Re: [COSE] [jose] Call for Adoption: draft-ajitomi-cose-cose-key-jwk-hpke-kem
AJITOMI Daisuke <ajitomi@gmail.com> Mon, 17 April 2023 15:07 UTC
Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73591C151B1E for <cose@ietfa.amsl.com>; Mon, 17 Apr 2023 08:07:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7QSS8JtyyDiX for <cose@ietfa.amsl.com>; Mon, 17 Apr 2023 08:06:56 -0700 (PDT)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B97D5C151B1F for <cose@ietf.org>; Mon, 17 Apr 2023 08:06:56 -0700 (PDT)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-54f6a796bd0so306093557b3.12 for <cose@ietf.org>; Mon, 17 Apr 2023 08:06:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681744016; x=1684336016; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HaNfr88nraUNk707e9yfgWNUtEJ2TKiSvwK014W0YOg=; b=EwDr2PFl277dR67w2CPI74AF/UaT/G8W5DHBiV4+sySPXWvnVzGyTQiEI+DAIzS88b OQ290mLOaKJpm8i+AVh4T84gW+R7HEUTQh5VyxV8Fl4XPrtiDgMG3BCXnyRddj9EqLvA ZGrD9v+NeEFJZIuVYgUnm1grxyg595znynVuCdfkRZNc+M89RkLwL4vJTp4rnSkF5SeS DBmGrEAi9Jd8Jm0XKjNTguoQEnRssAnPoG7hdPmgGKrUC9JwoAhpn4W6gKIuY3V0AsIt YaGqvPCXrEJ+9OGYGEoTeoJ+zSdTmsw/zCyKiryYVIu8AHOfVrCOlAvQl37C2K9+aCLK y2Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681744016; x=1684336016; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HaNfr88nraUNk707e9yfgWNUtEJ2TKiSvwK014W0YOg=; b=PcpA2G19zbGrD/AgFxYgaupLp0BxrRIcQ2kXXPF2TGXVItDkCDddK1cKZo3P7UJTmU 0Vqpew0nEWdfqqfI2jw1naTebGqYoGdtXKy6r/OBeJ0iziZBUXhehS/ANeo1yM9RTCph K8DB1BCHm52IgW9TsqaNGCdbviyHDDAKEJzLIc3dPuCf/fS8MuCYNVct8alIlAOQPjU4 SL9ZKITAy36LONHEIciHZbE3b6E3ysyE6usF8X9evs2DFCsGLg58q/z/lp/HLOQtgWCg qRao/0xp8QzmtRPIlmwJ4QJYMggsj2mYpO6Nd6I/n8HCW7Kf6KtJrTwfkdg2tV7CIlJj HOQw==
X-Gm-Message-State: AAQBX9egPuba77soKLyALkDxdJjmzIIxq8nJf40VYcq8JUTkU6tcrDsg IjexxQKTbd3RSLs3C6ctQcEQ+Eitk+mPN8lCllN4xxpCUwJH
X-Google-Smtp-Source: AKy350Z+nGByUoIuIYPYf4g+nDyR4OQ+s4AKx6ldMZMmkaNZu0OOUFneE6tTRSAHa8rshGpA3gIQDRVc6hqwVxUTViM=
X-Received: by 2002:a81:af5a:0:b0:54f:69a4:151e with SMTP id x26-20020a81af5a000000b0054f69a4151emr8978364ywj.8.1681744014722; Mon, 17 Apr 2023 08:06:54 -0700 (PDT)
MIME-Version: 1.0
References: <ZDZj/boaTVkcLzhq@LK-Perkele-VII2.locald> <CAN8C-_J_A=F_K8sxpZ6YJ_FPHYxgh_pX-0AEM_kXsh_o=EJu-Q@mail.gmail.com> <E9237176-AA3D-49FF-AA80-976E196591D8@island-resort.com> <CAN8C-_LrQoeN87SFsA8XN-9GJMQZOv9A1sc3MgWOk0EFmoHxKQ@mail.gmail.com> <9639F2AF-CF80-4C46-9936-E2D267647A4F@island-resort.com> <ZDkEW716XyikW1ah@LK-Perkele-VII2.locald> <CAN8C-_Jawc9OEROYdi+QhNtXbvKPQaLtL1+veCF0zVKFnUM00g@mail.gmail.com> <ZDmdwQqw5xg4FvHY@LK-Perkele-VII2.locald> <7357D0EA-F248-4042-B4E0-111DB306E988@island-resort.com> <CAN8C-_LfJmu2Qf1hV1W4iu8V4dyxEwo-_h8RVXPgyaRFDtPTCQ@mail.gmail.com> <ZDuDv6NVJ8exaXMj@LK-Perkele-VII2.locald> <CAFWvErWkOWTT28gxd43atkjVwMUcZw9Zi=MEodL_PFDiQFpueQ@mail.gmail.com> <CAN8C-_+=mT97rownLqFvKaWRBbmBHp+JMbVpFArBrB0C3zNqeA@mail.gmail.com> <CAFWvErVT2ZUsoPyzaj-5+9K4LwwN6ioue8uZ8Z6fxmh6zk78Hg@mail.gmail.com> <CAN8C-_J8DKsfk9H+XKEJN2s61nVnMVGHjExiGMLSpcwVGJdPxA@mail.gmail.com> <CAFWvErXyzanCSRTuzPdO01MvGfAJBOr6Q-JEALEnUmXRAHL1ng@mail.gmail.com> <CAN8C-_L_Sey25QM8W5LqExJV4iSjF=W+2znQO-tuw54PcS=+=A@mail.gmail.com> <CAFWvErV5kvfO5VvkJW-HgOCGhRKR_2fbN2xu+JBLMe09PztGzQ@mail.gmail.com> <CAN8C-_JYGUusJFevCzZGd9E0pxwM6v3waSFbSMPG6iCDwMYDpA@mail.gmail.com>
In-Reply-To: <CAN8C-_JYGUusJFevCzZGd9E0pxwM6v3waSFbSMPG6iCDwMYDpA@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Tue, 18 Apr 2023 00:06:44 +0900
Message-ID: <CAFWvErUM_2rJw+h+e+zhw3wpCvPu=UPcOusAOnXLH=1=jfJ1Gw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: cose <cose@ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="00000000000099c8ed05f9898a66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/cTij-CkJ9LZNCrG26rcfqQfck7k>
Subject: Re: [COSE] [jose] Call for Adoption: draft-ajitomi-cose-cose-key-jwk-hpke-kem
