I've previously pushed exactly this narrative as well and managed to convince the authors about it. But alas before the latest ID this was reverted to use dir again.
- Filip > 11. 6. 2024 v 9:44, Neil Madden <[email protected]>: > > > > >>> On 10 Jun 2024, at 22:30, Orie Steele <[email protected]> wrote: >>> >> >> Brian wrote: >> >> > The 'dir" Key Management algorithm for JWE is defined in JWA as Direct >> > Encryption with a Shared Symmetric Key, which is not what's happening with >> > that HPKE Direct Encryption mode. >> >> > This section defines the specifics of directly performing symmetric >> key encryption without performing a key wrapping step. In this case, >> the shared symmetric key is used directly as the Content Encryption >> Key (CEK) value for the "enc" algorithm. >> >> https://www.rfc-editor.org/rfc/rfc7518.html#section-4.5 >> >> It is true that when 7518 was written, "alg : dir" only had one meaning, for >> example: >> >> https://datatracker.ietf.org/doc/html/rfc7520#section-5.6 >> >> In the case of "HPKE Direct Encryption", consider the single shot APIs: >> >> https://datatracker.ietf.org/doc/html/rfc9180#name-single-shot-apis >> >> Instead of seeing: >> >> { >> "alg": "dir", >> "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a", >> "enc": "A128GCM" >> } >> >> You would see: >> >> { >> "alg": "dir", >> "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a", >> "enc": "HPKE-Base-P256-SHA256-A128GCM" >> } >> > > This is a total nonstarter. “Dir” with any “enc” value currently provides > symmetric *authenticated encryption*. You cannot just change this to suddenly > provide public key unauthenticated encryption. That is an enormous change in > security properties that will absolutely lead to vulnerabilities. > > — Neil > _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected]
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
