Re: [COSE] Draft IETF 117 COSE agenda
AJITOMI Daisuke <ajitomi@gmail.com> Thu, 20 July 2023 22:01 UTC
Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8871C151547 for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 15:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pcfb_0eGOLrJ for <cose@ietfa.amsl.com>; Thu, 20 Jul 2023 15:01:02 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B972CC151534 for <cose@ietf.org>; Thu, 20 Jul 2023 15:01:02 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-bcb6dbc477eso1080700276.1 for <cose@ietf.org>; Thu, 20 Jul 2023 15:01:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689890462; x=1690495262; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FXanCFIhqpM0uY5m5ybvmsO8sq9K6LugxyHg/7Di2nc=; b=lzQ43Divm+p09cGF+o1D3Gr5dBBCRypGeO9+ELAc+NK/vF/hkpmHW6Nj2g1wPQhn4P S31/m8gzik8tEGlzAu7sTIZXnxqBBGiyymUQcWNg3Elqg6SKTbF4sYfJ+oJTfdg7yZ0m Aucm/xKUrE8lx88HIjck3WG5GvzIq9/yNKox1mEnLGZbGEgPo1GKOh+OkK9hx3hmHxZM xy1yyAPdlh6V3kKmrkOpSkUKm9Gz4dO2/HYyZebUlK4ermTjCZoukNNxAzbyKyni5frO BIX4qt3KascvVFXcKVxiWlneatPAYhs0UWwpKAop6dV+QY9+E3M8c3LHfudKOtCnQoie 14QA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689890462; x=1690495262; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FXanCFIhqpM0uY5m5ybvmsO8sq9K6LugxyHg/7Di2nc=; b=RpKWk57PK9GKz6k8/3zJixFpqNyOJBDW/V7x5k0B7vdHs1x+3pg0wN2TJU/OhR/Ecm lO/Na4K2MwiUy6dsRN1+R7bRfJXBhUjYTYehPBJJqHQ29VryzrdAtB7TYQi2xkgiuBjI p7MrX2qTzUN1uDnxV5u/8qp7tETfbi6jUvE/Q41icDvxBw6jnZSQSjQ9xJUGeHzECpsM PTB4qASQIMG/I1zlRgsuz/iudz5jZac0NTYShstwGudYFnHqIWFk5p0YVo5qAxkApHkx JqJtxzinsecqM4Wr/Zg88ohpPHIo2CrPByiD7xGUmIGv3mP11BN2yzXn6QfM2fE9Q87j xpDQ==
X-Gm-Message-State: ABy/qLYVvgWIl4bERD2e7nPF3MNoTD9QK3xQiZy4kAYxPp5qxLJTcVTK chVDNxoszqBWhb6WwOLOjxO+SGEoGntdrEGqSA2mL/Oca8Gy6lg=
X-Google-Smtp-Source: APBJJlFARL3HiuYScobyaC3qJaDy1AAaLsrxihJIrbAje/aLYOruCkBQeYnFkJIvaw1TGKTVq4R8ZDRfJ+T3cjwhzss=
X-Received: by 2002:a25:4209:0:b0:c84:3e74:c6ee with SMTP id p9-20020a254209000000b00c843e74c6eemr224714yba.32.1689890461525; Thu, 20 Jul 2023 15:01:01 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB74394E66F880D4948217ED57B738A@SJ0PR02MB7439.namprd02.prod.outlook.com> <AS8PR10MB7427A0FF328462A6212E2590EE39A@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <MW4PR02MB74281BC30C2B395F77E3F1FCB739A@MW4PR02MB7428.namprd02.prod.outlook.com> <798F3FD9-115B-40C6-8F20-CB1DB1FB3648@island-resort.com> <CAFWvErU3mSR5PRk6FaW11-5r6tC1Kx9sMMBtVAqEhhjT5p1P4g@mail.gmail.com> <MW4PR02MB742891C6F229AE71BF1ECC02B73EA@MW4PR02MB7428.namprd02.prod.outlook.com> <CAFWvErV5hb8KoX12WiWn8epJJs4Q1RsCHcv4K4OAqmLQr5urnw@mail.gmail.com> <CAGJKSNSeVS8j6zUf26TxLR5w920gO0w1k3ADpEgCaKJxLQJTKQ@mail.gmail.com> <CAGJKSNTkhZdMz0VCdY7xMHJOdfZss1rvh8dwZg1phARP3Jbstg@mail.gmail.com> <CAN8C-_LPcz6p==hVmuO6bZFoiT7fPRuV4hYeGwZi_py_NLpj9w@mail.gmail.com> <CAFWvErXZX7YwHAaeM42ZxAc3ZJ2XAaOK5UQfG0qyTTuvpEoMXQ@mail.gmail.com> <CAN8C-_KSeVvb-1Pj2kEtAfqyT9mXWmySmJGFt6dUgb8sCivDQw@mail.gmail.com>
In-Reply-To: <CAN8C-_KSeVvb-1Pj2kEtAfqyT9mXWmySmJGFt6dUgb8sCivDQw@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Fri, 21 Jul 2023 07:00:49 +0900
Message-ID: <CAFWvErUAhxLvw7=TbWrF8pVxW6b8XdOX81Nb6EaZuShVWdAysw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: Michael Prorock <mprorock@mesur.io>, Michael Jones <michael_b_jones@hotmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ab2db50600f24884"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/xAVwtSJXT1iKilUjG7yHh32iO-0>
Subject: Re: [COSE] Draft IETF 117 COSE agenda
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 22:01:07 -0000
> > It's *extremely* unfortunate naming choices, because that's not how JOSE > works: ...Regarding the KEM/key agreement thing about which we are talking, *that's how JOSE works*. In JOSE, the primary "alg" value for key agreement is "ECDH-ES". Not only "crv" but also "kty" cannot be determined by the "ECDH-ES". In the first place, "alg" is just an optional value in JWK/COSE_Key and cannot be relied upon. There are plenty of examples of JWKS endpoints without "alg" values. For example, Azure-AD JWKS endpoints like this... https://login.microsoftonline.com/common/discovery/keys Example JWKs in MDN web docs don't use "alg" ... https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key_import > And this is "better" than iterating one list of "advertised algorithms" in the sense that it is "more compact" and "safer" ? I think the "hkc" approach is better. - Since it does not rely on "alg", it will work with many existing implementations and it can be used not only JOSE/COSE but also many other applications. - If the recipient(server) wants to support multiple KDF/AEADs for one KEM algorithm, the "alg" approach should provide multiple KEM keys. - etc... -- Daisuke 2023年7月21日(金) 1:53 Orie Steele <orie@transmute.industries>: > Inline: > > On Thu, Jul 20, 2023 at 10:42 AM AJITOMI Daisuke <ajitomi@gmail.com> > wrote: > >> The point here is... If I tell you -7 (ES256), you know 2 (kty EC2) and 1 >>> (crv P-256) >> >> >> ... No. In COSE, ES256 can be used not only with P-256 but also with >> other curves (P-521, etc.). >> > > https://datatracker.ietf.org/doc/html/rfc9053#section-8.3 > > I think you are correct. > > It's *extremely* unfortunate naming choices, because that's not how JOSE > works: > > https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 > > It's also probably not a "good idea" to use "sha256 with P-521" (mismatch > in hash and curve strength) > ... Why does COSE encourage this kind of thing, I can't answer that... > > It leads to devices needing to support a kitchen sink, or only certain > protocols, ... it impacts agility. > > It seems that COSE created even more flexibility than JOSE, and encouraged > protocols to lock things down... > in other words, it punted responsibility, in a way that JOSE did not. > > >> >> Constrained devices won't ship support for both 6 and 7... so advertising >>> -8 is therefore ambiguous / not helpful (by itself) >> >> ... Now consider advertising "HPKE-Base"... How does this help you know >>> how to talk to a firmware or relying party? >> >> >> ES256 is also ambiguous... let's use key information. >> > > Seems you are required to use key information to use COSE... > But not in JOSE... I'm sorta shocked by how bad that is... > COSE "alg" values are NEVER enough information. > > Just for clarity... a receiver needs to advertise a list like this [ kty, > crv, alg, hkc ]. > > And then the sender needs to iterate that list to find a match they > support, in order to send. > > And this is "better" than iterating one list of "advertised algorithms" in > the sense that it is "more compact" and "safer" ? > > >> ... why would we go out of our way to add extra information to this >>> process, when we are supposed to be trying to design for a compact / >>> constrained environment? >> >> >> ... The current draft(or "hkc" approach) does not prohibit implementing >> only a specific combination of KEM/KDF/AEAD for constrained environments, >> and it is also possible not to put HPKE algorithm information in >> COSE_Key/JWK as an implicit agreement between a sender and a recipient. >> > > I agree with this. > > >> -- >> Daisuke >> >> 2023年7月20日(木) 23:27 Orie Steele <orie@transmute.industries>: >> >>> Granted, JOSE & COSE kinda broke this with EdDSA... >>> >>> > Therefore, in COSE, even ES256 has to be defined as follows: >>> > -7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 >>> (P-256). >>> >>> The point here is... If I tell you -7 (ES256), you know 2 (kty EC2) and >>> 1 (crv