- From: Cantor, Scott <cantor.2@osu.edu>
- Date: Tue, 16 Aug 2011 14:50:46 +0000
- To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>

The goal is to relegate PKCS 1.5 to legacy use, and promote OAEP/V2 as the RSA transport algorithm for all key types supported in the spec.

I would suggest the following changes:

Remove the last paragraph in the section 5.5 intro that starts "The RSA v1.5 Key Transport algorithm given below..." It's misleading by implying you have to use 1.5 with 3DES, and the reference for V2 to AESWRAP isn't correct anyway. I think that text adds nothing.

Strike this text in 5.5.1:

"Implementations must support this key transport algorithm for transporting 192-bit TRIPLEDES keys. Support of this algorithm for transporting other keys is optional. RSA-OAEP is recommended for the transport of AES keys."

Add text below the CipherData example:

"For backward compatibility, implementations MUST support this key transport algorithm for transporting 192-bit 3DES keys. It SHOULD NOT be used in new applications."

Replace the last paragraph in section 5.5.2 with:

"The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256 bits for AES. Implementations MUST implement RSA-OAEP for the transport of all key types and sizes that are mandatory to implement for symmetric encryption. They MAY implement RSA-OAEP for the transport of other keys."

Question: What, if anything, should be said about the DigestMethod(s) to require in conjunction with OAEP? Today, one typically finds that only SHA-1 works and is used. That seems like a problem if we reach a future state in which SHA-1 is totally broken and people want to turn it off entirely rather than pick and choose places where its use isn't suspect. I think even if we don't need SHA-256 here we ought to mandate it for future proofing.

-- Scott

Received on Tuesday, 16 August 2011 14:52:28 UTC
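
The policy discussed in this message, applied as an audit over EncryptedKey elements. This is an added example, not part of the original message or of the spec text. The `<Keys>` wrapper, the `audit_key_transport` name, the finding labels, and the treatment of a missing DigestMethod as SHA-1 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_1_5 = XENC + "rsa-1_5"
RSA_OAEP = XENC + "rsa-oaep-mgf1p"
SHA1 = DS + "sha1"
SHA256 = XENC + "sha256"

# Constructed sample: four EncryptedKey elements under a hypothetical <Keys> root.
SAMPLE = f"""<Keys xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <xenc:EncryptedKey Id="k1">
    <xenc:EncryptionMethod Algorithm="{RSA_1_5}"/>
  </xenc:EncryptedKey>
  <xenc:EncryptedKey Id="k2">
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP}">
      <ds:DigestMethod Algorithm="{SHA1}"/>
    </xenc:EncryptionMethod>
  </xenc:EncryptedKey>
  <xenc:EncryptedKey Id="k3">
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP}">
      <ds:DigestMethod Algorithm="{SHA256}"/>
    </xenc:EncryptionMethod>
  </xenc:EncryptedKey>
  <xenc:EncryptedKey Id="k4">
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
  </xenc:EncryptedKey>
</Keys>"""

def audit_key_transport(xml_text):
    """Return {EncryptedKey Id: finding} for every EncryptedKey in the document."""
    findings = {}
    for key in ET.fromstring(xml_text).iter(f"{{{XENC}}}EncryptedKey"):
        method = key.find(f"{{{XENC}}}EncryptionMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg == RSA_1_5:
            result = "legacy: RSA v1.5, backward compatibility only"
        elif alg == RSA_OAEP:
            digest = method.find(f"{{{DS}}}DigestMethod")
            # Assumption: a missing DigestMethod is treated as SHA-1.
            dalg = digest.get("Algorithm") if digest is not None else SHA1
            if dalg == SHA256:
                result = "ok: RSA-OAEP with SHA-256 digest"
            else:
                result = f"review: RSA-OAEP with digest {dalg}"
        else:
            result = f"unknown key transport: {alg}"
        findings[key.get("Id")] = result
    return findings
```

For documents from untrusted sources, parse with a hardened XML parser such as defusedxml instead of the standard library parser used here.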