[CFRG] [Technical Errata Reported] RFC9180 (7934)

RFC Errata System <rfc-editor@rfc-editor.org> Sun, 12 May 2024 08:03 UTC

Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63539C14F71A; Sun, 12 May 2024 01:03:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.648
X-Spam-Level:
X-Spam-Status: No, score=-6.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPB4Gfk8J-FL; Sun, 12 May 2024 01:03:34 -0700 (PDT)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83B64C14F5ED; Sun, 12 May 2024 01:03:34 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 60E52B3B07; Sun, 12 May 2024 01:03:34 -0700 (PDT)
To: rlb@ipv.sx, karthikeyan.bhargavan@inria.fr, ietf@benjaminlipp.de, caw@heapingbits.net, irsg@irtf.org, cfrg@irtf.org
From: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240512080334.60E52B3B07@rfcpa.amsl.com>
Date: Sun, 12 May 2024 01:03:34 -0700
Message-ID-Hash: 7TNJUGY2VI55RSUPNBWVHTS4UACRAVQG
X-Message-ID-Hash: 7TNJUGY2VI55RSUPNBWVHTS4UACRAVQG
X-MailFrom: wwwrun@rfcpa.amsl.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: raul@guardedbox.com, rfc-editor@rfc-editor.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] [Technical Errata Reported] RFC9180 (7934)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JD2NWyvZx4VJzHup3ow7rnbZgLI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

The following errata report has been submitted for RFC9180,
"Hybrid Public Key Encryption".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7934

--------------------------------------
Type: Technical
Reported by: Raul Siles <raul@guardedbox.com>

Section: 5.1 and 7.2.1

Original Text
-------------
- Section 5.1:

The psk and psk_id fields MUST appear together or not at all.

The psk, psk_id, and info fields have maximum lengths that depend
on the KDF itself,...

- Section 7.2.1:

The following table lists the maximum allowed lengths of these
fields for the KDFs defined in this document,...


Corrected Text
--------------
- Section 5.1:

[Add a new note]

The info parameter used by HPKE is not related to the optional
string info used by the LabeledExpand or Expand functions detailed
in section 4.

The psk and psk_id parameters MUST appear together or not at all.

The psk, psk_id, and info parameters have maximum lengths that depend
on the KDF itself,...

- Section 7.2.1:

The following table lists the maximum allowed lengths of these
parameters for the KDFs defined in this document,...


Notes
-----
The reference to the "info" parameter in sections 5.1 and 7.2.1 might be confusing. Thus, I suggest to clearly differentiate between the optional string "info" for the LabeledExpand or Expand functions, whose value is clearly defined by the RFC for each LabeledExpand function used in DHKEM or KeySchedule, and the "info" parameter used by HPKE.

It seems section 7.2.1 refers to the "info" parameter used by HPKE, as it is referenced from section 5.1. This is the "info" parameter that is used specifically as the key for the "info_hash" LabeledExtract function in KeySchedule.

In section 5.1 the third bullet refer to the HPKE "info" parameter, but the 3rd paragraph after the bullets, as it uses the term "fields", might be confused with the "info" string (or field) used by the LabeledExpand and Expand functions.

Perhaps it would be useful to always use two separate terms along RFC 9180:
- the "info" parameter used by HPKE.
- the "info" string used by the LabeledExpand and Expand functions.

As a result, I would remove the term "field(s)" from sections 5.1 and 7.2.1, and replace it by parameter(s).

Additionally, I suggest to add a note in section 5.1 to differentiate both, and clarify that section 5.1 and 7.2.1, with the input length restrictions, refer to the "info" parameter, and not to the "info" string.

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC9180 (draft-irtf-cfrg-hpke-12)
--------------------------------------
Title               : Hybrid Public Key Encryption
Publication Date    : February 2022
Author(s)           : R. Barnes, K. Bhargavan, B. Lipp, C. Wood
Category            : INFORMATIONAL
Source              : Crypto Forum Research Group
Stream              : IRTF
Verifying Party     : IRSG