I think there is no need to repeat this, but I fully agree with Ilari on this matter.
> As a final note, the contents of the registry do matter. I consider HPKE to
> be a fairly low-level primitive, whereas I (perhaps naively) view COSE as a
> higher-level application protocol. We have the expertise to be opinionated
> about what goes into that registry for applications to use, and we should
> exercise that opinion to provide folks with a very limited set of options,
> ideally target precisely one. The
> "HPKEv1-Base-DHKEM(P256,HKDFSHA256)-HKDFSHA256-AES128GCM" label seems like
> a perfectly fine candidate for that.

I can't agree with that. COSE-HPKE might be a high-level application layer standard, but it's not specific to a particular application. Whether or not we can limit the cipher suites should be decided based on whether the specification is premised on a limited use case or environment, and whether it's specific to a certain application.

The COSE-HPKE spec should be a generic standard that doesn't assume a specific use case, and limiting the cipher suites is not the right choice.

I wouldn't object to limiting the cipher suites in the "Firmware Encryption with SUIT Manifests" specification that utilizes COSE-HPKE. This is because the use case is limited and it is possible to restrict ciphersuites based on reasonable grounds.

> I suggest requesting registrations only for the algorithm suites that
> people want to use in COSE-HPKE

OK. Let's register 72 (6*3*4) cryptographic suites then.

In the future, it's difficult to determine which cryptographic algorithms may become insecure, whether due to specification or implementation. If we are considering removing some algorithms, I would like to request a reasonable justification. Can such a thing be done in this specification, which does not assume any specific use cases?
Best,
AJITOMI Daisuke

On Thu, Jun 1, 2023 at 18:52, Carsten Bormann <[email protected]> wrote:

> On 2023-06-01, at 11:07, John Mattsson <john.mattsson=[email protected]> wrote:
> >
> > I don’t think COSE in the past had something that can be described as
> > cipher suites.
>
> To me anything that has a “w/” or a “+” (mostly) in
> https://www.iana.org/assignments/cose/cose.xhtml#algorithms
> is a cipher suite.
> Sorry if that term is not rigorously defined...
>
> Grüße, Carsten
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
