On Tue, Nov 07, 2023 at 02:44:00PM +0100, Orie Steele wrote: > Thanks for the review! > > I'm really supportive of getting a structure that can support hybrid kem, > but I feel we can get there faster without adding the key type or alg > points for stuff that has not yet settled in the HPKE registry fully.
I think splitting out hybrid KEM is a good idea. Not because the stuff is not stable (it is), but because: - The key stuff gets very annoying if one wants something that can be published as an RFC. - This stuff would test adding new ciphersuites to COSE-HPKE. One could also apply the same kinds of strategies as seen in CFRG and TLS with Kyber. This would enable cutting corners with the key stuff, making the thing much easier. > I am strongly supportive of only registering things in this draft that > people really want to use, and that are being used successfully elsewhere. > > It seems that there is a general desire to have: > > 1. NIST / not NIST > 2. Traditional / Hybrid > 3. Low / Mid / High security params. Regarding third point, I think folks mostly do two-level: - P256/P384 on NIST side (P521 is not used much). - X25519/X448 on non-NIST side. Oh, and with regards to HPKE KEMs, someone added the bitcoin curve. I an not exactly excited about that. > The only thing I feel sorta strongly about, is not waiting for hybrid, to > publish the envelope format. Waiting for hybrid is not an option. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
