>LAKE needs the COSE-specific parts from draft-ietf-jose-pqc-kem, not the >JOSE >ones, correct?
Correct. >would you mind elaborating? As I wrote Mike, the main problem is that LAKE/EDHOC needs KEMs, not PKEs. Also, I don’t expect HPKE to focus on algorithms for very constrained devices and systems. A main target for LAKE/EDHOC is very constrained radio networks. --- Regarding JOSE, 3GPP has specified the use of JWE and are referring to draft-ietf-jose-pqc-kem and draft-ietf-jose-hpke-encrypt as adopted drafts in its PQC migration study. The EU roadmap recommends that all deployments using public-key cryptography for confidentiality to have completed migration to PQC no later than 2030. 5G and 6G intends to meet this deadline. 3GPP is likely to start normative work soon. With draft-ietf-jose-hpke-encrypt being published without ML-KEM and draft-ietf-jose-pqc-kem maybe not published for JOSE. When do JOSE WG plan to ship quantum-resistant JWE? Is it correct that when draft-ietf-hpke-pq is published, JOSE need to register new code points for the algorithms before they can be used in JWE? As discussed in TLS, 3GPP and most other external SDOs relying on JOSE are likely to want an RFC. Cheers, John From: Filip Skokan <[email protected]> Date: Friday, 6 March 2026 at 18:03 To: John Mattsson <[email protected]> Cc: Aritra Banerjee (Nokia) <[email protected]>, [email protected] <[email protected]>, cose <[email protected]>, lake <[email protected]> Subject: Re: [COSE] COSE and LAKE needs draft-ietf-jose-pqc-ke (was Proposal: Use HPKE for JWE PQ/PQT straight away) I hear you John, LAKE needs the COSE-specific parts from draft-ietf-jose-pqc-kem, not the JOSE ones, correct? Although I don't understand how constraints play a role in the suitability of draft-ietf-cose-hpke with additional Pure PQ algorithms vs the COSE parts of the draft-ietf-jose-pqc-kem draft, the underlying ops are the give or take the same just packaged differently, would you mind elaborating? Or is it purely timing in that draft-ietf-jose-pqc-kem seems closer than draft-ietf-cose-hpke with additional Pure PQ algs coming from elsewhere? S pozdravem, Filip Skokan On Fri, 6 Mar 2026 at 17:33, John Mattsson <[email protected]<mailto:[email protected]>> wrote: Adding COSE, LAKE LAKE WG is counting on draft-ietf-jose-pqc-kem, It is referenced by several drafts, and has been discussed several times. draft-ietf-cose-hpke is not suitable for LAKE and many other constrained uses of COSE. When I reviewed it last year it looked very much ready for WGLC. I would suggest to start WGLC. Cheers, John Preuß Mattsson From: Aritra Banerjee (Nokia) <[email protected]<mailto:[email protected]>> Date: Wednesday, 11 February 2026 at 18:20 To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: [jose] Re: Proposal: Use HPKE for JWE PQ/PQT straight away Hello, The draft-ietf-jose-pqc-kem establishes a clear, HPKE-independent pathway for systems aiming to transition to PQC-only Key Encapsulation Mechanisms (KEMs). It does not depend on the new modes defined in draft-ietf-jose-hpke-encrypt. Instead, draft-ietf-jose-pqc-kem mirrors the original JWE ECDH-style key agreement model, making it the natural post-quantum analogue of ECDH-ES. While HPKE-based JOSE provides valuable capabilities, particularly for PQ/T use cases, deployments seeking a PQC-only key establishment mechanism should not be required to rely on the new modes introduced in jose-hpke. This draft supports a minimal-change transition to PQC-only KEMs while remaining aligned with the existing JWE model, enabling a straightforward and consistent migration path. Best, Aritra. _______________________________________________ COSE mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]>
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
