Hi Ilari,

Please see inline.

On Tue, 9 Jan 2024 at 22:38, Ilari Liusvaara <[email protected]> wrote:

> On Tue, Jan 09, 2024 at 03:42:56PM +0000, Aritra Banerjee (Nokia) wrote:
> > Hi Ilari,
> > Please find my responses (in green)
> > I note that the -01 version does nothing to fix the flaws, just
> > specifies the flawed construction more precisely.
> > We made the changes in -01 as suggested and put the 'encapsulated_key'
> > parameter in the protected header for the Direct Key Agreement mode.
> > Stick HPKE "enc" output in "JWE Encrypted Key" field.
> >
> > The "enc" output is carried in the "encapsulated_key" parameter in
> > alignment with COSE draft. JWE Encrypted Key will carry ct in Key
> > Agreement with Key Wrapping mode.
> >
> > Prohibit "enc" parameter, with a major warning about controverting a
> > MUST in JWE.
> > We will prohibit the "enc" parameter.
>

Added the following text that use of "enc" parameter is prohibited:

The 'enc' (Encryption Algorithm) parameter MUST NOT be present because the ciphersuite (KEM, KDF, AEAD) is fully-specified in the 'alg' parameter itself. If the 'enc' parameter is present, it MUST be ignored by implementations. This is a deviation from the rule in Section 4.1.2 of [RFC7516].

>
>
> Basically, one must sacrifice one of:
> - Alignment with COSE-HPKE.
> - JWE requirements.
>
>
> What I think would work:
>
> 1) If using JWE compact serialization:
>
> * The aad for HPKE SHALL be UTF-8 encoding of the JWE protected header.
>

Yes, in the JWE compact serialization, the "aad" parameter will take the Additional Authenticated Data encryption parameter defined in Section 5.1 of RFC7518 as input.

> * If JWE protected header has "zip" parameter, the plaintext for HPKE
> SHALL be the raw payload compressed using the specified algorithm.
> Otherwise plaintext for HPKE SHALL be the raw payload.
> * JWE protected header SHALL contain a JOSE-HPKE algorithm as parameter
> "alg".
> * JWE protected header MUST NOT contain parameter "enc".
> * JWE encrypted key SHALL be raw enc output from HPKE.
> * JWE initialization vector SHALL be empty.
> * JWE ciphertext SHALL be raw ciphertext from HPKE.
> * JWE authentication tag SHALL be empty.
>

Thanks, updated draft to include all the above points.

>
> This is modification to JWE as specified in RFC7516. The original
> JWE does not allow for integrated asymmetric encryption.
>
>
> 2) If using JWE JSON Serialization, for each recipient:
>
> * The aad for HPKE SHALL be empty.
> * The plaintext for HPKE SHALL be the raw CEK value.
> * JWE per-recipient headers SHALL contain a JOSE-HPKE algorithm as
> parameter "alg".
> * JWE per-recipient headers SHALL contain BASE64URL encoding of the
> HPKE enc output as "epk" parameter.
> - JWE encrypted key SHALL be raw ciphertext from HPKE.
>

Updated draft, 'encapsulated_key' will contain the value of HPKE "enc" output in alignment with the COSE draft.

Cheers,
-Tiru

>
>
>
> This chooses JWE requirements to be sacrificed. What this specifies for
> compact serialization breaks JWE in number of ways (the JSON
> serialization stuff should be compliant).
>
>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>
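The compact-serialization layout listed under item 1 of the thread can be checked structurally before any decryption is attempted. The following is an added example, not part of the original message or of the draft: the algorithm name "HPKE-EXAMPLE-ALG", the function names and the sample bytes are constructed placeholders, and no HPKE operation is performed.

```python
import base64
import json

# Placeholder name constructed for this example; the real JOSE-HPKE
# "alg" values are defined by the draft, not here.
EXAMPLE_ALGS = {"HPKE-EXAMPLE-ALG"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_hpke_compact(token: str, hpke_algs=EXAMPLE_ALGS) -> list:
    """Return the list of rule violations; an empty list means the layout is OK."""
    parts = token.split(".")
    if len(parts) != 5:
        return ["expected 5 dot-separated segments, got %d" % len(parts)]
    header_b64, enc_key, iv, ciphertext, tag = parts
    try:
        header = json.loads(b64url_decode(header_b64).decode("utf-8"))
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except ValueError:  # also covers bad base64, bad UTF-8 and bad JSON
        return ["protected header is not a base64url-encoded JSON object"]
    problems = []
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in hpke_algs:
        problems.append('"alg" is not a JOSE-HPKE algorithm')
    if "enc" in header:
        problems.append('"enc" parameter MUST NOT be present')
    if not enc_key:
        problems.append("encrypted key (HPKE enc output) is empty")
    if iv:
        problems.append("initialization vector must be empty")
    if not ciphertext:
        problems.append("ciphertext (HPKE ciphertext) is empty")
    if tag:
        problems.append("authentication tag must be empty")
    return problems


def build_sample(header: dict, iv: bytes = b"", tag: bytes = b"") -> str:
    """Constructed token; the enc and ciphertext bytes are dummies, not HPKE output."""
    segs = [json.dumps(header).encode(), b"\x01" * 32, iv, b"\x02" * 48, tag]
    return ".".join(b64url_encode(s) for s in segs)
```

A conforming token therefore has the shape `header.enc..ciphertext.` with two empty segments, which is the point where it departs from an ordinary RFC 7516 compact JWE.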
