W3C home > Mailing lists > Public > public-webcrypto@w3.org > February 2013

Re: Proposal for key wrap/unwrap (ISSUE-35)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 25 Feb 2013 13:50:44 -0800
Message-ID: <CACvaWva4Y-D+D6cObit=jikH8_pSfZ779-yZ9OrQTp_6707FXw@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
On Mon, Feb 25, 2013 at 1:18 PM, Mark Watson <watsonm@netflix.com> wrote:
> ________________________________________
> From: Ryan Sleevi [sleevi@google.com]
> Sent: Wednesday, January 16, 2013 7:13 PM
> To: Mark Watson
> Cc: public-webcrypto@w3.org Group
> Subject: Re: Proposal for key wrap/unwrap (ISSUE-35)
> Can you provide more design rationale for choosing RSA-KEM, rather
> than the much more widely supported RSA-OAEP (eg: RFC 3560). I don't
> know of a single well-tested, CORRECT implementation of RSA-KEM in the
> popular cryptographic libraries and bindings.
> MW> Ryan, we looked in detail at RSA-OAEP key transport and there is an issue in that it does not support payloads of arbitrary size - as required for JWK format payloads. At least not without using RSA keys of arbitrary size.

I'm not sure I follow. In the JOSE space, you perform an RSA-OAEP
transport of the CMK, and the CMK protects the message. This is
conceptually similar to RSA-KEM.

Certainly, given that OAEP, but not KEM, is supported by JOSE, it
seems more in line with your needs?

> Do you have any other suggestions for RSA-based key wrap/unwrap ?
> We also looked in detail at RSA-KEM and it doesn't look so bad after all. In fact it's much easier to understand than the RSA-OAEP documentation.
> ...Mark
Received on Monday, 25 February 2013 21:51:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:15 UTC