> On Feb 27, 2023, at 12:22 PM, Ilari Liusvaara <[email protected]> > wrote: > > On Mon, Feb 27, 2023 at 09:55:02AM -0800, [email protected] wrote: >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This Internet-Draft is a work item of the CBOR Object Signing and Encryption >> WG of the IETF. >> >> Title : Use of Hybrid Public-Key Encryption (HPKE) with >> CBOR Object Signing and Encryption (COSE) >> Authors : Hannes Tschofenig >> Brendan Moran >> Filename : draft-ietf-cose-hpke-03.txt >> Pages : 14 >> Date : 2023-02-27 > > > I think this version has contradictionary requirements (at least unless > overridden by application profile): > > 1) Alg parameter MUST be in protected header. > 2) AAD is optional, so this is AE algorithm. > 3) RFC 9052 requires AE encryption to fail if there is protected header. > So the encryption would always fail. > > > I think the way to fix this would be to specify that value of aad input > is enc_structure, making this an AEAD algorithm. (One could also include > a note that the context is "Encrypt0" for the single-layer structure, > and "Enc_Recipient" for the two layer one.)
Yes, this seems right. HPKE Seal is integrated in to COSE where there is usually an AEAD. Thus, the AAD argument of HPKE Seal MUST always be the COSE Enc_structure. This is true for HPKE in COSE_Encryp0 and for HPKE in a COSE_Recipient. I would also say that the info argument to HPKE Seal MUST always be “”. The AAD input to COSE is optional as always, but that is different from the AAD argument to HPKE Seal. LL _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
