- From: Ryan Sleevi <sleevi@google.com>
- Date: Mon, 25 Feb 2013 13:50:44 -0800
- To: Mark Watson <watsonm@netflix.com>
- Cc: "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
On Mon, Feb 25, 2013 at 1:18 PM, Mark Watson <watsonm@netflix.com> wrote: > > ________________________________________ > From: Ryan Sleevi [sleevi@google.com] > Sent: Wednesday, January 16, 2013 7:13 PM > To: Mark Watson > Cc: public-webcrypto@w3.org Group > Subject: Re: Proposal for key wrap/unwrap (ISSUE-35) > > Can you provide more design rationale for choosing RSA-KEM, rather > than the much more widely supported RSA-OAEP (eg: RFC 3560). I don't > know of a single well-tested, CORRECT implementation of RSA-KEM in the > popular cryptographic libraries and bindings. > > MW> Ryan, we looked in detail at RSA-OAEP key transport and there is an issue in that it does not support payloads of arbitrary size - as required for JWK format payloads. At least not without using RSA keys of arbitrary size. I'm not sure I follow. In the JOSE space, you perform an RSA-OAEP transport of the CMK, and the CMK protects the message. This is conceptually similar to RSA-KEM. Certainly, given that OAEP, but not KEM, is supported by JOSE, it seems more in line with your needs? > > Do you have any other suggestions for RSA-based key wrap/unwrap ? > > We also looked in detail at RSA-KEM and it doesn't look so bad after all. In fact it's much easier to understand than the RSA-OAEP documentation. > > ...Mark
Received on Monday, 25 February 2013 21:51:11 UTC