The COSE HPKE draft has this security consideration:

   The COSE_Encrypt structure MUST be authenticated using COSE constructs like COSE_Sign, COSE_Sign1, COSE_MAC, or COSE_MAC0.

It is really good this text is there, but I’d like to tweak it a bit:

- Change MUST to SHOULD because there are (theoretically) cases where authenticity is not needed. Perhaps some comment that most use cases will need authenticity to defend against forgery attacks — the attacker is likely to have access to the recipient's public key. (Also, I prefer to avoid 2119 terms in security considerations.)
- Say that the AEAD in HPKE base_mode is not a substitute for the authenticity provided by COSE_Sign and such.

LL
