On Sun, Feb 11, 2024 at 08:04:20AM -0600, Orie Steele wrote:
> Sorry for 2 messages, I hit send early on the last one.
>
> I was just adding the comment about validated enc, see
> https://datatracker.ietf.org/doc/html/rfc8725#name-validate-cryptographic-inpu
>
> > The JWS/JWE library itself must validate these inputs before using them,
> > or it must use underlying cryptographic libraries that do so (or both!).
>
> It could be cool to trust the HPKE implementation to validate the "enc"
> value, or you might validate it before even invoking a single shot API.

One can trust the HPKE implementation to do that. RFC 9180, section 7.1.4.
(Validation of Inputs and Outputs).

> I like the design of transported "encapsulated keys" in protected headers
> when possible.

Normally that is OK, because KEM and AEAD steps are separate. E.g., with
Direct Key Agreement.

> Even if it's redundant to the internals of HPKE, as the JWT BCP notes,
> redundant security checks are ok.

However, HPKE couples KEM and AEAD steps in single-shot, so it is not a
redundant security check anymore. And HPKE multi-shot is intended for
things that will not work with JOSE anyway. (It is just that HPKE allows
mixup between single-shot messages and the first multi-shot message.)

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
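The "validate it before even invoking a single shot API" option discussed above, as an added example that is not part of this thread and is not code from any HPKE or JOSE library. It performs the recipient-side encapsulated-key ("enc") validation that RFC 9180 section 7.1.4 requires for the two most common DHKEMs: for DHKEM(P-256, HKDF-SHA256) the 65-byte uncompressed SEC1 point must have coordinates below the field prime and satisfy the curve equation (P-256 has cofactor 1, so no separate subgroup check is needed); for DHKEM(X25519, HKDF-SHA256) the input check is the 32-byte length, and the all-zero check applies to the Diffie-Hellman output instead. The KEM identifiers (0x0010, 0x0020) and Nenc sizes are those registered by RFC 9180; the P-256 domain parameters are the standard SEC 2 / NIST values; the function names are this example's own.

```python
# Added example: validate an HPKE encapsulated key ("enc") before handing it to a
# single-shot HPKE API, per RFC 9180 section 7.1.4. Function names are hypothetical.

# P-256 (secp256r1) domain parameters (SEC 2 / NIST SP 800-186). y^2 = x^3 + a*x + b mod p.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# RFC 9180 KEM identifiers and their encapsulated-key lengths (Nenc).
KEM_DHKEM_P256_HKDF_SHA256 = 0x0010    # Nenc = 65, uncompressed SEC1 point
KEM_DHKEM_X25519_HKDF_SHA256 = 0x0020  # Nenc = 32, raw u-coordinate
NENC = {
    KEM_DHKEM_P256_HKDF_SHA256: 65,
    KEM_DHKEM_X25519_HKDF_SHA256: 32,
}


def p256_point_is_valid(enc: bytes) -> bool:
    """Full public-key validation for an uncompressed P-256 point (SP 800-56A style).

    Checks: correct length and 0x04 prefix, both coordinates in [0, p), and the
    point lies on the curve. The point at infinity has no uncompressed encoding,
    and with cofactor 1 every on-curve point is in the prime-order subgroup.
    """
    if len(enc) != 65 or enc[0] != 0x04:
        return False
    x = int.from_bytes(enc[1:33], "big")
    y = int.from_bytes(enc[33:65], "big")
    if x >= P256_P or y >= P256_P:
        return False
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def validate_encapsulated_key(kem_id: int, enc: bytes) -> bool:
    """Return True if `enc` is an acceptable encapsulated key for `kem_id`.

    This is the check a JOSE layer would run on a transported "enc" value
    before calling a single-shot HPKE open(), if it does not want to rely
    solely on the HPKE library doing it internally.
    """
    expected = NENC.get(kem_id)
    if expected is None:
        return False  # unknown or unsupported KEM: reject rather than guess
    if len(enc) != expected:
        return False
    if kem_id == KEM_DHKEM_P256_HKDF_SHA256:
        return p256_point_is_valid(enc)
    # X25519: RFC 7748 accepts any 32-byte string as input; the zero check is on the output.
    return True


def x25519_shared_secret_is_valid(dh_output: bytes) -> bool:
    """RFC 9180 section 7.1.4: reject an all-zero X25519 DH result (low-order peer point)."""
    return len(dh_output) == 32 and any(dh_output)


def p256_generator_encoding() -> bytes:
    """Uncompressed encoding of the P-256 base point, used here as a known-good sample."""
    return b"\x04" + P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")


if __name__ == "__main__":
    good = p256_generator_encoding()
    # Constructed bad input: same x, y+1 is not on the curve.
    off_curve = b"\x04" + P256_GX.to_bytes(32, "big") + (P256_GY + 1).to_bytes(32, "big")
    print("P-256 generator accepted:", validate_encapsulated_key(0x0010, good))
    print("P-256 off-curve rejected:", not validate_encapsulated_key(0x0010, off_curve))
    print("X25519 wrong length rejected:", not validate_encapsulated_key(0x0020, bytes(31)))
    print("all-zero X25519 output rejected:", not x25519_shared_secret_is_valid(bytes(32)))
```

Running the check in the JOSE layer is not harmful even when the HPKE library also performs it; the point from the thread is that in single-shot mode the KEM and AEAD steps are not separately observable, so doing it before the call is the only place the JOSE layer itself can do it.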
