Re: [plasma] Who creates the 'keyIdentifier'?
"Jim Schaad" <firstname.lastname@example.org> Mon, 30 July 2012 22:34 UTC
From: "Jim Schaad" <email@example.com>
To: "'Alan Borland'" <firstname.lastname@example.org>, <email@example.com>
Date: Mon, 30 Jul 2012 15:33:17 -0700
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
Alan,

Sorry for the delay on getting back with a fuller response on this issue. I managed to fall off of my stack of issues.

The KeyIdentifier in the CMS KEKIdentifier field is generated by the client and populated by the client. The field originally was not sent to the Plasma server as it was not thought necessary. When doing implementations, for some reason I can no longer remember, I thought it was necessary so added it to the schema without also putting in the documentation. Since that point I have gone back to the point of wondering if the field is needed or not. It may be that it is just local to the client and never needs to be sent to the server.

Part of the issue is a question on the ability to have two different KEK objects in a single MIME message that is done over multiple CMS objects, each with a different KEKIdentifier (or the same one). If this is the case then it might be needed, but it would also require a couple of other changes that I have not completely worked out yet.

Jim

From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Alan Borland
Sent: Wednesday, July 18, 2012 1:32 AM
To: firstname.lastname@example.org
Subject: [plasma] Who creates the 'keyIdentifier'?

I'm trying to understand who generates the 'KeyIdentifier' element in the 'KEKIdentifier' structure of the 'RecipientInfo' created by the client.

Is it the client? The Plasma CMS Processing document, Page 8, describes how the 'KeyIdentifier' is a random generated value (created by the client?).

Is it the Plasma Server? On Page 13 the KekIdentifier is a value that matches the KEKIdentifier.KeyIdentifier value in the recipient info information (I have read this to mean that the EPS-LockBox version must match the KeyIdentifier in the envelopedData created by the client, meaning the KeyIdentifier must be transported between client and plasma server).

From this I thought the client created the random value and passed it across to the server inside the 'GetCMSToken' request. However, I can't see this described in the request. Is this missing from the request documentation, or does this imply that the client has to extract the KeyIdentifier from the EPS-KEK returned in the GetCMSToken response (but this is encrypted and only the Plasma Server has access to it)? Or have I mis-read this completely?

Alan.
Boldon James.
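Added example, not from this thread or from the Plasma drafts: the KEKIdentifier structure the thread is asking about, as RFC 5652 section 6.2.3 defines it, built on the client side with a random keyIdentifier and then matched on the server side against a lockbox entry, which is the reading of page 13 that Alan describes. The DER helpers are hand-written so the block runs with only the Python standard library; the lockbox list, its dict field names and all function names are constructed for illustration and are not the EPS-LockBox or GetCMSToken formats. The last function covers the case Jim raises, several CMS objects in one message each carrying its own KEK: a server can only match entries if their identifiers are distinct.

```python
import os
from datetime import datetime, timezone
from typing import Optional

# --- minimal DER helpers (only what KEKIdentifier needs) ---------------------

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80|N, then N big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf: bytes, off: int):
    """Read one TLV at `off`; return (tag, content, offset just past it)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    content = buf[off:off + length]
    if len(content) != length:
        raise ValueError("truncated DER")
    return tag, content, off + length

# --- client side -------------------------------------------------------------

def new_key_identifier(length: int = 16) -> bytes:
    """Random keyIdentifier chosen by the client.  It only has to be unique
    among the KEKs the client uses; it is a label for the KEK, not a secret."""
    return os.urandom(length)


def encode_kek_identifier(key_identifier: bytes, date: Optional[datetime] = None) -> bytes:
    """KEKIdentifier ::= SEQUENCE { keyIdentifier OCTET STRING,
                                   date GeneralizedTime OPTIONAL,
                                   other OtherKeyAttribute OPTIONAL }
    (RFC 5652 section 6.2.3; `other` is not emitted here)."""
    content = _tlv(0x04, key_identifier)                       # OCTET STRING
    if date is not None:
        stamp = date.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
        content += _tlv(0x18, stamp.encode("ascii"))           # GeneralizedTime
    return _tlv(0x30, content)                                  # SEQUENCE

# --- server side -------------------------------------------------------------

def decode_kek_identifier(der: bytes) -> dict:
    """Parse a KEKIdentifier back into its keyIdentifier and optional date."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single KEKIdentifier SEQUENCE")
    tag, key_identifier, off = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("keyIdentifier must be an OCTET STRING")
    result = {"keyIdentifier": key_identifier, "date": None}
    if off < len(seq):
        tag, content, _ = _read_tlv(seq, off)
        if tag == 0x18:
            result["date"] = datetime.strptime(content.decode("ascii"),
                                               "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return result


def find_lockbox_entry(kekid_der: bytes, lockbox: list) -> Optional[dict]:
    """Match a RecipientInfo's keyIdentifier against lockbox entries.
    `lockbox` is a constructed list of {"keyIdentifier": bytes, "wrappedKey": bytes}
    dicts (an assumption for this example, not the EPS-LockBox format).  Plain
    equality is fine here: the identifier is public, so no constant-time compare."""
    wanted = decode_kek_identifier(kekid_der)["keyIdentifier"]
    matches = [e for e in lockbox if e["keyIdentifier"] == wanted]
    if len(matches) > 1:
        raise ValueError("ambiguous keyIdentifier: %d lockbox entries share it" % len(matches))
    return matches[0] if matches else None


def identifiers_are_distinct(kekid_ders: list) -> bool:
    """Several CMS objects in one message, each with its own KEK: the server can
    only pair each one with a lockbox entry if the identifiers differ."""
    ids = [decode_kek_identifier(d)["keyIdentifier"] for d in kekid_ders]
    return len(ids) == len(set(ids))


if __name__ == "__main__":
    kid = new_key_identifier()
    rinfo_kekid = encode_kek_identifier(kid, datetime.now(timezone.utc))
    lockbox = [{"keyIdentifier": kid, "wrappedKey": b"<constructed wrapped KEK>"}]
    print(find_lockbox_entry(rinfo_kekid, lockbox)["wrappedKey"])
```

Whatever the final answer on transport turns out to be, the pairing works only on the keyIdentifier bytes: the client picks them, the RecipientInfo carries them in the clear, and whichever side holds the lockbox needs the same bytes to select the right wrapped key.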