P-256) >>> >>> If I tell you -8 (EdDSA) .... You know 1 (kty OKP), but *you don't >>> know if I meant 6 (crv Ed25519) or 7 (crv Ed448)* >>> >>> Constrained devices won't ship support for both 6 and 7... so >>> advertising -8 is therefore ambiguous / not helpful (by itself) >>> >>> ... Now consider advertising "HPKE-Base"... How does this help you know >>> how to talk to a firmware or relying party? >>> >>> ... why would we go out of our way to add extra information to this >>> process, when we are supposed to be trying to design for a compact / >>> constrained environment? >>> >>> OS >>> >>> >>> >>> On Thu, Jul 20, 2023 at 9:11 AM Michael Prorock <mprorock@mesur.io> >>> wrote: >>> >>>> A correction/clarification - basically, while you see both kty and alg >>>> together, if you have a well defined alg, you always know what kty is for >>>> that alg - so derivation is from alg alone >>>> >>>> Mike Prorock >>>> CTO - mesur.io >>>> >>>> On Thu, Jul 20, 2023, 08:01 Michael Prorock <mprorock@mesur.io> wrote: >>>> >>>>> Daisuke, >>>>> definitely 'combination of "alg" and key information.', especially as >>>>> things have started to evolve recently. However, I think the point that >>>>> Orie is trying to make (please correct me if I am wrong Orie) is that once >>>>> you have the 'kty' which lets you know what shape and family of keys you >>>>> are dealing with, then you should have everything you need from 'alg' and >>>>> nothing else. >>>>> >>>>> Mike Prorock >>>>> CTO, Founder >>>>> https://mesur.io/ >>>>> >>>>> >>>>> >>>>> On Thu, Jul 20, 2023 at 7:53 AM AJITOMI Daisuke <ajitomi@gmail.com> >>>>> wrote: >>>>> >>>>>> Daisuke asserts “On the other hand, there are no examples like the >>>>>>> proposal from Hannes/Laurence, where the "alg" value includes information >>>>>>> about "crv" values and unrelated key operation information (e.g., KDF, >>>>>>> AEAD)”. There are actually many such examples. >>>>>> >>>>>> >>>>>> It mainly concerns the latter, which is ”unrelated key operation >>>>>> information". Anyway, while it is true that JOSE's ES* algs include the >>>>>> "crv" value implicitly, the COSE's ES* algs don't. The COSE's ES256 >>>>>> algorithm is not limited to P-256 and this crv value and the information >>>>>> about whether the key is compressed EC point or not ultimately requires >>>>>> referring to the key info. >>>>>> >>>>>> Therefore, in COSE, even ES256 has to be defined as follows: >>>>>> >>>>>> - -7 (ES256), where kty is 2 (with uncompressed points) and crv >>>>>> is 1 (P-256). >>>>>> >>>>>> It is evident that the mainstream approach is to negotiate using a >>>>>> combination of "alg" and key information. >>>>>> >>>>>> -- >>>>>> Daisuke >>>>>> >>>>>> >>>>>> 2023年7月20日(木) 9:55 Michael Jones <michael_b_jones@hotmail.com>: >>>>>> >>>>>>> [chair hat off] >>>>>>> >>>>>>> >>>>>>> >>>>>>> The interoperability problem caused by polymorphic algorithm >>>>>>> identifiers is that the “alg” and “enc” values are no longer useful for >>>>>>> algorithm negotiation. >>>>>>> >>>>>>> >>>>>>> >>>>>>> In protocols such as OpenID Connect, OAuth 2.0, and WebAuthn/FIDO2, lists of supported “alg” and “enc” values are published in metadata. For instance, here’s an example from RFC 8414: >>>>>>> >>>>>>> "token_endpoint_auth_signing_alg_values_supported": >>>>>>> >>>>>>> ["RS256", "ES256"], >>>>>>> >>>>>>> >>>>>>> >>>>>>> The problem with polymorphic algorithm identifiers such as “EdDSA” >>>>>>> is that they don’t actually specify which algorithm is used. It could mean >>>>>>> either “Ed25519” or “Ed448”. You can’t advertise which you support and/or >>>>>>> which you want. >>>>>>> >>>>>>> >>>>>>> >>>>>>> This is a problem in practice for WebAuthn, since some COSE alg >>>>>>> identifiers are polymorphic and WebAuthn and FIDO2 use