RE: ACTION-829: Provide additional proposal text regarding xml encryption changes for pkcs1.5

On OAEP's use of SHA-1, maybe someone who participated in XML Encryption 1.0 can clarify the following for me:
- What is the OAEPparams element intended to carry? If it is a Base64-encoded DER-encoded ASN.1 value of type RSAES-OAEP-params from RFC 3447, then we should be fine, since all parameters - including the MGF - can be specified in it.
- OTOH, if I am correct above, then why was the MGF fixed to use SHA-1? This seems inconsistent.

-- Magnus


> -----Original Message-----
> From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org]
> On Behalf Of Cantor, Scott
> Sent: Tuesday, September 13, 2011 7:55 AM
> To: public-xmlsec@w3.org
> Subject: Re: ACTION-829: Provide additional proposal text regarding xml
> encryption changes for pkcs1.5
> 
> The WG preference was to leave the requirements more as is, so this is a
> modified proposal to clean up the text.
> 
> Remove the last paragraph in the section 5.5 intro that starts "The RSA
> v1.5 Key Transport algorithm given below..." It's misleading by implying you
> have to use 1.5 with 3DES, and the reference for V2 to AESWRAP isn't correct
> anyway. I think that text adds nothing.
> 
> Add a paragraph break leading to this text:
> 
> "Implementations must support this key transport algorithm for transporting
> 192-bit TRIPLEDES keys. Support of this algorithm for transporting other keys is
> optional. RSA-OAEP is recommended for the transport of AES keys, including
> 192-bit keys."
> 
> Replace the last paragraph in section 5.5.2 with:
> 
> "The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256 bits for
> AES. Implementations MUST implement RSA-OAEP for the transport of all key
> types and sizes that are mandatory to implement for symmetric encryption. They
> MAY implement RSA-OAEP for the transport of other keys."
> 
> This question remains:
> 
> >Question: What, if anything, should be said about the DigestMethod(s)
> >to require in conjunction with OAEP. Today, one typically finds that
> >only SHA-1 works and is used. That seems like a problem if we reach a future
> >state in which SHA-1 is totally broken and people want to turn it off
> >entirely rather than pick and choose places where its use isn't
> >suspect. I think even if we don't need SHA-256 here we ought to mandate
> >it for future proofing.
> 
> -- Scott
> 
> 

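The two points raised in this thread (whether the MGF hash can be specified alongside the digest, and whether mandating SHA-256 for the DigestMethod is enough) come down to the fact that RSAES-OAEP has two independent hash choices: the hash used for the label (lHash) and the hash inside MGF1. RFC 3447 Appendix A.2.1 defaults both to SHA-1 but lets them be set separately. The following is an added example, not code from the thread, the W3C working group, or any XML Security implementation: a pure-Python EME-OAEP encode/decode (RFC 3447 section 7.1, padding step only, no RSA modular exponentiation) in which the label hash and the MGF1 hash are separate parameters. `transport_check`, `SAMPLE_AES128_KEY` and the 2048-bit modulus size `K` are constructed for the demonstration. Running it shows that a sender using SHA-256 for both the digest and the MGF produces an encoding that a receiver whose MGF is fixed to SHA-1 rejects, even though the DigestMethod matches; if only the digest is negotiated, the MGF hash still has to be agreed out of band.

```python
"""EME-OAEP (RFC 3447 section 7.1) with independently selectable label hash and
MGF1 hash. Padding layer only; the RSA operation itself is out of scope.
Reference illustration: the decoder's checks are not constant-time."""
import hashlib
import hmac
import os

K = 256                                # octet length of a 2048-bit RSA modulus (assumed)
SAMPLE_AES128_KEY = bytes(range(16))   # constructed stand-in for a transported AES key


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 3447 B.2.1): Hash(seed || C0) || Hash(seed || C1) || ... truncated."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = []
    for counter in range((mask_len + h_len - 1) // h_len):
        blocks.append(hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(message: bytes, k: int, label: bytes = b"",
                    hash_name: str = "sha1", mgf_hash_name: str = "sha1",
                    seed: bytes = None) -> bytes:
    """RFC 3447 7.1.1 step 2. hash_name is the label/seed hash (XML Encryption's
    DigestMethod); mgf_hash_name is the hash driving MGF1, a separate parameter."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message              # DB = lHash || PS || 0x01 || M
    if seed is None:
        seed = os.urandom(h_len)                      # seed length follows the label hash
    db_mask = mgf1(seed, k - h_len - 1, mgf_hash_name)
    masked_db = _xor(db, db_mask)
    seed_mask = mgf1(masked_db, h_len, mgf_hash_name)
    masked_seed = _xor(seed, seed_mask)
    return b"\x00" + masked_seed + masked_db          # EM = 0x00 || maskedSeed || maskedDB


def eme_oaep_decode(em: bytes, k: int, label: bytes = b"",
                    hash_name: str = "sha1", mgf_hash_name: str = "sha1") -> bytes:
    """RFC 3447 7.1.2 step 3. Every failure reports the same generic error, as the RFC
    requires, so the caller learns nothing about which check failed."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, mgf_hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, mgf_hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    rest = db[h_len:]
    i = 0
    while i < len(rest) and rest[i] == 0:             # skip PS, expect the 0x01 separator
        i += 1
    ok = (y == 0) & hmac.compare_digest(db[:h_len], l_hash) & (i < len(rest) and rest[i] == 1)
    if not ok:
        raise ValueError("decoding error")
    return rest[i + 1:]


def transport_check(digest: str, sender_mgf: str, receiver_mgf: str, k: int = K):
    """Encode the sample key with the sender's (digest, MGF hash) and decode with the
    receiver's. Returns the recovered key, or None when the receiver rejects it."""
    em = eme_oaep_encode(SAMPLE_AES128_KEY, k, hash_name=digest, mgf_hash_name=sender_mgf)
    try:
        return eme_oaep_decode(em, k, hash_name=digest, mgf_hash_name=receiver_mgf)
    except ValueError:
        return None


if __name__ == "__main__":
    # Both sides agree on SHA-256 for digest and MGF: key recovered.
    print("sha256 / mgf1-sha256 both sides:",
          transport_check("sha256", "sha256", "sha256") == SAMPLE_AES128_KEY)
    # Digest negotiated as SHA-256, but the receiver's MGF is fixed to SHA-1: rejected.
    print("sha256 digest, sender mgf1-sha256, receiver mgf1-sha1:",
          transport_check("sha256", "sha256", "sha1"))
```

The third case in `transport_check` is the one worth keeping in mind when reading the "DigestMethod" question: a SHA-256 DigestMethod with MGF1-SHA1 on both sides does interoperate, so a mandate on the digest alone does not by itself retire SHA-1 from the key transport path.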
Received on Wednesday, 14 September 2011 06:24:31 UTC