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2023 15:07:02 -0000
> This is not true, I showed a counter example using your library. I'm not confident that I fully understand what you're saying, but I cannot agree with you. The HPKE_Sender_Info structure cannot be replaced with COSE_Key/JWK representations for KEM. They are completely different things. Are you claiming that the representation of HPKE_Sender_Info in JOSE should also be defined in the COSE-HPKE spec? That is almost equivalent to "adding HPKE to JWE". > 2. register "alg" values that map to "hkc", like Apple does, and as I have shown on https://hpke.dev I believe that comparing the specification of Apple's Wallet app with COSE-HPKE is inappropriate. The former is simply the specification of an app from a single company, and adopting a ciphersuite approach is a reasonable choice for this kind of particular use case. On the other hand, COSE-HPKE should be a generic specification that does not assume any specific use case or application. Since HPKE is designed to be cryptoagility-oriented, it is natural to follow that design philosophy in COSE-HPKE as well. If someone wants to adopt a ciphersuite-based approach, they can do so on higher-level applications that utilize COSE-HPKE. > Laurence seems neutral so far ... at least, the definitions of the "alg" value (HPKE-v1-{Base, Auth, PSK, AuthPSK}) included in the COSE-HPKE specification and my draft were proposed by Laurence (I like this idea), so I believe that Laurence supports the current COSE-HPKE. Also, the definitions of the "alg" value are also an important part of my draft. Therefore, with Laurence's consent, we have added him as a co-author in the latest draft. Of course, I don't think Laurence fully agrees with my current draft. Best, AJITOMI Daisuke 2023年4月17日(月) 22:11 Orie Steele <orie@transmute.industries>: > Inline: > > On Mon, Apr 17, 2023 at 7:25 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote: > >> https://datatracker.ietf.org/doc/html/rfc8812 >> >> >>> ^ this RFC defined JWK and COSE key for secp256k1, and it registered an >>> algorithm for use in JWS Headers. >> >> >>> I am suggesting COSE HPKE do the same thing, we don't need to do >>> anything with JOSE other than define reasonable algorithms in COSE, and >>> ensure that you can signal their use in JWK & COSE Key, consistently, just >>> like the above RFC does. >> >> >> Well, is your argument that the "Use of HPKE with COSE'' should be >> extended to "Use of HPKE with COSE and JOSE"? >> >> I believe that Hannes' scoping of the COSE-HPKE specification, which >> focuses on the structure including the encapsulated key called >> HPKE_Sender_Info and how to represent it in the COSE container, was very >> reasonable from the beginning. It is focused on the minimal specification >> necessary to use HPKE on COSE, and the representation of the recipient >> public key for KEM is excluded from the scope. As I wrote in b) above, this >> is because the key representation is not essential for COSE-HPKE and can be >> left to the application layer. >> >> Now, if we extend this specification to "Use of HPKE with COSE and JOSE," >> we will also need to decide how to represent HPKE_Sender_Info on JOSE. This >> is completely different from RFC8812, which only registers parameters with >> the IANA registry. We need to define what we have been doing with COSE-HPKE >> within the constraints specific to JOSE. Ilari says this is very difficult, >> but to be honest, I don't understand the extent of the difficulty. However, >> at least, it is certain that this is not a matter that can be settled with >> just registering parameters with the IANA registry. >> > > This is not true, I showed a counter example using your library. > > There may be difficulty in "adding