Protocol Action: 'Algorithms for Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type' to Proposed Standard

The IESG <iesg-secretary@ietf.org> Mon, 24 May 2010 17:19 UTC

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'Algorithms for Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type' to Proposed Standard
Message-Id: <20100524171915.D2D483A6C7D@core3.amsl.com>
Date: Mon, 24 May 2010 10:19:15 -0700
Cc: Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>
Precedence: list

The IESG has approved the following document:

- 'Algorithms for Cryptographic Message Syntax (CMS) Encrypted Key
Package Content Type '
<draft-turner-encryptedkeypackagecontenttype-algs-02.txt> as a Proposed Standard

This document has been reviewed in the IETF but is not the product of an
IETF Working Group.

The IESG contact person is Tim Polk.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-turner-encryptedkeypackagecontenttype-algs-02.txt

Technical Summary

This document specifies algorithms to secure the encrypted key content
type defined in draft-turner-encryptedkeypackagecontenttype. The
algorithm choices and key sizes are based on RFC 5751, with
the exception of content encryption algorithm and key wrap algorithm
being AES Key Wrap with Padding. This rationale for the choice is in
the security considerations.

This document is headed for standards track, but there are normative
references to two informative RFCs. RFC3394 if for AES Key Wrap and
RFC5649 and is for AES Key Wrap with Padding. Both are in the downref
registry.

Working Group Summary

This document is not the product of an IETF Working Group.

Document Quality

The document is short and lists the algorithms to be used based on the
encapsulation mechanism.

Personnel

Carl Wallace is the document Shepherd. Tim Polk is the
responsible Security Area AD.

RFC Editor Note

In Section 2, please make the following substitution:

OLD:

Regardless of the key management technique choice, implementations
MUST support AES-128 Key Wrap with Padding [RFC5649]. Implementations
SHOULD support AES-256 Key Wrap with Padding [RFC5649].

NEW:

Since the content type is used to carry a cryptographic key
and its attributes, an algorithm that is traditionally used to encrypt
one
key with another is employed. Regardless of the key management
technique
choice, implementations MUST support AES-128 Key Wrap with Padding
[RFC5649] as the content encryption algorithm. Implementations SHOULD
support AES-256 Key Wrap with Padding [RFC5649] as the
content-encryption
algorithm.

In Section 3, please make the following substitution:

OLD

EncryptedData [RFC5652] requires that keys be managed by other means;

therefore, the only algorithm specified is the content encryption
algorithm. Implementations MUST support AES-128 Key Wrap with Padding
[RFC5649]. Implementations SHOULD support AES-256 Key Wrap with
Padding [RFC5649].

NEW

EncryptedData [RFC5652] requires that keys be managed by other
means; therefore, the only algorithm specified is the content
encryption
algorithm. Since the content type is used to carry a cryptographic key
and its attributes, an algorithm that is traditionally used to encrypt
one key with another is employed. Implementations MUST support
AES-128 Key Wrap with Padding [RFC5649]. Implementations SHOULD
support AES-256 Key Wrap with Padding [RFC5649].

Protocol Action: 'Algorithms for Cryptographic Me… The IESG