Re: [COSE] [jose] Call for Adoption: draft-ajitomi-cose-cose-key-jwk-hpke-kem

[Orie Steele <orie@transmute.industries>]

Inline:

On Sun, Apr 16, 2023 at 3:10 PM AJITOMI Daisuke <ajitomi@gmail.com> wrote:

> Hi Orie,
>
> > 8812 defined an "alg" and key representations for JWK and COSE Key in
> one document.
>
> At least, I want to define both key representations and alg values in the
> same draft if possible as I mentioned in the previous mail as follows:
>
> > > If this draft is adopted as a working group document, I was thinking
> of proposing to move the definition of alg values from the COSE-HPKE spec
> to this draft.
>
> And I don't think defining alg values other than HPKE-v1-Base beforehand
> is as bad an idea as Ilari suggests.
>
> The mode-dependent processing in HPKE is all confined to the KEM step and
> all HPKE modes are clearly defined within the HPKE spec (RFC9180), and it
> is evident that this does not affect the key representation for KEM and the
> "hkc" structure.
>
> I thought you believed that JWK and COSE_Key for HPKE should be defined
> simultaneously (in the same draft), or am I mistaken?
> If you think JWK and COSE_Key should be defined together, separating the
> key representation draft from the COSE-HPKE might not be a bad idea.
>
>
Yes, I believe the JWK and COSE Key Representations for HPKE should be
defined together.

I would have started with this part, since HPKE assumes the sender has the
recipient's key, and that they have agreed to mutually supported algorithms.

Holding a restricted key is a natural way to capture this assumption,
although it is not the only way to achieve it.


