On Mon, Jul 08, 2024 at 02:20:54AM +0000, Michael Jones wrote:
> Thanks a bunch for taking this on, Orie. To your point about "alg"
> names, I would certainly rather see
>
> "alg": "HPKE-P256-SHA256",
> "enc": "A128GCM",
>
> than
>
> "alg": "HPKE-P256-SHA256-A128GCM",
> "enc": "A128GCM",
>
> The extra "-A128GCM" in the latter "alg" value is redundant and would
> contribute to an unnecessary combinatorial explosion of algorithm
> identifiers. Let's make it a point to eliminate such redundancy
> during IETF 120.

The "-A128GCM" is not redundant in JWE (RFC7516), those two really mean
different things:

- The first means to use algorithm "HPKE-P256-SHA256" (presumably
  Direct Key Agreement) to derive the key for "A128GCM" (which is
  defined by RFC7518) bulk encryption.
- The second means to use algorithm "HPKE-P256-SHA256-A128GCM"
  (presumably Key Encryption) to derive the key for the same bulk
  encryption.

Currently, the ways the bulk encryption algorithm and the key management
algorithm interact are very minimal, limited to the algorithm value in
the DKA context and the length of the key requested from DKA. Section 5
of the fully specified algorithms draft prohibits alg and enc depending
on each other (which I very much agree with).

The idea behind using "enc":"dir" is that "dir" is not a valid bulk
encryption algorithm in JWE (and it is already magic as a key management
algorithm), so it would signal that something special is going on (with
the key management algorithm taking over bulk encryption).

-Ilari
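Added example, not part of the original message or of any draft: the two key management modes as they already exist for ECDH-ES in RFC 7518 section 4.6, showing that "enc" reaches the key derivation only through the AlgorithmID and the requested key length, and only in Direct Key Agreement. The function names and the sample shared secret are constructed for illustration, and apu/apv are left empty.

```python
import hashlib
import struct

# CEK sizes in bits per "enc" (RFC 7518 section 5.1) and KEK sizes per key-wrapping "alg".
ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}
WRAP_KEY_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}

def _len_prefixed(data):
    # 32-bit big-endian length followed by the data itself.
    return struct.pack(">I", len(data)) + data

def concat_kdf(z, algorithm_id, key_bits, apu=b"", apv=b""):
    """Concat KDF with SHA-256 as profiled in RFC 7518 section 4.6.2."""
    other_info = (_len_prefixed(algorithm_id.encode("ascii"))
                  + _len_prefixed(apu) + _len_prefixed(apv)
                  + struct.pack(">I", key_bits))  # SuppPubInfo = keydatalen
    out, counter = b"", 1
    while len(out) * 8 < key_bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: key_bits // 8]

def agreed_key(header, z):
    """Return (role, key) derived from shared secret z for a JWE header."""
    alg, enc = header["alg"], header["enc"]
    if enc not in ENC_KEY_BITS:
        # "dir" is an "alg" value in RFC 7518, never a content encryption algorithm.
        raise ValueError("not a JWE content encryption algorithm: %r" % enc)
    if alg == "ECDH-ES":
        # Direct Key Agreement: the output IS the CEK, so "enc" supplies both
        # the AlgorithmID and the key length.
        return "cek", concat_kdf(z, enc, ENC_KEY_BITS[enc])
    if alg in WRAP_KEY_BITS:
        # Key Agreement with Key Wrapping: the output is a KEK that wraps a
        # random CEK, so "enc" plays no part in the derivation.
        return "kek", concat_kdf(z, alg, WRAP_KEY_BITS[alg])
    raise ValueError("unsupported alg: %r" % alg)

SAMPLE_Z = bytes(range(32))  # constructed shared secret, not a real ECDH output

if __name__ == "__main__":
    for alg in ("ECDH-ES", "ECDH-ES+A128KW"):
        for enc in ("A128GCM", "A256GCM"):
            role, key = agreed_key({"alg": alg, "enc": enc}, SAMPLE_Z)
            print(alg, enc, role, key.hex())
```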