COSE algorithm >>>>>>> identifiers for negotiation. See that WebAuthn specified that EdDSA always >>>>>>> uses Ed25519 – making it non-polymorphic but precluding its use with >>>>>>> Ed448. Here’s the line doing so at >>>>>>> https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy: >>>>>>> >>>>>>> - -8 (EdDSA), where crv >>>>>>> <https://tools.ietf.org/html/rfc8152#section-13.1.1> is 6 >>>>>>> (Ed25519). >>>>>>> >>>>>>> >>>>>>> >>>>>>> Daisuke asserts “On the other hand, there are no examples like the >>>>>>> proposal from Hannes/Laurence, where the "alg" value includes information >>>>>>> about "crv" values and unrelated key operation information (e.g., KDF, >>>>>>> AEAD)”. There are actually many such examples. >>>>>>> >>>>>>> >>>>>>> >>>>>>> All the registered JOSE algorithms (for example “ES256”) fully >>>>>>> specified all parameters until “EdDSA” was registered. The COSE >>>>>>> algorithms from RFC 8812 fully specify all parameters, such as when >>>>>>> secp256k1 is used and when RSASSA is used. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Likewise, if we had a single HPKE algorithm identifier, it couldn’t >>>>>>> be used to distinguish which HPKE algorithms are supported (and not all >>>>>>> will be by all implementations). This would cause the same problem for >>>>>>> future systems that, for instance, WebAuthn/FIDO2, OAuth 2.0, and OpenID >>>>>>> Connect already encounter when polymorphic algorithm identifiers are used. >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- Mike >>>>>>> >>>>>>> >>>>>>> >>>>>>> *From:* AJITOMI Daisuke <ajitomi@gmail.com> >>>>>>> *Sent:* Wednesday, July 19, 2023 3:45 PM >>>>>>> *To:* Michael Jones <michael_b_jones@hotmail.com>; Ilari Liusvaara < >>>>>>> ilariliusvaara@welho.com> >>>>>>> *Cc:* cose <cose@ietf.org> >>>>>>> *Subject:* Re: [COSE] Draft IETF 117 COSE agenda >>>>>>> >>>>>>> >>>>>>> >>>>>>> > Speaking as an individual contributor, I fully support the first >>>>>>> > (fully specified) choice. Whereas the second possibility will >>>>>>> cause >>>>>>> > endless interoperability problems. >>>>>>> >>>>>>> >>>>>>> I disagree. >>>>>>> >>>>>>> >>>>>>> +1 >>>>>>> >>>>>>> (Below, I comment from the standpoint that the design of alg values >>>>>>> should be consistent with COSE and JOSE.) >>>>>>> >>>>>>> I am convinced that the "fully specified" design, on the contrary, >>>>>>> includes more interoperability issues. >>>>>>> >>>>>>> Originally, in JOSE and COSE, the identification of the specific >>>>>>> cryptographic algorithm was done by combining the "alg" value ("ECDH-ES," >>>>>>> "EdDSA," etc.) with the information held by the key itself ({"kty": "EC", >>>>>>> "crv": "P-256", ...}, {"kty": "OKP", "crv": "Ed25519", ...}, etc.). >>>>>>> The current draft follows this approach. On the other hand, there are no >>>>>>> examples like the proposal from Hannes/Laurence, where the "alg" value >>>>>>> includes information about "crv" values and unrelated key operation >>>>>>> information (e.g., KDF, AEAD) to the original key's purpose. In JWK, the >>>>>>> "alg" value is merely an optional parameter, so packing excessive >>>>>>> information into the "alg" value will, in fact, lead to interoperability >>>>>>> issues. >>>>>>> >>>>>>> I have repeatedly written about the reasons why the current >>>>>>> specification is better than the "fully specified" design (*1, *2). >>>>>>> However, I would like to add one more point from a new perspective. >>>>>>> >>>>>>> I am very concerned that JWK, which is a "JSON representation of >>>>>>> keys" that could be used for a wide range of applications not limited to >>>>>>> JOSE and COSE, will no longer be available as a means of transmission and >>>>>>> negotiation of HPKE parameters. I think this is a very big loss. >>>>>>> >>>>>>> The