[Standards-JIG] JEP-0136 Message Archiving
Ian Paterson
ian.paterson at clientside.co.uk
Wed Sep 13 11:37:58 CDT 2006
Matthias Wimmer wrote:
>>> BTW: What are the considerations for choosing the chosen
>>> cryptography schemes of JEP-0136?
>>>
>> Good question. I think they are particularly secure and very simple
>> to implement. For example, RSA-KEM is currently the only required
>> encapsulation scheme since it is NESSIE-recommended and its security
>> is tightly proven (unlike RSA-OAEP or PKCS #1 v1.5).
>
> Okay ... so it seems there is no special reason why we encrypt the
> data that way.
> May I ask another question? Why do we then invent our own definition
> for storing encrypted data? Is there any reason to not just use an
> already existing standard? I think of "XML Encryption" by the W3C

Well, "XML Encryption" requires RSA-OAEP and PKCS #1 v1.5 to be
implemented. That would mean extra work if we're going to recommend
RSA-KEM. [For what it's worth, "XML Encryption" is also verbose, a
single-line message collection will become rather heavy (for a mobile
client whose security constraints prevent it compressing the stream to
binary).]

I guess we could define a subset of the required functionality - like we
did with XHTML-IM.

I'll change JEP-0136 to use "XML Encryption" as you suggest.

- Ian