- From: Magnus Nyström <magnus@rsa.com>
- Date: Mon, 18 May 2009 23:58:30 +0200 (W. Europe Daylight Time)
- To: public-xmlsec@w3.org
All, This is in response to ACTION-290 that I took during the f2f last week. When looking at this, the basic requirement would seem to be allowing use of key encapsulation when transporting encryption keys. A design goal should probably also be to allow re-use of the existing EncryptedKeyType. One possibility is to define a new URI "KEM-KTS" (Key Encapsulation Method - Key Transport Scheme) for use as the "Algorithm" value in xenc:EncryptionMethod. Then, using the extensibility of the EncryptionMethodType, one could define a KeyEncapsulationMethodType that would define the necessary parameters: - KeyDerivationMethod (re-using what is defined in Derived Key) - KeyLength (possibly the "KeySize" element of EncryptionMethodType may be re-used) - KeyWrapMethod (the algorithm used to wrap the actual content-encryption key using the derived key) - Other (extensibility point) KeyInfo would in the case of RSA contain the recipient's public key and in the case of ECC, it would contain a value of type AgreementMethod that in turn would contain the two ECDH params. Here's a possible schema: <element name="KeyEncapsulationMethod" type="kem:KeyEncapsulationMethodType"/> <complexType name="KeyEncapsulationMethodType"> <sequence> <element ref="dkey:KeyDerivationMethod"/> <element ref="kem:KeyWrapMethod"/> <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <element name="KeyWrapMethod" type="kem:KeyWrapMethodType"/> <complexType name="KeyWrapMethodType"> <sequence> <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> Comments? -- Magnus
Received on Monday, 18 May 2009 21:58:55 UTC