On Sun, Apr 16, 2023 at 02:45:01PM -0500, Orie Steele wrote:
> I decided to purchase a domain and make a demo.
>
> https://hpke.dev
>
> The demo shows how JWK can be valuable for working with HPKE even when JWE
> is not used.
>
> The demo compares the current experience *using the exact same P-256 key*
> with *ECDH-ES+A128KW* to HPKE with *APPLE-HPKE-v1 *aka* ... *DHKEM(P-256,
> HKDF-SHA256), HKDF-SHA256, AES-128-GCM
>
> Based on:
> https://developer.apple.com/documentation/passkit/wallet/verifying_wallet_identity_requests?language=objc
>
> The demo code hand waves over a number of important issues in how HPKE
> might look in JOSE, Ilari has pointed a few of them out before, but I will
> repeat them here just in case:

The nasty issue for HPKE in JOSE is the following: In COSE-HPKE, one can
always use wrapping algorithm with no drawbacks. Whereas in JOSE, one
sometimes requires non-wrapping algorithm, and sometimes wrapping algorithm.
This is not about optimality, it is about getting things to work at all.

This implies that there is duplication among alg values, which causes trying
to use alg to restrict keys to run into issues.

The way to get non-wrapping algorithm with HPKE is to set AEAD to export
only (0xFFFF) and then use exporter to export a key. This won't unify with
the other alg even when parametrized.

This might be able to be used as basis to build JOSE-HPKE. It will not be
as elegant as COSE-HPKE, but at least it would technically work.

-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
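
The export-only construction described in the message above, as an added example that is not part of the original thread or of the hpke.dev demo: the RFC 9180 base-mode key schedule with the AEAD id set to 0xFFFF, followed by the exporter call that yields a content-encryption key directly (no wrapped key). Assumptions: the shared secret is a constructed stand-in for the DHKEM(P-256, HKDF-SHA256) Encap/Decap output, and the exporter context string is a hypothetical label.

```python
import hashlib
import hmac

# RFC 9180 identifiers for the suite named in the thread.
KEM_P256, KDF_SHA256 = 0x0010, 0x0001
AEAD_AES128GCM, AEAD_EXPORT_ONLY = 0x0001, 0xFFFF
MODE_BASE = b"\x00"
NH = 32  # HKDF-SHA256 output size

def suite_id(aead_id):
    ids = (KEM_P256, KDF_SHA256, aead_id)
    return b"HPKE" + b"".join(i.to_bytes(2, "big") for i in ids)

def labeled_extract(sid, salt, label, ikm):
    return hmac.new(salt, b"HPKE-v1" + sid + label + ikm, hashlib.sha256).digest()

def labeled_expand(sid, prk, label, info, length):
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + sid + label + info
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # HKDF-Expand: T(i) = HMAC(prk, T(i-1) | info | i)
        block = hmac.new(prk, block + labeled_info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def exporter_secret(aead_id, shared_secret, info=b""):
    sid = suite_id(aead_id)
    psk_id_hash = labeled_extract(sid, b"", b"psk_id_hash", b"")
    info_hash = labeled_extract(sid, b"", b"info_hash", info)
    context = MODE_BASE + psk_id_hash + info_hash
    secret = labeled_extract(sid, shared_secret, b"secret", b"")
    # With the export-only AEAD, "key" and "base_nonce" are never derived:
    # the context cannot Seal/Open, it can only Export.
    return labeled_expand(sid, secret, b"exp", context, NH)

def export_cek(shared_secret, exporter_context, length,
               aead_id=AEAD_EXPORT_ONLY, info=b""):
    exp = exporter_secret(aead_id, shared_secret, info)
    return labeled_expand(suite_id(aead_id), exp, b"sec", exporter_context, length)

# Constructed sample input: stands in for the KEM shared secret that sender
# (Encap) and recipient (Decap) would both hold.
SAMPLE_SHARED_SECRET = hashlib.sha256(b"constructed DHKEM output").digest()
SAMPLE_LABEL = b"example CEK"  # hypothetical exporter context

if __name__ == "__main__":
    print(export_cek(SAMPLE_SHARED_SECRET, SAMPLE_LABEL, 16).hex())
```

Because the AEAD id is part of `suite_id`, which is mixed into every labeled step, the same shared secret exports a different key under 0x0001 than under 0xFFFF.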
