Closed OR13 closed 3 months ago
It looks specific to HPKE KEM because "ek" is not required with PQC KEM (e.g., Kyber).
I'd feel much better about this after seeing examples of Kyber / RSA KEM that are not using this draft.
PQC KEM Encaps only outputs ciphertext and shared secret (see https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-02.html#section-10.1). The sender has to only send ciphertext to the recipient unlike HPKE Seal (but equivalent to HPKE Encap). It looks like we will need a separate draft to explain how JWE works with Kyber.
I wonder if the proposal to concat enc and ct is worth revisiting in light of this.
Should this kty say "ek" is only "enc" as produced from an HPKE KEM, or should it say "ek" is any "encapsulated key" from "any KEM"?