Re: [jose] HPKE Compact JWE Demo
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 11 February 2024 10:26 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D366DC14F699 for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 02:26:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIFu1E0qnApQ for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 02:26:09 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52DECC14F684 for <jose@ietf.org>; Sun, 11 Feb 2024 02:26:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 8CACF17E75 for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:05 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id CsD9pv1A4sTQ for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:05 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 4A9AF72 for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:04 +0200 (EET)
Date: Sun, 11 Feb 2024 12:26:03 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <Zcigu0VDAvdeJPT0@LK-Perkele-VII2.locald>
References: <CAN8C-_KgcsaY9A4icRhjHAPnEVb8fYu3vzf0=mk_ODkGEVDDtw@mail.gmail.com> <Zce0L9JgcfA2CAE7@LK-Perkele-VII2.locald> <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ZJLkhg0PC3tJyj6GqUms28BsvEc>
Subject: Re: [jose] HPKE Compact JWE Demo
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Feb 2024 10:26:13 -0000
On Sat, Feb 10, 2024 at 03:15:11PM -0600, Orie Steele wrote: > This list feels like mostly complaints about JWE, and not about JOSE HPKE. Sure, JWE has its problems, but that ship has sailed. Debating those problems when working with JWE is not productive. One just has to live with those. There is only one complaint about JWE, and that is then immediately taken as something one needs to live with. Plenty of other complaints just are not relevant here. > With compatibility with ECDH-ES JWE shown, I feel pretty confident that the > design is on a good track. That was only a smoke test. Failing it would have been really bad, but passing does not mean things are actually working. > If there are problems in the design we have now... those problems are > fundamental to JWE. I disagree. I think things can be vastly improved while modifying JWE no more than what is currently done. > We are adding HPKE support to JWE not making an incompatible alternative to > JWE, that only works with HPKE. The draft does currently have requirements incompatible with JWE. E.g., - Requirement to use JSON serialization for Key Encryption. - Requirement to put "enc" in protected parameters for Key Encryption. - Requirement to put "alg" in per-recipient unprotected header for Key Encryption. And then arguably also requirement to use compact serialization for Integrated Encryption. As example of just what requirements like this can cause, I once wrote support for extensible priorities in HTTP/2 in a reverse proxy. IIRC, I explicitly ignored every single requirement that went against base HTTP/2. Mostly, because code I was modifying was designed for as specified by base HTTP/2. > Adding the ability to upgrade to HPKE without major breaking interface > changes is the objective, and greenfielding alternatives to JWE just delays > adoption of KEMs and resilience to harvest now decrypt later. Greenfielding alternatives to JWE is not an option. And even stuff that just goes against precedent can cause severe issues. E.g., Multi-recipient interface with similar design as I used in COSE-HPKE test code would seem to work just fine now. But it would be a major breaking change to add HPKE as currently specified to it. > The guiding principle is this: > > Adding HPKE based single recipient and multiple recipient support, with as > few changes to JWE as possible. The guiding principles I have: - Keep things as simple as possible. - Minimize disruption caused by JWE changes for single recipient. - Zero HPKE-specific modifications to JWE. - Zero modifications to JWE for multiple recipient support. Note that first two are relative, while the last two are absolute. And new header parameters, algorithms, etc. are not "modifications to JWE". The reason for requiring zero modifications for multiple recipients is that the interaction between recipients is specified by JWE, and trying to change those rules is asking for critical issues. And some changes to JWE are required in order to add the Integrated Encryption mode, I.e., this draft needs to update RFC 7516, but those changes must not preclude non-HPKE mechnisms later. And as example of disruption JWE changes could cause, consider implementation that immediately parses JWE doing the first three steps of JWE section 5.2. Maybe together with doing step 15. By time that is done, original serialization is lost. That is very much code one does not want to touch lightly. > This constraint makes our job simple... What parameters go in headers? How > can we accomplish what is needed with as few HPKE specific changes as > possible. For stuff relevant to HPKE, nothing except alg needs to go in headers. This is in contrast to things like Key Agreement ephemeral key, that does need to go into headers. I don't see any need for HPKE-specific changes. Even a new header for KEM ciphertext (problematic for other reasons) could be usefully repurposed for KEM Key Agreement. > The current draft does the best at this so far, but it's possible in can be > further improved. > > I don't think your suggestion to concatenate strings values for enc and ct > is an improvement. What other way is there to satisfy: - Avoid requiring multi-shot HPKE for compact. - Both modes encode the output in the same way. ? I don't think there are any. There is only one output field besides headers for Key Encryption, and Integrated Encryption can not use headers in compact without requiring multi-shot. -Ilari
- [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Michael Jones
- Re: [jose] HPKE Compact JWE Demo Michael Prorock
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele