On Tue, Dec 02, 2025 at 01:45:46PM -0600, Orie wrote:
> Hi,
>
> I'm supportive of not giving JOSE / COSE implementers 2 PQ
> migration strategies to consider.
>
> The design goals I had in mind were (still are):
>
> - Crypto libraries that power JOSE, should be able to power COSE.
> - Algorithms and Key Formats should be aligned between JOSE and COSE for
>   PQC.

Note that in COSE, any Integrated Encryption can be used as Key
Encryption (RFC 9052 Section 5.3). Thus, there is only one algorithm
per HPKE cipher suite, not two.

> - The same PQ and PQ/T options should be available for both.
> - Minimal changes to both JOSE and COSE to support KEMs, where changes are
>   required, have them be consistent.

While JOSE needed changes for Integrated Encryption, COSE needs no
changes.

> In short, I hope we could modernize both JOSE and COSE while deferring
> significant cryptographic responsibility to HPKE.
>
> I'm supportive of doing that, and I would prefer if there was not a similar
> but slightly different way of doing PQ, that would require different
> security analysis, and lead to different classes of attack.

ECDH-ES in COSE and JOSE is rather hair-raising cryptographically
(fortunately without any major attacks). KEMs would already avoid the
most major issues.

-Ilari
