My vote (that doesn't count because I'm a tourist in JOSE):
Fully specified is useful so that devs don't need to fish around in the guts of RFCs to figure out what actually makes up a given cipher suite. Short-forms over the wire are also fine. I have a slight preference for `HPKE-0` rather than `HPKE10-1` because A) if you have to look it up, then you have to look it up, and B) this scheme may not extend well to hybrid KEMs. (I put the same comment on the github issue)

---
Mike Ounsworth

From: Neil Madden <[email protected]>
Sent: Friday, December 6, 2024 2:16 AM
To: Michael Jones <[email protected]>
Cc: [email protected]
Subject: [EXTERNAL] [jose] Re: JOSE HPKE algorithm identifiers

On 5 Dec 2024, at 20:15, Michael Jones <[email protected]> wrote:

Please see the discussion in the issue https://github.com/ietf-wg-jose/draft-ietf-jose-hpke-encrypt/issues/8 (Algorithm identifiers like HPKE-P256-SHA256-A128GCM are overly verbose) and add your thoughts there.

Given that one of the primary motivators of HPKE is use of post-quantum KEMs, I’d have thought the length of the algorithm identifiers was the least of the size issues. Even the smallest ML-KEM ciphertexts are over 1KB when base64-encoded. A few bytes for an algorithm identifier seems neither here nor there.

— Neil
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