HPKE to JWE", but it is not > difficult to make a JWK / COSE Key that supports HPKE regardless of if you > are using a COSE HPKE library or a regular one, like hpke-js. > > I am not saying the COSE WG needs to do more than define keys consistently > and define how "alg" relates to them when it is in "cose headers". > > There are 2 options on the table: > > 1. parameterize "alg" with "hkc" and relate it to "sender_info"... which > is * revolutionary *. > 2. register "alg" values that map to "hkc", like Apple does, and as I have > shown on https://hpke.dev > > We are currently doing 1, and if I am in the minority on this point, I > expect 1 to proceed... I still think the key side should be handled in the > same document if 1 is taken, and hence another draft is a mistake. > > I think 1 is a mistake, and I see Ilari, and Daisuke advocating for it, > Laurence seems neutral so far, but has noted we should try to follow > conventions that COSE has set, let's assume for the sake of argument that > Laurence is pro option 1 and anti option 2. > > At best option 1 has 3 people supporting it and option 2 has 1 person > supporting it. > > Since option 1 is pretty revolutionary, I think the bar for accepting it > should be a bit higher than that. > > OS > > > > > >> >> I feel that this contradicts your opinion that JOSE should not delay >> COSE-HPKE. >> >> Best, >> AJITOMI Daisuke >> >> >> 2023年4月17日(月) 8:43 Orie Steele <orie@transmute.industries>: >> >>> >>> Inline: >>> >>> On Sun, Apr 16, 2023 at 4:33 PM AJITOMI Daisuke <ajitomi@gmail.com> >>> wrote: >>> >>>> Yes, I believe the JWK and COSE Key Representations for HPKE should be >>>>> defined together. >>>> >>>> >>>> So, could I understand that you agree to the adoption of this draft >>>> into the WG document? Or do you think there are things that need to be done >>>> before adoption? >>>> >>> >>> Yes, the thing that needs to be done is address the use of "alg", in >>> headers, and keys, consistently. >>> >>> In my opinion, this work needs to be done in the COSE HPKE draft, and >>> when it is done, there will not be a need for a second draft focusing only >>> on keys. >>> >>> https://datatracker.ietf.org/doc/html/rfc8812 >>> >>> ^ this RFC defined JWK and COSE key for secp256k1, and it registered an >>> algorithm for use in JWS Headers. >>> >>> I am suggesting COSE HPKE do the same thing, we don't need to do >>> anything with JOSE other than define reasonable algorithms in COSE, and >>> ensure that you can signal their use in JWK & COSE Key, consistently, just >>> like the above RFC does. >>> >>> I don't support adoption of "draft-ajitomi-cose-cose-key-jwk-hpke-kem". >>> >>> I support including its contents in the already adopted >>> "draft-ietf-cose-hpke". >>> >>> >>>> >>>> 2023年4月17日(月) 5:24 Orie Steele <orie@transmute.industries>: >>>> >>>>> Inline: >>>>> >>>>> On Sun, Apr 16, 2023 at 3:10 PM AJITOMI Daisuke <ajitomi@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Orie, >>>>>> >>>>>> > 8812 defined an "alg" and key representations for JWK and COSE Key >>>>>> in one document. >>>>>> >>>>>> At least, I want to define both key representations and alg values in >>>>>> the same draft if possible as I mentioned in the previous mail as follows: >>>>>> >>>>>> > > If this draft is adopted as a working group document, I was >>>>>> thinking of proposing to move the definition of alg values from the >>>>>> COSE-HPKE spec to this draft. >>>>>> >>>>>> And I don't think defining alg values other than HPKE-v1-Base >>>>>> beforehand is as bad an idea as Ilari suggests. >>>>>> >>>>>> The mode-dependent processing in HPKE is all confined to the KEM step >>>>>> and all HPKE modes are clearly defined within the HPKE spec (RFC9180), and >>>>>> it is evident that this does not affect the key representation for KEM and >>>>>> the "hkc" structure. >>>>>> >>>>>> I thought you believed that JWK and COSE_Key for HPKE should be >>>>>> defined simultaneously (in the same draft), or am I mistaken? >>>>>> If you think JWK and COSE_Key should be defined together, separating >>>>>> the key representation draft from the COSE-HPKE might not be a bad idea. >>>>>> >>>>>> >>>>> Yes, I believe the JWK and COSE Key Representations for HPKE should be >>>>> defined together. >>>>> >>>>> I would have started with this part, since HPKE assumes the sender has >>>>> the recipient's key, and that they have agreed to mutually supported >>>>> algorithms. >>>>> >>>>> Holding a restricted key is a natural way to capture this assumption, >>>>> although it is not the only way to achieve it. >>>>> >>>>> >>>>>> Best, >>>>>> AJITOMI Daisuke >>>>>> >>>>>> 2023年4月16日(日) 23:09 Orie Steele <orie@transmute.industries>: >>>>>> >>>>>>> >>>>>>> Inline: >>>>>>> >>>>>>> On Sun, Apr 16, 2023 at 7:06 AM AJITOMI Daisuke <ajitomi@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Orie, >>>>>>>> >>>>>>>> Sorry for the late reply. I think I will be able to respond more >>>>>>>> quickly starting from this week... >>>>>>>> Thank you for the feedback on my draft. >>>>>>>> >>>>>>>> I think there are several topics mixed in this thread, but first, >>>>>>>> I'd like to comment on whether this draft should be merged into the >>>>>>>> existing COSE-HPKE spec. >>>>>>>> >>>>>>>> >>>>>>> Agreed, Laurence has summarized them well. >>>>>>> >>>>>>> 1. "alg" in Headers >>>>>>> 2. "alg" & "kty" in COSE Key and JWK >>>>>>> 3. Negotiation of "alg" >>>>>>> >>>>>>> The reasons why I proposed this draft as an independent >>>>>>>> specification separate from COSE-HPKE are as follows: >>>>>>>> >>>>>>>> a) I wanted to define not only COSE_Key but also JWK representation >>>>>>>> together for HPKE. This is the biggest reason. >>>>>>>> >>>>>>> >>>>>>> 8812 defined an "alg" and key representations for JWK and COSE Key >>>>>>> in one document. >>>>>>> >>>>>>> - https://www.rfc-editor.org/rfc/rfc8812 >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> b) Key representation is essentially independent of the COSE >>>>>>>> message format and can be used for various applications unrelated to COSE >>>>>>>> or JOSE. As I mentioned in the slides for IETF116, I thought it would be >>>>>>>> beneficial for applications using HPKE for end-to-end encryption over HTTP >>>>>>>> if the HPKE recipient's public key could be published at the >>>>>>>> .well-known/jwks endpoint. COSE_Key representation may also be useful for >>>>>>>> CoAP-based end-to-end encryption apps in the same way. >>>>>>>> >>>>>>>> >>>>>>> Yes, I agree that representing keys in JSON and CBOR is valuable to >>>>>>> many use cases outside of COSE and JOSE. >>>>>>> >>>>>>> c) I wanted to consolidate the definitions of all expected alg >>>>>>>> values (HPKE-v1-{Base, Auth, PSK, AuthPSK}) into one document. Although I >>>>>>>> had agreed with the opinion that the COSE-HPKE should focus only on the >>>>>>>> Base mode, I thought it would be better to have all alg values for HPKE >>>>>>>> modes consolidated into one document. If this draft is adopted as a working >>>>>>>> group document, I was thinking of proposing to move the definition of alg >>>>>>>> values from the COSE-HPKE spec to this draft. >>>>>>>> >>>>>>>> Regarding (a), for example, the key representation for secp256k1 >>>>>>>> has both JWK and COSE_Key formats defined (RFC8812), and the recent >>>>>>>> post-quantum key representation proposed by Mike Prorock also has both JWK >>>>>>>> and COSE_Key formats defined. >>>>>>>> >>>>>>> >>>>>>> Yes, I generated the current JWK / JWS test vectors for those >>>>>>> drafts, the first thing I did, was the key format... the second thing I did >>>>>>> was the envelope format for the