IETF Logo Mail Archive

Re: [COSE] Draft IETF 117 COSE agenda

"lgl island-resort.com" <lgl@island-resort.com> Thu, 20 July 2023 16:44 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E393FC15108D for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 09:44:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.887
X-Spam-Level:
X-Spam-Status: No, score=-6.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UM9ZE5Otesl2 for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 09:44:46 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2105.outbound.protection.outlook.com [40.107.93.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6253AC151530 for <cose@ietf.org>; Thu, 20 Jul 2023 09:44:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dyB4c8lHgUIs6BpwYE92nSbdUEGIN/XY5qChkI/6Ujrk/x3qB+urrptLcrm3eXRG77FyXAjEJaKvxFsX4DvHVRn+R3Xg/kaD71wddC3ia1s0DRbFpGddAV5Cs5QGir9F8Q58E9TV4q007KuYaxWc8VZbUZ2EJy1ZL7tRnw+s6QVLr4TVc+aDEsB/WSYR24jVAEidxINM+LvU3KBULDvrF3Yv/zUErspLJt6ZOVG1o7caInX7HkKUMJ4iIeOpssAl6R6yFMBoWhRz6L1Ngn/BKvQcLsv5kvJtTudqQdb5qc/VJ0OTfBo1g5EeDHyGQhphlQ3er/D3rGCUSuJmD98mbg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OyYGpvnmfcdx0oAixZGdA20UVf2DOP7V9ND04/1TCiQ=; b=Dqyb5LfEvkx4zUrmgbL5K8k1wZPdKS/FkIitmPU5pDUNh4pbZ1oQgc8WlRlzm0iRo6piIF9uStLpwHAicTASXPS+SSXonPP2+8TKVzGOdoQTcGEgSUk/fKBh49rKoQ0AWAx6PSocBI9gqs2OFRIB7em/xG97mRjZG58Lm9I1tR2tBxJY5ZIPRdaWgxpc1XRBDl7W/lDypyUj78c6PVaEOJiVm6DwpeaAmLloyPiUutSjqbQDI6THVzyzMPURXmdP6sYaJ3HqZblztgsEgD6wSoSwhKKyRxaVCYUSodhPb/hqFx3K47WlcW6jhv6VuyV8I6T+yLnqm4WTfHU1FZiT3A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by DM6PR22MB1865.namprd22.prod.outlook.com (2603:10b6:5:258::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6609.23; Thu, 20 Jul 2023 16:44:41 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::9293:61e8:93b8:c26b]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::9293:61e8:93b8:c26b%6]) with mapi id 15.20.6609.024; Thu, 20 Jul 2023 16:44:40 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: AJITOMI Daisuke <ajitomi@gmail.com>
CC: Orie Steele <orie@transmute.industries>, Michael Prorock <mprorock@mesur.io>, Michael Jones <michael_b_jones@hotmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Thread-Topic: [COSE] Draft IETF 117 COSE agenda
Thread-Index: Adm5nPWN7H2vcrPeSseRlHnamti7dAAZhSIgABd9EgAAAa7GAAAKvbaAAAOHJlAAHDDxAAAAS2YAAABOFQAAAJXoAAACmTAAAAIxxgA=
