This is not implementing a new KDF in any way shape or form. This is defining a way to know what the IDs that are to be included in the NIST KDF function are supposed to be.
Jim From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones Sent: Sunday, June 23, 2013 5:25 PM To: Jim Schaad; 'Russ Housley' Cc: [email protected] Subject: Re: [jose] Concat KDF The problem with that is that we're inventing our own KDF at that point. The upsides of Concat are that it is known to work, is known to be implemented, and is known to meet NIST and other existing security criteria. At least as I see it, we shouldn't give up those advantages without a compelling reason to do so. -- Mike From: Jim Schaad [mailto:[email protected]] Sent: Sunday, June 23, 2013 4:11 PM To: Mike Jones; 'Russ Housley' Cc: [email protected] Subject: RE: [jose] Concat KDF I have been thinking about this and I am going to make a different proposal. The proposal is as follows: 1. We eliminate the two partyX fields from the specification 2. We define a new "ID" field which MUST be present for ECDH keys. 3. We say that you take the ID field from the sender/recipient respectively and use them in the PartyX fields when doing the KDC. The only down side of this, is that if one has a certificate then we should use the DER encoded subject name of the certificate but I am not sure how this would be encoded in the case you have a JWK which contains an x5c member. It might be that we will need to defined an ID and an IDb64 field to allow for a binary ID to be used. There would still need to be a requirement that the ID field be length prefixed in the discussion. Jim From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones Sent: Sunday, June 23, 2013 2:57 PM To: Russ Housley Cc: [email protected] Subject: Re: [jose] Concat KDF Good idea, Russ. How about this? "In the general case, the specific identifiers used to tie the key derivation to the sender (Party U) and the receiver (Party V) are application specific and beyond the scope of this specification. As an illustration of one possible usage, when the JWE is a JSON Web Token (JWT) [JWT], applications might specify that the "iss" (issuer) value be used as the "apu" value and the primary "aud" (audience) value be used as the "apv' value." -- Mike From: Russ Housley [mailto:[email protected]] Sent: Sunday, June 23, 2013 7:43 AM To: Mike Jones Cc: [email protected] Subject: Re: [jose] Concat KDF Mike: I can add a sentence along the lines of the following to make Jim's points below clearer to non-expert readers: "The specific identifiers used to tie the key derivation to the sender (Party U) and the receiver (Party V) are application specific and beyond the scope of this specification." I see the attraction of this approach, but I wonder if it would be possible to also include some advice to applications that make use of JOSE. If the parties that are trying to form a pairwise key make different assumptions, then we do not get interoperability. I am just trying to improve the likelihood of interoperability. Russ
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
