On Tue, Jun 11, 2024 at 10:19:29AM -0500, Orie Steele wrote:
> Sounds like the current best option for HPKE single shot direct encryption
> in JOSE would be:
>
> { alg: HPKE-....-A128GCM, enc: dir }
>
> Which would require updating JWE, and this part of the IANA registry:
>
> https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms

When working on figuring out how to patch the encryption and decryption
procedures for this mode, I noticed that if the direct encryption
operation step produces headers, the resulting JWE cannot be serialized
with compact encoding. RFC7516 prohibits bulk encryption step from
producing headers (only allowing it to produce JWE Ciphertext and
Authentication Tag outputs).

This arises because the produced headers must be unprotected (due to
a hard cyclic dependency), and compact serialization does not allow
unprotected headers. The RFC7516 prohibition on headers means all
bulk encryption algorithms can work in compact serialization.

So for compact encoding of the resulting JWE to be possible, the direct
encryption operation can only output JWE Encrypted Key, Initialization
Vector, Ciphertext and Authentication Tag fields. However, RFC7516 does
have single-recipient JWEs that cannot be serialized with compact
serialization (e.g., anything that uses JWE AAD).

-Ilari
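
The constraint discussed in the message above, as an added example that is not part of the original message or of any JOSE implementation: a check that reports why a JWE in RFC 7516 JSON serialization cannot be re-encoded in compact form. The member names are those of the RFC 7516 JSON serialization; the sample values and the header parameter name `x-constructed-param` are constructed for illustration.

```python
import base64
import json

def b64u(data: bytes) -> str:
    """base64url without padding, as used by JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def compact_blockers(jwe: dict) -> list:
    """Reasons a JSON-serialized JWE (general or flattened) has no compact form."""
    reasons = []
    if "recipients" in jwe:                      # general JSON serialization
        if len(jwe["recipients"]) != 1:
            reasons.append("compact form carries exactly one recipient")
        rcpt = jwe["recipients"][0] if jwe["recipients"] else {}
    else:                                        # flattened JSON serialization
        rcpt = jwe
    if "unprotected" in jwe:
        reasons.append("JWE Shared Unprotected Header present")
    if "header" in rcpt:
        reasons.append("JWE Per-Recipient Unprotected Header present")
    if "aad" in jwe:
        reasons.append("JWE AAD present")
    if not jwe.get("protected"):
        reasons.append("no JWE Protected Header to carry alg and enc")
    return reasons

def to_compact(jwe: dict) -> str:
    """Join the five compact fields, or raise if any blocker applies."""
    reasons = compact_blockers(jwe)
    if reasons:
        raise ValueError("not compact-serializable: " + "; ".join(reasons))
    rcpt = jwe["recipients"][0] if "recipients" in jwe else jwe
    return ".".join([jwe["protected"], rcpt.get("encrypted_key", ""),
                     jwe.get("iv", ""), jwe["ciphertext"], jwe.get("tag", "")])

# Constructed sample JWEs; the byte strings are placeholders, not real ciphertext.
PROTECTED = b64u(json.dumps({"alg": "dir", "enc": "A128GCM"}).encode())
BASE = {"protected": PROTECTED, "iv": b64u(b"\x00" * 12),
        "ciphertext": b64u(b"constructed ciphertext"), "tag": b64u(b"\x01" * 16)}
# A header emitted by the encryption step can only land in an unprotected header.
WITH_STEP_HEADER = dict(BASE, header={"x-constructed-param": "value"})
WITH_AAD = dict(BASE, aad=b64u(b"constructed aad"))

if __name__ == "__main__":
    for name, jwe in [("base", BASE), ("step header", WITH_STEP_HEADER),
                      ("aad", WITH_AAD)]:
        print(name, "->", compact_blockers(jwe) or to_compact(jwe))
```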