I spent some more time thinking about this and diving into implementation code and thinking about options, so for fear of being too noisy in this thread, I'll wrap up my final thoughts about this if it's helpful:

I *really* like how cleanly the following works from an implementation perspective - it makes it very easy to look up and compose behavior as well as parse and produce HPKE string IDs:

    "alg": "HPKE",
    "kem": "P256",
    "kdf": "HKS256", // to differentiate from JWS mac identifier HS256 and avoid confusion
    "enc": "A256GCM"

I personally appreciate how, for the union JWE JOSE Header, there is always an `alg` and `enc` value as expected, and the `enc` value retains the exact same semantics as existing JWE RFC values (i.e. an AEAD content encryption algorithm id). There are only new additions, no semantic changes. No confusion.

With regard to key encryption/wrapping, you could have "alg" be any of the following:

    HPKE // integrated encryption, all others below are key encryption/wrapping
    HPKE+A128KW
    HPKE+A192KW
    HPKE+A256KW
    HPKE+A128GCMKW
    HPKE+A192GCMKW
    HPKE+A256GCMKW
    HPKE+...

This has a few benefits:

1. The differentiator between integrated and key encryption is clear - either HPKE only or composite of HPKE + a key wrap/encryption algorithm
2. Wrap algorithms are the same as already defined in JWE/JWA
3. As you point out, ECDH-ES* already works the same way, so it's familiar.

Taking this even further, to again avoid permutation registrations and easily support future wrap algorithms, this could all be represented as:

    "alg": "HPKE",
    "kem": "P256",
    "kdf": "HKS256",
    "kwa": "A256GCMKW",
    "enc": "A256GCM"

where `kwa` (or similar) simply means the key wrap algorithm applied to the kdf output producing the cek ciphertext. No `kwa` parameter always means Integrated Encryption and thus no cek ciphertext.

Anyway, I think I fully understand the design challenges and how they could impact implementations, thanks so much Orie for your time and explanations!

Cheers,

Les
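The two header shapes proposed in the message above (wrap algorithm as a suffix of `alg`, or in a separate `kwa` parameter) carry the same information, which a receiver can check by normalizing both to one tuple. This is an added example, not part of the original message or of any JOSE draft; the function name `normalize_hpke_header` and the rule of rejecting a header that names the wrap algorithm in both places are assumptions.

```python
# Added illustration; names below are not from any JOSE draft or library.
# Key-wrap identifiers are the ones listed in the message above.
WRAP_ALGS = {"A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW"}


def normalize_hpke_header(header):
    """Return (mode, kem, kdf, wrap_alg, enc) for either proposed header shape.

    mode is "integrated" (no CEK ciphertext) or "key-encryption".
    Raises ValueError on anything ambiguous or outside the proposal.
    """
    for name in ("alg", "kem", "kdf", "enc"):
        if not isinstance(header.get(name), str) or not header[name]:
            raise ValueError(f"missing or non-string header parameter: {name}")

    base, sep, suffix = header["alg"].partition("+")
    if base != "HPKE":
        raise ValueError(f"not an HPKE alg: {header['alg']}")

    kwa = header.get("kwa")
    if sep and kwa is not None:
        # Assumed rule: two places naming the wrap algorithm is refused,
        # so a receiver never has to guess which one the sender meant.
        raise ValueError("wrap algorithm given in both alg and kwa")

    wrap = suffix if sep else kwa
    if wrap is None:
        return ("integrated", header["kem"], header["kdf"], None, header["enc"])
    if not isinstance(wrap, str) or wrap not in WRAP_ALGS:
        raise ValueError(f"unknown key wrap algorithm: {wrap!r}")
    return ("key-encryption", header["kem"], header["kdf"], wrap, header["enc"])


# Constructed sample headers, following the shapes in the message.
INTEGRATED = {"alg": "HPKE", "kem": "P256", "kdf": "HKS256", "enc": "A256GCM"}
COMPOSITE = {"alg": "HPKE+A256GCMKW", "kem": "P256", "kdf": "HKS256",
             "enc": "A256GCM"}
WITH_KWA = {"alg": "HPKE", "kem": "P256", "kdf": "HKS256",
            "kwa": "A256GCMKW", "enc": "A256GCM"}

if __name__ == "__main__":
    for sample in (INTEGRATED, COMPOSITE, WITH_KWA):
        print(normalize_hpke_header(sample))
```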
