-----Original Message-----
From: Paul Hoffman [mailto:phoffman(_at_)imc(_dot_)org]
Sent: Thursday, November 13, 2008 4:12 PM
To: Russ Housley; Turner, Sean P.; iesg(_at_)ietf(_dot_)org;
ietf-smime(_at_)imc(_dot_)org
Subject: RE: Last Call: draft-ietf-smime-3851bis
(Secure/Multipurpose Internet Mail Extensions (S/MIME) Version
3.2 Message Specification) to Proposed Standard
At 4:00 PM -0500 11/13/08, Russ Housley wrote:
Wouldn't it be much simpler to say that the key wrap
algorithm must be the same as the content encryption
algorithm? Yes, one *might* want a keywrap of greater strength
as you have above, but that forces implementations to have
tables of what "greater" means. Saying they need to be the
same is much more straight forward.
The keysize could be the same, but the mode will probably be
different. One would not want to use AES Key Wrap for the content.
Sorry, of course. I meant "same underlying encryption
function", not "same algorithm".
Paul,
Yes, it would be simpler.
When DH ephemeral-static is used, a key wrap algorithm is also specified in
the KeyEncryptionAlgorithmIdentifier [CMS]. The underlying encryption
functions for the key wrap and content encryption algorithms ([CMSALG] and
[CMSAES]) and the key sizes for the two algorithms MUST be the same (e.g.,
AES 128 key wrap algorithm with AES 128 content encryption algorithm). As
AES 128 CBC is the mandatory to implement content encryption algorithm thus,
when DH ephemeral-static is supported, AES-128 key wrap algorithm MUST also
be supported.
spt