On Wed, Jul 10, 2024 at 10:45:11AM -0500, Orie Steele wrote: > Thanks to Ilari for capturing suggested changes to > draft-ietf-jose-hpke-encrypt-01 for "alg" and "enc". > > See: https://mailarchive.ietf.org/arch/msg/jose/AQPIjws_5cjnCb_3S7UR688W4uM/ > > ### For HPKE JWE Integrated Encryption Mode: > > The algorithm name SHALL be of the form "HPKE-P256-SHA256-A128GCM". > The "enc" value SHALL be "dir". > The working group SHALL draft text explaining what "enc:dir" means, and how > it related to "alg". > The algorithm name SHALL be of the form "HPKE-P256-SHA256-A128GCM". > The hpke-aad SHALL be of the form "protected (.aad)", as described in Step > 15 of RFC7516. > The hpke-info SHALL be the same as is provided to concatKDF info for > ECDH-ES, as described in > https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.2
Maybe I was unclear, I didn't suggest using hpke-info, or modifying aad for Integrated Encryption mode. Even if implementation supports multishot (and thus allows using both info and aad in the same message), there is still the 64 byte limit for info, which is too small for ECDH-ES context. > ## draft-ietf-jose-hpke-encrypt-01 call topic number 2 (Yes / No): > > ### For HPKE JWE Key Encryption Mode: > > The algorithm name SHALL be of the form "HPKE-P256-SHA256-A128GCM". > The "enc" value SHALL be any registered AEAD here - > https://www.iana.org/assignments/jose/jose.xhtml, per section of RFC7518. > The hpke-info SHALL be the same as is provided to concatKDF info for > ECDH-ES, as described in > https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.2 > The hpke-aad shall be empty. Again, maybe I was unclear, but I suggested using hpke-aad instead of hpke-info. The 64 byte size limit for hpke-info is too small. -Ilari _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
