On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote:
> See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/
>
> Do we expect to see RSA Kem support in JOSE and COSE without the use of
> HPKE?
>
> If so, how do we identify RSA keys for use with KEMS? How do we transport
> KEM CT ?

I would imagine keys specify which KEM those keys use. And then there
would be KEM algorithms analogous to ECDH-ES ones (there are a few
details about ECDH-ES algorithms that need tweaking for things to work
with KEMs).

IIRC, only three differences are needed:

- KEM shared secret goes where ECDH result used to go.
- Where one sticks the KEM ciphertext.
- Some trivial encaps/decaps process stuff.

Things like KDFs can just be reused as-is.

> One option would be to reuse what we have in the JOSE HPKE draft, to
> transport the KEM CT as an ephemeral encapsulated key:

If HPKE uses a header, I would imagine it uses the same one. KEM CT can
be assumed to be a byte string.

> Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us
> start a discussion for
>
> RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD)
>
> - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
> - https://www.rfc-editor.org/rfc/rfc8230.html#section-3

Well, there is already RSA support. However, stuff like this might be
more interesting:

https://github.com/lamps-wg/draft-composite-kem/pull/11

> The reason I raise this, is that Ilari mentioned wanting to use JOSE HPKE's
> Integrated Encryption and Key Encryption modes, without HPKE but with other
> KEMs, so considering how RSA Kem might be supported in JOSE and COSE seems
> worth discussing.

Integrated Encryption can not work with KEMs.

In JWE and COSE, KEMs act similarly to ECDH-ES and have the same types
(Direct Key Agreement, Key Agreement with Key Wrap(ping)). Anything one
can use ECDH-ES for, one should be able to use KEM for.

> Is it ok if JOSE uses "epk" and JWK, COSE uses a new header
> parameter instead of using "epk" and COSE Key?

Well, I think using a new header parameter is easier for implementations
than using a JWK (or COSE_Key). The JWK seems just pointless wrapping
of a byte string.

-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
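
The mapping described in the message above (KEM shared secret where the ECDH result used to go, the KEM ciphertext carried as a byte string in a header parameter, the KDF reused as-is), as an added example that is not part of the original message or of any draft. The algorithm name `EXAMPLE-KEM` and the header parameter `kem-ct` are hypothetical, the shared secret and ciphertext are constructed bytes rather than real KEM output, and the KDF is the Concat KDF of RFC 7518 section 4.6.2 in Direct Key Agreement mode.

```python
import base64
import hashlib
import json
import struct

# Hypothetical names for illustration only; neither is registered or taken from a draft.
HYPOTHETICAL_ALG = "EXAMPLE-KEM"
HYPOTHETICAL_CT_PARAM = "kem-ct"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _len_prefixed(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def concat_kdf(z: bytes, alg_id: str, key_bits: int, apu: bytes = b"", apv: bytes = b"") -> bytes:
    """Concat KDF with SHA-256 as used by ECDH-ES; here Z is the KEM shared secret."""
    other_info = (_len_prefixed(alg_id.encode("ascii")) + _len_prefixed(apu)
                  + _len_prefixed(apv) + struct.pack(">I", key_bits))
    out, counter = b"", 1
    while len(out) * 8 < key_bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: key_bits // 8]

def sender_header_and_cek(shared_secret: bytes, kem_ct: bytes, enc="A128GCM", key_bits=128):
    # The KEM ciphertext travels as a plain base64url byte string, not wrapped in a JWK.
    header = {"alg": HYPOTHETICAL_ALG, "enc": enc, HYPOTHETICAL_CT_PARAM: b64u(kem_ct)}
    # Direct Key Agreement: AlgorithmID is the "enc" value, exactly as for ECDH-ES.
    return header, concat_kdf(shared_secret, enc, key_bits)

def recipient_cek(protected_b64: str, decaps, key_bits=128) -> bytes:
    header = json.loads(b64u_decode(protected_b64))
    if header.get("alg") != HYPOTHETICAL_ALG:
        raise ValueError("unexpected alg")
    kem_ct = b64u_decode(header[HYPOTHETICAL_CT_PARAM])
    # decaps is the recipient's KEM decapsulation, supplied by the caller.
    return concat_kdf(decaps(kem_ct), header["enc"], key_bits)

if __name__ == "__main__":
    ss, ct = bytes(range(32)), bytes(range(64))  # constructed stand-ins for KEM output
    header, cek = sender_header_and_cek(ss, ct)
    protected = b64u(json.dumps(header).encode())
    print(header, recipient_cek(protected, lambda c: ss) == cek)
```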
