Re: [plasma] Encrypted KEK and/or encrypted

"Jim Schaad" <> Thu, 28 June 2012 03:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2E11E11E8154 for <>; Wed, 27 Jun 2012 20:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hWxHanHN+5V4 for <>; Wed, 27 Jun 2012 20:34:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 69E6121F8598 for <>; Wed, 27 Jun 2012 20:04:15 -0700 (PDT)
Received: from Tobias ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 8E59E2C9BB; Wed, 27 Jun 2012 20:04:14 -0700 (PDT)
From: Jim Schaad <>
To: 'Dan Griffin' <>,
References: <>
In-Reply-To: <>
Date: Wed, 27 Jun 2012 20:02:54 -0700
Message-ID: <019e01cd54da$8518ef60$8f4ace20$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_019F_01CD549F.D8BADAB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIBEGi/vb0IilwtWX6W18bWciwOE5ank1cQ
Content-Language: en-us
Subject: Re: [plasma] Encrypted KEK and/or encrypted
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Jun 2012 03:34:14 -0000

For privacy reasons, the Plasma server is not permitted to see the message
content being sent from the sender to the recipient. 


The Plasma server gets the KEK and not the CEK.  The Plasma server encrypts
the OtherKeyAttribute not the message.  I will need to re-read the documents
but if you point out where this is not clear it would help.





From: [] On Behalf Of
Dan Griffin
Sent: Wednesday, June 27, 2012 1:54 PM
Subject: [plasma] Encrypted KEK and/or encrypted


In the Plasma CMS extensions, the KEKRecipientInfo includes a member of type
EncryptedKey. To confirm, is it intended that that KEK byte array be
encrypted in addition to the outer P7 message being encrypted, both by the
Plasma server? 


It would seem that the desired solution is for the Plasma server to encrypt
the entire CMS data, for privacy purposes, and that therefore encrypting
internal data members is redundant.