Dear Hannes, all,

I focused on reading RFC9180 and its application in this document.

Just one high-level comment/question. Since HPKE depends on message reordering and message loss of other mechanisms (RFC9180 Section 9.7.1. Message Order and Message Loss), here I put the text of interest:

“Applications that allow for multiple invocations of Open() / Seal() on the same context MUST enforce the ordering property described above. (...). HPKE is not tolerant of lost messages. Applications MUST be able to detect when a message has been lost. When an unrecoverable loss is detected, the application MUST discard any associated HPKE context.”

What does this imply for the “HPKE Key Encryption Mode” which targets multiple recipients? Can/If we detect one Recipient did not get the message, we discard both contexts? How do we handle this, is it out of scope? It is not clear to me. I would like some clarification (and maybe this clarification can enhance the “Security Considerations” sections of the document).

Some other comments, a bit more narrow:

§ 3.1

“This specification supports two modes of HPKE in COSE”

s/supports/defines ?

Suggestion just to dissipate confusion, as “supports” gives the impression that these “modes” implement equivalent “HPKE modes”, which is not the case (here we define new things: “HPKE Direct Encryption mode” and “HPKE Key Encryption mode”).

“HPKE defines several authentication modes, as described in Table 1 of [RFC9180]. In COSE HPKE, only 'mode_base' and 'mode_psk' are supported.”

In RFC9180 the modes are not called “authentication modes” but simply “HPKE modes”, and the “mode_base” offers no (Sender) authentication. To avoid misimpressions I will suggest:

s/authentication modes/modes
s/'mode_psk'/'mode_psk' (providing Sender Authentication)

§ 3.1.2.2.

“HPKE itself covers the attacks that recipient_aad (and COSE_KDF_Context (and SP800-56A)) are used to mitigate.”

Avoid parentheses within parentheses?

§ 5. Examples

Examples which use HPKE 'mode_psk' ('psk_id' parameter present) will be useful.

Have a good end of the week.
Regards,
Renzo

On Fri, Jun 20, 2025 at 4:40 PM Hannes Tschofenig <[email protected]> wrote:
>
> Hi Mike, hi all,
>
> I have received a few comments, which I have been trying to address via PRs, see https://github.com/cose-wg/HPKE/pulls
>
> I have been working on code for the draft and have changed it over the (rather long) lifetime of the document. I have again been updating the code to regenerate the examples. The code can be found here: https://github.com/laurencelundblade/t_cose/pull/280
>
> Ciao
> Hannes
>
> Sent: Wednesday, June 4, 2025 at 22:28
> From: "Michael Jones" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [COSE] WGLC for draft-ietf-cose-hpke-13
>
> This note starts a two-week Working Group Last Call (WGLC) for the Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE) specification https://www.ietf.org/archive/id/draft-ietf-cose-hpke-13.html. The WGLC will run for two weeks, ending on Friday, June 20, 2025.
>
> Please review and send any comments or feedback to the COSE working group at [email protected]. Even if your feedback is “this is ready for publication”, please let us know.
>
> Note that this WGLC is intentionally running concurrently with a JOSE WGLC for https://www.ietf.org/archive/id/draft-ietf-jose-hpke-encrypt-08.html because the drafts are closely related and their functionality is intended to be aligned. Please reply to the JOSE WGLC on the [email protected] mailing list.
>
> Thank you,
>
> -- Mike and Ivaylo, COSE Chairs
>
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
