> > No need for next_alg in that case.
> Looking at the algorithm list, I see 8 AES-CCM algorithms. Those are also > section 5.3 (AEAD) algorithms. Not needing next_alg applies to any section > 5.3. algorithm. Thanks. I think it would be ideal if we could restrict the use of layer0 algs to the algs you've mentioned, but after seeing Laurence's message, I've realized that it's difficult. Daisuke 2024年3月20日(水) 1:00 Ilari Liusvaara <[email protected]>: > On Tue, Mar 19, 2024 at 09:13:36PM +0900, AJITOMI Daisuke wrote: > > Thanks, Ilari. > > > > My question was not correct. When we restrict the algorithms at layer0 > for > > "HPKE key encryption" to AEAD algorithms, specifically A{128,192, 256}GCM > > and ChaCha20Poly1305, are there any reasons why we need next_alg? > > No need for next_alg in that case. > > Looking at the algorithm list, I see 8 AES-CCM algorithms. Those are also > section 5.3 (AEAD) algorithms. Not needing next_alg applies to any section > 5.3. algorithm. > > > I think that for layer0, one should require any encryption to be capable > of aad, and any symmetric encryption to be AEAD. Otherwise attackers > can cause some weird stuff to happen (which might or might not be > exploitable). > > For other layers, the requirement is for any symmetric encryption to be > AE or AEAD. > > > The reason for not outright requiring AEAD on layer0 is that HPKE would > fail such requirement, because it is not symmetric, but can still appear > on layer0. > > > > > -Ilari > > _______________________________________________ > COSE mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/cose >
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