Date: Thu, 20 Jul 2023 16:44:40 +0000
Message-ID: <8DA5BC73-8569-4807-AEC1-CA52E387ECFE@island-resort.com>
References: <SJ0PR02MB74394E66F880D4948217ED57B738A@SJ0PR02MB7439.namprd02.prod.outlook.com> <AS8PR10MB7427A0FF328462A6212E2590EE39A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <MW4PR02MB74281BC30C2B395F77E3F1FCB739A@MW4PR02MB7428.namprd02.prod.outlook.com> <798F3FD9-115B-40C6-8F20-CB1DB1FB3648@island-resort.com> <CAFWvErU3mSR5PRk6FaW11-5r6tC1Kx9sMMBtVAqEhhjT5p1P4g@mail.gmail.com> <MW4PR02MB742891C6F229AE71BF1ECC02B73EA@MW4PR02MB7428.namprd02.prod.outlook.com> <CAFWvErV5hb8KoX12WiWn8epJJs4Q1RsCHcv4K4OAqmLQr5urnw@mail.gmail.com> <CAGJKSNSeVS8j6zUf26TxLR5w920gO0w1k3ADpEgCaKJxLQJTKQ@mail.gmail.com> <CAGJKSNTkhZdMz0VCdY7xMHJOdfZss1rvh8dwZg1phARP3Jbstg@mail.gmail.com> <CAN8C-_LPcz6p==hVmuO6bZFoiT7fPRuV4hYeGwZi_py_NLpj9w@mail.gmail.com> <CAFWvErXZX7YwHAaeM42ZxAc3ZJ2XAaOK5UQfG0qyTTuvpEoMXQ@mail.gmail.com>
In-Reply-To: <CAFWvErXZX7YwHAaeM42ZxAc3ZJ2XAaOK5UQfG0qyTTuvpEoMXQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|DM6PR22MB1865:EE_
x-ms-office365-filtering-correlation-id: 8d3645c5-1d05-476c-b99d-08db89409cee
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MPgNjIHXHg6Ul7WTG3gqUJ6DaTYxT/oJ4qYY1N3aP78VM/3Dm/ZHt6W8ZmyI1IkDbhTyzQGLZ0ApZY9rRNp5+kxA5XIHEQQmmwkCb2kYi2IAC++olCwkH39dAru57KPS4nZaIvVZN0Dyrk9gHBg0NAs6Sxprw+R9lTlwFSwipnJAPLSG7GmPj/fkckkEy7GEpPdvUpeZeuDGz0Pc+xLaxk3AaGYP1rKA73yCk7KBgfNyMjLQJbIgVv6pEPJDLr7qxtB4gWt2fT/HHBQRgcpJbAec+uKLDXRd7tnuhnOBK8jTd6rFXnVUoSpVLuCZoGjmWhZeGpgeT7pxngnABeJy7Udy/8fhY/HR6XlASIwSngdqV8MtiCNkQ+qLn5YbVpkv2gFybGZHhmdzFH1v1yvgJubTsM3R6VyYV6xp9OUmQ5uWSbfIudCtVCaRAbIS9tMtPIE9mFmK+AXrXE+5/qa3NZzXu/rYnEp8Ao+sTf1fqXQOTDDshGPCbBkMQSwlwPg9QXQwBng4S6XFqMeJ6BL5a8/VfVf6A+PQGctU4xGl6JXM4vsQabiCEt0AWgEPhc7te9hFNF9BF/kPN2IA2gIzz5JK17k2StOarPHoTw+xZAUKslBFze0WtzxizhsQS3a/Qss+Ga+9LqlvR1S65MZtog==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(346002)(136003)(39830400003)(366004)(376002)(1690799014)(451199021)(45080400002)(478600001)(53546011)(26005)(6506007)(66899021)(6512007)(966005)(6486002)(71200400001)(4326008)(8676002)(6916009)(8936002)(83380400001)(38070700005)(33656002)(5660300002)(2616005)(41300700001)(316002)(30864003)(86362001)(2906002)(166002)(186003)(122000001)(64756008)(76116006)(66556008)(36756003)(38100700002)(66446008)(66476007)(54906003)(66946007)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: J07yBF78h7HsXNQ/i1PlqM0KpFePC0IQaVEwYKDhf+8eogT09oo1jqef3mq/hCHJ4cZu8wcP5CJYq3AoYl1v/7NcCHYiQ3LFFUAuvQg35/mkpvnU+XKTzeEWUU0RiWcFh/kX+r2BuKPYGaWbTJM5DewJLnVJZS+bpXvhouqNj2FbVQyuf9YL6rV4JudzLaNKmOErO+bqvwmzLEgJDfwLlpg8LP2tuvrAnE1hooM1VmSaPWnKdY5lIm5PUIwbEqD1JOv17XIJjvvnpArEOObRyIGrSOpluke3dAAGyRMnmuV6e/efaWsS7gKPa1PCQtTLWgzOABw6rgk8hvS89hxOyq43sqH7y4iyIpRLGdgMQ1aUL/4ZnW2MCzdvyBa5G9R3KRWu2DfQ+nzt2SxpGYDkONXzt1YJDm2hXTyuYBtaOCVQSFK8PZ09/Y1zNzQd361HbcCEE47nLC6hD6oeIz7xA6zxmXIwVqVl2dky4g4Q0L4nXJvdvNMYUzSXhzf0HZ1lIxJK+g8E41f5eowvrIiFVVD3cGfmWruc+kFkOWq6OCK/+pDPPPtkibc3rXwH6eG6n1vh8/VnEFB5R7a775BE/Ex+8DkekJLeOJXFNMnxRnwMktEI68s/LAFCCd1/a0/MoaUaFKYdDEqL8IYb+2k8VRgzztwgB76e0yyu4uyip4IuFKpG7flLkrOUMzB/ySo4ptTRaRk3pEDJ7+klonosLWpQOzAJni6He/cRJ8ydRra9E06xC64xyDqR/JcZXpHz8UBoa7T1pDIXPQ8PJ4UAdCL6EzyyyYiHFuPcEJ6x6RRAY+cU/7cs/R5+KZS1AjktBF2s76clP5lnrQPEtDVYgPWKudYMM16yQj+rh994IGpMMEXfgQKTebkLV1CyNKhE7zP+qzCdEMcDP2Sbj27WRnAnKMxFt3CIhm6edcI8AtHah4qcQ8axDbjtHO+iyM5hbmZou2IBpLJIstwg6n03S47SVnQ616QW622j8pP0T4s3jgI9ntvplezySJuMbI3aUbDvaAieWWj/gsxqHMzsQmA6qSSoRqIqu2WREuxnIvs6VSjyx1UL62j4ofr4WQ8Hk5Z1bo1GybxqimVXNMcEARTci+AQIN8upwQg8ZfcoFVeqsVkaEh73MmZ8oCEQVOma1KI8kpB3I5GWxSbsuwLCxf4rttN1pGX1cnBdzbUnlfZfd5OUReqePckwCl1ZYx6bUCgbDoM2M6bOV0yaUA8XX56Pm1XAvAmQJRfSFdQEwzpixOIlfJ8wszsSTPgZkfHahH8PcmiajBh3hwnxQthAOg0n0IZYHdeXZ4CSQ0pXiarNZncEdt7af8Q/7hGlXBK8OaYvNJEROHhKIvw3WYP7OGLgJY5/DjkxnIiPZrOupi/7v95N3HPDzX+Wvmod6GTqVGqomzk58kVV2pCSQs8q8DzGQtrkuWCAlWrHPuiV5M6IBM6X5ui7C08+Eak8LWT6Xms9LZUUk3JPZ3TmvcX1D4momRoxMebXtUuozGe91yCGqpQAvKCok7dd+KEH5qzCtjPx1+O48p1u0y3x64bHbND7hE/VUj2JDCjVbQdXIFwzkDRPyXHwEWSCvX8G2JID24Q/H+rM13cgbVgn8GNXQ==
Content-Type: multipart/alternative; boundary="_000_8DA5BC7385694807AEC1CA52E387ECFEislandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8d3645c5-1d05-476c-b99d-08db89409cee
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2023 16:44:40.6640 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PUzg52kbomLVjKNOadXpQDjGla/LFVFnfaE4b4h2Cl9Nx2vCr/eEsXQLqBxGURwr39YY7jt02BXQser/Wbz+5Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR22MB1865
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/BXLEO_oxfhqZ055VwANgyxRC5OM>
Subject: Re: [COSE] Draft IETF 117 COSE agenda
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 16:44:51 -0000

