Agreeing with Neil, I do not think AES-GMAC should ever be offered bare; in fact, even FIPS effectively prohibits its use outside of AES-GCM.
The speed of the MAC algorithm is generally not critical for JOSE environments, which do not perform streaming operations anyway. KMAC is also probably redundant given HMAC works just fine; however, KMAC at least is not a sharp razor blade in developers' hands, so it should not be as actively harmful as GMAC.

As an implementer I will definitely *not* make GMAC available, so I would definitely prefer if these two are proposed in separate documents, so they can be independently evaluated and accepted/rejected independently.

On Mon, 2024-12-16 at 09:39 -0500, Brian Sipos wrote:
> Neil,
> The original motivation is for using AES-GMAC in a high-volume,
> high-throughput, hardware-accelerated environment; like you say it's fast
> at the expense of other aspects.
> During pre-internet-draft review Russ had asked if KMAC could be added here
> as well, and I obliged as both of these code point registrations are pretty
> lightweight with just a simple set of parameters for each.
>
> If there is a WG preference for keeping algorithm registrations strictly
> separated by topic/family then I can pull these apart as separate drafts.
> Please let me know any opinions.
> Brian S.
>
> On Fri, Dec 13, 2024 at 5:20 PM Neil Madden <[email protected]> wrote:
>
> > What’s the motivation for adding these? They seem poles apart in terms of
> > security properties: GMAC is the live fast, die young of MACs, while KMAC
> > is slow and conservative. IMO GMAC should not be used outside of GCM.
> >
> > — Neil
> >
> > On 13 Dec 2024, at 21:39, Brian Sipos <[email protected]> wrote:
> >
> >
> > All,
> > A real first personal draft of adding GMAC and KMAC into the COSE and JOSE
> > ecosystems has now been created, linked below. Thanks to John and Russ for
> > earlier feedback.
> > I think this document is actually in good enough shape to start creating
> > some examples using a library such as pycose. If there are any
> > recommendations or other feedback please let me know.
> > Brian S.
> >
> > ---------- Forwarded message ---------
> > From: <[email protected]>
> > Date: Thu, Dec 12, 2024 at 10:41 PM
> > Subject: New Version Notification for draft-sipos-cose-gmac-kmac-00.txt
> > To: Brian Sipos <[email protected]>
> >
> >
> > A new version of Internet-Draft draft-sipos-cose-gmac-kmac-00.txt has been
> > successfully submitted by Brian Sipos and posted to the
> > IETF repository.
> >
> > Name:     draft-sipos-cose-gmac-kmac
> > Revision: 00
> > Title:    GMAC and KMAC for COSE and JOSE
> > Date:     2024-12-12
> > Group:    Individual Submission
> > Pages:    12
> > URL:      https://www.ietf.org/archive/id/draft-sipos-cose-gmac-kmac-00.txt
> > Status:   https://datatracker.ietf.org/doc/draft-sipos-cose-gmac-kmac/
> > HTML:     https://www.ietf.org/archive/id/draft-sipos-cose-gmac-kmac-00.html
> > HTMLized: https://datatracker.ietf.org/doc/html/draft-sipos-cose-gmac-kmac
> >
> >
> > Abstract:
> >
> >    This document registers JOSE and COSE algorithm code points for using
> >    two new Message Authentication Code (MAC) algorithm families. One is
> >    the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
> >    to generate a MAC (AES-GMAC), the other is the SHA-3-derived Keccak
> >    MAC (KMAC).
> >
> >
> >
> > The IETF Secretariat
> >
> >
> > _______________________________________________
> > jose mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