signatures: >>>>>>> >>>>>>> >>>>>>> https://github.com/mesur-io/post-quantum-signatures/blob/main/test-vectors/suites/dilithium-pqcrypto/jwk.js >>>>>>> >>>>>>> https://github.com/mesur-io/post-quantum-signatures/blob/main/test-vectors/suites/dilithium-pqcrypto/jws.js >>>>>>> >>>>>>> When I implemented the signature interface, it took a JWK private >>>>>>> key, not a "raw dilithium 3 private key"... the thought process there was >>>>>>> that it should reject a key that had been restricted to a different >>>>>>> algorithm... >>>>>>> >>>>>>> Meaning you can always ask for ES256K from a key restricted to >>>>>>> EdDSA... but that should error, before an expensive / sensitive operation >>>>>>> is attempted. >>>>>>> >>>>>>> Same thing on the verify side: >>>>>>> The verify interface takes a public key in JWK format, not a "raw >>>>>>> dilithium 3 public key". >>>>>>> You can try to verify ES256K with a key restricted to EdDSA... that >>>>>>> should also error, before an expensive / sensitive operation is attempted. >>>>>>> >>>>>>> It is natural to ask for an operation from a key that is restricted >>>>>>> to a single algorithm, this won't always be the case, since "alg" is >>>>>>> optional, but it should be well supported for developers who want to build >>>>>>> safer APIs. >>>>>>> >>>>>>> If we follow recent conventions, it would be better to define both >>>>>>>> COSE_Key and JWK representations together, don't you think? As I also >>>>>>>> mentioned in the slides for IETF116, in the EUDCC (EU Digital COVID >>>>>>>> Certificate) where COSE has been adopted, the public keys for signature >>>>>>>> verification were distributed in JWK format. JWK format is also useful for >>>>>>>> COSE. >>>>>>>> >>>>>>>> >>>>>>> Yes, I agree they should be done together, see RFC 8812. >>>>>>> >>>>>>> I disagree that they should be done separate from "alg", here is a >>>>>>> short list of RFCs that define both "alg" and "kty" / "crv" together: >>>>>>> >>>>>>> - https://www.rfc-editor.org/rfc/rfc8812 >>>>>>> - https://www.rfc-editor.org/rfc/rfc8037 >>>>>>> - https://www.rfc-editor.org/rfc/rfc8152.html >>>>>>> >>>>>>> >>>>>>>> If it is concluded that JWK should not be defined together, and >>>>>>>> that the definition of key representation should be limited to the HPKE >>>>>>>> Base mode, and that other HPKE modes should not be defined at this point, >>>>>>>> then it may indeed be better to merge this draft into the COSE-HPKE spec. >>>>>>>> On the other hand, if there is room for discussion on these issues, I think >>>>>>>> it would be appropriate to consider it as an independent draft currently. >>>>>>>> We can merge it into the COSE-HPKE spec at any time. What do you think? >>>>>>>> >>>>>>>> >>>>>>> I think you should continue working on it as an I-D, find >>>>>>> co-authors, implement library support for it, confirm your representations >>>>>>> align with previous libraries, and conventions their uses will assume, and >>>>>>> continue to press COSE HPKE to integrate reasonable key representation into >>>>>>> the same document that discussed "senders" and "recipients" and assumed >>>>>>> "they have already obtained each other's keys" : ) >>>>>>> >>>>>>> I recommend reviewing the experience provided here: >>>>>>> >>>>>>> - >>>>>>> https://github.com/panva/jose/blob/a505724d72705b8bfab8026af45678b2a5534bf4/docs/classes/jwe_general_encrypt.GeneralEncrypt.md >>>>>>> - https://github.com/potatosalad/erlang-jose >>>>>>> - https://docs.authlib.org/en/latest/jose/jwe.html >>>>>>> - https://github.com/cisco/cjose/blob/master/src/jwe.c >>>>>>> - https://github.com/digitalbazaar/minimal-cipher >>>>>>> >>>>>>> You might also look at previous related drafts: >>>>>>> >>>>>>> - >>>>>>> https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 >>>>>>> >>>>>>> >>>>>>>> Best, >>>>>>>> AJITOMI