[plasma] Who creates the 'keyIdentifier'?

Alan Borland <alan.b.borland@googlemail.com> Wed, 18 July 2012 08:30 UTC

Return-Path: <alan.b.borland@googlemail.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E471221F873C for <plasma@ietfa.amsl.com>; Wed, 18 Jul 2012 01:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.942
X-Spam-Status: No, score=-2.942 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id E8-WmoAdjKZ3 for <plasma@ietfa.amsl.com>; Wed, 18 Jul 2012 01:30:52 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id ED1C521F8738 for <plasma@ietf.org>; Wed, 18 Jul 2012 01:30:51 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so2317304pbc.31 for <plasma@ietf.org>; Wed, 18 Jul 2012 01:31:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=8HfEXRaWVzXvkK1MpJv+SugA4bKueMoW4DPDteQyO48=; b=qRcnGzjr/tHotU+C3C2vR0o/9yVmJYT/62sTutmkabSl0haxlaD3AIx2IEmEPTXF23 Qz3iM3c03M444Db0WD03c9ttSxXoU/eggIN1H9zWhuTS7F74Kal8XJtMFkywBHpZ2CcU ruMgXOZNR+x6fXQEhgb8gXhhvLiJRy5O6OTgmP/jIeUE1iGGbLdc6d5+x4Sk2DmTkxfQ 5LMr8piHk8tgY6X7PpjMeyuZ/pR94slofzZMq04TSy4lGw07rn7Mlqxnmky9TNbmX9cr Fqhu6qK5mtuBd8SC4fPHjWjg2vqZP5/A5vkk/4BtmwQAnwvrbWKPXyLX16ijmGOk++7Q IEYA==
MIME-Version: 1.0
Received: by with SMTP id hs4mr5150997pbc.128.1342600301694; Wed, 18 Jul 2012 01:31:41 -0700 (PDT)
Received: by with HTTP; Wed, 18 Jul 2012 01:31:41 -0700 (PDT)
Date: Wed, 18 Jul 2012 09:31:41 +0100
Message-ID: <CALtitoaWM2AwJR3JWFjUiAmc7yKMU4O2sV6tm=s65ibLi7r2iA@mail.gmail.com>
From: Alan Borland <alan.b.borland@googlemail.com>
To: plasma@ietf.org
Content-Type: multipart/alternative; boundary="047d7b15a8a50ece1b04c5167e05"
Subject: [plasma] Who creates the 'keyIdentifier'?
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 08:30:53 -0000

I'm trying to understand who generates the 'KeyIdentifier' element in the
'KEKIdentifier' structure of the 'RecipientInfo' created by the client.

Is it the client?  The Plasma CMS Processing document, Page 8, describes
how the 'KeyIdentifier' is a random generated value (Created by the

Is it the Plasma Server?  On Page 13 the KekIdentifier is a value that
matches the KEKIdentifier.KeyIdentifier value in the recipient info
information (I have read this to mean that the EPS-LockBox version must
match the KeyIdentifier in the envelopedData created by the client, meaning
the KeyIdentifer must be transported between client and plasma server).

>From this I thought the client created the random value and passed it
across to the server inside the 'GetCMSToken' request. However, I can't see
this described in the request.  Is this missing from the request
documentation, or does this Imply that the client has to extract the
KeyIdentifer from the EPS-KEK returned in the GetCMSToken response, but
this is encrypted and only the Plasma Server has access to this.  Or have I
mis-read this completely?


Boldon James.