Closed HBrock closed 1 year ago
The WG recommended use of HPKE for establishing a shared secret key. Today HPKE specifies only a D-H based KEM in RFC9180 Section 4.1. To be independent of HPKE, this document could also use the approach shown in https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/, relying only on the availability of a KeyGen, Encapsulate, and Decapsulate function. This would ease this specification and allow further reuse of profiling KEM algorithms for use in CMS. What do others think?
Authors meeting 3.2.23: I will submit a version including the HPKE SendExportBase based approach and then I will provide an update providing the plain KEM+KDF approach as this is the preferred choice of the group.
The change to plain KEM+KDF will be submitted with version -05.
The change to plain KEM+KDF was presented to IETF116 and supported.
https://datatracker.ietf.org/doc/html/draft-celi-wiggers-tls-authkem-01#section-3.1 uses SetupExport. https://lamps-wg.github.io/cmp-updates/draft-ietf-lamps-rfc4210bis.html#section-5.1.3.4 uses SendExportBase. Are there reasons for using SetupExport + KDF instead of SendExportBase?