On Fri, Apr 14, 2023 at 11:04:46AM -0500, Orie Steele wrote:
>
> On Fri, Apr 14, 2023 at 2:44 AM Ilari Liusvaara <[email protected]>
> wrote:
> >
> > I don't think this is allowed in COSE. Alg is mandatory at every layer,
> > and the key restricting alg only works at the lowest layer, not
> > constraining the higher layers at all.
> >
>
> alg is optional in COSE Key and JWK.
>
> AFAIK, it is mandatory in most envelope formats and it is usually not
> accompanied with "extra parameterization / agility"... but this is what
> COSE HPKE proposes to change.

It is already accompanied by extra agility (multi-layer structures). If
key allows those, there is no way to restrict algorithms used.

And due to how JOSE works, it might not be possible to use alg in keys.

> > I think ciphersuites would have been mess at best, very flawed at
> > worst. For how-not-to on ciphersuites, check what MLS (-20) seems to
> > do (by far the worst I have ever seen).
> >
>
> Apple seems to disagree on this point:
>
> https://developer.apple.com/documentation/passkit/wallet/verifying_wallet_identity_requests?language=objc
>
> Their algorithm "APPLE-HPKE-v1", does exactly what I have been suggesting:
>
> https://developer.apple.com/documentation/passkit/wallet/verifying_wallet_identity_requests#4036908
>
> Encode the "HKC stuff, in the algorithm name, and register it".

Estimating the number of algs required, it would be at least 12 with
the present HPKE registries, and at least 21 after adding all the
ones that have drafts. Then if AEGIS gets added, that would be further
12 (bumping total to 33)... And then if someone gets the bright idea of
adding SHA-3 support... That is going to at least double the number...

And that is with nontrivial rules to determine the combinations. Without
those, it is much worse.

Not only those have to be registered, the registrations also have to be
added to lookup tables in COSE-HPKE implementations.

> > > > I think it was briefly mentioned at IETF 116, can we perhaps make
> > > > "sender info" useful for COSE Key / JWK... or can we replace "sender
> > > > info" with some version of "hkc".
> > > >
> > > > I don't think we need 2 different solutions here, even if the
> > > > problems are different.
> >
> > Neither of the two is possible because the fields are different. And
> > even if it were possible, it would not make sense, because header
> > parameters and key parameters are separate things in COSE and JOSE.
> >
>
> I don't think this is true, I can imagine using Apple's "APPLE-HPKE-v1" in
> both JWK and COSE Key.

The algorithm is not even close to compatible with COSE, let alone JOSE.

-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