Note that in EC HPKE the KEM Alg ID does specify the curve.  See below for examples.

In most EC key serialization formats, the curve is specified. So for HPKE you perform a check to be sure the key and the alg ID line up. For 9053 ECDH alg IDs, the curve is not specified, so you just use the curve from the key.

All that said, I think the big next step here is with the chairs to find the consensus on top level choice.

LL




Alg ID HPKE-P-256 (equivalent to COSE -29 with NIST key)
KEM: 0x0010 DHKEM(P-256, HKDF-SHA-256)
KDF: 0x0001 HKDF-SHA256
AEAD: 0x0001  AES-128-GCM

Alg ID HPKE-P-384 (equivalent to COSE -30 with NIST key)
KEM: 0x0011 DHKEM(P-384, HKDF-SHA-384)
KDF: 0x0002 HKDF-SHA384
AEAD: 0x0002  AES-256-GCM

Alg ID HPKE-P-521 (equivalent to COSE -31 with NIST key)
KEM: 0x0012 DHKEM(P-521, HKDF-SHA-512)
KDF: 0x0003 HKDF-SHA512
AEAD: 0x0002  AES-256-GCM



On Jul 20, 2023, at 8:41 AM, AJITOMI Daisuke <ajitomi@gmail.com<mailto:ajitomi@gmail.com>> wrote:

The point here is... If I tell you -7 (ES256), you know 2 (kty EC2) and 1 (crv P-256)

... No. In COSE, ES256 can be used not only with P-256 but also with other curves (P-521, etc.).

Constrained devices won't ship support for both 6 and 7... so advertising -8 is therefore ambiguous / not helpful (by itself)
... Now consider advertising "HPKE-Base"... How does this help you know how to talk to a firmware or relying party?

ES256 is also ambiguous... let's use key information.

... why would we go out of our way to add extra information to this process, when we are supposed to be trying to design for a compact / constrained environment?

... The current draft(or "hkc" approach) does not prohibit implementing only a specific combination of KEM/KDF/AEAD for constrained environments, and it is also possible not to put HPKE algorithm information in COSE_Key/JWK as an implicit agreement between a sender and a recipient.

--
Daisuke

2023年7月20日(木) 23:27 Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>:
Granted, JOSE & COSE kinda broke this with EdDSA...

> Therefore, in COSE, even ES256 has to be defined as follows:
>    -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 (P-256).

The point here is... If I tell you -7 (ES256), you know 2 (kty EC2) and 1 (crv P-256)

If I tell you -8 (EdDSA) .... You know 1 (kty OKP), but you don't know if I meant 6 (crv Ed25519) or 7 (crv Ed448)

Constrained devices won't ship support for both 6 and 7... so advertising -8 is therefore ambiguous / not helpful (by itself)

... Now consider advertising "HPKE-Base"... How does this help you know how to talk to a firmware or relying party?

... why would we go out of our way to add extra information to this process, when we are supposed to be trying to design for a compact / constrained environment?

OS



On Thu, Jul 20, 2023 at 9:11 AM Michael Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>> wrote:
A correction/clarification - basically, while you see both kty and alg together, if you have a well defined alg, you always know what kty is for that alg - so derivation is from alg alone

Mike Prorock
CTO - mesur.io<http://mesur.io/>

On Thu, Jul 20, 2023, 08:01 Michael Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>> wrote:
Daisuke,
definitely 'combination of "alg" and key information.', especially as things have started to evolve recently.  However, I think the point that Orie is trying to make (please correct me if I am wrong Orie) is that once you have the 'kty' which lets you know what shape and family of keys you are dealing with, then you should have everything you need from 'alg' and nothing else.

Mike Prorock
CTO, Founder
https://mesur.io/



On Thu, Jul 20, 2023 at 7:53 AM AJITOMI Daisuke <ajitomi@gmail.com<mailto:ajitomi@gmail.com>> wrote:
Daisuke asserts “On the other hand, there are no examples like the proposal from Hannes/Laurence, where the "alg" value includes information about "crv" values and unrelated key operation information (e.g., KDF, AEAD)”.  There are actually many such examples.

It mainly concerns the latter, which is ”unrelated key operation information". Anyway, while it is true that JOSE's ES* algs include the "crv" value implicitly, the COSE's ES* algs don't. The COSE's ES256 algorithm is not limited to P-256 and this crv value and the information about whether the key is compressed EC point or not ultimately requires referring to the key info.

