Hi Ilari,

Thanks for the feedback. Please see inline.

On Wed, 18 Sept 2024 at 13:11, Ilari Liusvaara <[email protected]> wrote:
> On Sat, Sep 14, 2024 at 05:50:18PM -0300, Karen ODonoghue wrote:
> > JOSE and COSE working group members,
> >
> > The following draft has been submitted for consideration by the JOSE
> > working group. The chairs agreed, at IETF 120, to issue a call for
> > adoption.
> >
> > https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-kem/
> >
> > Please review the document and indicate (by responding to this email
> > and keeping the subject line intact) whether or not you think this is
> > a good place to start the development of this document. Please provide
> > comments.
>
> Seems like a reasonable starting point (even with flaws), adopt.
>
>
> Some stuff I noticed in quick review:
>
> - ML-KEM is intended to be used directly.
>

KDF will alter the shared secret output from the KEM to match the required key size for the AES. It was discussed in the WG (https://mailarchive.ietf.org/arch/msg/jose/dj0c4LJ7ApcEkd6fUlKS6KLv24Q/) to bind the JOSE/COSE context.

> - The KDF is not FIPS-compliant.
>

We will update the draft to refer to KMAC defined in https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf which is NIST-compliant.

> - Encoding of context structure in COSE needs to be canonical.
>

Yes, we will update the draft.

> - Ways to use public-key cryptography with JWE are defined by JWE
> itself. And there are three, not two.
>

I see two ways discussed in https://datatracker.ietf.org/doc/html/rfc7518#section-4.6. Please clarify.

> - JWE does not require "enc"/"alg" to be in JWE protected header.
>

The section is referring to DKA where "alg" and "enc" need to be integrity protected.

> - JWE does not allow using JWE Encrypted Key with DKA (no way to
> avoid double-encoding in compact serialization).
>

Yes, the document says JWE Encrypted Key will be an empty octet sequence in case of DKA (aligns with step 5 in Section 5.1 of https://datatracker.ietf.org/doc/html/rfc7516).

> - DKA in COSE does not use ciphertext (but I don't think it is
> explicitly forbidden).
> - If DKA in COSE produces CEK or KEK depends on layer it is on.
>

Yes, it is discussed in Section 7.2 of the draft.

> - AES-192 is poorly supported and usually replaced by AES-256.
>

It matches the PQ security level for ML-KEM-768.

-Tiru

>
> -Ilari
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
