On Thu, Oct 23, 2025 at 11:55:45AM +0200, Filip Skokan wrote:
> The reasoning behind adding Recipient_structure in the first place eludes
> me, it is not explained in the doc, its change history, or the actual PR it
> was added in, nor do I recall a message on the list where its inclusion was
> meant to resolve feedback.

What it seems to be for:

- Cryptographically separate the modes (I requested this)
- Bind the bulk cipher. Not needed because of the AEAD requirement, but
  okay.
- Bind attributes to the recipient. However, the attributes are NOT
  authenticated, and thus nothing prevents an adversary from specifying
  arbitrary values. Thus the attributes cannot be trusted.
- Bind AAD to the recipient. This is also problematic in that nothing
  else in JWE supports such a facility and that usually one wants to bind
  context to the message as a whole, not to an individual recipient.

Thinking about this, the COSE-HPKE also tries to bind attributes to the
recipient and fails in the same way. On binding AAD, there is plenty of
other stuff in COSE that also has that.

-Ilari
