Re: [plasma] Encrypted KEK and/or encrypted
"Jim Schaad" <jimsch@nwlink.com> Thu, 28 June 2012 03:34 UTC
Return-Path: <jimsch@nwlink.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E11E11E8154 for <plasma@ietfa.amsl.com>; Wed, 27 Jun 2012 20:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWxHanHN+5V4 for <plasma@ietfa.amsl.com>; Wed, 27 Jun 2012 20:34:13 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 69E6121F8598 for <plasma@ietf.org>; Wed, 27 Jun 2012 20:04:15 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 8E59E2C9BB; Wed, 27 Jun 2012 20:04:14 -0700 (PDT)
From: Jim Schaad <jimsch@nwlink.com>
To: 'Dan Griffin' <dan@jwsecure.com>, plasma@ietf.org
References: <B66E1F139A0F29418103E63A6124AC1C09FDFE4D@BY2PRD0511MB427.namprd05.prod.outlook.com>
In-Reply-To: <B66E1F139A0F29418103E63A6124AC1C09FDFE4D@BY2PRD0511MB427.namprd05.prod.outlook.com>
Date: Wed, 27 Jun 2012 20:02:54 -0700
Message-ID: <019e01cd54da$8518ef60$8f4ace20$@nwlink.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_019F_01CD549F.D8BADAB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIBEGi/vb0IilwtWX6W18bWciwOE5ank1cQ
Content-Language: en-us
Subject: Re: [plasma] Encrypted KEK and/or encrypted
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2012 03:34:14 -0000
For privacy reasons, the Plasma server is not permitted to see the message content being sent from the sender to the recipient. The Plasma server gets the KEK and not the CEK. The Plasma server encrypts the OtherKeyAttribute not the message. I will need to re-read the documents but if you point out where this is not clear it would help. Jim From: plasma-bounces@ietf.org [mailto:plasma-bounces@ietf.org] On Behalf Of Dan Griffin Sent: Wednesday, June 27, 2012 1:54 PM To: plasma@ietf.org Subject: [plasma] Encrypted KEK and/or encrypted In the Plasma CMS extensions, the KEKRecipientInfo includes a member of type EncryptedKey. To confirm, is it intended that that KEK byte array be encrypted in addition to the outer P7 message being encrypted, both by the Plasma server? It would seem that the desired solution is for the Plasma server to encrypt the entire CMS data, for privacy purposes, and that therefore encrypting internal data members is redundant. Thanks.
- [plasma] Encrypted KEK and/or encrypted Dan Griffin
- Re: [plasma] Encrypted KEK and/or encrypted Jim Schaad