A few questions for the group:

Does HPKE require us to update JWE? Or can we use existing structures?

Which of these is better for HPKE direct encryption with a single-shot API:

1. { alg: HPKE-....-A128GCM, enc: A128GCM }
2. { alg: HPKE-....-A128GCM, enc: HPKE }
3. { alg: HPKE, enc: HPKE-....-A128GCM }

OS

On Tue, Jun 11, 2024, 6:07 AM Filip Skokan <[email protected]> wrote:

> FYI the respective PR that reverted to use "dir" is
> https://github.com/tireddy2/JOSE_HPKE/pull/23/files
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Tue, 11 Jun 2024 at 10:09, Filip Skokan <[email protected]> wrote:
>
>> I've previously pushed exactly this narrative as well and managed to
>> convince the authors about it. But alas before the latest ID this was
>> reverted to use dir again.
>>
>> - Filip
>>
>> 11. 6. 2024 v 9:44, Neil Madden <[email protected]>:
>>
>> 
>>
>>
>> On 10 Jun 2024, at 22:30, Orie Steele <[email protected]> wrote:
>>
>> 
>> Brian wrote:
>>
>> > The "dir" Key Management algorithm for JWE is defined in JWA as Direct
>> Encryption with a Shared Symmetric Key, which is not what's happening with
>> that HPKE Direct Encryption mode.
>>
>> > This section defines the specifics of directly performing symmetric
>>    key encryption without performing a key wrapping step.  In this case,
>>    the shared symmetric key is used directly as the Content Encryption
>>    Key (CEK) value for the "enc" algorithm.
>>
>> https://www.rfc-editor.org/rfc/rfc7518.html#section-4.5
>>
>> It is true that when 7518 was written, "alg : dir" only had one meaning,
>> for example:
>>
>> https://datatracker.ietf.org/doc/html/rfc7520#section-5.6
>>
>> In the case of "HPKE Direct Encryption", consider the single shot APIs:
>>
>> https://datatracker.ietf.org/doc/html/rfc9180#name-single-shot-apis
>>
>> Instead of seeing:
>>
>> {
>>      "alg": "dir",
>>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>>      "enc": "A128GCM"
>> }
>>
>> You would see:
>>
>> {
>>      "alg": "dir",
>>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>>      "enc": "HPKE-Base-P256-SHA256-A128GCM"
>> }
>>
>>
>> This is a total nonstarter. “Dir” with any “enc” value currently provides
>> symmetric *authenticated encryption*. You cannot just change this to
>> suddenly provide public key unauthenticated encryption. That is an enormous
>> change in security properties that will absolutely lead to vulnerabilities.
>>
>> — Neil
>> _______________________________________________
>> jose mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>>
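Added example, not part of the thread or of the draft under discussion: a recipient-side check that accepts "dir" only in the RFC 7518 section 4.5 sense quoted above (a shared symmetric key used directly as the CEK), so the second header shown in the thread is rejected rather than treated as symmetric authenticated encryption. The function and class names and both sample keys are constructed for illustration.

```python
import base64

# CEK length in bytes for each RFC 7518 section 5.1 "enc" algorithm.
CEK_BYTES = {"A128CBC-HS256": 32, "A192CBC-HS384": 48, "A256CBC-HS512": 64,
             "A128GCM": 16, "A192GCM": 24, "A256GCM": 32}

class HeaderRejected(ValueError):
    """Raised when a header does not match the RFC 7518 meaning of "dir"."""

def check_dir_header(header, jwk):
    """Return the CEK length if header and key fit "dir" as defined in
    RFC 7518 section 4.5 (shared symmetric key used directly as the CEK)."""
    if header.get("alg") != "dir":
        raise HeaderRejected("alg is not dir")
    enc = header.get("enc")
    if enc not in CEK_BYTES:
        raise HeaderRejected(f"enc {enc!r} is not an RFC 7518 content encryption algorithm")
    if jwk.get("kty") != "oct" or "k" not in jwk:
        raise HeaderRejected("dir needs a shared symmetric (oct) key")
    k = jwk["k"]
    key = base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))
    if len(key) != CEK_BYTES[enc]:
        raise HeaderRejected(f"{enc} needs a {CEK_BYTES[enc]}-byte key, got {len(key)}")
    return len(key)

# Headers as quoted in the thread; the keys below are constructed for this example.
KID = "77c7e2b8-6e13-45cf-8672-617b5b45243a"
LEGACY_HEADER = {"alg": "dir", "kid": KID, "enc": "A128GCM"}
HPKE_HEADER = {"alg": "dir", "kid": KID, "enc": "HPKE-Base-P256-SHA256-A128GCM"}
OCT_JWK = {"kty": "oct", "kid": KID,
           "k": base64.urlsafe_b64encode(bytes(range(16))).rstrip(b"=").decode()}
EC_JWK = {"kty": "EC", "crv": "P-256", "kid": KID}  # coordinates omitted; only kty is inspected

if __name__ == "__main__":
    for name, hdr, key in [("legacy dir", LEGACY_HEADER, OCT_JWK),
                           ("dir + HPKE enc", HPKE_HEADER, EC_JWK),
                           ("dir + EC key", LEGACY_HEADER, EC_JWK)]:
        try:
            print(name, "-> accepted, CEK bytes:", check_dir_header(hdr, key))
        except HeaderRejected as e:
            print(name, "-> rejected:", e)
```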