RE: Last Call: draft-ietf-smime-3851bis (Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification) to Proposed Standard

["Turner, Sean P." <turners@xxxxxxxx>]

>-----Original Message-----
>From: Paul Hoffman [mailto:phoffman@xxxxxxx] 
>Sent: Thursday, November 13, 2008 4:12 PM
>To: Russ Housley; Turner, Sean P.; iesg@xxxxxxxx; ietf-smime@xxxxxxx
>Subject: RE: Last Call: draft-ietf-smime-3851bis 
>(Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 
>3.2 Message Specification) to Proposed Standard
>
>At 4:00 PM -0500 11/13/08, Russ Housley wrote:
>>>Wouldn't it be much simpler to say that the key wrap 
>algorithm must be the same as the content encryption 
>algorithm? Yes, one *might* want a keywrap of greater strength 
>as you have above, but that forces implementations to have 
>tables of what "greater" means. Saying they need to be the 
>same is much more straight forward.
>>
>>The keysize could be the same, but the mode will probably be 
>different.  One would not want to use AES Key Wrap for the content.
>
>Sorry, of course. I meant "same underlying encryption 
>function", not "same algorithm".

Paul,

Yes, it would be simpler.

When DH ephemeral-static is used, a key wrap algorithm is also specified in
the KeyEncryptionAlgorithmIdentifier [CMS].  The underlying encryption
functions for the key wrap and content encryption algorithms ([CMSALG] and
[CMSAES]) and the key sizes for the two algorithms MUST be the same (e.g.,
AES 128 key wrap algorithm with AES 128 content encryption algorithm). As
AES 128 CBC is the mandatory to implement content encryption algorithm thus,
when DH ephemeral-static is supported, AES-128 key wrap algorithm MUST also
be supported.

spt