Hi Laurence, Hi Daisuke,
in a recent email you wrote: >> I think an Enc_structure (5.3 in 9052) with context “Enc_Recipient” is >> what should be given to SealBase for the aad parameter. Also, I think >> the info parameter to SealBase here should be “”. There are two cases to consider, namely * the one layer mode, and * the two layer mode. For the one layer mode using the Enc_structure as input to the aad parameter of SealBase seems correct to me. A caller can still put further aad information into the external_aad structure, one of the fields in the Enc_structure. For the two layer mode I believe you are wrong. When the COSE RFC was written HPKE did not exist. In no other place in the COSE spec you provide the Enc_structure to the recipient structures. Hence, Jim couldn't anticipate that there would be a HPKE spec asking for info and aad parameters. Instead, Section 5.3 of RFC 9052 talks about authenticated data structure in context of the AEAD cipher used at the lowest level -- the COSE_Encrypt and COSE_Encrypt0 structure rather than the recipient structures. The Enc_structure becomes the additional authenticated data for the AEAD. I also took a (very) brief look at Jim's code and I couldn't find the place where he puts the Enc_structure into the AAD of the recipient layer. What information is passed to the HPKE information at the recipient layer should be kept flexible, as it is currently the case in the COSE-HPKE draft (with the info structure) and as it is also done in RFC 9053 since the content is application dependent. Here is what Section 5.2 of RFC 9053 says about the information structure: " The context information structure is used to ensure that the derived keying material is "bound" to the context of the transaction. " Specifications using COSE-HPKE know about the context and will have to populate the fields accordingly. Ciao Hannes _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
