On Mon, Nov 14, 2022 at 04:07:48PM -0600, Orie Steele wrote:
> Thanks again! Responses inline:

Responding to broad points:

OKP always requires crv. Which is just horribly named: OKP MAY be used for lattices, in which case not only is crv used, but the lattice goes to the "COSE Elliptic Curves" registry, despite not being anything to do with elliptic curves. And then, the BLS curve, while being an elliptic curve, is not the kind of elliptic curve as understood by COSE/JOSE (otherwise it would be EC2/EC like the usual elliptic curves).

Actually, the problem with fixing alg for JWE keys is not between single and multiple recipients, but between compact and JSON serialization of JWE. And a similar issue already exists for ECDH-ES: If a key has alg=ECDH-ES, it can be used with compact serialization, but not JSON serialization, limiting it to a single recipient. Conversely, if a key has alg=ECDH-ES+A*KW, it can be used with JSON serialization (generic or flattened), but not compact serialization.

In COSE, the constraints are a bit different: ECDH-ES+HKDF* can be used with multiple recipients, at the cost of extra space. And using ECDH-ES+A*KW costs space if there is only one recipient. And similarly for ECDH-ES* -> KEM+SHA3KDF*

There is no way to limit COSE encryption keys to HKDF-SHA256, since the only possible scopes of restriction are encryption (which is too loose) and algorithm (which is too strict).

The combinatorial explosion would occur between KEMs, KDFs and KWs. Adding just the three Kyber variants would give at least 6 alg's, with more appearing if there are additional KEMs. Obviously, using a generic KEM in alg avoids it.

E.g., the proposed four alg's:

- KEM+SHA3KDF (probably just shorten to "KEM")
- KEM+SHA3KDF+A128KW (probably shorten to "KEM+A128KW")
- KEM+SHA3KDF+A192KW (probably shorten to "KEM+A192KW")
- KEM+SHA3KDF+A256KW (probably shorten to "KEM+A256KW")

(The reason for using SHA-3 for KDF is that whatever the KEM is, it most probably internally involves either SHA-3 or SHAKE).

-Ilari
