On Thu, 13 Jun 2024 at 21:24, Ilari Liusvaara <[email protected]> wrote:
> On Thu, Jun 13, 2024 at 08:46:51AM +0100, Neil Madden wrote: > > Hi all, > > > > We appear to have yet another long WG discussion going on about how to > > try to squeeze the ground meat of HPKE into the intestinal lining of > > JOSE. I know that I at least don’t have the time to follow the > > minutiae of these threads. At some point should we ask if this is all > > worth it? My takeaway is that HPKE is at best an awkward fit for > > JOSE. > > I agree it is at best an awkward fit: Indirect HPKE is quite simple > (still having some pitfalls), but direct HPKE is definitely not, > requiring extending very core parts of JWE. > > Especially so if headers need to be supported. > > > > And if we do finally manage to make the HPKE-JOSE sausage, what have > > we really gained? As far as I can tell the only real advantage is that > > we might eventually get a single ML-KEM/hybrid post-quantum encryption > > scheme. > > As of currently, HPKE has no significant advantages over what presently > exists in JOSE (KEM48 can not be used for spec stability reasons). > > In the future, HPKE might gain post-quantum or hybrid KEMs that can be > incorporated to HPKE-JOSE. > > However, direct KEM support, capable of using both PQ and hybrid KEMs, > would be a simple thing to add to JOSE. > HPKE will need to support Hybrid PQ/T to address 'harvest now, decrypt later' attacks, which several protocols leveraging HPKE must mitigate. Direct KEM support will face similar challenges as direct HPKE; it also requires a new header or using JWE encrypted key to carry the public key and KEM ciphertext. Leveraging HPKE will simplify the JSON implementation and avoid cryptographic vulnerabilities. -Tiru > > > But with encapsulated keys that are >= 1KB in size and so totally > > unsuitable for most scenarios that JOSE is used for today, where size > > is extremely important. > > There are sites that use >1kB headers. I had to patch a reverse proxy > to increase the header size limit from 1kB to handle some callbacks. > > > > > -Ilari > > _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
