Hi Ilari,

Please find my responses (in green)

> I note that the -01 version does nothing to fix the flaws, just specifies the flawed construction more precisely.

We made the changes in -01 as suggested and put the 'encapsulated_key' parameter in the protected header for the Direct Key Agreement mode.

> Stick HPKE "enc" output in "JWE Encrypted Key" field.

The "enc" output is carried in the "encapsulated_key" parameter in alignment with COSE draft. JWE Encrypted Key will carry ct in Key Agreement with Key Wrapping mode.

> Prohibit "enc" parameter, with a major warning about controverting a MUST in JWE.

We will prohibit the "enc" parameter.

Regards,
Aritra.

On 10.11.23, 15:01, "Ilari Liusvaara" <[email protected]> wrote:

On Thu, Oct 12, 2023 at 06:18:41PM +0300, Ilari Liusvaara wrote:
> On Thu, Oct 12, 2023 at 01:55:17PM +0000, Aritra Banerjee (Nokia) wrote:
> > Hello all,
> >
> > We published a new draft draft-rha-jose-hpke-encrypt-00 - Use of
> > Hybrid Public-Key Encryption (HPKE) with Javascript Object Signing
> > and Encryption (JOSE)
> > (ietf.org)<https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/>
> > to the JOSE WG.
> >
> > This document defines the use of the HPKE with JOSE.
> >
> > Feedback and suggestions are welcome.
> >
> > A new version of Internet-Draft draft-rha-jose-hpke-encrypt-00.txt has been
> > successfully submitted by Tirumaleswar Reddy and posted to the
> > IETF repository.
> >
> > Name: draft-rha-jose-hpke-encrypt
> > Revision: 00
> > Title: Use of Hybrid Public-Key Encryption (HPKE) with Javascript Object
> > Signing and Encryption (JOSE)
> > URL: https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/
> > HTML:
> > https://www.ietf.org/archive/id/draft-rha-jose-hpke-encrypt-00.html
> > HTMLized: https://datatracker.ietf.org/doc/html/draft-rha-jose-hpke-encrypt
>
> The way direct key agreement mode is done can not work:
>
> 1) Single-recipient mode has no unprotected header bucket.
> 2) JWE always encrypts by itself.

I note that the -01 version does nothing to fix the flaws, just
specifies the flawed construction more precisely.

I just came up with another possible[1] way to do the DKA mode:

- Stick HPKE "enc" output in "JWE Encrypted Key" field.
- Prohibit "enc" parameter, with a major warning about controverting a
  MUST in JWE.

[1] As in, this should technically work.

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
