Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:
> I have no objection to the proposed unauthenticated attribute. It seems like
> a straightforward addition.
OK, I'll get to work on it.
> I think that authenticated encryption (like AES-CCM and AES-GCM) is also a
> highly desirable solution. I would like to see a CMS protection content
> type that supports these. The AES-CCM and AES-GCM algorithms are not
> encumbered, but as you say, other authenticated encryption modes are.
In the long run using encrypt+authenticate modes would definitely be
preferable, and I'll get this sentiment into the text. The reason I went for
the MDC approach is because (hopefully) anything that can understand
EnvelopedData with version number 2 or 3 will be able to process (or at least
not break when it encounters) the MDC, so it can be introduced right now
without causing too much breakage. AES-CCM/GCM are definitely the better
longer-term solutions, but then the other problem there is that support for
these modes could take a while to appear, particularly in HSMs. PKCS #11 (the
litmus paper for crypto hardware support) has only just added AES-CTR in the
latest draft amendment and doesn't do -CCM or -GCM at all, so it could be
quite a while before we see these modes widely deployed.
Peter.