Replying only to COSE, since Ilari's comments are about COSE. Replies are inline below, prefixed by "Mike>".
-----Original Message----- From: [email protected] <[email protected]> Sent: Monday, December 1, 2025 6:26 AM To: [email protected]; [email protected] Subject: [jose] Re: Design Team Decisions Applied to JOSE HPKE Specification While those decisions made sense for JOSE, I do not think those decisions make sense for COSE: * Not use "enc" when performing Integrated Encryption. COSE does not have "enc". The closest equivalent is layer 0 algorithm, which has to be present, unless it can be inferred somehow (usually it can not). Mike> Yes, this one obviously doesn't apply to COSE. * Define one new Key Management Mode for Integrated Encryption There is no need to explicitly define a new Key Managment Mode, even if HPKE in COSE requires one - HPKE in COSE does not fit any existing COSE Key Managment Mode for various reasons. And as noted later, there are some security pitfalls here. * Integrate the new mode into the Message Encryption and Message Decryption instructions from RFC 7516 and replace them. COSE does not have any analogous instructions. Mike> Yes, COSE does not have explicit Key Management Modes. That said, the spec already clearly differentiates between Integrated Encryption and Key Encryption modes, so I believe there's nothing additional that needs to be done on this point. * Utilize distinct algorithm identifiers for the use of HPKE for Integrated Encryption and HPKE for Key Encryption. This would actually be dangerous. In COSE, any bulk encryption can be applied to CEK, so any bulk encryption algorithm needs to be able to deal with CEKs properly. Mike> I maintain that since encryption of the plaintext and encryption of the CEK are different operations with different outputs, they need to be different algorithms in order to be fully-specified. There's nothing dangerous about that - quite the opposite; it removes ambiguity in the processing rules that could be a source of danger. Mike> Can you cite normative text saying that any bulk encryption algorithm can also be applied to the CEK, Ilari? * Only use the Recipient_structure when doing Key Encryption and not when doing Integrated Encryption. COSE has per-level protected headers and application AADs, so aad structures are required at every level. What could make sense is always using Recipient_structure, setting next_layer_alg to NULL on layer 0. Hannes' PR https://github.com/cose-wg/draft-ietf-cose-hpke/pull/96 has COSE HPKE secure the authenticated data in the normal COSE way. See if you agree with that approach. -Ilari Thanks, -- Mike _______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
