On Mon, Jul 08, 2024 at 09:51:58PM -0500, Orie Steele wrote:
> Thanks again for your comments.
> 
> You have highlighted that choosing a different encryption algorithm for the
> content encryption could make the examples clearer.
> 
> You have also generally captured the intention of the 2 modes.
> 
> If we were to register HPKE-P256-SHA256+A256GCM and HPKE-P256-SHA256
> 
> It would be essentially the same as ECDH-ES and ECDH-ES+A256KW.

This assumes that HPKE-P256-SHA256 works as Direct Key Agreement (like
ECDH-ES is). This is technically possible via the HPKE Secret Export API.


> Arguing against fully specified encryption algorithms for a moment... We
> might drop the curve and kdf parts, and set the kdf to be always sha-256
> for JOSE.
> 
> This would reduce the number of registrations.
> 
> alg: HPKE, enc: A128GCM
> alg: HPKE+A256KW, enc: A128GCM
> 
> However, we would now not be able to negotiate for post quantum encryption
> by algorithm alone.

There is another problem: In some cases it is not possible to tell which
KEM was used. Currently, the KEM used is always unique (even with things
like P-256 versus CP-256), but in the future that might not always be
the case.

 
> Key generation would need to be aware of kty and crv... We might not have a
> way to easily distinguish between ML-KEM-768 and other KEMs for the same
> kty.

ML-KEM-768 versus other KEMs is easy: those can be told apart from the
(horribly named) crv value.

And even stuff like P-256 versus CP-256 can be told apart from the
length of the encapsulated key (65 bytes versus 32 bytes).

Where one gets into trouble is KEMs that only differ in internal KDF.
Currently there are none, but that could change.

 
> A benefit of fully specified HPKE algorithms is that negotiation is
> simplified, and key generation can be aligned to what can be negotiated.
> 
> If it's important to be able to negotiate for integrated vs key encryption,
> it is important that they be implied by the algorithm registrations we
> request.

Yes, fully specified algorithms are about interop, not about security.

-Ilari
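The identification logic Ilari describes (crv separates ML-KEM-768 from EC keys; encapsulated-key length separates P-256 from CP-256; KEMs that differ only in their internal KDF cannot be told apart) as an added, constructed example. This is not code from the thread or from any JOSE/HPKE draft. Assumptions: ML-KEM-768 is carried with kty "AKP" and a crv-like value "ML-KEM-768", and its encapsulated key is the 1088-byte FIPS 203 ciphertext; CP-256 is modelled as a P-256 KEM whose encapsulated key is 32 bytes, versus the 65-byte uncompressed point of DHKEM(P-256, HKDF-SHA256) from RFC 9180; the SHA-512 P-256 variant is hypothetical and exists only to show the ambiguity case.

```python
"""Work out which HPKE KEM an incoming JWE used from the recipient JWK
(kty, crv) and the encapsulated key, when the alg value alone does not
say. Constructed illustration of the mailing-list discussion, not code
from any JOSE or HPKE specification."""
from dataclasses import dataclass
from typing import List


class KemIdentificationError(ValueError):
    """Base class: the receiver must refuse rather than guess."""


class UnknownKem(KemIdentificationError):
    """No registered KEM matches the key type, crv and enc length."""


class AmbiguousKem(KemIdentificationError):
    """More than one registered KEM matches: e.g. same curve, different
    internal KDF. Nothing on the wire can break the tie."""


@dataclass(frozen=True)
class KemProfile:
    name: str           # label for the HPKE KEM
    kty: str            # JWK key type of the recipient key
    crv: str            # JWK crv value (the field Ilari calls "horribly named")
    enc_len: int        # byte length of the HPKE encapsulated key
    kdf: str            # KEM-internal KDF; invisible on the wire
    enc_prefix: bytes = b""  # fixed leading byte(s) of enc, if any


# Constructed registry. kty/crv for ML-KEM-768 and the CP-256 row are
# assumptions for this example, not registered JOSE values.
REGISTRY: List[KemProfile] = [
    KemProfile("DHKEM(P-256, HKDF-SHA256)", "EC", "P-256", 65, "HKDF-SHA256", b"\x04"),
    KemProfile("CP-256 (assumed: P-256 key, 32-byte enc)", "EC", "P-256", 32, "HKDF-SHA256"),
    KemProfile("ML-KEM-768", "AKP", "ML-KEM-768", 1088, "none"),
]

# Hypothetical KEM that differs from DHKEM(P-256) only in its internal KDF.
# Same kty, same crv, same 65-byte enc: indistinguishable on the wire.
HYPOTHETICAL_P256_SHA512 = KemProfile(
    "DHKEM(P-256, HKDF-SHA512) [hypothetical]", "EC", "P-256", 65, "HKDF-SHA512", b"\x04")


def candidate_kems(kty: str, crv: str, enc: bytes,
                   registry: List[KemProfile] = REGISTRY) -> List[KemProfile]:
    """All registered KEMs consistent with the recipient key and the
    encapsulated key actually received."""
    return [p for p in registry
            if p.kty == kty and p.crv == crv
            and len(enc) == p.enc_len and enc.startswith(p.enc_prefix)]


def identify_kem(kty: str, crv: str, enc: bytes,
                 registry: List[KemProfile] = REGISTRY) -> KemProfile:
    """Return the single matching KEM, or raise. A receiver that picked
    one of several matches would derive the wrong shared secret (fail
    closed) at best, so ambiguity is treated as an error, not a guess."""
    found = candidate_kems(kty, crv, enc, registry)
    if not found:
        raise UnknownKem(f"no KEM for kty={kty!r} crv={crv!r} enc_len={len(enc)}")
    if len(found) > 1:
        raise AmbiguousKem("indistinguishable KEMs: " + ", ".join(p.name for p in found))
    return found[0]


def registry_is_unambiguous(registry: List[KemProfile]) -> bool:
    """True when every registered KEM is uniquely identifiable from the
    wire-visible tuple (kty, crv, enc length, enc prefix). This is the
    property Ilari says holds today but might not in the future."""
    seen = set()
    for p in registry:
        key = (p.kty, p.crv, p.enc_len, p.enc_prefix)
        if key in seen:
            return False
        seen.add(key)
    return True


if __name__ == "__main__":
    # Constructed encapsulated keys: only shape matters for this check.
    print(identify_kem("EC", "P-256", b"\x04" + bytes(64)).name)
    print(identify_kem("EC", "P-256", bytes(32)).name)
    print(identify_kem("AKP", "ML-KEM-768", bytes(1088)).name)
    print("current registry unambiguous:", registry_is_unambiguous(REGISTRY))
    extended = REGISTRY + [HYPOTHETICAL_P256_SHA512]
    print("with KDF-only variant unambiguous:", registry_is_unambiguous(extended))
    try:
        identify_kem("EC", "P-256", b"\x04" + bytes(64), extended)
    except AmbiguousKem as e:
        print("refused:", e)
```

The registry check is the useful part for an implementer: run it over whatever KEM set you support at build time, and a future registration that collides on (kty, crv, enc length) shows up before it reaches a receiver that would otherwise have to guess.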

_______________________________________________
jose mailing list -- [email protected]