On Thu, Aug 07, 2025 at 02:00:49PM +0200, Filip Skokan wrote: > > Please publish a revision that reverts back to using AKP. There was no > consensus on switching away from AKP in the first place, and the vote that > was requested on whether to use OKP resulted in a clear "No". I ask that > you publish with AKP again because the longer a latest draft shows the use > of OKP the more likely it is that implementations will pick up on it, which > they shouldn't.
Why they should not? OKP is the correct key type for ML-KEM key — despite looking odd, which I suspect is behind many of those "no". Furthermore: - alg=MLKEM* keys are a footgun, similarly as alg=ECDH is a footgun, and almost always what you actually wanted was use=enc, which ML-KEM keys implicitly have anyway. - It is impossible for an implementation to confuse ML-KEM and ML-KEM+AESKW in security-relevant ways due to cryptographic separation and both using the same keys. - When using AKP for keys it should not be used for — e.g., anything for DKA — it is possible for an implementation to confuse AKP keys in nasty — for interoperability — ways. Worse, there might even be an incentive to do so. - JOSE does not guarantee that recipient uses JWK for keys. If the recipient has non-JWK ML-KEM key, interoperability requires generic ML-KEM keys, including public keys. * Similarly for COSE and COSE_Key. -Ilari _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
