ECDH recommended curves

[troyronda]

Section 6: Implementation Requirements

The JWS paragraph lists RECOMMENDED curves but the JWE paragraph doesn't explicitly list the RECOMMENDED curves.

I assume from the JWS paragraph (having P-256 and Ed25519) that JWE RECOMMENDED is intended to include:

• P-256
• X25519

[tplooker]

Yeap I agree we need to stipulate this, related to #25.

[tplooker]

Currently the specification states

ECDSA using the P-256 curve and SHA-256 hash algorithm ("ES256") MUST be implemented by conforming JWM implementations. It is RECOMMENDED that implementations also support ECDSA using the P-521 curve and the SHA-512 hash algorithm ("ES512") and EdDSA using the Ed25519 curve and SHA-512 hash algorithm.

And

Support for encrypted JWMs using JWE is also REQUIRED. Of the encryption algorithms specified in , using Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) with the P-256 curve to agree upon a key and using this key to to perform key wrapping of a Content Encryption Key ("ECDH-ES+A128KW" and "ECDH-ES+A256KW") MUST be supported. With regards to content encryption, AES in Galois/Counter Mode (GCM) with 128-bit and 256-bit keys ("A128GCM" and "A256GCM") MUST also be supported. It is RECOMMENDED that implementations also support ECDH-ES and key wrapping variants using the X25519 curve also.

Would we rather make the MUST the edwards based ECC curves for EdDSA and X25519 for ECDH-ES? Where the P-curves are optional @troyronda @kdenhartog?

[kdenhartog]

I like the consolidation of the cryptography this gives us. However, I'm internally debating whether we want to remove this section here and allowing JWMs to work with any valid JWE entry in the registry. Then we would add it at the DIDComm layer I would think.

If we were to include it here, yes, I would likely go MUST support Ed25519 with EdDSA and MUST support X25519 for ECDH operations. Then making the P-curves optional just as you pointed out the post above.