Therefore, in COSE, even ES256 has to be defined as follows:

  *   -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 (P-256).

It is evident that the mainstream approach is to negotiate using a combination of "alg" and key information.

--
Daisuke


2023年7月20日(木) 9:55 Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>>:
[chair hat off]

The interoperability problem caused by polymorphic algorithm identifiers is that the “alg” and “enc” values are no longer useful for algorithm negotiation.


In protocols such as OpenID Connect, OAuth 2.0, and WebAuthn/FIDO2, lists of supported “alg” and “enc” values are published in metadata.  For instance, here’s an example from RFC 8414:

    "token_endpoint_auth_signing_alg_values_supported":
        ["RS256", "ES256"],

The problem with polymorphic algorithm identifiers such as “EdDSA” is that they don’t actually specify which algorithm is used.  It could mean either “Ed25519” or “Ed448”.  You can’t advertise which you support and/or which you want.

This is a problem in practice for WebAuthn, since some COSE alg identifiers are polymorphic and WebAuthn and FIDO2 use COSE algorithm identifiers for negotiation.  See that WebAuthn specified that EdDSA always uses Ed25519 – making it non-polymorphic but precluding its use with Ed448.  Here’s the line doing so at https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy:

  *   -8 (EdDSA), where crv<https://tools.ietf.org/html/rfc8152#section-13.1.1> is 6 (Ed25519).

Daisuke asserts “On the other hand, there are no examples like the proposal from Hannes/Laurence, where the "alg" value includes information about "crv" values and unrelated key operation information (e.g., KDF, AEAD)”.  There are actually many such examples.

All the registered JOSE algorithms (for example “ES256”) fully specified all parameters until “EdDSA”  was registered.  The COSE algorithms from RFC 8812 fully specify all parameters, such as when secp256k1 is used and when RSASSA is used.

Likewise, if we had a single HPKE algorithm identifier, it couldn’t be used to distinguish which HPKE algorithms are supported (and not all will be by all implementations).  This would cause the same problem for future systems that, for instance, WebAuthn/FIDO2, OAuth 2.0, and OpenID Connect already encounter when polymorphic algorithm identifiers are used.

                                                       -- Mike

From: AJITOMI Daisuke <ajitomi@gmail.com<mailto:ajitomi@gmail.com>>
Sent: Wednesday, July 19, 2023 3:45 PM
To: Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>>; Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>>
Cc: cose <cose@ietf.org<mailto:cose@ietf.org>>
Subject: Re: [COSE] Draft IETF 117 COSE agenda

> Speaking as an individual contributor, I fully support the first
> (fully specified) choice.  Whereas the second possibility will cause
> endless interoperability problems.

I disagree.

+1

(Below, I comment from the standpoint that the design of alg values should be consistent with COSE and JOSE.)
I am convinced that the "fully specified" design, on the contrary, includes more interoperability issues.

Originally, in JOSE and COSE, the identification of the specific cryptographic algorithm was done by combining the "alg" value ("ECDH-ES," "EdDSA," etc.) with the information held by the key itself ({"kty": "EC", "crv": "P-256", ...}, {"kty": "OKP", "crv": "Ed25519", ...}, etc.). The current draft follows this approach. On the other hand, there are no examples like the proposal from Hannes/Laurence, where the "alg" value includes information about "crv" values and unrelated key operation information (e.g., KDF, AEAD) to the original key's purpose. In JWK, the "alg" value is merely an optional parameter, so packing excessive information into the "alg" value will, in fact, lead to interoperability issues.

I have repeatedly written about the reasons why the current specification is better than the "fully specified" design (*1, *2). However, I would like to add one more point from a new perspective.

