompatibility. Certainly, the two
algorithms generate different outputs, and both the originator and the
recipient need to implement the same algorithm to achieve interoperability.
As I recall, without searching the mail list archive, no one else voiced a
concern about publishing a second wrapping technique. Several people
voiced approval for alignment with the NIST AES Key Wrap algorithm. And,
as is often the case in these matters, many people voiced no opinion one
way or the other.
As working group chair at the time, I made the decision to proceed, after a
brief verbal consultation with the Security Area Director. I still believe
that the right decision was made.
Russ