On Wed, Jul 05, 2023 at 03:54:30PM -0500, Orie Steele wrote:
>
> Is it ok to convey the encapsulated key outside of the protected header?
It can not be in protected header, as that would cause cyclic
dependency.
(Ciphertext is output by single-shot encrypt call, but that call also
requires the protected header.)
(Now one could break that with multishot API, but COSE-HPKE does not
assume that API is available.)
> Is it ok to omit both `hkc` and `alg` in the case that `kid` is
> enough to discover a JWK or COSE key that specifies the same
> information?
>
> Seems like the answer is yes, based on the binding being redundant.
It is not possible to omit "alg" nor sender_info, due to COSE
requirements.
If the triple was communicated in some other way, sender_info could be
a bstr.
However, any x25519/x448/p256/p384/p521 key that does not assert alg
restriction could be used with COSE-HPKE, and those keys do not come
with extra data on how to use those in COSE-HPKE.
> Assuming all algorithms used are communicated out of band, what is the
> minimum information required in the protected header?
The absolute minimum is alg.
And then in unprotected headers, one MUST have sender_info and
SHOULD have kid.
Here is part of (commented) diagnostic dump of recipient structure from
my COSE-HPKE prototype (pretty minimal):
[
//Protected header: alg: -1 (HPKEv1-BASE)
h'A10120',
//Unprotected header.
{
//KID.
4: h'E60B34A4C19A19A0',
//HPKE Sender info.
-4: [
//X25519 with SHA-256 KEM
32,
//SHA-256 KDF
1,
//Chacha20-Poly1305
3,
//Ciphertext.
h'DD5A7E5573C485496E00C2406F1F5B71DF2D913DFB2CF1794F5F826C73DFFB25'
]
},
//Encrypted content encryption key.
h'F75001F6E076A11C8D9458BC270DEAEB217C48AA943B110A1CA3FEE9BCF24BEABB934EAC0F1A6DA6E17FE6D4959ABC36'
]
-Ilari
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose