ietf-smime
[Top] [All Lists]

RE: Last Call: draft-ietf-smime-3851bis (Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification) to Proposed Standard

2008-11-13 16:12:17


>One thing I noted is that to ensure interoperability of the SHOULD- for the
>DH ephemeral-static requirement we need to pick a MUST key wrap algorithm
>(note that E-S DH was a SHOULD in RFC 3851 but RFC 3851 did not include
>requirements for a key wrap algorithm).  The text should not only indicate
>which key wrap algorithms to use but what kind of content encryption keys
>the algorithm is "good" for.  I suggest adding the following text to Section
>2.3 right after the bullets (all of the references were already normative
>references):
>
>When DH ephemeral-static is used, a key wrap algorithm is also specified in
>the KeyEncryptionAlgorithmIdentifier [CMS].  When DH ephemeral-static is
>used with an AES content encryption algorithm (see Section 2.7), the key
>wrap algorithm MUST be an AES key wrap algorithm from [CMSAES].  When DH
>ephemeral-static is used with the Triple DES content encryption algorithm
>(see Section 2.7), the key wrap algorithm MUST be either Triple DES key wrap
>from [CMSALG] or one of the AES key wraps from [CMSAES].  The strength of
>the key wrap algorithm MUST be as strong as the content encryption
>algorithm:
>
>- The Triple-DES key wrap algorithm can be used with the Triple-DES content
>  encryption algorithm,
>- The AES 128 key wrap algorithm can be used with The Triple-DES and AES 128
>  content encryption algorithms,
>- The AES 192 key wrap algorithm can be used with The Triple-DES, AES 128,
>  and AES 192 content encryption algorithms,
>- The AES 256 key wrap algorithm can be used with The Triple-DES, AES 128,
>  AES 192, and AES 256 content encryption algorithms.

Wouldn't it be much simpler to say that the key wrap algorithm must be the same as the content encryption algorithm? Yes, one *might* want a keywrap of greater strength as you have above, but that forces implementations to have tables of what "greater" means. Saying they need to be the same is much more straight forward.

The keysize could be the same, but the mode will probably be different. One would not want to use AES Key Wrap for the content.

Russ