Hi all, We appear to have yet another long WG discussion going on about how to try to squeeze the ground meat of HPKE into the intestinal lining of JOSE. I know that I at least don’t have the time to follow the minutiae of these threads. At some point should we ask if this is all worth it? My takeaway is that HPKE is at best an awkward fit for JOSE. And if we do finally manage to make the HPKE-JOSE sausage, what have we really gained? As far as I can tell the only real advantage is that we might eventually get a single ML-KEM/hybrid post-quantum encryption scheme. But with encapsulated keys that are >= 1KB in size and so totally unsuitable for most scenarios that JOSE is used for today, where size is extremely important.
This all seems an awful lot of work for maybe one niche use-case encryption scheme. And HPKE doesn’t in any way address PQ signature schemes, which are *by far* the dominant use-case for JOSE. Is this really worth it? — Neil _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
