On Tue, Jan 09, 2024 at 03:42:56PM +0000, Aritra Banerjee (Nokia) wrote:
> Hi Ilari,
> Please find my responses (in green)
> I note that the -01 version does nothing to fix the flaws, just
> specifies the flawed construction more precisely.
> We made the changes in -01 as suggested and put the 'encapsulated_key'
> parameter in the protected header for the Direct Key Agreement mode.
> Stick HPKE "enc" output in "JWE Encrypted Key" field.
> 
> The "enc" output is carried in the "encapsulated_key" parameter in
> alignment with COSE draft. JWE Encrypted Key will carry ct in Key
> Agreement with Key Wrapping mode.
> 
> Prohibit "enc" parameter, with a major warning about controverting a
>   MUST in JWE.
> We will prohibit the "enc" parameter.


Basically, one must sacrifice one of:
- Alignment with COSE-HPKE.
- JWE requirements.


What I think would work:

1) If using JWE compact serialization:

* The aad for HPKE SHALL be UTF-8 encoding of the JWE protected header.
* If JWE protected header has "zip" parameter, the plaintext for HPKE
  SHALL be the raw payload compressed using the specified algorithm.
  Otherwise plaintext for HPKE SHALL be the raw payload.
* JWE protected header SHALL contain a JOSE-HPKE algorithm as parameter
  "alg".
* JWE protected header MUST NOT contain parameter "enc".
* JWE encrypted key SHALL be raw enc output from HPKE.
* JWE initialization vector SHALL be empty.
* JWE ciphertext SHALL be raw ciphertext from HPKE.
* JWE authentication tag SHALL be empty.

This is a modification to JWE as specified in RFC7516. The original
JWE does not allow for integrated asymmetric encryption.


2) If using JWE JSON Serialization, for each recipient:

* The aad for HPKE SHALL be empty.
* The plaintext for HPKE SHALL be the raw CEK value.
* JWE per-recipient headers SHALL contain a JOSE-HPKE algorithm as
  parameter "alg".
* JWE per-recipient headers SHALL contain BASE64URL encoding of the
  HPKE enc output as "epk" parameter.
* JWE encrypted key SHALL be raw ciphertext from HPKE.



This chooses JWE requirements to be sacrificed. What this specifies for
compact serialization breaks JWE in a number of ways (the JSON
serialization stuff should be compliant).




-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
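
A structural check for the compact-serialization rules in item 1 of the message above, as an added example that is not part of the original message or of any JOSE draft. The `alg` value is a placeholder, the function names are hypothetical, and reading the HPKE aad as the decoded protected-header bytes is an assumption; the HPKE open itself is not performed.

```python
import base64
import json

# Placeholder: the message does not name any JOSE-HPKE "alg" values.
EXAMPLE_HPKE_ALGS = frozenset({"HPKE-EXAMPLE-ALG"})


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWE compact serialization."""
    if "=" in segment:
        raise ValueError("padding is not allowed in compact serialization")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_hpke_compact(token: str, allowed_algs=EXAMPLE_HPKE_ALGS) -> dict:
    """Enforce the proposed rules and return the inputs for an HPKE open."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has exactly five segments")
    protected, encrypted_key, iv, ciphertext, tag = parts
    header_bytes = b64url_decode(protected)
    header = json.loads(header_bytes.decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError("protected header 'alg' is not a JOSE-HPKE algorithm")
    if "enc" in header:
        raise ValueError("protected header MUST NOT contain 'enc'")
    if iv != "" or tag != "":
        raise ValueError("initialization vector and authentication tag must be empty")
    enc = b64url_decode(encrypted_key)   # raw HPKE enc output
    ct = b64url_decode(ciphertext)       # raw HPKE ciphertext
    if not enc or not ct:
        raise ValueError("HPKE enc and ciphertext must both be present")
    return {
        "alg": alg,
        "zip": header.get("zip"),  # if set, decompress the plaintext after HPKE open
        "enc": enc,
        "aad": header_bytes,       # assumption: header bytes exactly as transmitted
        "ciphertext": ct,
    }
```

Using the transmitted header bytes as aad, rather than a re-serialized JSON object, keeps sender and recipient byte-for-byte in agreement on what HPKE authenticates.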