following works with no problem with existing JWK >>>>>>> implementations, and it is also guaranteed to work in the JWK RFC: >>>>>>> >>>>>>> { >>>>>>> kty: "EC", >>>>>>> crv: "P-256", >>>>>>> // alg: "HPKE-v1-Base(-KEM)", // alg can be omitted as >>>>>>> many JWKs do >>>>>>> hkc: { kem: 0x0010, kdfs: [0x0001], aeads: [0x0001]}, >>>>>>> // Unknown parameters for the JWK implementation MUST be ignored on the JWK >>>>>>> layer. >>>>>>> x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc", >>>>>>> y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI", >>>>>>> } >>>>>>> >>>>>>> On the other hand, the following does not work with many existing >>>>>>> JWK implementations. This is because existing JWK implementations often >>>>>>> throw errors for "alg" values not supported by the bundled JWS/JWE: >>>>>>> >>>>>>> { >>>>>>> kty: "EC", >>>>>>> crv: "P-256", >>>>>>> alg: " >>>>>>> HPKEv1-Base-DHKEM(P256,HKDFSHA256)-HKDFSHA256-AES128GCM", // Must be >>>>>>> specified to specify HPKE parameters if not assuming an offline(implicit) >>>>>>> agreement. >>>>>>> x: "-eZXC6nV-xgthy8zZMCN8pcYSeE2XfWWqckA2fsxHPc", >>>>>>> y: "BGU5soLgsu_y7GN2I3EPUXS9EZ7Sw0qif-V70JtInFI", >>>>>>> } >>>>>>> >>>>>>> I think this example clearly illustrates the harm of putting >>>>>>> subsequent algorithm information (KDF&AEAD), which is not originally >>>>>>> relevant to the key itsef, into a key that is originally only used in the >>>>>>> KEM step. >>>>>>> >>>>>>> >>>>>>> In any case, I am tired of the situation where even after all these >>>>>>> repeated discussions, even the obvious design point, which is obvious if >>>>>>> you read the HPKE standard, that "encapsulated_key should be expressed as a >>>>>>> sequence of bytes," is being rehashed... >>>>>>> >>>>>>> I hope the chairs will make a wise decision. >>>>>>> >>>>>>> Best regards, >>>>>>> Daisuke >>>>>>> >>>>>>> P.S. >>>>>>> ... the design of COSE-HPKE was more difficult than I had thought, >>>>>>> as it required not only knowledge of both COSE and HPKE, but also knowledge >>>>>>> of JOSE (primarily JWK) in terms of alg value design, and related >>>>>>> considerations of consistency with the W3C Web Cryptography API and >>>>>>> existing implementations. So I do not intend to ask you (the mailing list >>>>>>> participants) to agree with my suggestion easily, but I'm very glad if you >>>>>>> could read (*1)(*2) without bias. >>>>>>> >>>>>>> (*1) >>>>>>> https://mailarchive.ietf.org/arch/msg/cose/KTpXbZ3UxUH8BuLT4OmhfaToYTk/ >>>>>>> (*2) >>>>>>> https://mailarchive.ietf.org/arch/msg/cose/cPqYqCagPbWPKwvQODjqn98U3F4/ >>>>>>> >>>>>>> 2023年7月20日(木) 2:37 lgl island-resort.com <lgl@island-resort.com>: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Jul 19, 2023, at 9:52 AM, Michael Jones < >>>>>>> michael_b_jones@hotmail.com> wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> As a chair, I’d like clarity on what you mean by “the single >>>>>>> algorithm design”. Do you mean that each algorithm identifier fully >>>>>>> specifies all the cryptographic parameters being used? Or do you mean that >>>>>>> a single algorithm identifier is used for all the HPKE possibilities? >>>>>>> >>>>>>> >>>>>>> >>>>>>> The proposal that Hannes, Jeremy and a few others favor is roughly >>>>>>> this. (I picked these three just as an example, the decision we want is not >>>>>>> whether these three are the ones to register, it is that we will use one >>>>>>> algorithm ID to indicate the HPKE KEM, KDF and AEAD. >>>>>>> >>>>>>> >>>>>>> >>>>>>> *Alg ID HPKE-P-256 (equivalent to COSE -29 with NIST key)* >>>>>>> >>>>>>> KEM: 0x0010 DHKEM(P-256, HKDF-SHA-256) >>>>>>> >>>>>>> KDF: 0x0001 HKDF-SHA256 >>>>>>> >>>>>>> AEAD: 0x0001 AES-128-GCM >>>>>>> >>>>>>> >>>>>>> >>>>>>> *Alg ID HPKE-P-384 (equivalent