Daisuke >>>>>>>> >>>>>>>> 2023年4月16日(日) 14:12 Ilari Liusvaara <ilariliusvaara@welho.com>: >>>>>>>> >>>>>>>>> On Sat, Apr 15, 2023 at 10:33:37AM -0500, Orie Steele wrote: >>>>>>>>> > Thank you for this wonderful breakdown! >>>>>>>>> > >>>>>>>>> > On Fri, Apr 14, 2023 at 4:00 PM Laurence Lundblade < >>>>>>>>> lgl@island-resort.com> >>>>>>>>> > wrote: >>>>>>>>> > >>>>>>>>> > When we say "public key" in a CRFG document, I think it is >>>>>>>>> reasonable to >>>>>>>>> > assume no specific representation (JWK, COSE Key, PGP, etc...) >>>>>>>>> > >>>>>>>>> > As a side note, HPKE requires more than just having a recipient >>>>>>>>> public key, >>>>>>>>> > it also requires knowledge of the recipient supported >>>>>>>>> algorithms... (this >>>>>>>>> > is extremely obvious per the security considerations). >>>>>>>>> > It is natural to assume this will be solved differently in COSE, >>>>>>>>> PGP, >>>>>>>>> > etc... >>>>>>>>> > Maybe it is in the key representation, maybe it is via >>>>>>>>> negotiation, as you >>>>>>>>> > mentioned earlier... >>>>>>>>> > >>>>>>>>> > But it has to actually be solved for, or the sender is just >>>>>>>>> guessing that >>>>>>>>> > the recipient will be able to process their messages. >>>>>>>>> >>>>>>>>> Well, in store-and-forward system like COSE or JOSE, there are >>>>>>>>> really >>>>>>>>> only two ways: >>>>>>>>> >>>>>>>>> - negotiation. >>>>>>>>> - assume based on application. >>>>>>>>> >>>>>>>>> And when it comes to COSE and JOSE, there are no usable negotation >>>>>>>>> capabilties, so it is the latter: assuming based on application. >>>>>>>>> >>>>>>>>> >>>>>>>>> > When we say "public key" in a COSE WG document, >>>>>>>>> > folks will want to be sure if we are talking about the "abstract >>>>>>>>> concept of >>>>>>>>> > a public key" >>>>>>>>> > or a concrete serialization conforming to normative requirements >>>>>>>>> (JWK >>>>>>>>> > Public Key or COSE Public Key). >>>>>>>>> > >>>>>>>>> > Holding a JWK or COSE "public key" with an algorithm, 🔥 has >>>>>>>>> historically >>>>>>>>> > meant 🔥 holding a recipient's encryption preferences. >>>>>>>>> >>>>>>>>> No, this is not correct. And this has been the case since the first >>>>>>>>> RFCs for both. >>>>>>>>> >>>>>>>>> >>>>>>>>> > There is no precedent for COSE Key or JWK containing >>>>>>>>> "preferences for >>>>>>>>> > parameterization" in addition to a "restriction of key use". >>>>>>>>> >>>>>>>>> However, there is precedent for parametrization. For both COSE and >>>>>>>>> JOSE, since the first RFCs. >>>>>>>>> >>>>>>>>> >>>>>>>>> > You can imagine COSE HPKE asking IANA to update the COSE >>>>>>>>> registry to >>>>>>>>> > communicate that "hkc" is bound to a specific value of "alg", >>>>>>>>> similar to >>>>>>>>> > how -27 is bound to "kty". >>>>>>>>> > (! 🔥 kty and alg confusion intensifies... ) >>>>>>>>> >>>>>>>>> There is no precedent for key parameter being bound to "alg". Being >>>>>>>>> bound to "kty" yes (that is the difference between the two kinds of >>>>>>>>> key parameters in COSE). And in JOSE, analogous split exists, even >>>>>>>>> if >>>>>>>>> it is not explicit in registeries. >>>>>>>>> >>>>>>>>> >>>>>>>>> > ... I prefer to imagine requesting registration of a few good >>>>>>>>> choices for >>>>>>>>> > HPKE COSE (to start), and not importing every option under the >>>>>>>>> sun by >>>>>>>>> > default from the CFRG established registries here: >>>>>>>>> > >>>>>>>>> > How many other preferences would we need to register? Only the >>>>>>>>> ones people >>>>>>>>> > actually want to use, and *they* need to do *some* work to >>>>>>>>> justify why this >>>>>>>>> > is a good idea... >>>>>>>>> >>>>>>>>> With a few plausible extensions to HPKE, over 70. >>>>>>>>> >>>>>>>>> As for how many there currently would be, either 12 or *none at >>>>>>>>> all*, >>>>>>>>> depending