(as an individual)

As an author I support adoption.

The main motivation I have for working on HPKE is to ensure that encrypted
JWT and CWT use cases that want to use PQ algorithms have a consistent path
to achieve this.

Both JWT and CWT share alignment regarding confirmation methods, so it is
important that they share algorithms as well, and with a few exceptions
that's mostly true today.

I've implemented the current drafts for JOSE and COSE, and I think it's been
beneficial to both specifications to compare the approaches.

It's true that currently DHKEMs feel very similar to ECDH-ES, but PQ or
hybrid KEMs won't.

Having a framework (JWT/CWT) in place, where JOSE and COSE can share PQ
algorithms will reduce complexity in the long run, and enable easier
security analysis and migration.

This will make PQ resilience easier and safer for protocols that build on
JOSE and COSE... Lots of protocols build on top of JWT and CWT.

There was also a presentation on designated verifier signatures at 119,
where HPKE was discussed in that context as well. I believe that direct
mode auth HPKE JWEs might help enable post quantum KEMs to be used for
those same use cases, whereas building on ECDH-ES + MAC as was recently
proposed would need more changes to support post quantum or hybrid
algorithms... So it's possible that this might save the need for future
algorithm registrations which might be requested to support repudiable
digital credentials use cases.

Happy to share implementation experience, in a different thread.

I've built this demo to help myself understand the differences between JOSE
and COSE HPKE.

https://hpke.dev

Regards,

OS




On Thu, May 23, 2024, 4:32 AM Neil Madden <[email protected]> wrote:

> I do not support adoption, for several reasons:
>
> 1. HPKE is an informational RFC, not a standard. I don’t think this meets
> any of the criteria described in RFC 3967/BCP 97.
> 2. The authenticated modes of HPKE are insecure for use in a
> multi-recipient standard like JOSE due to the lack of Insider-Auth Security.
> 3. The algorithms registered by this draft entirely duplicate existing
> algorithms for no benefit whatsoever.
>
> If people want to use HPKE with JOSE, I think that should be done as an
> Informational RFC not a standard.
>
> — Neil
>
> On 23 May 2024, at 04:41, Karen ODonoghue <[email protected]> wrote:
>
> JOSE working group,
>
> The following individual submission:
> https://datatracker.ietf.org/doc/draft-rha-jose-hpke-encrypt/
> has received a fair amount of comment and discussion.
>
> This email starts a two week call for adoption. Please review the
> document, provide feedback, and indicate whether you think this is a
> document for the working group to pursue. Please reply by 5 June keeping
> the subject line intact. In addition to any feedback, please be clear about
> your position on adoption.
>
> Regards,
> JOSE working group chairs.
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