to COSE -30 with NIST key)* >>>>>>> >>>>>>> KEM: 0x0011 DHKEM(P-384, HKDF-SHA-384) >>>>>>> >>>>>>> KDF: 0x0002 HKDF-SHA384 >>>>>>> >>>>>>> AEAD: 0x0002 AES-256-GCM >>>>>>> >>>>>>> >>>>>>> >>>>>>> *Alg ID HPKE-P-521 (equivalent to COSE -31 with NIST key)* >>>>>>> >>>>>>> KEM: 0x0012 DHKEM(P-521, HKDF-SHA-512) >>>>>>> >>>>>>> KDF: 0x0003 HKDF-SHA512 >>>>>>> >>>>>>> AEAD: 0x0002 AES-256-GCM >>>>>>> >>>>>>> >>>>>>> >>>>>>> The one that Ilari and Ajitomi-san favor is what we have now in >>>>>>> COSE-HPKE: >>>>>>> >>>>>>> >>>>>>> >>>>>>> When the alg value is set to 'HPKE-v1-BASE', the HPKE_sender_info >>>>>>> >>>>>>> structure MUST be present in the unprotected header parameter. >>>>>>> >>>>>>> >>>>>>> >>>>>>> The CDDL grammar describing the HPKE_sender_info structure is: >>>>>>> >>>>>>> >>>>>>> >>>>>>> HPKE_sender_info = [ >>>>>>> >>>>>>> kem_id : uint, ; kem identifier >>>>>>> >>>>>>> kdf_id : uint, ; kdf identifier >>>>>>> >>>>>>> aead_id : uint, ; aead identifier >>>>>>> >>>>>>> enc : bstr, ; encapsulated key >>>>>>> >>>>>>> ] >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Speaking as an individual contributor, I fully support the first >>>>>>> (fully specified) choice. Whereas the second possibility will cause >>>>>>> endless interoperability problems. >>>>>>> >>>>>>> >>>>>>> >>>>>>> We need your efforts primarily has a chair at this point. I think >>>>>>> we’ve had the discussion. >>>>>>> >>>>>>> >>>>>>> >>>>>>> LL >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> COSE mailing list >>>>>>> COSE@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/cose >>>>>>> >>>>>>> _______________________________________________ >>>>>> COSE mailing list >>>>>> COSE@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/cose >>>>>> >>>>> _______________________________________________ >>>> COSE mailing list >>>> COSE@ietf.org >>>> https://www.ietf.org/mailman/listinfo/cose >>>> >>> >>> >>> -- >>> >>> >>> ORIE STEELE >>> Chief Technology Officer >>> www.transmute.industries >>> >>> <https://transmute.industries> >>> >> > > -- > > > ORIE STEELE > Chief Technology Officer > www.transmute.industries > > <https://transmute.industries> >
- [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Tschofenig, Hannes
- Re: [COSE] Draft IETF 117 COSE agenda Henk Birkholz
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Jeremy O'Donoghue
- Re: [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda lgl island-resort.com
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Michael Jones
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Tschofenig, Hannes
- Re: [COSE] Draft IETF 117 COSE agenda Carsten Bormann
- Re: [COSE] Draft IETF 117 COSE agenda Hannes Tschofenig
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Hannes Tschofenig
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Michael Prorock
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda lgl island-resort.com
- Re: [COSE] Draft IETF 117 COSE agenda Michael Richardson
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Stephen Farrell
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Stephen Farrell
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Orie Steele
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- Re: [COSE] Draft IETF 117 COSE agenda Carsten Bormann
- Re: [COSE] Draft IETF 117 COSE agenda AJITOMI Daisuke
- Re: [COSE] Draft IETF 117 COSE agenda Ilari Liusvaara
- [COSE] Opaque enc (was Re: Draft IETF 117 COSE ag… lgl island-resort.com
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… Orie Steele
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… Ilari Liusvaara
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… lgl island-resort.com
- Re: [COSE] Opaque enc (was Re: Draft IETF 117 COS… lgl island-resort.com