Internet-Draft | COSE Key and JWK Representation for HPKE | January 2023 |
Ajitomi | Expires 27 July 2023 | [Page] |
This document defines an additional key parameter and a new key type for CBOR Object Signing and Encryption (COSE) Key and JSON Web Key (JWK) to represent a Key Encapsulated Mechanism (KEM) key configuration of Hybrid Public Key Encryption (HPKE).¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://dajiaji.github.io/i-d-cose-key-jwk-hpke/draft-ajitomi-cose-key-jwk-hpke.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ajitomi-cose-key-jwk-hpke/.¶
Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/.¶
Source for this draft and an issue tracker can be found at https://github.com/dajiaji/i-d-cose-key-jwk-hpke.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 July 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Standardized by the Internet Research Task Force (IRTF), HPKE has already been adopted in several communication protocol specifications such as Encrypted Client Hello (ECH), Oblivious DNS over HTTP (ODoH) and Oblivious HTTP (OHTTP). The HPKE itself is communication protocol independent and can be widely used as a standard scheme for public key based end-to-end encryption in various applications, not only in communication protocols.¶
In HPKE, the sender sending a ciphertext needs to know in advance the KEM supported by the recipient and its public key, as well as the HPKE mode, the set of supported KDF and AEAD algorithms. For example, ECH defines this information as a structure called HpkeKeyConfig. The way in which this information is exchanged is out-of-scope of the specification, but it is assumed that it is obtained in advance by the sender, for example via DNS HTTPS RRs.¶
This document defines how to represent the HPKE KEM key configuration information corresponding to the ECH HpkeKeyConfig in COSE_Key and JWK. Specifically, this document defines (1) a key parameter for defining the HPKE KEM configuration information in existing key types that can be used for key derivation and (2) a generic key type for HPKE that can also be used to represent a post-quantum KEM to be specified in the future.¶
The ability to include HPKE-related information in JWKs, which are widely used as public key representations at the application layer, and their binary representation, COSE_Key, will facilitate the use of HPKE in a wide variety of web applications and communication systems for constrained devices.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The KEM key configuration information is defined as a common key parameter of JWK and COSE_Key. The parameter can be specified in the key that can be used for key derivation. In addition, the handling of existing common key parameters is also defined.¶
The KEM key configuration parameter for JWK is defined as follows:¶
"hkc" (HPKE Key Configuration): The parameter MUST contain the object consisting of the following three attributes. A JWK used for HPKE KEM MUST have this parameter.¶
The restrictions on the use of existing common key parameters in a JWK for the HPKE KEM are as follows:¶
"alg": The parameter MUST be one of the following values if specified. If omitted, it MUST be treated as "HPKE-v1-Base".¶
The KEM key configuration parameter for COSE_Key is defined as follows:¶
HPKE_Key_Configuration = [ kem: uint, ; KEM identifier kdfs: uint / [+uint], ; KDF identifiers aeads: uint / [+uint], ; AEAD identifiers ]¶
+---------+----------------+-------------+----------------------+ | Name | CBOR Type | Value | Description | | | | Registry | | +---------+----------------+-------------+----------------------+ | kem | uint | HPKE KEM | The KEM identifier | | | | Identifiers | bound to the key | | | | | | | kdfs | uint / [+uint] | HPKE KDF | The KDF identifiers | | | | Identifiers | supported by the | | | | | recipient | | | | | | | aeads | uint / [+uint] | HPKE AEAD | The AEAD identifiers | | | | Identifiers | supported by the | | | | | recipient | | | | | | +---------+----------------+-------------+----------------------+¶
The restrictions on the use of existing common key parameters in a COSE_Key for the HPKE KEM are as follows:¶
A generic key type for the HPKE KEM keys including a post-quantum KEM defined in the future is defined. Even KEM keys that can be represented by existing key types can use the generic key type defined here.¶
A new generic key type (kty) value "HPKE-KEM" is defined to represent the private and public key used for the HPKE KEM. A key with this kty has the following parameters:¶
A new generic kty(1) value HPKE-KEM(T.B.D.) is defined to represent the private and public key used for the HPKE KEM. A key with this kty has the following parameters:¶
TODO¶
TODO acknowledge.¶