[plasma] Encrypted KEK and/or encrypted

Dan Griffin <dan@jwsecure.com> Wed, 27 June 2012 20:54 UTC

Return-Path: <dan@jwsecure.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8B28D21F86B1 for <plasma@ietfa.amsl.com>; Wed, 27 Jun 2012 13:54:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.282
X-Spam-Status: No, score=-4.282 tagged_above=-999 required=5 tests=[AWL=-0.684, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id kFYTA8LbmIyz for <plasma@ietfa.amsl.com>; Wed, 27 Jun 2012 13:54:12 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe004.messaging.microsoft.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2D5A621F86FD for <plasma@ietf.org>; Wed, 27 Jun 2012 13:54:12 -0700 (PDT)
Received: from mail168-va3-R.bigfish.com ( by VA3EHSOBE002.bigfish.com ( with Microsoft SMTP Server id; Wed, 27 Jun 2012 20:52:27 +0000
Received: from mail168-va3 (localhost []) by mail168-va3-R.bigfish.com (Postfix) with ESMTP id 1AAE060502 for <plasma@ietf.org>; Wed, 27 Jun 2012 20:52:27 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI; H:BY2PRD0511HT001.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: 0
X-BigFish: PS0(zzc85fhzz1202hzz8275bh8275dhz2fh2a8h668h839hd25hf0ah)
Received-SPF: pass (mail168-va3: domain of jwsecure.com designates as permitted sender) client-ip=; envelope-from=dan@jwsecure.com; helo=BY2PRD0511HT001.namprd05.prod.outlook.com ; .outlook.com ;
Received: from mail168-va3 (localhost.localdomain []) by mail168-va3 (MessageSwitch) id 134083034659477_7227; Wed, 27 Jun 2012 20:52:26 +0000 (UTC)
Received: from VA3EHSMHS003.bigfish.com (unknown []) by mail168-va3.bigfish.com (Postfix) with ESMTP id 01D64380046 for <plasma@ietf.org>; Wed, 27 Jun 2012 20:52:26 +0000 (UTC)
Received: from BY2PRD0511HT001.namprd05.prod.outlook.com ( by VA3EHSMHS003.bigfish.com ( with Microsoft SMTP Server (TLS) id; Wed, 27 Jun 2012 20:52:23 +0000
Received: from BY2PRD0511MB427.namprd05.prod.outlook.com ([]) by BY2PRD0511HT001.namprd05.prod.outlook.com ([]) with mapi id 14.16.0164.004; Wed, 27 Jun 2012 20:54:06 +0000
From: Dan Griffin <dan@jwsecure.com>
To: "plasma@ietf.org" <plasma@ietf.org>
Thread-Topic: Encrypted KEK and/or encrypted
Thread-Index: Ac1UpnBFwmXpSs+2Q8Oc/17QqOeUjQ==
Date: Wed, 27 Jun 2012 20:54:05 +0000
Message-ID: <B66E1F139A0F29418103E63A6124AC1C09FDFE4D@BY2PRD0511MB427.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_B66E1F139A0F29418103E63A6124AC1C09FDFE4DBY2PRD0511MB427_"
MIME-Version: 1.0
X-OriginatorOrg: jwsecure.com
Subject: [plasma] Encrypted KEK and/or encrypted
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2012 20:54:13 -0000

In the Plasma CMS extensions, the KEKRecipientInfo includes a member of type EncryptedKey. To confirm, is it intended that that KEK byte array be encrypted in addition to the outer P7 message being encrypted, both by the Plasma server?

It would seem that the desired solution is for the Plasma server to encrypt the entire CMS data, for privacy purposes, and that therefore encrypting internal data members is redundant.