On Fri, Sep 13, 2024 at 07:19:55AM +0100, Neil Madden wrote:
> As myself and Filip Skokan have pointed out, the wording of section
> 3.1 currently (I believe accidentally) outlaws all of the ECDH-ES
> encryption algorithms, and any future KEM-based algorithms. So no,
> even if you support the idea, the document is not ready. 

What I think section 3.1 is trying to do is to prohibit algorithms
depending on each other. But it seems to accidentally extend that to
all algorithms being fully specified.

Now, arguably RFC7516/RFC9052 already has some dependencies between
algorithms, involving Direct Encryption and Direct Key Agreement.

However, as having dependencies between algorithms can very easily
cause serious interoperability, implementation and interface issues,
one should be extremely careful in introducing any new kind of
dependency. And in case of JOSE, any such dependency seems to inevitably
require updating RFC7516.

In addition, I think that RFC7516 already implicitly requires all "enc"
to be fully specified, and anything else would need to update RFC7516.

In COSE, algorithms with recipients are allowed to be polymorphic w.r.t.
headers. However, I think such algorithms are a bad idea.


Then section 3.2 looks like it should be an appendix. And section 3.2.2.
has:

"To convey a fully-specified Key Establishment with Direct Encryption
algorithm in JOSE, the "alg" value MUST be "dir", and the "enc" value
MUST be fully specified, specifying all essential parameters for both
key establishment and symmetric encryption.  For example: 'ECDH-ES
using P-256 and Concat-KDF with A128GCM' or 'ECDH-ES using X25519 and
Concat-KDF with A256GCM'."

This is illegal in JWE (enc is not symmetric AEAD). The correct way
would be to use "alg" like "ECDH-ES using P-256 and Concat-KDF" or
"ECDH-ES using X25519 and Concat-KDF" and then leave the rest to
"enc".




-Ilari
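
Added example (not part of the original message, and not code from the draft or from any JOSE library): a small Python check of the "alg"/"enc" layering discussed above, where "enc" names only a symmetric AEAD algorithm and, for ECDH-ES, the curve is carried in "epk" rather than in "alg". The function names, the sample headers and the use of the draft's descriptive string as an "enc" value are assumptions made for illustration.

```python
import base64
import json

# Content encryption ("enc") algorithms registered by RFC 7518 section 5.1,
# mapped to the CEK size in bits. All of them are symmetric AEAD algorithms.
ENC_CEK_BITS = {
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_protected_header(segment: str) -> dict:
    """Decode a JWE protected header and report alg/enc layering problems."""
    header = json.loads(b64url_decode(segment))
    alg, enc = header.get("alg"), header.get("enc")
    problems = []
    if enc not in ENC_CEK_BITS:
        problems.append(f"enc {enc!r} is not a symmetric AEAD algorithm")
    # ECDH-ES: the curve is not named by "alg"; it comes from the "epk" header.
    curve = None
    if isinstance(alg, str) and alg.startswith("ECDH-ES"):
        epk = header.get("epk")
        if not isinstance(epk, dict) or "crv" not in epk:
            problems.append("ECDH-ES requires an epk header carrying crv")
        else:
            curve = epk["crv"]
    return {"alg": alg, "enc": enc, "curve_from_epk": curve,
            "cek_bits": ENC_CEK_BITS.get(enc), "problems": problems}

# Constructed sample headers; x and y are placeholders, not real key material.
RFC7518_STYLE = b64url_encode(json.dumps({
    "alg": "ECDH-ES", "enc": "A128GCM",
    "epk": {"kty": "EC", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
}).encode())
# Assumption: the descriptive string quoted from section 3.2.2 stands in for
# whatever identifier the draft would register for a combined algorithm.
DRAFT_3_2_2_STYLE = b64url_encode(json.dumps({
    "alg": "dir", "enc": "ECDH-ES using P-256 and Concat-KDF with A128GCM",
}).encode())

if __name__ == "__main__":
    for name, seg in (("RFC 7518 style", RFC7518_STYLE),
                      ("draft 3.2.2 style", DRAFT_3_2_2_STYLE)):
        print(name, check_protected_header(seg))
```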
