I have a general comment concerning the use of open syntaxes for
the parameters of an algorithm.
I transpose the problem into an ASN.1 view which may be easier to
understand.
If one defines (in old syntax for simplicity) some syntax
like
algopolicystuff ::= SEQUENCE
{ oid OBJECT IDENTIFIER,
specificforalgo ANY DEFINED BY oid }
this creates problems for any routine that wants to check the actual
policy in the case of a new algorithm. One needs to compile code
into such a routine for each new syntax.
But what is actually needed by a policy checker? It doesn't even
know key length or hash size or whatever else. It only has to
know that for each algorithm there are some values defined.
I think one should have an approach like the MIBs in SNMP, so
one would say (now in XML) something like
<Algorithm Name="urifor RSA" Oid="xxx">
<param>1024</param>
<param>4096</param>
</Algorithm>
In a policy one would only specify value constraints on the parameters of
the actual algorithms, a kind of pattern which can always be checked;
for example: the first parameter must be greater than 1023, the second less than 8192, or whatever.
An implementation of crypto algorithms would provide a list of algorithms with the actual values of the parameters. In the opposite direction, an implementation would also take a policy as an input, for example for key generation or signature validation. Even if an implementation does provide smaller keys, one can tell it not to do so. I am not sure whether I am sufficiently clear.
Peter
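One way to build the checker sketched above, as an added example that is not code from this thread or from any of the specifications it discusses: the implementation publishes an algorithm list with positional integer parameters, the policy states a min/max range per position, and the checker compares them without knowing what any parameter means. The OIDs, the `http://example.org/...` algorithm names, the `min`/`max` attributes and the two XML documents are all constructed for this example; an algorithm the policy does not mention is rejected outright rather than waved through.

```python
import xml.etree.ElementTree as ET

# Constructed sample: what a crypto implementation would publish about itself.
# OIDs, names and the meaning of each position are assumptions for this
# example; the checker never interprets them, it only sees integer values.
INVENTORY_XML = """
<Algorithms>
  <Algorithm Name="http://example.org/alg/rsa" Oid="1.2.840.113549.1.1.1">
    <param>1024</param>
    <param>4096</param>
  </Algorithm>
  <Algorithm Name="http://example.org/alg/ecdsa" Oid="1.2.840.10045.4.1">
    <param>256</param>
  </Algorithm>
</Algorithms>
"""

# Constructed sample policy: per algorithm, per parameter position, a range.
# The "min"/"max" attributes are an assumed schema, not anything standardised.
POLICY_XML = """
<Policy>
  <Algorithm Oid="1.2.840.113549.1.1.1">
    <param min="2048"/>
    <param max="8191"/>
  </Algorithm>
  <Algorithm Oid="1.2.840.10045.4.1">
    <param min="256"/>
  </Algorithm>
</Policy>
"""


def parse_inventory(xml_text):
    """Return {oid: [int, ...]} from an <Algorithms> document."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for alg in root.findall("Algorithm"):
        inventory[alg.get("Oid")] = [int(p.text.strip()) for p in alg.findall("param")]
    return inventory


def parse_policy(xml_text):
    """Return {oid: [(min, max), ...]}; None means unbounded on that side."""
    root = ET.fromstring(xml_text)
    policy = {}
    for alg in root.findall("Algorithm"):
        constraints = []
        for p in alg.findall("param"):
            lo, hi = p.get("min"), p.get("max")
            constraints.append((int(lo) if lo is not None else None,
                                int(hi) if hi is not None else None))
        policy[alg.get("Oid")] = constraints
    return policy


def check(inventory, policy):
    """Return {oid: [violation, ...]}; an empty list means the algorithm complies.

    The checker needs no per-algorithm code: it only compares each positional
    value against the policy's range for that position. An algorithm absent from
    the policy is reported as not permitted, so a new algorithm cannot slip
    through merely because nobody wrote a check for it."""
    result = {}
    for oid, values in inventory.items():
        problems = []
        constraints = policy.get(oid)
        if constraints is None:
            problems.append("algorithm not permitted by policy")
        else:
            if len(values) != len(constraints):
                problems.append(f"expected {len(constraints)} parameters, got {len(values)}")
            for i, (v, (lo, hi)) in enumerate(zip(values, constraints)):
                if lo is not None and v < lo:
                    problems.append(f"param {i}: {v} < {lo}")
                if hi is not None and v > hi:
                    problems.append(f"param {i}: {v} > {hi}")
        result[oid] = problems
    return result


def generation_allowed(policy, oid, values):
    """The opposite direction: the policy fed into an implementation.

    A key-generation (or validation) request is refused when its parameters
    violate the policy, even if the implementation itself could serve it."""
    return not check({oid: values}, policy)[oid]


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_XML)
    pol = parse_policy(POLICY_XML)
    for oid, problems in check(inv, pol).items():
        print(oid, "OK" if not problems else problems)
    print("2048-bit RSA generation allowed:",
          generation_allowed(pol, "1.2.840.113549.1.1.1", [2048, 4096]))
```

Running it flags the RSA entry because its first published value, 1024, is below the policy's floor of 2048, while the ECDSA entry passes; asking the same implementation to generate a 1024-bit key is refused, a 2048-bit one is allowed. Positional matching keeps the checker generic, but it also means the policy and the inventory must agree on parameter order, which is why a parameter-count mismatch is reported as a violation rather than silently truncated.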