Thanks for your review, Ilari. My responses are inline below, prefixed by
"Mike>".
-- Mike
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Saturday, September 14, 2024 1:01 AM
To: JOSE WG <[email protected]>; [email protected]
Subject: [COSE] Re: [jose] Re: 2nd WGLC for
draft-ietf-jose-fully-specified-algorithms (Fully Specified Algorithms)
On Fri, Sep 13, 2024 at 07:19:55AM +0100, Neil Madden wrote:
> As myself and Filip Skokan have pointed out, the wording of section
> 3.1 currently (I believe accidentally) outlaws all of the ECDH-ES
> encryption algorithms, and any future KEM-based algorithms. So no,
> even if you support the idea, the document is not ready.
What I think section 3.1 is trying to do is to prohibit algorithms depending on
each other. But it seems to accidentally extend that to all algorithms being
fully specifed.
Now, arguably RFC7516/RFC9052 already has some dependencies between algorithms,
involving Direct Encryption and Direct Key Agreement.
However, as having dependencies between algorithms can very easily cause
serious interoperability, implementation and interface issues, one should be
extremely careful in introducing any new kind of dependency. And in case of
JOSE, any such dependency seems to inevitably require updating RFC7516.
In addition, I think that RFC7516 already implcitly requires all "enc"
to be fully specified, and anything else would need to update RFC7516.
Mike> The dependencies allowed between "alg" and "enc" algorithms are now
explicitly described.
In COSE, algorithms with recipients are allowed to be polymorphic w.r.t.
headers. However, I think such algorithms are a bad idea.
Then section 3.2 looks like it should be appendix.
Mike> Section 3.2 is where what it means for encryption algorithms to be fully
specified is defined.
And section 3.2.2.
has:
"To convey a fully-specified Key Establishment with Direct Encryption algorithm
in JOSE, the "alg" value MUST be "dir", and the "enc" value MUST be fully
specified, specifying all essential parameters for both key establishment and
symmetric encryption. For example: 'ECDH-ES using P-256 and Concat-KDF with
A128GCM' or 'ECDH-ES using X25519 and Concat-KDF with A256GCM'."
This is illegal in JWE (enc is not symmetric AEAD). The correct way would be to
use "alg" like "ECDH-ES using P-256 and Concat-KDF" or "ECDH-ES using X25519
and Concat-KDF" and then leave the rest to "enc".
Mike> I've reworked the examples and the accompanying text to both tighten the
exposition and make it correct.
-Ilari
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