I am very concerned that JWK, which is a "JSON representation of keys" that could be used for a wide range of applications not limited to JOSE and COSE, will no longer be available as a means of transmission and negotiation of HPKE parameters. I think this is a very big loss.
The following works with no problem with existing JWK implementations, and it is also guaranteed to work in the JWK RFC:

  {
        kty: "EC",
        crv: "P-256",
        // alg: "HPKE-v1-Base(-KEM)",   // alg can be omitted as many JWKs do
        hkc: { kem: 0x0010, kdfs: [0x0001], aeads: [0x0001]}, // Unknown parameters for the JWK implementation MUST be ignored on the JWK layer.
        x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc",
        y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI",
  }

On the other hand, the following does not work with many existing JWK implementations. This is because existing JWK implementations often throw errors for "alg" values not supported by the bundled JWS/JWE:

  {
        kty: "EC",
        crv: "P-256",
        alg: " HPKEv1-Base-DHKEM(P256,HKDFSHA256)-HKDFSHA256-AES128GCM",   // Must be specified to specify HPKE parameters if not assuming an offline(implicit) agreement.
        x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc",
        y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI",
  }

I think this example clearly illustrates the harm of putting subsequent algorithm information (KDF&AEAD), which is not originally relevant to the key itsef, into a key that is originally only used in the KEM step.

In any case, I am tired of the situation where even after all these repeated discussions, even the obvious design point, which is obvious if you read the HPKE standard, that "encapsulated_key should be expressed as a sequence of bytes," is being rehashed...

I hope the chairs will make a wise decision.

Best regards,
Daisuke

P.S.
... the design of COSE-HPKE was more difficult than I had thought, as it required not only knowledge of both COSE and HPKE, but also knowledge of JOSE (primarily JWK) in terms of alg value design, and related considerations of consistency with the W3C Web Cryptography API and existing implementations. So I do not intend to ask you (the mailing list participants) to agree with my suggestion easily, but I'm very glad if you could read (*1)(*2) without bias.

(*1) https://mailarchive.ietf.org/arch/msg/cose/KTpXbZ3UxUH8BuLT4OmhfaToYTk/
(*2) https://mailarchive.ietf.org/arch/msg/cose/cPqYqCagPbWPKwvQODjqn98U3F4/

2023年7月20日(木) 2:37 lgl island-resort.com<http://island-resort.com/> <lgl@island-resort.com<mailto:lgl@island-resort.com>>:



On Jul 19, 2023, at 9:52 AM, Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>> wrote:

As a chair, I’d like clarity on what you mean by “the single algorithm design”.  Do you mean that each algorithm identifier fully specifies all the cryptographic parameters being used?  Or do you mean that a single algorithm identifier is used for all the HPKE possibilities?

The proposal that Hannes, Jeremy and a few others favor is roughly this. (I picked these three just as an example, the decision we want is not whether these three are the ones to register, it is that we will use one algorithm ID to indicate the HPKE KEM, KDF and AEAD.

Alg ID HPKE-P-256 (equivalent to COSE -29 with NIST key)
KEM: 0x0010 DHKEM(P-256, HKDF-SHA-256)
KDF: 0x0001 HKDF-SHA256
AEAD: 0x0001  AES-128-GCM

Alg ID HPKE-P-384 (equivalent to COSE -30 with NIST key)
KEM: 0x0011 DHKEM(P-384, HKDF-SHA-384)
KDF: 0x0002 HKDF-SHA384
AEAD: 0x0002  AES-256-GCM

Alg ID HPKE-P-521 (equivalent to COSE -31 with NIST key)
KEM: 0x0012 DHKEM(P-521, HKDF-SHA-512)
KDF: 0x0003 HKDF-SHA512
AEAD: 0x0002  AES-256-GCM

The one that Ilari and Ajitomi-san favor is what we have now in COSE-HPKE:

   When the alg value is set to 'HPKE-v1-BASE', the HPKE_sender_info
   structure MUST be present in the unprotected header parameter.

   The CDDL grammar describing the HPKE_sender_info structure is:

      HPKE_sender_info = [
          kem_id : uint,         ; kem identifier
          kdf_id : uint,         ; kdf identifier
          aead_id : uint,        ; aead identifier
          enc : bstr,            ; encapsulated key
      ]




Speaking as an individual contributor, I fully support the first (fully specified) choice.  Whereas the second possibility will cause endless interoperability problems.

We need your efforts primarily has a chair at this point. I think we’ve had the discussion.

LL





_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--

ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries>
[https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/>
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email