> Best,
> AJITOMI Daisuke
>
> 2023年4月16日(日) 23:09 Orie Steele <orie@transmute.industries>:
>
>>
>> Inline:
>>
>> On Sun, Apr 16, 2023 at 7:06 AM AJITOMI Daisuke <ajitomi@gmail.com>
>> wrote:
>>
>>> Hi Orie,
>>>
>>> Sorry for the late reply. I think I will be able to respond more quickly
>>> starting from this week...
>>> Thank you for the feedback on my draft.
>>>
>>> I think there are several topics mixed in this thread, but first, I'd
>>> like to comment on whether this draft should be merged into the existing
>>> COSE-HPKE spec.
>>>
>>>
>> Agreed, Laurence has summarized them well.
>>
>> 1. "alg" in Headers
>> 2. "alg" & "kty" in COSE Key and JWK
>> 3. Negotiation of "alg"
>>
>> The reasons why I proposed this draft as an independent specification
>>> separate from COSE-HPKE are as follows:
>>>
>>> a) I wanted to define not only COSE_Key but also JWK representation
>>> together for HPKE. This is the biggest reason.
>>>
>>
>> 8812 defined an "alg" and key representations for JWK and COSE Key in one
>> document.
>>
>> - https://www.rfc-editor.org/rfc/rfc8812
>>
>>
>>>
>>> b) Key representation is essentially independent of the COSE message
>>> format and can be used for various applications unrelated to COSE or JOSE.
>>> As I mentioned in the slides for IETF116, I thought it would be beneficial
>>> for applications using HPKE for end-to-end encryption over HTTP if the HPKE
>>> recipient's public key could be published at the .well-known/jwks endpoint.
>>> COSE_Key representation may also be useful for CoAP-based end-to-end
>>> encryption apps in the same way.
>>>
>>>
>> Yes,  I agree that representing keys in JSON and CBOR is valuable to many
>> use cases outside of COSE and JOSE.
>>
>> c) I wanted to consolidate the definitions of all expected alg values
>>> (HPKE-v1-{Base, Auth, PSK, AuthPSK}) into one document. Although I had
>>> agreed with the opinion that the COSE-HPKE should focus only on the Base
>>> mode, I thought it would be better to have all alg values for HPKE modes
>>> consolidated into one document. If this draft is adopted as a working group
>>> document, I was thinking of proposing to move the definition of alg values
>>> from the COSE-HPKE spec to this draft.
>>>
>>> Regarding (a), for example, the key representation for secp256k1 has
>>> both JWK and COSE_Key formats defined (RFC8812), and the recent
>>> post-quantum key representation proposed by Mike Prorock also has both JWK
>>> and COSE_Key formats defined.
>>>
>>
>> Yes, I generated the current JWK / JWS test vectors for those drafts, the
>> first thing I did, was the key format... the second thing I did was the
>> envelope format for the signatures:
>>
>>
>> https://github.com/mesur-io/post-quantum-signatures/blob/main/test-vectors/suites/dilithium-pqcrypto/jwk.js
>>
>> https://github.com/mesur-io/post-quantum-signatures/blob/main/test-vectors/suites/dilithium-pqcrypto/jws.js
>>
>> When I implemented the signature interface, it took a JWK private key,
>> not a "raw dilithium 3 private key"... the thought process there was that
>> it should reject a key that had been restricted to a different algorithm...
>>
>> Meaning you can always ask for ES256K from a key restricted to EdDSA...
>> but that should error, before an expensive / sensitive operation is
>> attempted.
>>
>> Same thing on the verify side:
>> The verify interface takes a public key in JWK format, not a "raw
>> dilithium 3 public key".
>> You can try to verify ES256K with a key restricted to EdDSA... that
>> should also error, before an expensive / sensitive operation is attempted.
>>
>> It is natural to ask for an operation from a key that is restricted to a
>> single algorithm, this won't always be the case, since "alg" is optional,
>> but it should be well supported for developers who want to build safer APIs.
>>
>> If we follow recent conventions, it would be better to define both
>>> COSE_Key and JWK representations together, don't you think? As I also
>>> mentioned in the slides for IETF116, in the EUDCC (EU Digital COVID
>>> Certificate) where COSE has been adopted, the public keys for signature
>>> verification were distributed in JWK format. JWK format is also useful for
>>> COSE.
>>>
>>>
>> Yes, I agree they should be done together, see RFC 8812.
>>
>> I disagree that they should be done separate from "alg", here is a short
>> list of RFCs that define both "alg" and "kty" / "crv" together:
>>
>> - https://www.rfc-editor.org/rfc/rfc8812
>> - https://www.rfc-editor.org/rfc/rfc8037
>> - https://www.rfc-editor.org/rfc/rfc8152.html
>>
>>
>>> If it is concluded that JWK should not be defined together, and that the
>>> definition of key representation should be limited to the HPKE Base mode,
>>> and that other HPKE modes should not be defined at this point, then it may
>>> indeed be better to merge this draft into the COSE-HPKE spec. On the other
