Re: [plasma] Who creates the 'keyIdentifier'?

"Jim Schaad" <> Wed, 18 July 2012 22:22 UTC

The value is created by the client and passed to the server.  If there is no
field this is an oversight on my part.  I will look at this later today.


From: [] On Behalf Of
Alan Borland
Sent: Wednesday, July 18, 2012 1:32 AM
Subject: [plasma] Who creates the 'keyIdentifier'?


I'm trying to understand who generates the 'KeyIdentifier' element in the
'KEKIdentifier' structure of the 'RecipientInfo' created by the client.  


Is it the client?  The Plasma CMS Processing document, Page 8, describes how
the 'KeyIdentifier' is a randomly generated value (created by the client?).  


Is it the Plasma Server?  On Page 13 the KekIdentifier is a value that
matches the KEKIdentifier.KeyIdentifier value in the recipient info
information (I have read this to mean that the EPS-LockBox version must
match the KeyIdentifier in the envelopedData created by the client, meaning
the KeyIdentifier must be transported between client and plasma server). 


From this I thought the client created the random value and passed it across
to the server inside the 'GetCMSToken' request. However, I can't see this
described in the request.  Is this missing from the request documentation,
or does this imply that the client has to extract the KeyIdentifier from the
EPS-KEK returned in the GetCMSToken response, but this is encrypted and only
the Plasma Server has access to this.  Or have I misread this completely?




Boldon James.
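
Added illustration, not part of the thread or of the Plasma documents: a client-side sketch of generating a random keyIdentifier, wrapping it in the CMS KEKIdentifier structure from RFC 5652, and checking that a lock-box value matches it. The function names, the 16-byte length and the comparison step are assumptions; the Plasma GetCMSToken messages themselves are not modelled.

```python
import hmac
import secrets

def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value with a minimal definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos); reject truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def new_key_identifier(nbytes: int = 16) -> bytes:
    # Assumption: 16 bytes from the OS CSPRNG; the thread only says "random".
    return secrets.token_bytes(nbytes)

def encode_kek_identifier(key_id: bytes) -> bytes:
    # RFC 5652: KEKIdentifier ::= SEQUENCE { keyIdentifier OCTET STRING, ... }
    return tlv(0x30, tlv(0x04, key_id))  # optional date/other fields omitted

def decode_key_identifier(der: bytes) -> bytes:
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single KEKIdentifier SEQUENCE")
    tag, key_id, _ = read_tlv(seq)
    if tag != 0x04:
        raise ValueError("keyIdentifier is not an OCTET STRING")
    return key_id

def lockbox_matches(kek_identifier_der: bytes, lockbox_key_id: bytes) -> bool:
    return hmac.compare_digest(decode_key_identifier(kek_identifier_der), lockbox_key_id)
```

The comparison uses hmac.compare_digest so the check does not leak how many leading bytes of the identifier matched.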