On Fri, Mar 06, 2026 at 04:47:23PM +0000, Michael Jones wrote: > Hi John, > > I'd be curious to have you elaborate on the reasons behind your statement: > > draft-ietf-cose-hpke is not suitable for LAKE and many other constrained > > uses of COSE. > > Is your assessment due to properties of HPKE itself or the way that COSE > uses it?
I presume mainly due how COSE uses it. Whereas draft-ietf-jose-pqc-kem can perform Direct Key Agreement, COSE-HPKE can not. However, HPKE itself could also be a factor in constrained implementations. However, reading RFC 9528 (which is EDHOC, the main protocol from LAKE), I am bit confused. From quick read, it seems to me that what is needed is a key format for PQ keys, which draft-ietf-jose-pqc-kem does not define. EDHOC seems to only use ECDH in ways that trivially map into KEMs (which is not true for COSE, due to how the spec is written). Futhermore, there seems to be opposition in COSE and JOSE WGs to defining PQ key formats for encryption. > From: John Mattsson <[email protected]> > Sent: Friday, March 6, 2026 8:34 AM > To: Aritra Banerjee (Nokia) <[email protected]>; [email protected]; cose > <[email protected]>; lake <[email protected]> > Subject: [Lake] COSE and LAKE needs draft-ietf-jose-pqc-ke (was Proposal: Use > HPKE for JWE PQ/PQT straight away) > > Adding COSE, LAKE > > LAKE WG is counting on draft-ietf-jose-pqc-kem, It is referenced by several > drafts, and has been discussed several times. > > draft-ietf-cose-hpke is not suitable for LAKE and many other constrained uses > of COSE. > > When I reviewed it last year it looked very much ready for WGLC. I would > suggest to start WGLC. > > Cheers, > John Preuß Mattsson > > From: Aritra Banerjee (Nokia) > <[email protected]<mailto:[email protected]>> > Date: Wednesday, 11 February 2026 at 18:20 > To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> > Subject: [jose] Re: Proposal: Use HPKE for JWE PQ/PQT straight away > Hello, > > The draft-ietf-jose-pqc-kem establishes a clear, HPKE-independent pathway for > systems aiming to transition to PQC-only Key Encapsulation Mechanisms (KEMs). > It does not depend on the new modes defined in draft-ietf-jose-hpke-encrypt. > Instead, draft-ietf-jose-pqc-kem mirrors the original JWE ECDH-style key > agreement model, making it the natural post-quantum analogue of ECDH-ES. > > While HPKE-based JOSE provides valuable capabilities, particularly for PQ/T > use cases, deployments seeking a PQC-only key establishment mechanism should > not be required to rely on the new modes introduced in jose-hpke. This draft > supports a minimal-change transition to PQC-only KEMs while remaining aligned > with the existing JWE model, enabling a straightforward and consistent > migration path. > > Best, > Aritra. -Ilari _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
