However, it doesn’t seem so strongly stated in 9052 that we couldn’t consider an alternative. If I understand correctly, Illari recently suggested that external_aad be an empty bstr in COSE_Recipients.
I see some implementation benefits to this. The Externally Supplied AAD would only be processed at layer 0 and wouldn't have to be passed to COSE_Recipient creation, saving some code. Theoretically, Externally Supplied AAD can be large, which means you have to either have a buffer to hold the entire Enc_structure. While you can’t avoid this at layer 0, it might be nice to avoid it at layer 1.
I don’t see a security issue here. The Externally Supplied AAD is covered just fine at layer 0.
We could specify this only for HPKE.
I don’t think this is a big deal either way and what’s in the -04 draft is OK, but thought I’d bring up the alternative.
Also, it seems like there should be Errata for 9052 here. It could say either it is always Externally Supplied AAD, always an empty bstr or it varies with the key distribution method.
Laurence wrote: