chris-wood
commented
9 months ago The HPKE limit was written with the intent of helping implementations that allocate on the stack choose some reasonable size. I don't know if we need to note anything here given that the HPKE construction doesn't technically impose such a limit, though I'd be happy to review text. I'm going to close this on that basis, but please feel free to reopen with a PR that suggests text for review.
HPKE (RFC9180) section 7.2.1 recommends 64 octets as a max for info. That's too short for ECH which requires 8+len(ECHConfig) and ECHConfig is extensible. Suggest adding at least a note about that in ECH, section 7.1. Not sure what value would be reasonable for guidance and/or selecting an HPKE implementation to use. My HPKE code supports up to 1024 for now which seems to work in ECH tests.
https://www.rfc-editor.org/errata/eid7251 is related, but also needs an edit to handle this.