On Thu, Oct 12, 2023 at 06:18:41PM +0300, Ilari Liusvaara wrote:
> On Thu, Oct 12, 2023 at 01:55:17PM +0000, Aritra Banerjee (Nokia) wrote:
> > Hello all,
> >
> > We published a new draft draft-rha-jose-hpke-encrypt-00 - Use of
> > Hybrid Public-Key Encryption (HPKE) with Javascript Object Signing
> > and Encryption (JOSE)
> > (ietf.org)<https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/>
> > to the JOSE WG.
> >
> > This document defines the use of the HPKE with JOSE.
> >
> > Feedback and suggestions are welcome.
> >
> > A new version of Internet-Draft draft-rha-jose-hpke-encrypt-00.txt has been
> > successfully submitted by Tirumaleswar Reddy and posted to the
> > IETF repository.
> >
> > Name: draft-rha-jose-hpke-encrypt
> > Revision: 00
> > Title: Use of Hybrid Public-Key Encryption (HPKE) with Javascript Object
> > Signing and Encryption (JOSE)
> > URL: https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/
> > HTML:
> > https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.html
> > HTMLized: https://datatracker.ietf.org/doc/html/draft-rha-jose-hpke-encrypt
>
> The way direct key agreement mode is done can not work:
>
> 1) Single-recipient mode has no unprotected header bucket.
> 2) JWE always encrypts by itself.

I note that the -01 version does nothing to fix the flaws, just
specifies the flawed construction more precisely.

I just came up with another possible[1] way to do the DKA mode:

- Stick HPKE "enc" output in "JWE Encrypted Key" field.
- Prohibit "enc" parameter, with a major warning about controverting
  a MUST in JWE.

[1] As in, this should technically work.

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
