[jose] Re: draft-ietf-jose-hpke-encrypt-01
Les Hazlewood <lhazlewood@gmail.com> Tue, 09 July 2024 21:02 UTC
Return-Path: <lhazlewood@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037F3C15109C for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 14:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NglQ9K5kIyg1 for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 14:02:14 -0700 (PDT)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22926C151552 for <jose@ietf.org>; Tue, 9 Jul 2024 14:02:14 -0700 (PDT)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-643efaf0786so45663977b3.1 for <jose@ietf.org>; Tue, 09 Jul 2024 14:02:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720558933; x=1721163733; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Yz9kL5zv/3h+VsVNMghdQvYCT32o1Uty8VOdmc1SzIo=; b=Jczpm7M9FIeULIIk+dlR0UQAd244aptSwC7d9K4B0hkWKzKAQRtQfBL6s17U+d6YFo vnq8gnxIzVYSjY3d9zHZ4g4sPv3ZuoBAOqssFZH2v+r8UkHr/LQYDnzb58YWvaku6zW4 BocxFOkVj1lkDGcVBXjVkZnSGbsOMD+hUY5b6GS+1SpCKEZnVkV6n9jHzFGuGj2+0MJp qopR1M607CZgWLhmWRKoQFzKioa4qQCfjwuPElm3PraSsIgPE3fGF/lBb+rdjMBKgond mlHoJkcxZ6PWpPzwwIhXgLxFtAlr1fgMrgPUNRFlzygNVBWSIyScONe7tapBx0d9iywU OWbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720558933; x=1721163733; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Yz9kL5zv/3h+VsVNMghdQvYCT32o1Uty8VOdmc1SzIo=; b=myxivOYLIjCJJdc0VMU88d/TsaFuHliiu6aGole4Y2dYRBzqF2kqns733gBPE4AzpQ TDvMbOuQ+l/RJqRxNAgKqkdhX8FKC3P/EjITCIbzX29WtLaZg+CCe8UdlGLEKs3wNbUW tYxS/Ki/efIx0BSZdRhrSAIbf4Is1p+pCEvGeTRAqlnf/AD1pHMFphbEWDyDWw9gZNLc yvde8jRNoRdWAoR5HTHN/YidT9snVQonltZyGBDGBvIO4R80iTRRy5RxCsgx2+Cel6nw jGnNjuDmtlpeJ6BcPy3S0/GYEIx7WdfDptOUuKi/yHTtR6ONN1rI72fxiJiHmh7oH9rS lLKQ==
X-Forwarded-Encrypted: i=1; AJvYcCV4O6BhRnvlIZiUkw0eCicKNoVSBi9Fcrg1j447gVvGZko1VGHcs7ihI4wosnPX2MxP4Sn/t6gjscf/TiFE
X-Gm-Message-State: AOJu0YwPIpa9ehW5uH4AkDU84xYZsiiBZdTq0vO+IE8sKDbIQzndCYih bKGu9ds+k+YcZ7y1u9U2ieLEunx/hG48urWz9BnLX0RK1DMe4G6CVcjRKQ0jC0k22Hbafd++FWL QNG6K5yAh2h49JzNB6fk7k1EUKUK5yXrZ
X-Google-Smtp-Source: AGHT+IF633fa0I24aL9MCSaPb5RbXRchfrRauOvxdN6y9K5xZhhtL5wewHHTbkkoXJy+XiTpzYgt0ZmIDv2/kE5wObs=
X-Received: by 2002:a0d:f684:0:b0:62c:c65d:8d1c with SMTP id 00721157ae682-658f0ebcd12mr35254337b3.52.1720558933031; Tue, 09 Jul 2024 14:02:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com> <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald> <CAN8C-_JtWT=mG++9khv7H5Vb4uDoEqNjwhtozTEFFp-XGOuq1g@mail.gmail.com>
In-Reply-To: <CAN8C-_JtWT=mG++9khv7H5Vb4uDoEqNjwhtozTEFFp-XGOuq1g@mail.gmail.com>
From: Les Hazlewood <lhazlewood@gmail.com>
Date: Tue, 09 Jul 2024 14:02:01 -0700
Message-ID: <CACVbtYMY61mQWhROeeDobHZvkzCeTDKw1DCNOqJEmKepE1vOoA@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="00000000000004c37e061cd6d846"
Message-ID-Hash: E2WR52JEF6CQR6GSJTBDWJBFDKV23EPV
X-Message-ID-Hash: E2WR52JEF6CQR6GSJTBDWJBFDKV23EPV
X-MailFrom: lhazlewood@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ilari Liusvaara <ilariliusvaara@welho.com>, JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/nV-vF2LJFSAGfcAwG0CMdtEs5Nw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
I agree, `alg` and `enc` (when present) have always been related: other than "alg": "dir", `alg` must always produce a key compatible with `enc`, and therefore it must 'know about' things relevant to `enc. It doesn't make any sense to me to claim `alg` must be independent of `enc`. This feels a whole lot like trying to force-fit existing 10-year well-defined headers to support entirely new concepts that were never intended to be used in such headers (`alg` has never required anything about *content* encryption, only key encryption); see my preceding response in this thread. Anyway, conceptually at the highest level HPKE is a 3 phase process: (key encapsulation) --> (key derivation) --> (content encryption), so the `alg` value should contain all the (key encapsulation) -> (key derivation) parts first because that's the 'key management' stuff. But for JOSE, the first two phases aren't just KEM-->KDF. It's KEM-->KDF optionally followed by a key encryption/wrap algorithm. In other words, the JOSE CEK is still derived - it's just derived using both the RFC 9180 KEM->KDF phase, potentially followed by a key encryption/wrap phase. It's all still "key derivation", but just a potential extra step beyond what RFC 9180 defines. This implies the only way to really represent a polymorphic KDF identifier for JOSE would be either: - a standard HKDF identifier for integrated encryption e.g. "$hkdf_id" - a standard HKDF identifier concatenated with the `+` character followed by the key encryption algorithm identifier, e.g. "$hkdf_id+$kealg_id" This is all still part of the JOSE 'key derivation' phase and identifier strings should be tightly associated as such (combined) before any content encryption identifier. This reiterates what Orie has already shown in previous examples, but I wanted to express *why* I believe the format should be this way to be semantically 'correct' with the way the `alg` header parameter has always worked (i.e. key management) and why I believe the KDF id should be tightly coupled (`+`) with the key encryption alg id. There doesn't seem to be a good way to avoid the explosion of registrations Orie is hoping to avoid. Based on https://www.iana.org/assignments/hpke/hpke.xhtml and the existing JWA RFC, there are (currently): - 10 KEM algs - 3 KDF algs - 6 key encryption algs (A128KW...A256GCMKW) - 6 JOSE content AEAD algorithms implying a whopping 1080 permutations! Removing the content AEAD algorithm from the alg identifier (and keeping it only in `enc`) drops the permutations to 180. Still quite large. It seems that the only sensible solution is to greatly limit the permutations to only a select few, but then you'd be excluding potentially desirable permutations and/or greatly limiting any future 'pluggability' that would be desirable, forcing a new RFC to address them. I'd assume it'd be better for RFC longevity and flexibility to indicate that, while those few would exist as registrations, others MAY exist. Or better yet IMO, eliminate the requirement for fully-specified strings and instead provide requirements around what permutations MUST or MUST NOT exist. Best, Les
- [jose] draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Michael Jones
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 tirumal reddy
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Simo Sorce
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda