Hi COSE WG,

I am reading through the COSE RFCs and there is an inconsistency I want to dig into.

RFC 9053 6.1.2 states:

> Either the "salt" parameter for HKDF (Table 9) or the "PartyU nonce"
> parameter for the context structure (Table 10)
> MUST be present (both can be present if desired). The value in the
> "salt"/"nonce" parameter can be generated
> either randomly or deterministically. The requirement is that it be a unique
> value for the shared secret in question.

However, example "hmac-sha-256-08.json" from the GitHub Examples repo provides an example of "direct+HKDF-SHA-256" without providing either a PartyU nonce or a salt:

https://github.com/cose-wg/Examples/blob/master/hkdf-hmac-sha-examples/hmac-sha-256-08.json

Along the lines of the GitHub example, RFC 9053 5.1 discusses that a salt or PartyU nonce may not be required in certain cases:

> When using a good random shared secret of the correct length, the extract
> step can be skipped.
> ...
> The extract step cannot be skipped if the secret is not uniformly random

So I'm curious:

* Is Section 6.1.2 incorrect and it is OK to use "direct+HKDF-SHA-256" without a salt/PartyU nonce as long as your input secret is "uniformly random" as described in section 5.1?
* Or is section 6.1.2 correct and you "MUST" always have a salt or PartyU nonce, and hmac-sha-256-08.json is non-compliant with the COSE RFC?

Or am I missing a different nuance here?

If this isn't the right forum to discuss old RFCs, I can make my best guess as to the intention (which is to probably change 6.1.2 to use "SHOULD" instead of "MUST"), and submit that as an errata to start off the discussion there.

Appreciate your insights here,

Nate Jones

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
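The following is an added illustration, not part of the message above and not code from the COSE Examples repository. It implements HKDF-SHA-256 per RFC 5869 with only the standard library, checks itself against RFC 5869 test case 1, and then derives a key from one constructed 32-byte shared secret in the three ways the two RFC sections can be read: with an explicit salt, with no salt (which RFC 5869 defines as a HashLen-byte string of zeros), and with the extract step skipped entirely (PRK = IKM). A PartyU nonce would be carried in the COSE_KDF_Context, i.e. in the HKDF `info` input rather than the salt; the context bytes here are a labelled placeholder, not a real CBOR-encoded context. The point the comparison makes is that the three outputs are all different, so whichever reading is correct, the two sides of a "direct+HKDF-SHA-256" exchange must agree on it.

```python
import hmac
import hashlib
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: Optional[bytes], ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, Section 2.2). An absent or empty salt is
    replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, Section 2.3)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_key(ikm: bytes, info: bytes, length: int,
               salt: Optional[bytes] = None, skip_extract: bool = False) -> bytes:
    """Derive a key with HKDF-SHA-256. With skip_extract=True the IKM is used
    directly as the PRK, i.e. the extract step is omitted (one reading of
    RFC 9053 Section 5.1 for a uniformly random shared secret)."""
    prk = ikm if skip_extract else hkdf_extract(salt, ikm)
    return hkdf_expand(prk, info, length)


def rfc5869_test_case_1() -> bytes:
    """Sanity check of this implementation against RFC 5869 Appendix A.1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    return derive_key(ikm, info, 42, salt=salt)


# Constructed inputs for the comparison below (not taken from the COSE
# examples repo): a 32-byte shared secret, a placeholder standing in for the
# serialized COSE_KDF_Context that a real implementation passes as "info"
# (a PartyU nonce would live inside that structure), and an HKDF salt.
SHARED_SECRET = bytes(range(32))
KDF_CONTEXT_PLACEHOLDER = b"COSE_KDF_Context placeholder (constructed)"
SALT = bytes.fromhex("a1b2c3d4e5f60718")  # constructed value for the "salt" header


def compare_variants() -> dict:
    """Return the three derivations a sender and receiver could disagree on."""
    return {
        "with_salt": derive_key(SHARED_SECRET, KDF_CONTEXT_PLACEHOLDER, 32, salt=SALT),
        "no_salt_zero_default": derive_key(SHARED_SECRET, KDF_CONTEXT_PLACEHOLDER, 32),
        "extract_skipped": derive_key(SHARED_SECRET, KDF_CONTEXT_PLACEHOLDER, 32,
                                      skip_extract=True),
    }


if __name__ == "__main__":
    for name, key in compare_variants().items():
        print(f"{name:22s} {key.hex()}")
```

Running it prints three distinct 32-byte keys. Omitting the salt is not the same operation as skipping extract: the former still runs HMAC with a zero key over the secret, the latter feeds the secret straight into expand, so an implementation that "skips extract" on the sender side will not interoperate with a receiver that simply leaves the salt absent.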
