> On Jan 18, 2023, at 1:11 PM, Ilari Liusvaara <[email protected]> wrote:
>
> On Wed, Jan 18, 2023 at 11:15:10AM -0700, Laurence Lundblade wrote:
>> HPKE integrates into COSE in two ways:
>> 1) As a COSE_Recipient where it encrypts the CEK — two-layer mode
>> 2) As the content encryption “algorithm” — one-layer mode
>>
>> A more detailed description is here
>> <https://mailarchive.ietf.org/arch/msg/cose/8Ga_-k_whir8Z4lzdpmPG6KDav4/>.
>>
>> draft-ietf-cose-aes-ctr-and-cbc works it for two-layer mode, but not
>> for one-layer mode.
>>
>> To use non-AEAD for one-layer mode, it seems like HPKE will have to
>> be modified. There will have to be a definition of algorithm IDs for
>> non-AEAD algorithms in the HPKE algorithm ID space and such.
>
> I do not think such modifications are acceptable.
>
>
> One technically could use HPKE in exporter-only to derive an encryption
> key and then use that.

That would be a two-layer solution with a COSE_Recipient, right? I think it would work, but it doesn’t have the ability to support multiple recipients like the current two-layer proposal. The current two-layer solution seems preferred.

So it seems the path forward for use of aes-ctr and aes-cbc is the current two-layer solution. If extra bytes on the wire for the COSE_Recipient structure are OK with everyone, there’s nothing to do.

LL
