I have started to think of COSE_Key as “CBOR Key”. It’s just a key serialization format using CBOR (rather than ASN.1). RFC-5480 which describes serialization of EC keys in ASN.1 is not “CMS Key” or “PKCS Key” or “TLS Key” even though those are the contexts we use it in. I’m not suggesting a name change here, just framing what we’re doing.
We’re basically rebuilding all the security protocols we have based on ASN.1 using CBOR. COSE is the first major chunk of work on this kinda like PKCS was for the ASN.1 stuff. (Russ, do I have my history right?). A key serialization format is a critical part of that. Note that there is often no binding between a protocol using a key and the serialization format for the key it uses. You could use an EC key serialized as COSE_Key with CMS or an ASN.1 serialized key with COSE_Encrypt.
COSE_Key with kty EC2 or OKP already works for COSE_HPKE because COSE_HPKE just uses EC keys. RFC 8230 <https://www.rfc-editor.org/rfc/rfc8230.html> had to do a lot more work to integrate RSA with COSE because there wasn’t a key type that worked.
The main thing we have to do for a COSE_Key with HPKE is define how to do algorithm restriction. We can’t do that in the normal COSE way of just using an integer cipher suite. HPKE-v1-BASE doesn’t give enough info. (RFC 8230 didn’t have to mention the alg parameter at all because it is using integer cipher suites. Key use restriction by algorithm just worked automatically).
So what I’d put in draft-ietf-cose-hpke is roughly this:
When a COSE_Key is used with HPKE, the algorithm usage restriction is expressed by having the alg parameter set to HPKE-v1-BASE and with an additional COSE Key parameter called “hkc”. The “hkc” parameter gives the additional listing of the AEADs, KDFs and KEMs for which the key can be used. If the alg parameter is HPKE-v1-BASE, the “hkc” parameter MUST be present and the key use MUST be restricted to HPKE with the listed AEADs, KDFs and KEMs.
I don’t think there is any need to say that keys used with COSE_HPKE must be of any key type or have any particular parameters. We don’t do that anywhere else in COSE. It is fine to write security considerations to recommend the COSE_Keys used with COSE-HPKE should have an “hkc” parameter. It is also OK to use EC keys in PEM files, in RFC 8230 format and such with COSE-HPKE.
Even if we wrote that only COSE_Keys with the “hkc” parameter MUST be used with COSE-HPKE, lots of people will have to ignore that because that giant database of EC keys they have already, or that HSM model they use doesn’t support COSE_Key.
LL
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
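Added example, not part of the original message or of draft-ietf-cose-hpke: a sketch of the key-use check that the proposed "hkc" text implies, with a decoded COSE_Key modelled as a Python dict. The "hkc" label, the HPKE-v1-BASE value and the kem/kdf/aead layout inside "hkc" are assumptions, since the message gives no encodings for them.

```python
# Added example: models the key-use rule sketched in the message above.
# A decoded COSE_Key is represented as a plain dict (no CBOR library needed).
KTY, ALG = 1, 3                 # COSE_Key common parameter labels (RFC 9052)
HKC = "hkc"                     # placeholder label: the message assigns no integer
HPKE_V1_BASE = "HPKE-v1-BASE"   # placeholder alg value: no integer given either


def check_hpke_use(key, kem, kdf, aead):
    """Return (allowed, reason) for using `key` with one HPKE KEM/KDF/AEAD triple."""
    alg = key.get(ALG)
    if alg is None:
        # No alg parameter means no algorithm restriction on the key.
        return True, "unrestricted key"
    if alg != HPKE_V1_BASE:
        return False, "key is restricted to a different algorithm"
    hkc = key.get(HKC)
    if hkc is None:
        # alg = HPKE-v1-BASE without hkc violates the MUST in the proposed text.
        return False, "alg is HPKE-v1-BASE but hkc is missing"
    # Assumed hkc layout: a map of three lists keyed "kem", "kdf" and "aead".
    for name, wanted in (("kem", kem), ("kdf", kdf), ("aead", aead)):
        if wanted not in hkc.get(name, ()):
            return False, f"{name} 0x{wanted:04x} not listed in hkc"
    return True, "permitted by hkc"


# Constructed sample keys (key material omitted; only the policy fields matter).
# HPKE ids per RFC 9180: KEM 0x0010 = DHKEM(P-256, HKDF-SHA256),
# KDF 0x0001 = HKDF-SHA256, AEAD 0x0001 = AES-128-GCM, 0x0002 = AES-256-GCM.
RESTRICTED = {KTY: 2, ALG: HPKE_V1_BASE,
              HKC: {"kem": [0x0010], "kdf": [0x0001], "aead": [0x0001]}}
MISSING_HKC = {KTY: 2, ALG: HPKE_V1_BASE}
PLAIN_EC2 = {KTY: 2}            # e.g. a legacy EC key converted to a COSE_Key
ES256_ONLY = {KTY: 2, ALG: -7}  # -7 is ES256, a signature algorithm

if __name__ == "__main__":
    for label, key, aead in (("restricted, AES-128-GCM", RESTRICTED, 0x0001),
                             ("restricted, AES-256-GCM", RESTRICTED, 0x0002),
                             ("missing hkc", MISSING_HKC, 0x0001),
                             ("plain EC2", PLAIN_EC2, 0x0001),
                             ("ES256 only", ES256_ONLY, 0x0001)):
        print(label, "->", check_hpke_use(key, 0x0010, 0x0001, aead))
```

A key with no alg parameter passes, matching the point that existing EC keys remain usable with COSE-HPKE; only a key that declares HPKE-v1-BASE is held to its "hkc" list.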
