[Standards-JIG] JEP-0136 Message Archiving

Ian Paterson ian.paterson at clientside.co.uk
Wed Sep 13 16:37:58 UTC 2006


Matthias Wimmer wrote:
>>> BTW: What are the considerations for choosing the chosen 
>>> cryptography schemes of JEP-0136?
>>>
>> Good question. I think they are particularly secure and very simple 
>> to implement. For example, RSA-KEM is currently the only required 
>> encapsulation scheme since it is NESSIE-recommended and its security 
>> is tightly proven (unlike RSA-OAEP or PKCS #1 v1.5).
>
> Okay ... so it seems there is no special reason why we encrypt the 
> data that way.
> May I ask another question? Why do we then invent our own definition 
> for storing encrypted data? Is there any reason to not just use an 
> already existing standard? I think of "XML Encryption" by the W3C

Well, "XML Encryption" requires RSA-OAEP and PKCS #1 v1.5 to be 
implemented. That would mean extra work if we're going to recommend 
RSA-KEM. [For what it's worth, "XML Encryption" is also verbose; a 
single-line message collection will become rather heavy (for a mobile 
client whose security constraints prevent it compressing the stream to 
binary).]

I guess we could define a subset of the required functionality - like we 
did with XHTML-IM.

I'll change JEP-0136 to use "XML Encryption" as you suggest.

- Ian