on how exactly one defines things. >>>>>>>>> >>>>>>>>> >>>>>>>>> > we don't just hand out a blank check, and leave COSE >>>>>>>>> implementers on the >>>>>>>>> > hook for an ever expanding bill of CFRG registered algorithms. >>>>>>>>> >>>>>>>>> Currently, it is not COSE-HPKE that is on the hook for HPKE >>>>>>>>> algorithms, >>>>>>>>> it is HPKE itself. Just modified my test code to make the following >>>>>>>>> work (with COSE-HPKE code having absolutely no idea what is going >>>>>>>>> on): >>>>>>>>> >>>>>>>>> $ target/debug/cose-hpke-keygen /tmp/mystery-key.key TYPE21 >>>>>>>>> $ echo "The crow flies at midnight" >/tmp/message >>>>>>>>> $ target/debug/cose-hpke-encrypt --algorithm=TYPE2 /tmp/message >>>>>>>>> /tmp/mystery-key.key.pub >>>>>>>>> $ target/debug/cose-hpke-decrypt /tmp/message.chpke >>>>>>>>> /tmp/mystery-key.key.priv >>>>>>>>> $ cat /tmp/message.chpke.decrypted >>>>>>>>> The crow flies at midnight >>>>>>>>> $ >>>>>>>>> >>>>>>>>> In contrast, registering explicit algs would make COSE >>>>>>>>> implementers to >>>>>>>>> be on hook for the bill. >>>>>>>>> >>>>>>>>> And for JWK, explicit algs is non-starter. >>>>>>>>> >>>>>>>>> >>>>>>>>> > HPKE is not actually usable in COSE without some work from this >>>>>>>>> working >>>>>>>>> > group, >>>>>>>>> > we should not defer our responsibility to the (first ever, IIRC) >>>>>>>>> CFRG >>>>>>>>> > established registry, >>>>>>>>> > it is not going to feel good for developers, if we try to start >>>>>>>>> a 5 guy >>>>>>>>> > revolution while the world is trying to upgrade to post quantum >>>>>>>>> encryption. >>>>>>>>> >>>>>>>>> HPKE and its implementation has to update anyway for post-quantum. >>>>>>>>> >>>>>>>>> But does COSE-HPKE and its implementation *also* have to update for >>>>>>>>> post-quantum? >>>>>>>>> >>>>>>>>> With updated HPKE implementation, in the example above, replacing >>>>>>>>> "TYPE21" with "TYPE30" would have enabled Post-Quantum. >>>>>>>>> >>>>>>>>> TODO: Make the code dynamically link against HPKE library. >>>>>>>>> >>>>>>>>> >>>>>>>>> > > Up until COSE_HPKE, 1) and 2) are a single integer >>>>>>>>> ciphersuite. Probably >>>>>>>>> > > anyone doing 3) up to until COSE_HPKE would also use the >>>>>>>>> single integer too. >>>>>>>>> > > >>>>>>>>> > >>>>>>>>> > Agreed. >>>>>>>>> >>>>>>>>> I don't agree. Even ignoring keys, no single integer ciphersuite >>>>>>>>> ever >>>>>>>>> existed in COSE. >>>>>>>>> >>>>>>>>> >>>>>>>>> > > draft-ietf-cose-hpke has addressed 1) with the new >>>>>>>>> HPKE_sender_info header >>>>>>>>> > > parameter. Now the algorithm used is a special ciphersuite >>>>>>>>> identifier that >>>>>>>>> > > indicates further details in an additional parameter. >>>>>>>>> > > >>>>>>>>> > Agreed, there are "proposals for revolution", which I am all >>>>>>>>> for, if they >>>>>>>>> > are coming from enough reviewers / implementers. >>>>>>>>> > I am happy to withdraw my objection if overwhelmed by counter >>>>>>>>> arguments, I >>>>>>>>> > don't find the current arguments from Ilari compelling, but I >>>>>>>>> appreciate >>>>>>>>> > his consistent engagement. >>>>>>>>> >>>>>>>>> If performing asymmetric encryption with COSE or JOSE, there is >>>>>>>>> already >>>>>>>>> further details in additional parameter. >>>>>>>>> >>>>>>>>> >>>>>>>>> > > - In COSE_HPKE we’re requiring algorithm identification be >>>>>>>>> made up of a >>>>>>>>> > > special ciphersuite and a triple. This will/should apply in >>>>>>>>> all contexts >>>>>>>>> > > where COSE algorithm IDs are used. Maybe we should try to >>>>>>>>> unify the >>>>>>>>> > > definition of this in draft-ietf-cose-hpke >>>>>>>>> > > and draft-ajitomi-cose-cose-key-jwk-hpke-kem? >>>>>>>>> > > >>>>>>>>> > I don't think we need another document. >>>>>>>>> > >>>>>>>>> > I think we should bend the knee to