On Thu, Oct 12, 2023 at 01:55:17PM +0000, Aritra Banerjee (Nokia) wrote:
> Hello all,
> 
> We published a new draft draft-rha-jose-hpke-encrypt-00 - Use of
> Hybrid Public-Key Encryption (HPKE) with Javascript Object Signing
> and Encryption (JOSE) 
> (ietf.org)<https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/>
> to the JOSE WG.
> 
> This document defines the use of the HPKE with JOSE.
> 
> Feedback and suggestions are welcome.
> 
> A new version of Internet-Draft draft-rha-jose-hpke-encrypt-00.txt has been
> successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
> 
> Name:     draft-rha-jose-hpke-encrypt
> Revision: 00
> Title:    Use of Hybrid Public-Key Encryption (HPKE) with Javascript Object 
> Signing and Encryption (JOSE)
> URL:      https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/
> HTML:     https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-rha-jose-hpke-encrypt

The way direct key agreement mode is done cannot work:

1) Single-recipient mode has no unprotected header bucket.
2) JWE always encrypts by itself.

What has to be done for direct key agreement is using HPKE Secret Export
(SendExportBase and ReceiveExportBase) with the export-only AEAD to
derive the encryption key for JWE. And put the encapsulated_key into
the protected bucket. The ciphersuites for this have no AEAD specified.

This is very similar to how ECDH direct key agreement works.


And ugh, those alg names are far too gnarly.

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
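
The construction described in the reply above, as an added example that is not part of the thread or the draft: HPKE base mode (RFC 9180) with the export-only AEAD derives the JWE content encryption key, the encapsulated key travels in the protected header, and the JWE Encrypted Key field stays empty as in ECDH direct key agreement. The `alg` value, the use of `encapsulated_key` as the header parameter name, the exporter context string and the choice of A128GCM are assumptions made for illustration.

```javascript
// Added example. Suite: DHKEM(X25519, HKDF-SHA256) 0x0020, HKDF-SHA256 0x0001, export-only AEAD 0xffff.
const crypto = require('node:crypto');
const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
const E = Buffer.alloc(0);
const KEM = Buffer.concat([Buffer.from('KEM'), u16(0x0020)]);
const SUITE = Buffer.concat([Buffer.from('HPKE'), u16(0x0020), u16(0x0001), u16(0xffff)]);
const hmac = (k, d) => crypto.createHmac('sha256', k).update(d).digest();
const lExtract = (suite, salt, label, ikm) => // an empty salt is 32 zero bytes for HKDF-SHA256
  hmac(salt.length ? salt : Buffer.alloc(32), Buffer.concat([Buffer.from('HPKE-v1'), suite, Buffer.from(label), ikm]));
function lExpand(suite, prk, label, info, len) {
  const li = Buffer.concat([u16(len), Buffer.from('HPKE-v1'), suite, Buffer.from(label), info]);
  let t = E, out = E;
  for (let i = 1; out.length < len; i++) out = Buffer.concat([out, (t = hmac(prk, Buffer.concat([t, li, Buffer.from([i])])))]);
  return out.subarray(0, len);
}
const rawPub = (k) => Buffer.from(k.export({ format: 'jwk' }).x, 'base64url');
const toPub = (raw) => crypto.createPublicKey({ format: 'jwk', key: { kty: 'OKP', crv: 'X25519', x: raw.toString('base64url') } });
// DHKEM shared secret -> key schedule (mode_base, no PSK) -> Export(ctx, len)
function hpkeExport(dh, enc, pkR, info, ctx, len) {
  const ss = lExpand(KEM, lExtract(KEM, E, 'eae_prk', dh), 'shared_secret', Buffer.concat([enc, pkR]), 32);
  const ksc = Buffer.concat([Buffer.from([0]), lExtract(SUITE, E, 'psk_id_hash', E), lExtract(SUITE, E, 'info_hash', info)]);
  const exporterSecret = lExpand(SUITE, lExtract(SUITE, ss, 'secret', E), 'exp', ksc, 32);
  return lExpand(SUITE, exporterSecret, 'sec', ctx, len);
}
function sendExportBase(pkR, info, ctx, len) {
  const eph = crypto.generateKeyPairSync('x25519'), enc = rawPub(eph.publicKey);
  const dh = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: toPub(pkR) });
  return { enc, key: hpkeExport(dh, enc, pkR, info, ctx, len) };
}
function receiveExportBase(enc, skR, info, ctx, len) {
  const dh = crypto.diffieHellman({ privateKey: skR, publicKey: toPub(enc) });
  return hpkeExport(dh, enc, rawPub(skR), info, ctx, len);
}

const CTX = Buffer.from('example JWE CEK'); // constructed exporter context, not from the draft
function jweEncrypt(pkR, plaintext) { // alg is a placeholder, not one of the draft's names
  const { enc, key } = sendExportBase(pkR, E, CTX, 16);
  const hdr = Buffer.from(JSON.stringify({ alg: 'HPKE-PLACEHOLDER', enc: 'A128GCM', encapsulated_key: enc.toString('base64url') })).toString('base64url');
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv).setAAD(Buffer.from(hdr));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return `${hdr}..` + [iv, ct, c.getAuthTag()].map((b) => b.toString('base64url')).join('.');
}
function jweDecrypt(skR, jwe) {
  const [hdr, , iv, ct, tag] = jwe.split('.');
  const ek = Buffer.from(JSON.parse(Buffer.from(hdr, 'base64url').toString()).encapsulated_key, 'base64url');
  const d = crypto.createDecipheriv('aes-128-gcm', receiveExportBase(ek, skR, E, CTX, 16), Buffer.from(iv, 'base64url'));
  d.setAAD(Buffer.from(hdr)).setAuthTag(Buffer.from(tag, 'base64url'));
  return Buffer.concat([d.update(Buffer.from(ct, 'base64url')), d.final()]).toString();
}
```

Because the protected header is the AES-GCM additional authenticated data, any change to `encapsulated_key` in transit makes decryption fail rather than yield a different key silently.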
