Hi Stefan,

Just as a security note, the "salt" input to HKDF must not be under attacker control (as it is in this draft), per section 3.4 of RFC 5869:

"In particular, an application needs to make sure that salt values are not chosen or manipulated by an attacker. As an example, consider the case (as in IKE) where the salt is derived from nonces supplied by the parties in a key exchange protocol. Before the protocol can use such salt to derive keys, it needs to make sure that these nonces are authenticated as coming from the legitimate parties rather than selected by the attacker (in IKE, for example this authentication is an integral part of the authenticated Diffie-Hellman exchange)."

In the current draft the salt parameter is a header and so is not authenticated until after it is used in the KDF, which is unsafe.

The Security Considerations section should also mention that the scheme is subject to Key Compromise Impersonation attacks.

Best wishes,

Neil

> On 31 Oct 2025, at 00:58, Stefan Santesson <[email protected]> wrote:
>
> Hi,
>
> I presented Designated Verifier Signatures for JOSE at IETF 123.
> I was then asked if we are ready for a call for adoption. I responded yes to
> that question in a way that I have learned recently ended up in a NO in the
> minutes.
>
> Since last IETF the name of the draft is changed (as I said it would be). The
> name is now Public-Key derived HMAC for JOSE. The draft has a GitHub page
> here: https://github.com/paulbastian/draft-bastian-jose-pkdh
>
> We have since last IETF addressed the input from the last IETF and we feel
> that we are ready for a call for adoption. This draft clearly addresses a need
> for HMAC signatures in JOSE where you want to bind the signature to a public
> key, rather than a shared secret.
>
> I will personally be present at the IETF 124 in Montreal and I would be happy
> to present the updates at that meeting.
>
> So by this e-mail, I do request on behalf of all the editors both a call for
> adoption and a slot in JOSE in Montreal if possible. I can make it short.
>
> --
> ________________
> Stefan Santesson
>
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
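An added illustration of the RFC 5869 point quoted in the message above (example code, not taken from the thread or from the draft): HKDF written out in Python so that the salt's role as the HMAC key of the extract step is visible, followed by one possible arrangement in which nothing read from a message reaches the salt. `FIXED_SALT`, `derive_mac_key`, `make_tag`, `verify`, the label strings and the idea of moving the per-message value into `info` are all assumptions of this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: PRK = HMAC(key=salt, msg=IKM). The salt is the HMAC key,
    # so whoever picks the salt picks the key of the extractor.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i)
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

# Hypothetical constant fixed by the protocol specification, never parsed from a message.
FIXED_SALT = HASH(b"example-protocol v1 HKDF salt").digest()

def _lp(value: bytes) -> bytes:
    # Length-prefix untrusted input so field boundaries are unambiguous.
    return len(value).to_bytes(2, "big") + value

def derive_mac_key(shared_secret: bytes, header_nonce: bytes) -> bytes:
    # The unauthenticated header value goes into `info` (expand step),
    # while the extract step is keyed only by the fixed salt.
    prk = hkdf_extract(FIXED_SALT, shared_secret)
    return hkdf_expand(prk, b"example-protocol mac key" + _lp(header_nonce), 32)

def make_tag(shared_secret: bytes, header_nonce: bytes, payload: bytes) -> bytes:
    key = derive_mac_key(shared_secret, header_nonce)
    # The MAC also covers the header value, so it is authenticated with the payload.
    return hmac.new(key, _lp(header_nonce) + payload, HASH).digest()

def verify(shared_secret: bytes, header_nonce: bytes, payload: bytes, tag: bytes) -> bool:
    expected = make_tag(shared_secret, header_nonce, payload)
    return hmac.compare_digest(expected, tag)
```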
