Re: FW: Re: rsa/oaep

      In case anyone is in doubt, I regard option 1 as by far the weakest
of these three.  When hash functions with greater ranges than SHA-1 become
widely used (and they are clearly on the way), this will become a
significant issue.  I think we should prepare for that now.
      Is there anyone who thinks that it makes as much sense to use OAEP
with a 256-bit hash function and a 160-bit MGF as with the 256-bit hash
function and that same function as MGF's base?  The fact that RFC 2437
section 11.2.1 lists the default MGF as MGF-1 with SHA-1 in a structure
which also lists the hash's default as SHA-1 is not much of a warrant for
making the MGF fixed as SHA-1 even when the hash is something else.

      Last, is anybody today using OAEP with any hash function other than
SHA-1?  If nobody is, then switching to option 2 breaks nothing.

            Tom Gindin


Please respond to reagle@w3.org

To:    Jiandong Guo <jguo@phaos.com>, Tom Gindin/Watson/IBM@IBMUS
cc:    xml-encryption@w3.org, reagle@w3c.org
Subject:    Re: FW: Re: rsa/oaep


On Thursday 18 April 2002 11:29, Jiandong Guo wrote:
> The common sense is that if a parameter in a algorithm  is not present,
> then the default should be used if there is one.

As an aside, I'm likely to oppose this sort of specification as it is
counter to the rest of the spec where if some bit of variable syntax is not

present, the semantic is unkown (application defined) instead of an
implicit (default) semantic.

Otherwise, it looks like we have a couple of options:

1. (the present scheme): the hash is user specified; mgf is SHA-1.
2. the hash and mgf is user specified and they are always the same.
3. the hash and mgf are independently user specified.

--

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Thursday, 18 April 2002 14:20:02 UTC