On Feb 29, 2024, at 1:01 PM, Ilari Liusvaara <[email protected]> wrote:

On Thu, Feb 29, 2024 at 11:04:57AM -0600, Orie Steele wrote:
I think we actually agree here.

The remaining point is just what to do in HPKE.

1. New header parameters, mandatory processing rules, mix
content encryption algorithm into the KDF (via HPKE INFO).

HPKE does not allow using both INFO and AAD for one message (I do not
know why), and INFO has a short length limit (because it is used in
ways that pretty much require buffering).

So only AAD can be used.

Ilari, even if you can’t say why, can you tell us where the text that
prohibits use of both INFO and AAD is?

Note that COSE -25 and -29 allow the input of a salt into the KDF outside of 
COSE_KDF_Context. If we wanted to do similar in COSE-HPKE, use of the info 
parameter is the obvious place.

I can’t see any technical reason that both couldn’t be used and I wonder if 
there is some reason we might want to allow COSE-HPKE users to be able to 
supply inputs to the KDF function.

Or asked another way, what are the security trade-offs between AAD and INFO? 
There’s lots of security considerations in RFC 9180, but none seem to discuss 
this.

I don’t see an issue here, but it would be nice to understand.

Thx!

(RFC 9180 is impossible to search because the variable names used in the Python 
code are so short. “info” occurs almost 200 times)

LL
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
