Hi Laurence, 

 

I added this issue to https://github.com/cose-wg/HPKE/issues/23. 

 

I don’t have an opinion about the two approaches and which one is better from a 
security point of view. 

I can see implementation benefits of using an empty AAD for the HPKE functions 
and to only use the AAD in layer 0.

 

Ciao

Hannes

 

If I understand correctly Illari recently suggested that external_aad be an 
empty bstr in COSE_Recipients.

 

I see some implementation benefits to this. The Externally Supplied AAD would 
only be processed at layer 0 and wouldn't have to be passed to COSE_Recipient 
creation, saving some code. Theoretically, Externally Supplied AAD can be large, 
which means you have to either have a buffer to hold the entire Enc_structure. 
While you can’t avoid this at layer 0 it might be nice to avoid it at layer 1.

 

I don’t see a security issue here. The Externally Supplied AAD is covered just 
fine at layer 0.

 

We could specify this only for HPKE.  

 

I don’t think this is a big deal either way and what’s in the -04 draft is OK, 
but thought I’d bring up the alternative.

 

 

Also, it seems like there should be Errata for 9052 here. It could say either 
it is always Externally Supplied AAD, always an empty bstr or it varies with 
the key distribution method.
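
The two alternatives discussed in this thread, as an added example that is not part of either message and not code from the draft or any COSE implementation: it serializes the RFC 9052 Enc_structure (`[context, protected, external_aad]`) for layer 0 and for a COSE_Recipient, with the recipient's external_aad either the Externally Supplied AAD or an empty bstr. The function names and the sample protected header bytes are assumptions made for the illustration.

```python
import struct

# Constructed sample: a serialized protected header map ({1: 1}); not from the thread.
SAMPLE_PROTECTED = bytes.fromhex("a10101")

def _head(major, n):
    """CBOR initial byte plus shortest-form argument (RFC 8949)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("length too large for CBOR")

def bstr(b):
    return _head(2, len(b)) + b

def tstr(s):
    e = s.encode("utf-8")
    return _head(3, len(e)) + e

def enc_structure(context, protected, external_aad):
    """Enc_structure = [context, protected, external_aad], the AEAD's AAD input."""
    return _head(4, 3) + tstr(context) + bstr(protected) + bstr(external_aad)

def layer_aads(external_aad, empty_at_layer1):
    """Return (layer 0 AAD, layer 1 AAD) for one of the two approaches."""
    # Layer 0 always binds the Externally Supplied AAD to the content.
    layer0 = enc_structure("Encrypt", SAMPLE_PROTECTED, external_aad)
    # Layer 1 (COSE_Recipient): either repeat the AAD or use an empty bstr.
    layer1_aad = b"" if empty_at_layer1 else external_aad
    layer1 = enc_structure("Enc_Recipient", SAMPLE_PROTECTED, layer1_aad)
    return layer0, layer1

if __name__ == "__main__":
    for size in (0, 1000, 100000):
        aad = bytes(size)  # constructed Externally Supplied AAD
        for empty in (False, True):
            l0, l1 = layer_aads(aad, empty)
            print(f"aad={size:6d} empty_at_layer1={empty!s:5} "
                  f"layer0={len(l0):6d} layer1={len(l1):6d}")
```

With the empty bstr, the layer 1 Enc_structure has a fixed size that does not grow with the Externally Supplied AAD, while the layer 0 structure still carries the AAD in full.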

 