>>> hand, if there is room for discussion on these issues, I think it would be
>>> appropriate to consider it as an independent draft currently. We can merge
>>> it into the COSE-HPKE spec at any time. What do you think?
>>>
>>>
>> I think you should continue working on it as an I-D, find co-authors,
>> implement library support for it, confirm your representations align with
>> previous libraries, and conventions their uses will assume, and continue to
>> press COSE HPKE to integrate reasonable key representation into the same
>> document that discussed "senders" and "recipients" and assumed "they have
>> already obtained each other's keys" : )
>>
>> I recommend reviewing the experience provided here:
>>
>> -
>> https://github.com/panva/jose/blob/a505724d72705b8bfab8026af45678b2a5534bf4/docs/classes/jwe_general_encrypt.GeneralEncrypt.md
>> - https://github.com/potatosalad/erlang-jose
>> - https://docs.authlib.org/en/latest/jose/jwe.html
>> - https://github.com/cisco/cjose/blob/master/src/jwe.c
>> - https://github.com/digitalbazaar/minimal-cipher
>>
>> You might also look at previous related drafts:
>>
>> - https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04
>>
>>
>>> Best,
>>> AJITOMI Daisuke
>>>
>>> 2023年4月16日(日) 14:12 Ilari Liusvaara <ilariliusvaara@welho.com>:
>>>
>>>> On Sat, Apr 15, 2023 at 10:33:37AM -0500, Orie Steele wrote:
>>>> > Thank you for this wonderful breakdown!
>>>> >
>>>> > On Fri, Apr 14, 2023 at 4:00 PM Laurence Lundblade <
>>>> lgl@island-resort.com>
>>>> > wrote:
>>>> >
>>>> > When we say "public key" in a CRFG document, I think it is reasonable
>>>> to
>>>> > assume no specific representation (JWK, COSE Key, PGP, etc...)
>>>> >
>>>> > As a side note, HPKE requires more than just having a recipient
>>>> public key,
>>>> > it also requires knowledge of the recipient supported algorithms...
>>>> (this
>>>> > is extremely obvious per the security considerations).
>>>> > It is natural to assume this will be solved differently in COSE, PGP,
>>>> > etc...
>>>> > Maybe it is in the key representation, maybe it is via negotiation,
>>>> as you
>>>> > mentioned earlier...
>>>> >
>>>> > But it has to actually be solved for, or the sender is just guessing
>>>> that
>>>> > the recipient will be able to process their messages.
>>>>
>>>> Well, in store-and-forward system like COSE or JOSE, there are really
>>>> only two ways:
>>>>
>>>> - negotiation.
>>>> - assume based on application.
>>>>
>>>> And when it comes to COSE and JOSE, there are no usable negotation
>>>> capabilties, so it is the latter: assuming based on application.
>>>>
>>>>
>>>> > When we say "public key" in a COSE WG document,
>>>> > folks will want to be sure if we are talking about the "abstract
>>>> concept of
>>>> > a public key"
>>>> > or a concrete serialization conforming to normative requirements (JWK
>>>> > Public Key or COSE Public Key).
>>>> >
>>>> > Holding a JWK or COSE "public key" with an algorithm, 🔥 has
>>>> historically
>>>> > meant 🔥 holding a recipient's encryption preferences.
>>>>
>>>> No, this is not correct. And this has been the case since the first
>>>> RFCs for both.
>>>>
>>>>
>>>> > There is no precedent for COSE Key or JWK containing "preferences for
>>>> > parameterization" in addition to a "restriction of key use".
>>>>
>>>> However, there is precedent for parametrization. For both COSE and
>>>> JOSE, since the first RFCs.
>>>>
>>>>
>>>> > You can imagine COSE HPKE asking IANA to update the COSE registry to
>>>> > communicate that "hkc" is bound to a specific value of "alg", similar
>>>> to
>>>> > how -27 is bound to "kty".
>>>> > (! 🔥 kty and alg confusion intensifies... )
>>>>
>>>> There is no precedent for key parameter being bound to "alg". Being
>>>> bound to "kty" yes (that is the difference between the two kinds of
>>>> key parameters in COSE). And in JOSE, analogous split exists, even if
>>>> it is not explicit in registeries.
>>>>
>>>>
>>>> > ... I prefer to imagine requesting registration of a few good choices
>>>> for
>>>> > HPKE COSE (to start), and not importing every option under the sun by
>>>> > default from the CFRG established registries here:
>>>> >
>>>> > How many other preferences would we need to register? Only the ones
>>>> people
>>>> > actually want to use, and *they* need to do *some* work to justify
>>>> why this
>>>> > is a good idea...
>>>>
>>>> With a few plausible extensions to HPKE, over 70.
>>>>
>>>> As for how many there currently would be, either 12 or *none at all*,
>>>> depending on how exactly one defines things.
>>>>
>>>>
>>>> > we don't just hand out a blank check, and leave COSE implementers on
>>>> the
>>>> > hook for an ever expanding bill of CFRG registered algorithms.
>>>>
>>>> Currently, it is not COSE-HPKE that is on the hook for HPKE algorithms,
>>>> it is HPKE itself. Just modified my test code to make the following
