Yes, we've discussed this point several times in COSE HPKE as well. The problem is that single shot APIs are not always possible to use, but it's been asserted that they MUST be possible to use for JOSE and COSE.
I think the easiest solution to this would be to do a consensus call on if single shot APIs need to be supported in JOSE and COSE, because not needing to support them drastically simplifies the conversation.

FWIW, I've been consistently in the "single shot APIs are not a requirement" camp, and I think Ilari has been in the other camp, but I will let him answer for himself.

I care less about which side the WG lands on, and more that we don't spin wheels on this topic; we need to know if they are a requirement in order to progress the draft.

Regards,

OS

On Wed, Jun 12, 2024 at 8:04 AM tirumal reddy <[email protected]> wrote:

> On Wed, 12 Jun 2024 at 13:14, Ilari Liusvaara <[email protected]> wrote:
>
>> On Tue, Jun 11, 2024 at 10:19:29AM -0500, Orie Steele wrote:
>> > Sounds like the current best option for HPKE single shot direct encryption
>> > in JOSE would be:
>> >
>> > { alg: HPKE-....-A128GCM, enc: dir }
>> >
>> > Which would require updating JWE, and this part of the IANA registry:
>> >
>> > https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
>>
>> When working on figuring out how to patch the encryption and decryption
>> procedures for this mode, I noticed that if the direct encryption
>> operation step produces headers, the resulting JWE can not be serialized
>> with compact encoding. RFC7516 prohibits bulk encryption step from
>> producing headers (only allowing it to produce JWE Ciphertext and
>> Authentication Tag outputs).
>>
>> This arises because the produced headers must be unprotected (due to
>> hard cyclic dependency), and compact serialization not allowing
>> unprotected headers. The RFC7516 prohibition on headers means all
>> bulk encryption algorithms can work in compact serialization.
>>
>
> The cyclic dependency can be prevented by invoking the SetupBaseS to get
> the HPKE context and HPKE enc. The HPKE context is then used to invoke the
> Seal function with "aad" and "pt" as parameters. The "ek" parameter can be
> within the JWE protected header.
>
> -Tiru
>
>>
>> So for compact encoding of the resulting JWE to be possible, the direct
>> encryption operation can only output JWE Encrypted Key, Initialization
>> Vector, Ciphertext and Authentication Tag fields. However, RFC7516 does
>> have single-recipient JWEs that can not be serialized with compact
>> serialization (e.g., anything that uses JWE AAD).
>>
>> -Ilari
>>
>> _______________________________________________
>> jose mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
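
The compact-serialization constraint discussed in the quoted messages, as an added example that is not part of the original thread and is not code from any participant or from the draft: it checks whether a JWE in JSON serialization has a compact form under RFC 7516 (one recipient, no unprotected headers, no JWE AAD). The function names and every sample value are assumptions constructed for illustration; no HPKE operation is performed.

```python
import base64
import json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def compact_blockers(jwe: dict) -> list:
    """Reasons a JWE JSON object (general or flattened) has no compact form."""
    recipients = jwe.get("recipients", [jwe])  # flattened: top level is the recipient
    reasons = []
    if len(recipients) != 1:
        reasons.append("not exactly one recipient")
    if jwe.get("unprotected"):
        reasons.append("shared unprotected header")
    if any(r.get("header") for r in recipients):
        reasons.append("per-recipient unprotected header")
    if "aad" in jwe:
        reasons.append("JWE AAD")
    return reasons

def to_compact(jwe: dict) -> str:
    """Emit protected.encrypted_key.iv.ciphertext.tag, or refuse with the reasons."""
    reasons = compact_blockers(jwe)
    if reasons:
        raise ValueError("no compact form: " + ", ".join(reasons))
    rcpt = jwe.get("recipients", [jwe])[0]
    fields = (jwe.get("protected", ""), rcpt.get("encrypted_key", ""),
              jwe.get("iv", ""), jwe["ciphertext"], jwe.get("tag", ""))
    return ".".join(fields)

# Constructed samples: every byte string is a placeholder, not real HPKE output.
# "HPKE-....-A128GCM" is the elided name exactly as written in the thread.
HDR = {"alg": "HPKE-....-A128GCM", "enc": "dir"}
EK = b64u(b"constructed-hpke-enc")
BODY = {"ciphertext": b64u(b"constructed-ct"), "tag": b64u(b"constructed-tag")}

# HPKE enc carried in the JWE Encrypted Key field: only the permitted outputs.
FIELDS_ONLY = {"protected": b64u(json.dumps(HDR).encode()), "encrypted_key": EK, **BODY}
# "ek" known before sealing, so it can sit in the protected header.
EK_PROTECTED = {"protected": b64u(json.dumps({**HDR, "ek": EK}).encode()), **BODY}
# "ek" produced by the encryption step itself: it can only be unprotected.
EK_UNPROTECTED = {"protected": b64u(json.dumps(HDR).encode()),
                  "unprotected": {"ek": EK}, **BODY}
# Single recipient, protected header only, but with JWE AAD.
WITH_AAD = {**FIELDS_ONLY, "aad": b64u(b"constructed-aad")}

if __name__ == "__main__":
    for name in ("FIELDS_ONLY", "EK_PROTECTED", "EK_UNPROTECTED", "WITH_AAD"):
        jwe = globals()[name]
        print(name, compact_blockers(jwe) or to_compact(jwe))
```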