convention in COSE HPKE, even >>>>>>>>> over the >>>>>>>>> > objections of Ilari and Daisuke... (assuming they persist in >>>>>>>>> advocating for >>>>>>>>> > parameterization of alg). >>>>>>>>> > >>>>>>>>> > UNLESS, we have clear consensus on proceeding with a revolution, >>>>>>>>> for that I >>>>>>>>> > would want to see a lot more engagement :) >>>>>>>>> >>>>>>>>> Well, speaking for myself, I will continue advocating >>>>>>>>> parametrization. >>>>>>>>> >>>>>>>>> Engagement seems to be very limited for COSE-HPKE. >>>>>>>>> >>>>>>>>> >>>>>>>>> > > My opinions on 3) are: >>>>>>>>> > > - The use cases are too widely varying for anyone to define an >>>>>>>>> actual >>>>>>>>> > > protocol >>>>>>>>> > > - draft-ajitomi-cose-cose-key-jwk-hpke-kem can only work for a >>>>>>>>> small >>>>>>>>> > > fraction of negotiation use cases — those that use COSE_Key >>>>>>>>> for negotiation >>>>>>>>> > > - We might generalize the HPKE COSE algorithm identifier >>>>>>>>> definition so the >>>>>>>>> > > same thing can be used for 1), 2) and 3). That is probably >>>>>>>>> splitting HPKE_sender_info >>>>>>>>> > > into two, one structure that is the algorithm ID and one is >>>>>>>>> the enc info. >>>>>>>>> > > We still wouldn’t define actual protocol for 3) but we would >>>>>>>>> have a clear >>>>>>>>> > > common method for COSE HPKE algorithm identification that >>>>>>>>> anyone could use >>>>>>>>> > > for their use-case specific negotiation protocol. >>>>>>>>> > > >>>>>>>>> > I agree with you on 3. >>>>>>>>> >>>>>>>>> I do not see how that would work. >>>>>>>>> >>>>>>>>> And I think that negotiation mechanism that would work for >>>>>>>>> majority of >>>>>>>>> use cases would be straightforward extension of the key draft. No >>>>>>>>> splitting needed. >>>>>>>>> >>>>>>>>> The question is, given that we have not needed negotiation >>>>>>>>> mechanism in >>>>>>>>> the past, why do we need one now? >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -Ilari >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> COSE mailing list >>>>>>>>> COSE@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/cose >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> *ORIE STEELE* >>>>>>> Chief Technical Officer >>>>>>> www.transmute.industries >>>>>>> >>>>>>> <https://www.transmute.industries> >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> *ORIE STEELE* >>>>> Chief Technical Officer >>>>> www.transmute.industries >>>>> >>>>> <https://www.transmute.industries> >>>>> >>>> >>> >>> -- >>> *ORIE STEELE* >>> Chief Technical Officer >>> www.transmute.industries >>> >>> <https://www.transmute.industries> >>> >> > > -- > *ORIE STEELE* > Chief Technical Officer > www.transmute.industries > > <https://www.transmute.industries> >
- [COSE] Call for Adoption: draft-ajitomi-cose-cose… Ivaylo Petrov
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Hannes Tschofenig
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Mike Prorock
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Laurence Lundblade
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Laurence Lundblade
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Ilari Liusvaara
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Laurence Lundblade
- Re: [COSE] Call for Adoption: draft-ajitomi-cose-… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Orie Steele
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [EXT] Re: [jose] Call for Adoption: dr… Blumenthal, Uri - 0553 - MITLL
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Hannes Tschofenig
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… AJITOMI Daisuke
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Laurence Lundblade
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara
- Re: [COSE] [jose] Call for Adoption: draft-ajitom… Ilari Liusvaara