Re: [plasma] Who creates the 'keyIdentifier'?

"Jim Schaad" <jimsch@nwlink.com> Mon, 30 July 2012 22:34 UTC

Return-Path: <jimsch@nwlink.com>
X-Original-To: plasma@ietfa.amsl.com
Delivered-To: plasma@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1E711E80A4 for <plasma@ietfa.amsl.com>; Mon, 30 Jul 2012 15:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XeKaD3qB356v for <plasma@ietfa.amsl.com>; Mon, 30 Jul 2012 15:34:43 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id A1C9E11E809C for <plasma@ietf.org>; Mon, 30 Jul 2012 15:34:43 -0700 (PDT)
Received: from Tobias (dhcp-10a6.meeting.ietf.org [130.129.16.166]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 60BFE2C9C5; Mon, 30 Jul 2012 15:34:43 -0700 (PDT)
From: "Jim Schaad" <jimsch@nwlink.com>
To: "'Alan Borland'" <alan.b.borland@googlemail.com>, <plasma@ietf.org>
References: <CALtitoaWM2AwJR3JWFjUiAmc7yKMU4O2sV6tm=s65ibLi7r2iA@mail.gmail.com>
In-Reply-To: <CALtitoaWM2AwJR3JWFjUiAmc7yKMU4O2sV6tm=s65ibLi7r2iA@mail.gmail.com>
Date: Mon, 30 Jul 2012 15:33:17 -0700
Message-ID: <00bc01cd6ea3$518dbb20$f4a93160$@nwlink.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00BD_01CD6E68.A5301BA0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGBSHVfCS46jvYtcH0EF1jjoC1EJJfatH2A
Content-Language: en-us
Subject: Re: [plasma] Who creates the 'keyIdentifier'?
X-BeenThere: plasma@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <plasma.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plasma>, <mailto:plasma-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/plasma>
List-Post: <mailto:plasma@ietf.org>
List-Help: <mailto:plasma-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plasma>, <mailto:plasma-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2012 22:34:44 -0000

Alan,

 

Sorry for the delay on getting back with a fuller response on this issue.  I
managed to fall off of my stack of issues.

 

The KeyIdentifier in the CMS KEKIdentifier field is generated by the client
and populated by the client.  The field originally was not sent to the
Plasma server as it was not thought necessary.  When doing implementations,
for some reason I can no longer remember I thought it was necessary so added
it to the schema without also putting in the documentation.

 

Since that point I have gone back to the point of wondering if the field is
needed or not.  It may be that it is just local to the client and never
needs to be sent to the server.  Part of the issue is a question on the
ability to have two different KEK objects in a single MIME message that is
done over multiple CMS objects each with a different KEKIdentifier (or the
same one).  If this is the case then it might be needed, but it would also
require a couple of other changes that I have not completely worked out yet.

 

Jim

 

 

From: plasma-bounces@ietf.org [mailto:plasma-bounces@ietf.org] On Behalf Of
Alan Borland
Sent: Wednesday, July 18, 2012 1:32 AM
To: plasma@ietf.org
Subject: [plasma] Who creates the 'keyIdentifier'?

 

I'm trying to understand who generates the 'KeyIdentifier' element in the
'KEKIdentifier' structure of the 'RecipientInfo' created by the client.  

 

Is it the client?  The Plasma CMS Processing document, Page 8, describes how
the 'KeyIdentifier' is a random generated value (Created by the client?).  

 

Is it the Plasma Server?  On Page 13 the KekIdentifier is a value that
matches the KEKIdentifier.KeyIdentifier value in the recipient info
information (I have read this to mean that the EPS-LockBox version must
match the KeyIdentifier in the envelopedData created by the client, meaning
the KeyIdentifer must be transported between client and plasma server). 

 

>From this I thought the client created the random value and passed it across
to the server inside the 'GetCMSToken' request. However, I can't see this
described in the request.  Is this missing from the request documentation,
or does this Imply that the client has to extract the KeyIdentifer from the
EPS-KEK returned in the GetCMSToken response, but this is encrypted and only
the Plasma Server has access to this.  Or have I mis-read this completely?

 

Alan.

 

Boldon James.