I know this is off topic, but... > however, it does combine KDF with AEAD, which I do not think is a good idea
+1 OHTTP also uses the same code points as ECH and I asked one of the authors the reason why it does combine KDF with AEAD. There did not seem to be any particular rationale for this, so I'm thinking KDF and AEAD should be independent of each other. 2022年11月18日(金) 19:49 Ilari Liusvaara <[email protected]>: > On Fri, Nov 18, 2022 at 09:08:53AM +0000, Hannes Tschofenig wrote: > > > > If you talk about "nasty combinatorial explosion" then you need to > > explain how "nasty" it is, i.e. what the potential number of > > combinations we could have. In practice, none of these algorithm > > combinations have been bad in the past since most people are > > interested only in a small number of combination rather than anything > > that is theoretically possible (see TLS ciphersuites). > > Currently, there are 45 (60) possible combinations. And that increases > rapidly if HPKE adds anything new: A reasonable set of additions (CP-*, > X25519+Kyber768, plus SHA-3 KDF) would push that to 108 (144). > > The numbers in parenthesis are if exporters are also considered (needed > for JOSE, but not COSE). > > > Yes, many of those combinations make little sense, but the problems > are to pick those combinations that make sense (some of which are not > obvious). Each added HPKE algorithm would be fair amount of work for > the WG. And secondarily, ciphersuites are difficult to configure. > > Currently, I count 12 (17) combinations that I think make sense (but > I might be missing some). A reasonable set of additions would bring > that to 22 (31). > > > And the main problem with TLS ciphersuites is that it is _not_ > "everything possible". There are gaps, either due to some combination > just not having a ciphersuite, or such ciphersuite existing, but client > not advertising it. And handling that is very difficult, with most > implementations being buggy. > > > And on TLS, there is TLS ECH, which uses HPKE in way somewhat similar > to COSE-HPKE. It does reuse the HPKE registeries instead of defining > its own codepoints (however, it does combine KDF with AEAD, which I > do not think is a good idea, KDF should combine with KEM if it is > combined with anything). > > > > -Ilari > > _______________________________________________ > COSE mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/cose >
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
