On Sat, Jul 9, 2016 at 3:40 PM, Jim Schaad <[email protected]> wrote:
> I need to find out where you went wrong, but that is not the intent.
>
> Note that there is both an ECDH-ES and an ECDH-SS version in the table. One
> uses the ephemeral key and one uses the static key for doing the key
> agreement. The paragraph that discusses these options is the
> "Ephemeral-static or static-static" bullet above the table.
>
> There is a small number of common ECDH routines because, modulo how to find
> the second key, the processing is the same.
>
> If you can identify where you got confused, please let me know so I can look
> at doing clarifications.
Thank you for the clarification. I came into the document expecting ECDH-ES to bind a sender's static key (i.e. in the style of 6.2.1 of NIST SP 800-56A: http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf), so the fault might well be entirely my own.

There's much discussion of a sender static key in that area of the document, which fed my incorrect assumption, and there's the label -2 in table 19, which is defined as the sender's static key for ECDH-ES. Should that be for ECDH-SS, or is it a "return address" for the recipient in the case of ECDH-ES?

I'm not sure that anything needs to change in the document, but would the expected structure for a sender-authenticated, one-way forward-secure message be an ECDH-ES message encrypted in an ECDH-SS message?

Cheers

AGL

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
