On Thu, Jun 13, 2024 at 08:46:51AM +0100, Neil Madden wrote: > Hi all, > > We appear to have yet another long WG discussion going on about how to > try to squeeze the ground meat of HPKE into the intestinal lining of > JOSE. I know that I at least don’t have the time to follow the > minutiae of these threads. At some point should we ask if this is all > worth it? My takeaway is that HPKE is at best an awkward fit for > JOSE.
I agree it is at best an awkward fit: Indirect HPKE is quite simple (still having some pitfalls), but direct HPKE is definitely not, requiring extending very core parts of JWE. Especially so if headers need to be supported. > And if we do finally manage to make the HPKE-JOSE sausage, what have > we really gained? As far as I can tell the only real advantage is that > we might eventually get a single ML-KEM/hybrid post-quantum encryption > scheme. As of currently, HPKE has no significant advantages over what presently exists in JOSE (KEM48 can not be used for spec stability reasons). In the future, HPKE might gain post-quantum or hybrid KEMs that can be incorporated to HPKE-JOSE. However, direct KEM support, capable of using both PQ and hybrid KEMs, would be a simple thing to add to JOSE. > But with encapsulated keys that are >= 1KB in size and so totally > unsuitable for most scenarios that JOSE is used for today, where size > is extremely important. There are sites that use >1kB headers. I had to patch a reverse proxy to increase the header size limit from 1kB to handle some callbacks. -Ilari _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
