[CFRG] Spencer Dawkins' No Objection on draft-irtf-cfrg-hpke-09: (with COMMENT)

Spencer Dawkins via Datatracker <noreply@ietf.org> Fri, 18 June 2021 16:58 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: cfrg@ietf.org
Delivered-To: cfrg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 561743A19AE; Fri, 18 Jun 2021 09:58:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Spencer Dawkins via Datatracker <noreply@ietf.org>
To: "The IRSG" <irsg@irtf.org>
Cc: draft-irtf-cfrg-hpke@ietf.org, cfrg-chairs@ietf.org, cfrg@ietf.org, Stanislav Smyshlyaev <smyshsv@gmail.com>, smyshsv@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.32.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
Message-ID: <162403552387.29040.7069216010328580026@ietfa.amsl.com>
Date: Fri, 18 Jun 2021 09:58:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vPCjmamdWZRgdv0RH8Cqn7y5S3w>
Subject: [CFRG] Spencer Dawkins' No Objection on draft-irtf-cfrg-hpke-09: (with COMMENT)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jun 2021 16:58:45 -0000

Spencer Dawkins has entered the following ballot position for
draft-irtf-cfrg-hpke-09: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

This isn't even remotely a topic I'm smart about, but the document was clearly
written, and I can imagine using it as an implementer. I do have some nits, so
please Do The Right Thing.

At the bottom of Section 5, this sentence, "The procedures described in this
session are laid out in a Python-like pseudocode", and that's the only
occurence of "session" in the document. I don't know what "this session" is
intended to refer to - I can guess, but I'd be guessing. Is it something like
"in the following *sections*"?

In this text, "This assurance is based on the assumption that AuthDecap(enc,
skR, pkS) produces the correct KEM shared secret only if the encapsulated value
enc was produced by AuthEncap(pkR, skS), where skS is the private key
corresponding to pkS", is "assumption" the right word? "Assumption" makes me
look for some mention of evidence that would support that assumption, but
reading further, I'm led to believe that this is a fundamental property, not an
assumption.

In this text, "In many cases, applications encrypt only a single message to a
recipient's public key", is "to the recipient's public key" the right way to
say this? I was guessing this meant "In many cases, applications encrypt only a
single message using a recipient's public key"

In this text, "The precise likelihood of DeriveKeyPair() failing with
DeriveKeyPairError depends on the group being used, but it is negligibly small
in all cases", is there any obvious action that an implementer could take if
this DOES happen?

I wonder if Section 7.1.5. KEM Key Reuse should appear in the security
considerations section, or perhaps even just be mentioned there, with a
reference to its current location. Perhaps even in Section 9.2? But just having
this appear in Section 7 without a mention in Section 9 seems counterintuitive.

Hmmm. Section 5.3 says this: “Applications that do not use the encryption API
in Section 5.2 can use the export-only AEAD ID 0xFFFF when computing the key
schedule. Such applications can avoid computing the key and base_nonce values
in the key schedule, as they are not used by the Export interface described
above”, but Section 7.3 says “The 0xFFFF AEAD ID is reserved for applications
which only use the Export interface; see Section 5.3 for more details”. Would
saying “Applications that do not use the encryption API in Section 5.2 can use
the export-only AEAD ID 0xFFFF when computing the key schedule” in Section 7.3
be accurate? If so, it would be more obvious that these two statements apply in
the same conditions if they use the same phrasing.

I may be going blind (and that would be a pity, since I had cataract surgery
earlier this year), but I can’t see the difference between what’s said about
DHKEM in

Extract() and Expand() (in DHKEM): Extract() can be modeled as a random oracle.
Expand() can be modeled as a pseudorandom function, wherein the first argument
is the key.

and what’s said about “elsewhere” in

Extract() and Expand() (elsewhere): Extract() can be modeled as a random
oracle. Expand() can be modeled as a pseudorandom function, wherein the first
argument is the key.

Is there a difference? I see text in Section 9.5 that looks like it might be
related, but I just don’t have the background to know for sure.

In 11.1. KEM Identifiers, “The "HPKE KEM Identifiers" registry lists
identifiers for key encapsulation algorithms defined for use with HPKE. These
are two-byte values, so the maximum possible value is 0xFFFF = 65535”, These
“might” be clearer as “These identifiers” (same comment in 11.2 and 11.3).