Re: ACTION-317: Move derived keys into XML Enc v1.1. from Frederick Hirsch on 2009-06-19 (public-xmlsec@w3.org from June 2009)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Fri, 19 Jun 2009 17:06:18 -0400
To: ext Magnus Nyström <magnus@rsa.com>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>
Message-Id: <02A5D885-BE23-45D3-ACE4-6106E50412FC@nokia.com>

Magnus

  I have a couple of questions.

Questions related to 5.4:

http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.htm#sec-Alg-KeyDerivation

(1) Regarding section 5.4.1 in XML Encryption, why does the schema not  
also define SuppPrivInfo to correspond to that item in Section 5.8.1  
of NIST 800-56A, it seems this may also need to be optionally conveyed?

(2) Do we need to specify which alternative algorithm in Section 5.8.1  
of NIST 800-56A is used, the difference being how OtherInfo is  
encoded? Perhaps we need a sentence on which encoding is to be used?

(3) I must be misinterpreting section 5.8 of NIST 800-56A since it  
seems to read that you can only use a KDF once on a secret, yet I  
thought the secret could be retained and used with the KDF more than  
once to generate a variety of keys.

"Each call to the KDF requires a freshly computed shared secret, and  
this shared secret shall be zeroized immediately following its use. "

(4) Maybe it is better to include the Algorithm attribute with URI  
value in the PRF element, rather than relying on a default value from  
the schema?
Perhaps mandate this?

(5) I notice that the references related to PKCS#5 point to the  
generic RSA PKCS page rather than the specific PKCS documents. When I  
tried to access those documents I could not retrieve from the RSA  
site, had to find mirrors on the internet...

questions on 3.5.2 The DerivedKey Element

(6) What does it mean if there is more than one KeyDerivationMethod?  
Should there be a maxOccurs of 1?

(7) In the text " If no MasterKeyName is provided" the formatting of  
"no" seems wrong. (nit)

(8) Does having Recipient make sense for DerivedKey, given that the  
Derived Key is used in the same document? Does it make sense?

Thanks for updating the XML Encryption 1.1 specification with this  
material, it seems to be appropriate in this document.

regards, Frederick

Frederick Hirsch
Nokia

On Jun 17, 2009, at 6:49 PM, ext Magnus Nyström wrote:

> This is in response to ACTION-317 that I got during last week's call.
>
> I have now checked in a version of XML Encryption version 1.1 that
> includes key derivation. In particular, I have:
>
> - Created a new subsection 3.5.2
> - Created a new subsection 5.4 (and up-ed the numbering of remaining
>   subsections in Section 5)
> - Modified section 5.1
> - Modified section 5.6 - but there remains some work here,  
> especially for
>   "ordinary" DH - but this is Brian's and Kelvin's ACTION-319.
>
> The above also includes several new examples.
>
> I also added PKCS #5 v2.0 and PKCS #5 v2.0 Amd.1 to the references and
> updated the reference to PKCS #1 to v2.1 from v2.0.
>
> The schema file has been updated too (it validates) but I have not  
> created
> a redline version. I have also not changed the explain.html file as I
> wanted to give the group a chance to review this work before doing so.
>
> -- Magnus
>

Received on Friday, 19 June 2009 21:06:59 UTC