W3C home > Mailing lists > Public > public-xmlsec@w3.org > May 2009

ACTION-290: Key encapsulation in XML encryption

From: Magnus Nyström <magnus@rsa.com>
Date: Mon, 18 May 2009 23:58:30 +0200 (W. Europe Daylight Time)
To: public-xmlsec@w3.org
Message-ID: <Pine.WNT.4.64.0905182259140.5096@W-JNISBETTEST-1.tablus.com>
All,

This is in response to ACTION-290 that I took during the f2f last week.

When looking at this, the basic requirement would seem to be allowing use 
of key encapsulation when transporting encryption keys. A design goal 
should probably also be to allow re-use of the existing EncryptedKeyType.

One possibility is to define a new URI "KEM-KTS" (Key Encapsulation Method 
- Key Transport Scheme) for use as the "Algorithm" value in 
xenc:EncryptionMethod. Then, using the extensibility of the 
EncryptionMethodType, one could define a KeyEncapsulationMethodType that 
would define the necessary parameters:

- KeyDerivationMethod (re-using what is defined in Derived Key)
- KeyLength (possibly the "KeySize" element of EncryptionMethodType may be
   re-used)
- KeyWrapMethod (the algorithm used to wrap the actual content-encryption
   key using the derived key)
- Other (extensibility point)

KeyInfo would in the case of RSA contain the recipient's public key 
and in the case of ECC, it would contain a value of type AgreementMethod 
that in turn would contain the two ECDH params.

Here's a possible schema:

<element name="KeyEncapsulationMethod" type="kem:KeyEncapsulationMethodType"/>
<complexType name="KeyEncapsulationMethodType">
   <sequence>
     <element ref="dkey:KeyDerivationMethod"/>
     <element ref="kem:KeyWrapMethod"/>
     <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
   </sequence>
   <attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>

<element name="KeyWrapMethod" type="kem:KeyWrapMethodType"/>
<complexType name="KeyWrapMethodType">
   <sequence>
     <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
   </sequence>
   <attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>

Comments?

-- Magnus
Received on Monday, 18 May 2009 21:58:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:58 GMT