Orie: I do not know if people see a need for KEM outside of HPKE in COSE and/or JOSE. However, if they do, we want to specify it in a way that allows a crypto library to support it and CMS KEMRecipientInfo with the same API.
Russ

> On Feb 12, 2024, at 1:41 PM, Orie Steele <[email protected]> wrote:
>
> See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/
>
> Do we expect to see RSA KEM support in JOSE and COSE without the use of HPKE?
>
> If so, how do we identify RSA keys for use with KEMs? How do we transport KEM CT?
>
> One option would be to reuse what we have in the JOSE HPKE draft, to
> transport the KEM CT as an ephemeral encapsulated key:
>
> {
>   "protected": "eyJlbmMiOiJBMTI4R0NNIn0",
>   "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
>   "iv": "BvmzuI3ign3WgUVs",
>   "ciphertext": "1iqtwexTYT9lsxppkWVs...Udc0KgLXGvD4l8q_LVvodF",
>   "tag": "fJ1Mq0pP1j_ZrNP2kXDUsw",
>   "aad": "8J-SgCBhYWQ",
>   "recipients": [
>     {
>       "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
>       "header": {
>         "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:iCUZEezL_1kx3t3y9i_AW0LIOmojwr2tBgih7RCy-kE",
>         "alg": "HPKE-Base-P256-SHA256-AES128GCM",
>         "epk": {
>           "kty": "EK", // encapsulated key type
>           "ek": "BN1YNlivxeS3DayvCt...3HDoa1Orh1wqPmw3Pp6Y" // encapsulated key
>         }
>       }
>     },
>     // RSA KEM example goes here... looks like HPKE example above?
>     {
>       "encrypted_key": "B9X-TifYXbA0fKHpASFT4N1_sLMf1...VmWjVhkfgaOvS9VCOzepEM02jFA",
>       "header": {
>         "alg": "RSA-OAEP-384"
>       }
>     },
>     {
>       "encrypted_key": "MRtJFqzpSDoLwS2AW13dbuGcPWrnRl-r",
>       "header": {
>         "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:qXy7xVrE0xm3tS9ilK74GadeD9HF1wnQUzY5ml4pWuY",
>         "alg": "ECDH-ES+A128KW",
>         "epk": {
>           "kty": "EC",
>           "crv": "P-256",
>           "x": "YzBl6tEBdqvkDxcGS7SWePD-oI4J9jMQX6qh3k7lGTw",
>           "y": "s8D6l21rlSCH5IZZF4kjPwGhcoHg3ENGSup3VpE7o_8"
>         }
>       }
>     }
>   ]
> }
>
> or:
>
> {
>   / kid /
>   4: h'3031',
>   / encapsulated_key /
>   -4: h'045df...73e', // new cose header, since cose does not support transporting encapsulated keys as "epk" (-1).
> },
>
>
> Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us
> start a discussion for
>
> RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA KEM (TBD)
>
> - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
> - https://www.rfc-editor.org/rfc/rfc8230.html#section-3
>
> The reason I raise this is that Ilari mentioned wanting to use JOSE HPKE's
> Integrated Encryption and Key Encryption modes, without HPKE but with other
> KEMs, so considering how RSA KEM might be supported in JOSE and COSE seems
> worth discussing.
>
> Is it ok if JOSE uses "epk" and JWK, COSE uses a new header parameter instead
> of using "epk" and COSE Key?
>
> Should JOSE do as COSE is doing? or vice versa?
>
> Regards,
>
> OS
>
> --
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
> <https://transmute.industries/>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
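
The first option in the quoted message, sketched as an added example (not from the thread or from any draft): RSA-KEM encapsulation with the KEM ciphertext carried in "epk" as an "EK" key, plus the COSE `-4` variant. The toy key, the `RSA-KEM-PLACEHOLDER` alg value, the empty KDF otherInfo and all function names are assumptions; wrapping the CEK under the derived KEK is left out.

```python
import base64, hashlib, secrets

# Constructed toy RSA key built from two Mersenne primes: trivially factorable,
# present only so the arithmetic runs offline. Real keys are 2048+ bits.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def kdf3_sha256(z: bytes, length: int) -> bytes:
    # KDF3-style: SHA-256(counter || Z), 4-byte counter from 0.
    # otherInfo is left empty here (assumption; see rfc5990bis for the real input).
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "big") + z).digest()
                    for i in range(blocks))[:length]

def encapsulate(n: int, e: int, kek_len: int = 16):
    n_len = (n.bit_length() + 7) // 8
    z = secrets.randbelow(n)                   # random integer in [0, n-1]
    ct = pow(z, e, n).to_bytes(n_len, "big")   # KEM ciphertext, fixed nLen octets
    return ct, kdf3_sha256(z.to_bytes(n_len, "big"), kek_len)

def decapsulate(n: int, d: int, ct: bytes, kek_len: int = 16) -> bytes:
    n_len = (n.bit_length() + 7) // 8
    c = int.from_bytes(ct, "big")
    if len(ct) != n_len or c >= n:             # reject malformed ciphertexts
        raise ValueError("invalid KEM ciphertext")
    return kdf3_sha256(pow(c, d, n).to_bytes(n_len, "big"), kek_len)

def jose_recipient(ct: bytes, kid: str) -> dict:
    # Mirrors the HPKE recipient quoted above: KEM CT carried in "epk" as kty "EK".
    # "RSA-KEM-PLACEHOLDER" is a hypothetical alg value, not a registered name.
    return {"header": {"kid": kid, "alg": "RSA-KEM-PLACEHOLDER",
                       "epk": {"kty": "EK", "ek": b64u(ct)}}}

def cose_recipient_header(ct: bytes, kid: bytes) -> dict:
    # The COSE variant quoted above: kid (4) plus the proposed label -4.
    return {4: kid, -4: ct}

def recover_kek(recipient: dict, n: int, d: int) -> bytes:
    # Recipient side: pull the KEM CT out of "epk" and decapsulate.
    return decapsulate(n, d, b64u_decode(recipient["header"]["epk"]["ek"]))
```

Either container carries the same fixed-length octet string, so a library can expose one encapsulate/decapsulate API and leave only the header mapping format-specific.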
