> On Jun 20, 2025, at 6:42 AM, Michael Richardson <[email protected]> wrote:
>
> Laurence Lundblade <[email protected]> wrote:
>> I am very sure that HPKE security was thought through. It went through
>> the IRTF, not the IETF. COSE HPKE however brings a COSE layer that
>> didn’t go through the IRTF — my first concern.
>
> I haven't finished my review, but I think it would be pretty hard for COSE to
> break RFC9180. A few people who were involved in CFRG are involved here.

Yes, very much agree. IMO, HPKE is one of the most solid security protocols out there.

> Do you have a specific concern that I'm missing?

Yes. In multi-recipient [3.1.2.1] COSE-HPKE, only the content encryption key is secured by HPKE. The content itself is secured outside of HPKE and may be secured by a non-AEAD algorithm (this is allowed because this algorithm functions outside HPKE).

It is next_layer_alg in Recipient_structure that protects the non-AEAD algorithm ID. Recipient_structure is secured by HPKE.

LL

[3.1.2.1] https://www.ietf.org/archive/id/draft-ietf-cose-hpke-13.html#name-hpke-key-encryption-mode
