On Sun, Jul 10, 2022 at 10:48:53AM +0000, Hannes Tschofenig wrote:
> Unless someone else in the group objects, I will change the text in
> Section 3.4 ("Info Structure") to say that the aad and the info
> structures for SealBase() and OpenBase() functions are empty unless
> specified by an application-specific profile of the COSE-HPKE
> specification.There is a problem with leaving aad empty: It treats AEAD-capable HPKE as AE algorithm, causing limitations: - There is no protected bucket. - Nothing seems to prevent re-interpretting recipients as messages. What I think should be done is using canonical Enc_structure as aad input, like for any AEAD in RFC 8152(bis-struct). That approach would solve both of the above limitations. Now, it does have external_aad field, which needs to be empty unless the application specifies otherwise. Checking my code, this is exactly what it does (modulo the external aad on recipient always being empty). -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
