At 1:05 PM -0500 11/13/08, Turner, Sean P. wrote:
One thing I noted is that to ensure interoperability of the SHOULD- for the
DH ephemeral-static requirement we need to pick a MUST key wrap algorithm
(note that E-S DH was a SHOULD in RFC 3851 but RFC 3851 did not include
requirements for a key wrap algorithm). The text should not only indicate
which key wrap algorithms to use but what kind of content encryption keys
the algorithm is "good" for. I suggest adding the following text to Section
2.3 right after the bullets (all of the references were already normative
references):
When DH ephemeral-static is used, a key wrap algorithm is also specified in
the KeyEncryptionAlgorithmIdentifier [CMS]. When DH ephemeral-static is
used with an AES content encryption algorithm (see Section 2.7), the key
wrap algorithm MUST be an AES key wrap algorithm from [CMSAES]. When DH
ephemeral-static is used with the Triple DES content encryption algorithm
(see Section 2.7), the key wrap algorithm MUST be either Triple DES key wrap
from [CMSALG] or one of the AES key wraps from [CMSAES]. The strength of
the key wrap algorithm MUST be as strong as the content encryption
algorithm:
- The Triple-DES key wrap algorithm can be used with the Triple-DES content
encryption algorithm,
- The AES 128 key wrap algorithm can be used with The Triple-DES and AES 128
content encryption algorithms,
- The AES 192 key wrap algorithm can be used with The Triple-DES, AES 128,
and AES 192 content encryption algorithms,
- The AES 256 key wrap algorithm can be used with The Triple-DES, AES 128,
AES 192, and AES 256 content encryption algorithms.
Wouldn't it be much simpler to say that the key wrap algorithm must be the same
as the content encryption algorithm? Yes, one *might* want a keywrap of greater
strength as you have above, but that forces implementations to have tables of
what "greater" means. Saying they need to be the same is much more straight
forward.