Re: [jose] HPKE Compact JWE Demo
Michael Prorock <mprorock@mesur.io> Sat, 10 February 2024 22:13 UTC
Return-Path: <michael.prorock@mesur.io>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 237D9C14F609 for <jose@ietfa.amsl.com>; Sat, 10 Feb 2024 14:13:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mesur-io.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3s9nZB8Wzyg for <jose@ietfa.amsl.com>; Sat, 10 Feb 2024 14:13:34 -0800 (PST)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC64AC14F5FA for <jose@ietf.org>; Sat, 10 Feb 2024 14:13:29 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a26f73732c5so277338866b.3 for <jose@ietf.org>; Sat, 10 Feb 2024 14:13:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mesur-io.20230601.gappssmtp.com; s=20230601; t=1707603208; x=1708208008; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aCge2qHFc+p8e6pSzaJFK52d5iesHfNo5iGOiaBGm3Q=; b=LU24c1ZUGvN2j0SU88lmobQ/URKC7Sik4ignq3Mpk2a12YDKobQy5trugOp+snOAgZ APy6tHE/uKBEG23XSRV44LYf8EfLDPAuLNvglKtRrZL3cUmD6Q0+G0ZGkiSoc4CmxcVl DbIkmzP2T/2smDpp9Vb/Det7w0/kngMfvYI9c6RBLyMj2A8aUPVv3nYl0ZVaU80J38Q+ jRbVzSZRUUJFXtKEX5oPUuz8OJ//cPhinKbltyuOGPjhbL4f02QGl5eCBafgMvKQbnpM r+M/cI/83Posb6qalXj2OFyPivnm5UZs5GxCESP/OcR6Xl4hjdUeDWsKOHqqoc/JOb2N 58Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707603208; x=1708208008; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aCge2qHFc+p8e6pSzaJFK52d5iesHfNo5iGOiaBGm3Q=; b=WWosQkRWzFix55xAeO9yeP/VNbi/w04lrELiDEulxxQcsCt1W3ttiE7mETUUpNztCR vRFfzFxOCzKrEatl865WyXa6XyjANypL0TaIIoQJBk4vHkkK2hVtsjwUzd0QHKZt7oo8 qYpUUsl++L9kL7oHyPKscHR3C8i7MmIiXeU6ZgDWk0iW13xuKjTnQ9yehgw7v3vS9QMk Oj7F6ad3Pm9Deq4B8Ub/IsEmGNqo/sTUItchJSaJ0FNfxvrgEpAS5EOKvLKf7jS3Gni/ Ek5gGNlId0zQWbAKu7D13v9Cyh23eNxqBTAtHGp/ebo4yK9NkRvaRBpxlXd3GzsSYQUR hh9w==
X-Forwarded-Encrypted: i=1; AJvYcCUZeZv3hkZ2jiR3niDNVR31TRCkVsuByf4DzYiYfbRin91ws51zB/mTQVib0YYNVGqPvAruZja/XMZBiCsp
X-Gm-Message-State: AOJu0YzNXglcFi3ihBxcqRvdTJixEWqaLSuk/VM9p4gtBq12ph0M5+cY BeDIs1E/TPVRxZxtixUgcNn0VcLQuu9eLryoJpydW0gXnsW3kLCuCjQBw8BQly70fr1AL92Dtf6 l7+6rd7UquLffOfisqIMw0ei0InYtOvJ4MABTn34YVx2M1Tx9nw==
X-Google-Smtp-Source: AGHT+IEQy7CumGjUPkyigPNuluLxIcdUL5v8g0QAOYfM7Ro4P4hfM3VCoCKM8IkDoHL9MzPvA6k7oHpUOIekTsfnZSY=
X-Received: by 2002:a17:906:80c3:b0:a3c:26f8:8114 with SMTP id a3-20020a17090680c300b00a3c26f88114mr1637261ejx.62.1707603207721; Sat, 10 Feb 2024 14:13:27 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_KgcsaY9A4icRhjHAPnEVb8fYu3vzf0=mk_ODkGEVDDtw@mail.gmail.com> <Zce0L9JgcfA2CAE7@LK-Perkele-VII2.locald> <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com> <SJ0PR02MB743955EB403791A1B04FB9FCB74A2@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB743955EB403791A1B04FB9FCB74A2@SJ0PR02MB7439.namprd02.prod.outlook.com>
From: Michael Prorock <mprorock@mesur.io>
Date: Sat, 10 Feb 2024 15:13:18 -0700
Message-ID: <CAGJKSNROvui1HyteC5JnrwSbvGSvgVSpyzsBESqToUWHxhxBUw@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: Orie Steele <orie@transmute.industries>, Ilari Liusvaara <ilariliusvaara@welho.com>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009d27bd06110e5a59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/q9KQQSimkvgssS8nlujgW9axTJQ>
Subject: Re: [jose] HPKE Compact JWE Demo
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2024 22:13:39 -0000
