Re: [COSE] COSE HPKE Public Key Format Consensus Call
AJITOMI Daisuke <ajitomi@gmail.com> Mon, 26 September 2022 22:35 UTC
Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1BA3C14F743 for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 15:35:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TdAMeplKQHqK for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 15:35:02 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54FDCC14F72C for <cose@ietf.org>; Mon, 26 Sep 2022 15:35:02 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id rk17so3913275ejb.1 for <cose@ietf.org>; Mon, 26 Sep 2022 15:35:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=L1VMquvvk/+QFJaP4PZjxkz14Y+NqT0lUqImWuSB8js=; b=Fbe+Xj3ZBcjXYLS1zE74Qd5SQY5IZ4TTYlPeyzmHWPeLmE3MxCtSzf9CyO/z85OCuj SZitRHveg6X0FKlWhg7MEzRRZSRH7HV5TmJXFnPQQ0YnukYbpbypkE/U5Y4soRwRj5+/ Mpo+CKtwnRF2RETDFZTRDNJzDUTs6XOxuCZxHnz0sDi2ZCxjeQXBmgNFGvClZsZkcCS2 /r4PN9bDxd4hVgrDxtwil6rEOm3jQ+pXvPg6NPWQgnhajJHf/8386m0B7owDf6wNYvj5 ofjsmUlEWUiWlu3S7w9dE/SM7vo+gMqU7P6r/czbB4Obvi+fqE8J/GWmPFffpqO+1D83 CgJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=L1VMquvvk/+QFJaP4PZjxkz14Y+NqT0lUqImWuSB8js=; b=5znu5qxztXP/dUiBzz6N75BO+IodWIYVvTbWMTB2Q0qNXecRoZ3+fhYrJPaxPJM0Ap ihP9GI6qBRHuZ73NvE4EsSKbTqe04BhbrfC8HDLXsrfP/zADhEuzEXtj2gGY+oU8A3LT JADPD52GlJvRrWG7UrBjRBlsH4+SIbnJHtIEcwUBukDxTHA4zIi2nMn7xEc/7oEOUQGy cErOVWmtVRvWmrDdXs9luJjmo1sPlu5b58qcORek53bVtj0OriC5SSDF0VJav+hcwI3R 4aPW5meAa2IPBVbEtBlWfpo7TjpVLQSJZdtEWofVk+/Rizaig/N0CxjmQ+g2ek45epXN TX1w==
X-Gm-Message-State: ACrzQf1j8afQfH0D3LyRT9ThWpiL89CnGqNIUYT04yt1Iv7HhQZYbArQ JM6oao9j5ahrYww3K8kKXHHxvKCPWy68wqr0fBcqywwOyw==
X-Google-Smtp-Source: AMsMyM7xmRYBpvtxb0DUZHZKDF/sr4XyKuyQjfdeKH+L0G+zST/Kz96lnTTKHHjDAcJgybezRJtAjy3VzRFovMc3fA4=
X-Received: by 2002:a17:907:6d19:b0:783:3846:d39 with SMTP id sa25-20020a1709076d1900b0078338460d39mr9135861ejc.396.1664231699999; Mon, 26 Sep 2022 15:34:59 -0700 (PDT)
MIME-Version: 1.0
References: <CO1PR00MB130824EBDD7C1420E9D3065CF54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <CAFWvErXY4NmpAr5SwN7UTsYmYJiL0HdxhmFrdPjpm0Ca0Hh++Q@mail.gmail.com> <DBBPR08MB59155B9005035B3365BCC12AFA529@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAFWvErXuQEASm7Z-ixEcYOGpnVPu6YM9MawWbYTttx9qYCB9Rg@mail.gmail.com> <DBBPR08MB591502A9BD42890E4DB31313FA529@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAN8C-_K8-XCg7J9g5mwAtY2Msy-kAOe65kAAuVuDtpFEkLMO9A@mail.gmail.com>
In-Reply-To: <CAN8C-_K8-XCg7J9g5mwAtY2Msy-kAOe65kAAuVuDtpFEkLMO9A@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Tue, 27 Sep 2022 07:34:48 +0900
Message-ID: <CAFWvErWxpXYtzSzkJxUd7vhOLC1+G1nvuNjpdOtA+fiAjZMVig@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004d6fb505e99c23e1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/oY2Ciw_bzbWaJKvhEMNx6midsOE>
Subject: Re: [COSE] COSE HPKE Public Key Format Consensus Call
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 22:35:07 -0000
Hi Orie, > I would expect ANY new 'alg' values to have some mapping to JWK / CWK. As Ilari mentioned, this is false for the encapsulated key in the first place but I'd like to know why the encapsulated key should be mapped to JWK/CWK. Why do you want to encode encapsulated keys to JWK/COSE_Key in spite of the fact that the encapsulated key (NOT recipient's public key) is generated and consumed inside the COSE-HPKE process and any applications don't need to know the format and don't need to handle the format directly? Additionally, please tell me why you can ignore the five shortcomings I mentioned on my slide. https://docs.google.com/presentation/d/1azfHu93NCm5M9KUbpbtRze7aitvpBAj9SxhpvHe877M Regards, Daisuke 2022年9月27日(火) 3:05 Orie Steele <orie@transmute.industries>: > > PQC public key encodings in COSE and then again in HPKE? > > Then, we have even more encodings of the same information. > > This is also my concern... But noting, > https://datatracker.ietf.org/doc/draft-prorock-cose-post-quantum-signatures/ > does not cover any relationship to HPKE... > We remained confused by the guidance being shared regarding COSE_Key and > registry requirements. > > I would expect ANY new 'alg' values to have some mapping to JWK / CWK. > > And for some (new) keys to support multiple algorithms in the future, for > example: > > kty: EC // if new stuff here or > crv: P-256 // new stuff here > alg: ES256 | ECDH-ES+A256KW // then new stuff here as well. > > IMO, keys control algorithms... not the other way round. > > Keys are generated for a purpose (use with an algorithm). > > It's fine for an algorithm to produce intermediate structures, and require > their specific processing... but if one of those structures is a key, such > as in JOSE the use of epk. > > https://www.rfc-editor.org/rfc/rfc7518.html#section-4.6.1.1 > > Then this structure needs its terms registered properly. > > I have heard some folks say that HPKE produces a structure which is like > `epk` but IS NOT a "standard key format (COSE_Key)"... > and therefore no registry update is needed to support it... *"opaque > byte strings to preserve agility with regard to the KEM"* > > I have also heard folks say that HPKE produces a structure that is like > `epk` and that IS a "standard key format (COSE_Key)"... > and that therefore a new registry update is necessary due to the need to > signal new `alg` values in that key format... *"In DHKEM, the > encapsulated value is a serialized public key"* > > I find that examples help here... in JOSE: > > Example JWE Header: > > { > *"alg": "ECDH-ES+A256KW",* > "enc": "A256GCM", > "epk": { > "x": "5cxzlgYyEspHzAhIWtnPDSZqzhWGUpRyDJ5M2EKg-D8", > "crv": "P-256", > "kty": "EC", > "y": "ECmJDhcuHOYtVQUukO8uxOErqcYk5ibyxqt-5IKXTcY" > } > } > > Example JWK: > > { > "kid": > "urn:ietf:params:oauth:jwk-thumbprint:sha-256:Dg1hH8e81xxGq0jaXxTl2dbyiabZAZtH0qDLRsT1VhA", > "kty": "EC", > "crv": "P-256", > * "alg": "ECDH-ES+A256KW",* > "key_ops": [ > "decrypt" > ], > ... > } > > From: > https://mailarchive.ietf.org/arch/msg/jose/IKIR_XusfHD26ewqZSt5ad2WUc8/ > > I am hearing that something like this is expected: > > Case 0: > > > https://www.rfc-editor.org/rfc/rfc9180.html#name-dhkemp-256-hkdf-sha256-hkdf- > > JWK: > > { > "kid": > "urn:ietf:params:oauth:jwk-thumbprint:sha-256:Dg1hH8e81xxGq0jaXxTl2dbyiabZAZtH0qDLRsT1VhA", > "kty": ... > "alg": " ** DHKEM ** +A256KW", > "key_ops": [ > "decrypt" > ], > ... > } > > JWE Header: > > { > "alg": " ** DHKEM ** +A256KW", // registry update for COSE Key required > "enc": "A256GCM", > "epk": { COSE_Key, JOSE_Key } > } > > But also: > > Case 1: > > ( Where is this in the RFC?, how do I refer to this case by name? ) > > JWK: > > { > "kid": > "urn:ietf:params:oauth:jwk-thumbprint:sha-256:Dg1hH8e81xxGq0jaXxTl2dbyiabZAZtH0qDLRsT1VhA", > "kty": ... > "alg": " ** **KEM** ** +A256KW", // registry update for COSE Key > required > "key_ops": [ > "decrypt" > ], > ... > } > > JWE Header > { > "alg": " ** KEM ** +A256KW", // registry update for COSE Key required > "enc": "A256GCM", > "kem": ** opaque byte string * *// registry update for HPKE required > } > > > Hopefully these examples are triggering enough to get a clearer proposal, > especially regarding case 1 which I still don't understand well enough. > > My "Case 0" matches this proposal: > > > 1. Continuing to use COSE_Key > > ^ I support this proposal. > > Regards, > > OS > > On Mon, Sep 26, 2022 at 12:08 PM Hannes Tschofenig < > Hannes.Tschofenig@arm.com> wrote: > >> Hi Daisuke, >> >> >> >> I have been working on code that is meant to be used on IoT devices. So, >> my focus is on reducing the overall code size on the device. >> >> >> >> Imagine there is a library implementing the COSE specification (or most >> of it). The COSE spec already defines various public key formats. >> >> >> >> Now, you are implementing COSE-HPKE and HPKE for this library. With the >> proposed encodings you are adding new encodings for how to carry the >> payloads in COSE. >> >> >> >> That’s what I mean by adding complexity. >> >> >> >> Just because something is processed in HPKE does not mean that the other >> code for the key representations in a COSE library suddenly vanishes. >> >> >> >> How long will it take for someone to come along and to propose various >> PQC public key encodings in COSE and then again in HPKE? >> >> Then, we have even more encodings of the same information. >> >> >> >> I think I have shared my view on this subject and let other people speak >> up because so far we have heard mostly from you, me, and Ilari. >> >> >> >> Ciao >> >> Hannes >> >> >> >> *From:* COSE <cose-bounces@ietf.org> *On Behalf Of * AJITOMI Daisuke >> *Sent:* Monday, September 26, 2022 1:57 PM >> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>; cose@ietf.org >> *Subject:* Re: [COSE] COSE HPKE Public Key Format Consensus Call >> >> >> >> Hi Hannes, >> >> > Here is my question to you: How do you deal with this added complexity? >> >> As I and Ilari mentioned before, the static recipient's public key and >> the encapsulated key (sender's ephemeral public key) are different things >> and the encoding format of them should also be considered separately. >> Having two encoding schemes is natural, and there is no complexity. >> >> From my point of view, the COSE-HPKE specification should only cover the >> latter encapsulated key format, so I will limit my discussion to the latter. >> >> In my proposal, an encapsulated key is a byte string output by the HPKE >> module as it is, and is put into the COSE message without any unnecessary >> conversion process. Thus, the implementation is very simple. In addition, >> there is no need to update the implementation when new HPKE algorithms are >> added. >> >> On the other hand, in the current draft, each time a new HPKE algorithm >> is added, an additional conversion process must be implemented to convert >> the encapsulated key to COSE_Key format. >> >> Indeed, as you point out, my proposal has 1 (COSE_Key structure for the >> recipient's public key[1]) + 1 (octet string for the encapsulated key) = 2 >> ways for key encoding, >> >> but the current draft has n + n = 2n (if there are n HPKE algorithms) >> ways. >> >> I think it is clear which is more complicated. >> >> >> >> In addition, to reiterate what I mentioned in my previous post[2], the >> encapsulated key is generated and consumed internally (in the >> COSE-HPKE process).It does not emerge on the COSE interface. >> >> While the recipient's public key and private keys need to be expressed >> with COSE_Key, there is no need to express the encapsulated key with >> COSE_Key. >> I believe that the dedicated data structure for HPKE sender >> information(consists of the encapsulated key and a selected HPKE cipher >> suite) should be introduced so that the COSE-HPKE process can be >> implemented as simply, effectively and securely as possible. >> >> >> >> Best regards, >> >> Daisuke >> >> >> >> [1] >> https://mailarchive.ietf.org/arch/msg/cose/Rg_AAtgOL4p9SdlXHyL8-0HSrI8/ >> (I suggested a JWK format for the recipient's public key here) >> >> [2] >> https://mailarchive.ietf.org/arch/msg/cose/IgS66HB4xTySUDb45vQlkJe_etQ/ >> >> 2022年9月26日(月) 16:34 Hannes Tschofenig <Hannes.Tschofenig@arm.com>: >> >> Hi Daisuke, >> >> >> >> With your proposal and Ilari’s proposal there are two ways to encode >> public keys in COSE libraries. This adds complexity. Complexity leads to >> security problems. >> >> >> >> Here is my question to you: How do you deal with this added complexity? >> >> (FWIW this is not something you mention in your comparison table.) >> >> >> >> Ciao >> Hannes >> >> >> >> *From:* COSE <cose-bounces@ietf.org> *On Behalf Of *AJITOMI Daisuke >> *Sent:* Friday, September 23, 2022 12:00 AM >> *To:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> >> *Cc:* cose@ietf.org >> *Subject:* Re: [COSE] COSE HPKE Public Key Format Consensus Call >> >> >> >> Thanks for initiating the consensus call. >> >> > 3. Other (please describe in sufficient detail to enable its >> specification) >> >> >> +1 to my proposal described in my previous post[1]. >> >> I have made a chart comparing my proposal to the current draft. As >> described in the chart, there are some problems with the current draft that >> cannot be overlooked. I would be happy if you could use it as a reference >> for your vote. >> >> https://docs.google.com/presentation/d/1azfHu93NCm5M9KUbpbtRze7aitvpBAj9SxhpvHe877M >> >> In addition, Mr. Richard Barnes also pointed out on the JOSE WG mailing >> list that it is incorrect to use COSE_Key to represent encapsulated >> keys[2]. I have the same opinion. >> >> >> As I mentioned repeatedly, the encoding format of the recipient public >> key and the encapsulated key (ephemeral sender's public key) should be >> considered separately. >> >> The former should be able to be expressed with COSE_Key, but the latter >> should not. >> >> Best regards, >> >> Daisuke >> >> [1] >> https://mailarchive.ietf.org/arch/msg/cose/ZY5v7jJr4SxHGIbeA3dgLC6eZDg/ >> [2] >> https://mailarchive.ietf.org/arch/msg/jose/IKIR_XusfHD26ewqZSt5ad2WUc8/ >> >> >> >> 2022年9月23日(金) 2:09 Mike Jones <Michael.Jones= >> 40microsoft.com@dmarc.ietf.org>: >> >> As discussed at IETF 114, the HPKE draft uses the COSE_Key public key >> representation. The authors described that Ilari Liusvaara had proposed >> using a different public key representation, which is detailed in Slide 2 >> of >> https://datatracker.ietf.org/meeting/114/materials/slides-114-cose-cose-hpke-00. >> As recorded in the minutes >> <https://datatracker.ietf.org/doc/minutes-114-cose/>, consensus during >> the meeting appeared to be in favor of continuing to use COSE_Key. >> >> >> >> This note initiates a consensus call by the chairs on the topic of what >> public key format the COSE HPKE specification will use. Working group >> members are requested to express their preferences within two weeks of this >> note (by Thursday, September 6th) for either: >> >> >> >> 1. Continuing to use COSE_Key >> >> 2. Using the different format proposed by Ilari Liusvaara >> >> 3. Other (please describe in sufficient detail to enable its >> specification) >> >> >> >> Thank you, >> >> -- Mike (for the COSE chairs) >> >> >> >> _______________________________________________ >> COSE mailing list >> COSE@ietf.org >> https://www.ietf.org/mailman/listinfo/cose >> >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose the >> contents to any other person, use it for any purpose, or store or copy the >> information in any medium. Thank you. >> >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose the >> contents to any other person, use it for any purpose, or store or copy the >> information in any medium. Thank you. >> _______________________________________________ >> COSE mailing list >> COSE@ietf.org >> https://www.ietf.org/mailman/listinfo/cose >> > > > -- > *ORIE STEELE* > Chief Technical Officer > www.transmute.industries > > <https://www.transmute.industries> >
- [COSE] COSE HPKE Public Key Format Consensus Call Mike Jones
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Hannes Tschofenig
- Re: [COSE] COSE HPKE Public Key Format Consensus … Ilari Liusvaara
- Re: [COSE] COSE HPKE Public Key Format Consensus … Ilari Liusvaara
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Hannes Tschofenig
- Re: [COSE] COSE HPKE Public Key Format Consensus … Orie Steele
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Ilari Liusvaara
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Hannes Tschofenig
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Orie Steele
- Re: [COSE] COSE HPKE Public Key Format Consensus … Russ Housley
- Re: [COSE] COSE HPKE Public Key Format Consensus … Ilari Liusvaara
- Re: [COSE] COSE HPKE Public Key Format Consensus … AJITOMI Daisuke
- Re: [COSE] COSE HPKE Public Key Format Consensus … Mike Jones