> > And ideally (at least in my mind), draft-skokan-jose-hpke-pq-pqt can be > expanded to also register the corresponding COSE HPKE algorithm > identifiers, keeping JOSE and COSE HPKE in sync.
Coincidentally, just today I was adapting the tooling me and Brian have, which allows us to (re-)generate the tables and vectors just based on the algorithm set in draft-skokan-jose-hpke-pq-pqt at will, such that we could generate a separate draft for the COSE WG-tailored draft too if there's appetite for it. S pozdravem, *Filip Skokan* On Fri, 6 Mar 2026 at 21:10, Michael Jones <[email protected]> wrote: > And ideally (at least in my mind), draft-skokan-jose-hpke-pq-pqt can be > expanded to also register the corresponding COSE HPKE algorithm > identifiers, keeping JOSE and COSE HPKE in sync. > > > > Cheers, > > -- Mike > > > > *From:* Filip Skokan <[email protected]> > *Sent:* Friday, March 6, 2026 11:23 AM > *To:* John Mattsson <[email protected]> > *Cc:* Aritra Banerjee (Nokia) <[email protected]>; [email protected]; > cose <[email protected]>; lake <[email protected]> > *Subject:* [COSE] Re: COSE and LAKE needs draft-ietf-jose-pqc-ke (was > Proposal: Use HPKE for JWE PQ/PQT straight away) > > > > John, > > > > The JOSE WG adoption of PQ & PQ/T HPKE algs was postponed to allow the > completion of draft-ietf-jose-hpke-encrypt. With that out of the way now > (it's been submitted to IESG for publication already) I'm hoping that we'll > be adopting one of the two I-Ds* that we have for this after the meeting in > Shenzhen. Given that all we need are algorithm registrations and JWK key > format definition with the rest referencing draft-ietf-hpke-pq these > shouldn't take too long *fingers crossed*. > > > > *1: draft-reddy-cose-jose-pqc-hybrid-hpke > > *2: draft-skokan-jose-hpke-pq-pqt > > > > S pozdravem, > *Filip Skokan* > > > > > > On Fri, 6 Mar 2026 at 19:59, John Mattsson <[email protected]> > wrote: > > >LAKE needs the COSE-specific parts from draft-ietf-jose-pqc-kem, not the > >JOSE ones, correct? > > > > Correct. > > > > >would you mind elaborating? > > > > As I wrote Mike, the main problem is that LAKE/EDHOC needs KEMs, not PKEs. > Also, I don’t expect HPKE to focus on algorithms for very constrained > devices and systems. A main target for LAKE/EDHOC is very constrained radio > networks. > > > > --- > > > > Regarding JOSE, 3GPP has specified the use of JWE and are referring to > draft-ietf-jose-pqc-kem and draft-ietf-jose-hpke-encrypt as adopted > drafts in its PQC migration study. > > > > The EU roadmap recommends that all deployments using public-key > cryptography for confidentiality to have completed migration to PQC no > later than 2030. 5G and 6G intends to meet this deadline. 3GPP is likely to > start normative work soon. > > > > With draft-ietf-jose-hpke-encrypt being published without ML-KEM and > draft-ietf-jose-pqc-kem > maybe not published for JOSE. When do JOSE WG plan to ship > quantum-resistant JWE? > > > > Is it correct that when draft-ietf-hpke-pq is published, JOSE need to > register new code points for the algorithms before they can be used in JWE? > > > > As discussed in TLS, 3GPP and most other external SDOs relying on JOSE are > likely to want an RFC. > > > > Cheers, > > John > > > > *From: *Filip Skokan <[email protected]> > *Date: *Friday, 6 March 2026 at 18:03 > *To: *John Mattsson <[email protected]> > *Cc: *Aritra Banerjee (Nokia) <[email protected]>, [email protected] < > [email protected]>, cose <[email protected]>, lake <[email protected]> > *Subject: *Re: [COSE] COSE and LAKE needs draft-ietf-jose-pqc-ke (was > Proposal: Use HPKE for JWE PQ/PQT straight away) > > I hear you John, LAKE needs the COSE-specific parts > from draft-ietf-jose-pqc-kem, not the JOSE ones, correct? > > > > Although I don't understand how constraints play a role in the suitability > of draft-ietf-cose-hpke with additional Pure PQ algorithms vs the COSE > parts of the draft-ietf-jose-pqc-kem draft, the underlying ops are the give > or take the same just packaged differently, would you mind elaborating? Or > is it purely timing in that draft-ietf-jose-pqc-kem seems closer > than draft-ietf-cose-hpke with additional Pure PQ algs coming from > elsewhere? > > > > S pozdravem, > *Filip Skokan* > > > > > > On Fri, 6 Mar 2026 at 17:33, John Mattsson <john.mattsson= > [email protected]> wrote: > > Adding COSE, LAKE > > > > LAKE WG is counting on draft-ietf-jose-pqc-kem, It is referenced by several > drafts, and has been discussed several times. > > > > draft-ietf-cose-hpke is not suitable for LAKE and many other constrained > uses of COSE. > > > > When I reviewed it last year it looked very much ready for WGLC. I would > suggest to start WGLC. > > > > Cheers, > > John Preuß Mattsson > > > > *From: *Aritra Banerjee (Nokia) <[email protected]> > *Date: *Wednesday, 11 February 2026 at 18:20 > *To: *[email protected] <[email protected]> > *Subject: *[jose] Re: Proposal: Use HPKE for JWE PQ/PQT straight away > > Hello, > > The draft-ietf-jose-pqc-kem establishes a clear, HPKE-independent pathway > for systems aiming to transition to PQC-only Key Encapsulation Mechanisms > (KEMs). It does not depend on the new modes defined in > draft-ietf-jose-hpke-encrypt. Instead, draft-ietf-jose-pqc-kem mirrors the > original JWE ECDH-style key agreement model, making it the natural > post-quantum analogue of ECDH-ES. > > > > While HPKE-based JOSE provides valuable capabilities, particularly for > PQ/T use cases, deployments seeking a PQC-only key establishment mechanism > should not be required to rely on the new modes introduced in jose-hpke. > This draft supports a minimal-change transition to PQC-only KEMs while > remaining aligned with the existing JWE model, enabling a straightforward > and consistent migration path. > > Best, > Aritra. > > _______________________________________________ > COSE mailing list -- [email protected] > To unsubscribe send an email to [email protected] > >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
