On Sun, Mar 12, 2023 at 04:31:23PM +0100, Hannes Tschofenig wrote:
> Hi Laurence, Hi Daisuke,
>
> in a recent email you wrote:
>
> >> I think an Enc_structure (5.3 in 9052) with context “Enc_Recipient” is
> >> what should be given to SealBase for the aad parameter. Also, I think
> >> the info parameter to SealBase here should be “”.
>
> For the two layer mode I believe you are wrong. When the COSE RFC was
> written HPKE did not exist. In no other place in the COSE spec you
> provide the Enc_structure to the recipient structures. Hence, Jim
> couldn't anticipate that there would be a HPKE spec asking for info and
> aad parameters. Instead, Section 5.3 of RFC 9052 talks about
> authenticated data structure in context of the AEAD cipher used at the
> lowest level -- the COSE_Encrypt and COSE_Encrypt0 structure rather than
> the recipient structures.

The way I read both RFC 8152 and RFC 9052 is that Enc_structure is always used when encrypting with an AEAD algorithm, regardless of where. HPKE is an AEAD algorithm.

Moreover, some of the text in RFC 8152 and RFC 9052 makes absolutely no sense if one assumes Enc_structure is restricted to layer0, as there are contexts that can only appear on layer1 or layer2+, and nothing else uses those.

> The Enc_structure becomes the additional authenticated data for the
> AEAD. I also took a (very) brief look at Jim's code and I couldn't find
> the place where he puts the Enc_structure into the AAD of the recipient
> layer.

I would guess that is because the code just does not support any AEAD algorithms at layer1 (that algorithm has usually been AES-KW, which is not AEAD).

> What information is passed to the HPKE information at the recipient
> layer should be kept flexible, as it is currently the case in the
> COSE-HPKE draft (with the info structure) and as it is also done in RFC
> 9053 since the content is application dependent. Here is what Section
> 5.2 of RFC 9053 says about the information structure:
> "
>
> The context information structure is used to ensure that the derived
> keying material is "bound" to the context of the transaction.
>
> "
>
> Specifications using COSE-HPKE know about the context and will have to
> populate the fields accordingly.

I thought about some examples of things applications might want to do with context, and came up with a nasty grab-bag of things, with almost no unifying theme (and not surprisingly COSE_KDF_Context is completely inadequate for that kind of stuff).

Therefore, I think context is too complicated for base COSE-HPKE, and is best left to applications that need it. However, for interop, one needs to specify that info is empty unless specified otherwise.

-Ilari
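
The position argued in the reply above (an Enc_structure with context "Enc_Recipient" as the aad for SealBase, and info empty unless an application specifies otherwise), as an added Python example that is not part of the thread or of any COSE implementation. The helper names and the sample protected-header bytes are constructed for illustration; the example also encodes the layer0 context to show that the two layers authenticate different bytes.

```python
# Added example: CBOR-encode the RFC 9052 Section 5.3 Enc_structure
# [context : tstr, protected : bstr, external_aad : bstr] and use it as the
# aad of a recipient-layer SealBase(pkR, info, aad, pt) call.

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for a major type and its unsigned argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for extra, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | extra]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")

def bstr(b: bytes) -> bytes:
    return _head(2, len(b)) + b

def tstr(s: str) -> bytes:
    raw = s.encode("utf-8")
    return _head(3, len(raw)) + raw

# Context strings defined for Enc_structure in RFC 9052 Section 5.3.
CONTEXTS = {"Encrypt", "Encrypt0", "Enc_Recipient",
            "Mac_Recipient", "Rec_Recipient"}

def enc_structure(context: str, protected: bytes,
                  external_aad: bytes = b"") -> bytes:
    """Serialize the Enc_structure; 'protected' is the already-encoded
    protected header of the layer being encrypted."""
    if context not in CONTEXTS:
        raise ValueError(f"unknown Enc_structure context: {context!r}")
    return _head(4, 3) + tstr(context) + bstr(protected) + bstr(external_aad)

def sealbase_inputs(protected: bytes, external_aad: bytes = b"",
                    info: bytes = b"") -> tuple[bytes, bytes]:
    """Hypothetical helper: (info, aad) for a recipient-layer SealBase.
    info defaults to empty, so both sides agree without negotiation."""
    return info, enc_structure("Enc_Recipient", protected, external_aad)

# Constructed sample: placeholder serialized protected header, not taken
# from the thread or from any registry.
SAMPLE_PROTECTED = bytes.fromhex("a10120")

if __name__ == "__main__":
    info, aad = sealbase_inputs(SAMPLE_PROTECTED)
    print("info:", info.hex() or "(empty)")
    print("aad (recipient layer):", aad.hex())
    print("aad (layer0):", enc_structure("Encrypt0", SAMPLE_PROTECTED).hex())
```

Because the context string is part of the authenticated bytes, a ciphertext produced for the recipient layer fails AEAD verification if it is presented at layer0 with the same protected header, and the reverse.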