Likewise - I think Orie's described approach is sane Mike Prorock CTO - mesur.io On Sat, Feb 10, 2024, 14:47 Michael Jones <michael_b_jones@hotmail.com> wrote: > I support the design philosophy described by Orie below. > > > > -- Mike > > > > *From:* jose <jose-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Saturday, February 10, 2024 1:15 PM > *To:* Ilari Liusvaara <ilariliusvaara@welho.com> > *Cc:* JOSE WG <jose@ietf.org> > *Subject:* Re: [jose] HPKE Compact JWE Demo > > > > This list feels like mostly complaints about JWE, and not about JOSE HPKE. > > > > With compatibility with ECDH-ES JWE shown, I feel pretty confident that > the design is on a good track. > > > > If there are problems in the design we have now... those problems are > fundamental to JWE. > > > > We are adding HPKE support to JWE not making an incompatible alternative > to JWE, that only works with HPKE. > > > > Adding the ability to upgrade to HPKE without major breaking interface > changes is the objective, and greenfielding alternatives to JWE just delays > adoption of KEMs and resilience to harvest now decrypt later. > > > > The guiding principle is this: > > > > Adding HPKE based single recipient and multiple recipient support, with as > few changes to JWE as possible. > > > > This constraint makes our job simple... What parameters go in headers? How > can we accomplish what is needed with as few HPKE specific changes as > possible. > > > > The current draft does the best at this so far, but it's possible in can > be further improved. > > > > I don't think your suggestion to concatenate strings values for enc and ct > is an improvement. > > > > OS > > > > > > > > > > > > On Sat, Feb 10, 2024, 11:46 AM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > On Sat, Feb 10, 2024 at 08:39:07AM -0600, Orie Steele wrote: > > Hello Hybrid Public Key Encryption Enthusiasts, > > > > I feel JOSE HPKE is getting very close to stable, we have demonstrated > > compact and json serialization, including key encryption with both HPKE > and > > normal ECDH-ES. > > I feel that JOSE HPKE is far from stable. > > I did start writing review of draft-rha-jose-hpke-encrypt-03, but never > finished that because I hit just too many issues to properly write up. > > > Very abbrevated list (some involve aspects of JWE I only learned about > recently): > > 1) Key Management Modes are defined by JWE, not JWA. > 2) Key Agreement has nothing to do with the way HPKE is used. > 3) The mode descriptions are misleading. > 4) Encapsulated key is neither a structure nor a public key. > 5) Using header parameters for encapsulated key is problematic. > 6) Using JWK for encapsulated key is too complicated. > 7) "enc" existing does not mean it is Key Encryption, just not > Integrated Encryption. > 8) JWE requires serialization invariance, which precludes any > requirement on serialization used. > 9) JWE unions the recipient headers, which precludes requirements on > bucket used for any existing parameter. > 10) JWE allows "enc" to be in recipient header(!) if all recipients have > the same value. *vomit*. This precludes requiring enc to be in any > given bucket. > 11) Using JWE aad for recipients will cause severe implementation > issues. There is clear precedent of not doing that even with > something AEAD-capable. > 12) Mode_auth and mode_auth_psk with Key Encryption are insecure. > > > Deviating from important JWE requirements with single-recipient mode > needs to be done carefully, because doing so can cause nasty issues with > implementations. Doing so in multi-recipient mode is categorically not > acceptable. > > > The simplest way to handle HPKE seal outputs is to just concatenate the > two, no length markers. This would seem to work well for both modes. > > That is: > > JWE_ciphertext = hpke_enc || hpke_ct > JWE_encrypted_key = hpke_enc || hpke_ct > > > > > -Ilari > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Michael Jones
- Re: [jose] HPKE Compact JWE Demo Michael Prorock
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele
- Re: [jose] HPKE Compact JWE Demo Ilari Liusvaara
- Re: [jose] HPKE Compact JWE Demo Orie Steele