[jose] Re: Strawperson consensus call for changes to draft-ietf-jose-hpke-encrypt-01

Orie Steele <orie@transmute.industries> Fri, 12 July 2024 22:54 UTC

To: Brian Campbell <bcampbell@pingidentity.com>
CC: JOSE WG <jose@ietf.org>, jose-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/2yjwzRoDc2WdZbJs0lftvPviYe4>

Brian,

You are correct.

This is why I wrote: The working group SHALL draft text explaining what
"enc:dir" means, and how it is related to "alg".

Perhaps this might look like:

This document updates RFC7516.

This document defines a new value "dir" for "enc".

When "enc:dir" is present, tag and iv are empty.

"enc:dir" can only be used with "alg" values that use an AEAD to perform
authenticated encryption on plaintext to produce ciphertext; when these
algorithms are used, iv and tag are empty.

As you have just pointed out, it would be incorrect to use "enc: A128GCM"
for integrated encryption because no tag and no iv are present.

I suggest we defer discussion of the exact text the working group would
need for integrated encryption, since that is not necessary to agree to the
general approach.

If we cannot agree to writing text that explains what integrated encryption
is and how it is related to "enc" and "alg", the only other option I can
see is to drop support for integrated encryption with HPKE for JWEs.

I've incorporated your feedback, and highlighted changes in bold:

## draft-ietf-jose-hpke-encrypt-01 call topic number 1 (Yes / No):

### For HPKE JWE Integrated Encryption Mode:

The algorithm name SHALL be of the form "HPKE-P256-SHA256-A128GCM".
The "enc" value SHALL be "dir".
The working group SHALL draft text explaining what "enc:dir" means, and how
it is related to "alg"*, including updating RFC7516 Section 4.1.2 as needed.*
The hpke-aad SHALL be from JWE Section 5.1 step 14.
The hpke-info SHOULD be empty.

## draft-ietf-jose-hpke-encrypt-01 call topic number 2 (Yes / No):

### For HPKE JWE Key Encryption Mode:

The algorithm name SHALL be of the form "HPKE-P256-SHA256-A128GCM".
The "enc" value SHALL be any registered AEAD here -
https://www.iana.org/assignments/jose/jose.xhtml, per section of RFC7518.
The hpke-aad SHALL be ECDH-ES FixedInfo *(citation needed @ilari can you
provide a reference here please?)*
The hpke-info SHOULD be empty.



On Fri, Jul 12, 2024 at 5:11 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

>
>
> On Wed, Jul 10, 2024 at 9:45 AM Orie Steele <orie@transmute.industries>
> wrote:
>
>>
>> ### For HPKE JWE Integrated Encryption Mode:
>>
>
>
>> The "enc" value SHALL be "dir".
>> The working group SHALL draft text explaining what "enc:dir" means, and
>> how it related to "alg".
>>
>
> This doesn't work with RFC7516/JWE's definition of the "enc" header
> <https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2>, which
> states that the `enc` "(encryption algorithm) Header Parameter identifies
> the content encryption algorithm used to perform authenticated encryption
> on the plaintext to produce the ciphertext and the Authentication Tag. This
> algorithm MUST be an AEAD algorithm with a specified key length."
>



-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
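
The "enc"/"alg" consistency rule proposed in this message, sketched as a structural check on JWE Compact Serialization. This is an added example, not code from the message, the draft, or any JOSE library. It assumes that an "alg" name starting with "HPKE-" identifies an algorithm that performs the AEAD itself; the function name `check_compact_jwe` and the sample tokens are constructed for illustration, and no decryption is performed.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_compact_jwe(token: str) -> dict:
    """Structural check of a compact JWE; performs no decryption."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five segments")
    protected, _encrypted_key, iv, _ciphertext, tag = parts
    header = json.loads(b64url_decode(protected))
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(alg, str) or not isinstance(enc, str):
        raise ValueError('"alg" and "enc" are both required')
    if enc == "dir":
        # Assumption: an "HPKE-" prefix marks an "alg" that performs the AEAD itself.
        if not alg.startswith("HPKE-"):
            raise ValueError('"enc":"dir" needs an "alg" that performs AEAD')
        if iv or tag:
            raise ValueError('iv and tag must be empty with "enc":"dir"')
        mode = "integrated"
    else:
        # A content encryption AEAD such as A128GCM produces both an iv and a tag.
        if not iv or not tag:
            raise ValueError(f'"enc":"{enc}" requires non-empty iv and tag')
        mode = "content-aead"
    # RFC 7516 Section 5.1 step 14, compact form: AAD = ASCII(Encoded Protected Header).
    return {"mode": mode, "alg": alg, "enc": enc, "aad": protected.encode("ascii")}

def sample_token(header: dict, iv: bytes, tag: bytes) -> str:
    """Constructed token with placeholder bytes; not real HPKE or AEAD output."""
    hdr = b64url(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([hdr, b64url(b"\x01" * 8), b64url(iv), b64url(b"\x02" * 16), b64url(tag)])

ALG = "HPKE-P256-SHA256-A128GCM"
INTEGRATED = sample_token({"alg": ALG, "enc": "dir"}, b"", b"")
MISLABELED = sample_token({"alg": ALG, "enc": "A128GCM"}, b"", b"")  # no iv, no tag

if __name__ == "__main__":
    print(check_compact_jwe(INTEGRATED)["mode"])
    try:
        check_compact_jwe(MISLABELED)
    except ValueError as err:
        print("rejected:", err)
```
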