> On Mar 14, 2023, at 1:28 PM, Ilari Liusvaara <[email protected]> wrote:
>
> On Tue, Mar 14, 2023 at 12:30:56PM -0700, Laurence Lundblade wrote:
>
>> The kid parameter is always optional in COSE. It shouldn’t be
>> mandatory in 3.1.1 and 3.1.2. I think this is a mandatory change for
>> this draft. Section 5.2 of 9052 even discourages use of kid in an
>> Encrypt0:
>>
>>    The COSE_Encrypt0 encrypted structure does not have the ability to
>>    specify recipients of the message. The structure assumes that the
>>    recipient of the object will already know the identity of the key
>>    to be used in order to decrypt the message. If a key needs to be
>>    identified to the recipient, the enveloped structure ought to be
>>    used.
>
> I think the COSE_Encrypt0 case here is actually analogous to Direct
> Key Agreement, because COSE-HPKE smashes two layers together (as HPKE
> makes that natural to do). And DKA usually uses kid.
>
> In my implementation, there is a shortcoming[1] that causes things to blow
> up if one tries to decrypt COSE_Encrypt0 messages without kid using
> multiple decryption keys (it does kid matching, but can only try to
> decrypt once, COSE_Encrypt does exhaustive trial decryption after
> kid matching).

I think it’s fine for there to be a kid or some other header param(s) to identify the key for COSE_Encrypt0, as long as meltdowns are avoided :-). Just don’t think they should be mandated by COSE-HPKE.

LL
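
An added example, not part of the original message and not code from either participant's implementation: receiver-side key selection for a COSE_Encrypt0-style message where kid is optional, doing kid matching and then trial decryption over every remaining candidate. The toy seal/unseal pair is a constructed stand-in for the HPKE open step, and the dict message shape, function names and keyring are assumptions made for illustration.

```python
import hashlib, hmac, os

class AuthError(Exception):
    """Raised when no key tried authenticates the ciphertext."""

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in only, not HPKE).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC: nonce || ciphertext || 32-byte tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise AuthError("tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def decrypt_encrypt0(msg, keyring):
    """msg: {'kid': bytes (optional), 'ciphertext': bytes}; keyring: [(kid, key)]."""
    kid = msg.get("kid")
    # kid present: narrow to matching keys. kid absent: every key is a candidate.
    candidates = [(k, key) for k, key in keyring if kid is None or k == kid]
    for k, key in candidates:
        try:
            return k, unseal(key, msg["ciphertext"])
        except AuthError:
            continue  # wrong key: try the next one instead of failing the message
    raise AuthError("no candidate key decrypts this message")

# Constructed sample keyring: two keys share kid b"b", since kid need not be unique.
KEYRING = [(b"a", bytes([1]) * 32), (b"b", bytes([2]) * 32), (b"b", bytes([3]) * 32)]
```
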