>>>> work (with COSE-HPKE code having absolutely no idea what is going on):
>>>>
>>>> $ target/debug/cose-hpke-keygen /tmp/mystery-key.key TYPE21
>>>> $ echo "The crow flies at midnight" >/tmp/message
>>>> $ target/debug/cose-hpke-encrypt --algorithm=TYPE2 /tmp/message
>>>> /tmp/mystery-key.key.pub
>>>> $ target/debug/cose-hpke-decrypt /tmp/message.chpke
>>>> /tmp/mystery-key.key.priv
>>>> $ cat /tmp/message.chpke.decrypted
>>>> The crow flies at midnight
>>>> $
>>>>
>>>> In contrast, registering explicit algs would make COSE implementers to
>>>> be on hook for the bill.
>>>>
>>>> And for JWK, explicit algs is non-starter.
>>>>
>>>>
>>>> > HPKE is not actually usable in COSE without some work from this
>>>> working
>>>> > group,
>>>> > we should not defer our responsibility to the (first ever, IIRC) CFRG
>>>> > established registry,
>>>> > it is not going to feel good for developers, if we try to start a 5
>>>> guy
>>>> > revolution while the world is trying to upgrade to post quantum
>>>> encryption.
>>>>
>>>> HPKE and its implementation has to update anyway for post-quantum.
>>>>
>>>> But does COSE-HPKE and its implementation *also* have to update for
>>>> post-quantum?
>>>>
>>>> With updated HPKE implementation, in the example above, replacing
>>>> "TYPE21" with "TYPE30" would have enabled Post-Quantum.
>>>>
>>>> TODO: Make the code dynamically link against HPKE library.
>>>>
>>>>
>>>> > > Up until COSE_HPKE, 1) and 2) are a single integer ciphersuite.
>>>> Probably
>>>> > > anyone doing 3) up to until COSE_HPKE would also use the single
>>>> integer too.
>>>> > >
>>>> >
>>>> > Agreed.
>>>>
>>>> I don't agree. Even ignoring keys, no single integer ciphersuite ever
>>>> existed in COSE.
>>>>
>>>>
>>>> > > draft-ietf-cose-hpke has addressed 1) with the new HPKE_sender_info
>>>> header
>>>> > > parameter. Now the algorithm used is a special ciphersuite
>>>> identifier that
>>>> > > indicates further details in an additional parameter.
>>>> > >
>>>> > Agreed, there are "proposals for revolution", which I am all for, if
>>>> they
>>>> > are coming from enough reviewers / implementers.
>>>> > I am happy to withdraw my objection if overwhelmed by counter
>>>> arguments, I
>>>> > don't find the current arguments from Ilari compelling, but I
>>>> appreciate
>>>> > his consistent engagement.
>>>>
>>>> If performing asymmetric encryption with COSE or JOSE, there is already
>>>> further details in additional parameter.
>>>>
>>>>
>>>> > > - In COSE_HPKE we’re requiring algorithm identification be made up
>>>> of a
>>>> > > special ciphersuite and a triple. This will/should apply in all
>>>> contexts
>>>> > > where COSE algorithm IDs are used.  Maybe we should try to unify the
>>>> > > definition of this in draft-ietf-cose-hpke
>>>> > > and draft-ajitomi-cose-cose-key-jwk-hpke-kem?
>>>> > >
>>>> > I don't think we need another document.
>>>> >
>>>> > I think we should bend the knee to convention in COSE HPKE, even over
>>>> the
>>>> > objections of Ilari and Daisuke... (assuming they persist in
>>>> advocating for
>>>> > parameterization of alg).
>>>> >
>>>> > UNLESS, we have clear consensus on proceeding with a revolution, for
>>>> that I
>>>> > would want to see a lot more engagement :)
>>>>
>>>> Well, speaking for myself, I will continue advocating parametrization.
>>>>
>>>> Engagement seems to be very limited for COSE-HPKE.
>>>>
>>>>
>>>> > > My opinions on 3) are:
>>>> > > - The use cases are too widely varying for anyone to define an
>>>> actual
>>>> > > protocol
>>>> > > - draft-ajitomi-cose-cose-key-jwk-hpke-kem can only work for a small
>>>> > > fraction of negotiation use cases — those that use COSE_Key for
>>>> negotiation
>>>> > > - We might generalize the HPKE COSE algorithm identifier definition
>>>> so the
>>>> > > same thing can be used for 1), 2) and 3).  That is probably
>>>> splitting HPKE_sender_info
>>>> > > into two, one structure that is the algorithm ID and one is the enc
>>>> info.
>>>> > > We still wouldn’t define actual protocol for 3) but we would have a
>>>> clear
>>>> > > common method for COSE HPKE algorithm identification that anyone
>>>> could use
>>>> > > for their use-case specific negotiation protocol.
>>>> > >
>>>> > I agree with you on 3.
>>>>
>>>> I do not see how that would work.
>>>>
>>>> And I think that negotiation mechanism that would work for majority of
>>>> use cases would be straightforward extension of the key draft. No
>>>> splitting needed.
>>>>
>>>> The question is, given that we have not needed negotiation mechanism in
>>>> the past, why do we need one now?
>>>>
>>>>
>>>>
>>>> -Ilari
>>>>
>>>> _______________________________________________
>>>> COSE mailing list
>>>> COSE@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/cose
>>>>
>>>
>>
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>