IETF Logo Mail Archive

Re: [jose] [COSE] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 28 February 2024 09:12 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EA6EC14F69F; Wed, 28 Feb 2024 01:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dEukmtM5SB4F; Wed, 28 Feb 2024 01:12:28 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EF2EC14F619; Wed, 28 Feb 2024 01:12:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1B7C24451B; Wed, 28 Feb 2024 11:12:23 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id JvUZPvmO-2jp; Wed, 28 Feb 2024 11:12:22 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C961F7B; Wed, 28 Feb 2024 11:12:20 +0200 (EET)
Date: Wed, 28 Feb 2024 11:12:20 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Message-ID: <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald>
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/dRZfQEqD64pdh91grB99GjxesXk>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 09:12:32 -0000

On Tue, Feb 27, 2024 at 02:02:16PM -0600, Orie Steele wrote:
> Hello OSE-Enthusiasts,
> 
> As we align JOSE and COSE drafts for adding support for HPKE, we've
> encountered our old friends:
> 
> PartyU and PartyV...

Those two only really make sense for ECDH-SS. JOSE does not support
that at all, nor does HPKE (auth mode is not ECDH-SS).

 
> JOSE has this to say:
> https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2
> 
> """
>    The "apv" (agreement PartyVInfo) value for key agreement algorithms
>    using it (such as "ECDH-ES"), represented as a base64url encoded
>    string.  When used, the PartyVInfo value contains information about
>    the recipient.  Use of this Header Parameter is OPTIONAL.  This
>    Header Parameter MUST be understood and processed by implementations
>    when these algorithms are used.
> """

Note that is only for key agreement algorithms. HPKE is not a key
agreement algorithm.

Now, native KEM support would be key agreement algorithm and would
process "apv" just like ECDH-ES does.


> COSE has this to say:
> https://datatracker.ietf.org/doc/html/rfc9053#name-context-information-structu
> 
> (TLDR... No MUST).

Every field in that structure seems to be at least one of:

- Redundant (e.g., AlgorithmID)
- Absurd (e.g., keyDataLength)
- Unsafe (e.g., PartyUInfo.identity)
- Non-interoperable (e.g., Party*Info.other)


The design philosophies of JOSE and COSE are rather different. JOSE is
designed to be interoperable and implementable without profiling. COSE
is designed to be heavily profiled down for application, and is not in
general meant to be interoperable nor implementable.

This already shows in KDF context structures. The JOSE one is 
interoperable, the COSE one is explicitly not interoperable.

Then there is plenty of stuff in COSE that is in theory interoperable,
but no implementation implements it. E.g., ECDH-ES with AES-GCM key
wrapping (bonus points for also using iv-generation).


> We have an opportunity to maintain parity here, and essentially
> repeat the support for behavior we have in JOSE and COSE for
> "ECDH-ES+A128KW", when PartyU and PartyV are present.

As stated above, PartyU and PartyV don't really make sense here.


> I've always found this part of encryption in JOSE troublesome, why is it
> necessary for HPKE to support this?

I don't think there is any good reason to support it. Especially with
the HPKE limitations on parameters.


> Are we passing up an opportunity to simplify things and remove an
> unused/underutilized feature from being required in a new, and currently
> not used encryption scheme (HPKE).

The simplest thing to do is to just ignore that stuff.


> Is it time for apu and apv to be ignored when present and not
> understood?

As explained above, the MUST is inapplicable. Thus "apu" and "apv"
are ignored for HPKE.




-Ilari

v2.23.0 | Report a Bug | By Email