Thursday, 24 July 2025
17:00 - 19:00 (UTC +2)
Patio 3
Session Recording:
https://meetecho-player.ietf.org/playout/?session=IETF123-JOSE-20250724-1500
These minutes have been summarized at a very high level. There are time
indications that will direct you to the recording of the session (linked
above) to allow you to look at the recording, meeting chat, and session
transcript for more details.
Admin, Agenda Bash, document status (Chairs, 10 min)
Slides:
https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-jose-wg-chair-slides-00
Chairs covered Note well, agenda, and solicited a minute taker.
WG Document status:
Fully Specified Algorithms for JOSE and COSE
https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/
is in the RFC Editor queue.
JSON Web Proof Drafts (30 min)
Slides:
https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-json-web-proof-00
Time reference: 00:04:20
* JSON Web Proofs
https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-proof/
* JSON Proof Algorithms
https://datatracker.ietf.org/doc/draft-ietf-jose-json-proof-algorithms/
* JSON Proof Token
https://datatracker.ietf.org/doc/draft-ietf-jose-json-proof-token/
David Waite described updates to the JWP specs since IETF 122,
especially updates to the single-use algorithms. He also brought up
three open issues and solicited reviews, implementations, and next
steps. Work will continue on the mailing list and github.
Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for JOSE and
COSE (T. Reddy, 10 min)
https://datatracker.ietf.org/doc/draft-ietf-jose-pqc-kem/
Slides:
https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-pq-kems-for-cose-and-jose-01
Time reference: 00:25:05 minutes
Tiru Reddy presented the update on the document. Discussion and
questions followed.
Filip Skokan: In ECDH private is set to be an empty octet, how is that
dealt with. If the peers have negotiated private information out of band
it should go there, otherwise it will be set to an empty string.
Filip Skokan: I don't think having the same key for two modes is useful
or needed
Daniel Huigens: When exporting a JWK, an ML-Kem the cryptop API doesn't
know which algorithm. So why not define an algorithm id for this.
Brian Campbell: Maybe there is something to look at but this is not an
impetus for changing the key type.
Seek input from the WG on the key type to be used.
Poll - Should OKP be used for PQC KEM Keys
Yes 0 / No 5/ No Opinion 7
Poll - Should we use AKP
Yes 5 / No 1 / No Opinion 10
JOSE: Deprecate 'none' and 'RSA1_5'
https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/
Time reference: 00:40:20
Brian Campbell: Promised a review last time but didn't get to it. Will
do for the next cycle. Draft progressing OK, author having issues with
his employment situation so this draft hasn't been top of the priority
list.
Michael Jones: Was asked to review, review has been posted, substantive
stuff is OK, needs some references.
PQ/T Hybrid KEM: HPKE with JOSE/COSE (T. Reddy, 10 min)
https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid-hpke/
Time reference: 00:42:45
Topic moved up in agenda to accommodate HPKE discussion.
Mike Jones: Last time there was a decision to put all our effort into
finishing the JOSE HPKE spec before taking on a new HPKE draft.
Chair: We will reconsider after we do the existing HKPE draft.
Designated Verifier Signatures for JOSE (Stefan Santesson, 10 min)
https://datatracker.ietf.org/doc/draft-bastian-jose-dvs/
Slides:https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-designated-verifier-signatures-for-jose-00
Time reference: 00:48:11
Mike Jones: Prefer using the existing algorithms and then separately
derrive the key, less duplication of work.
Stefan: I agree
Filip Skokan: I disagree, will lead to issues like we had with RSA
signature stripping, we have been doing fully specified algorithms.
Stefan: If you are going to verify a Designated signature you are going
to have to present the shared secret and the signature and that is two
parameters.
Filip Skokan: Will raise issue on list
Brian Campbell: Query on relationship between the blinding part and the
confirmation method.
Stefan: This draft is about the HMAC piece, not the blinding. It just
describes how to derrive a shared secret from a public key.
Brian Campbell: Seems like the second approach is mixing application
layer constructs into the JWS and that is bad.
Stefan: So you Would like the algorithm identifier completely specify
the processing.
PHB: that ECDH signatures are somewhat fragile and easy to get burned.
Would like to be restrictive.
Stefan: Share the view that there should be one way to do it.
Chair: Further discussion on the mailing list. No call for adoption yet.
PQ/T Hybrid Composite Signatures for JOSE and COSE (Lucas Prabel, 10
min)
https://datatracker.ietf.org/doc/draft-prabel-jose-pq-composite-sigs/
Time Reference:
Filip Skokan: What Brian says resonates.
Use of Hybrid Public Key Encryption (HPKE) with JSON Object Signing
and Encryption (JOSE) (30 min)
https://datatracker.ietf.org/doc/draft-ietf-jose-hpke-encrypt/
Note: There are two presenters for this draft, and the agenda was
adjusted so that this discussion was in the second hour of the
meeting to allow interested parties to participate.
Brian Campbell Slides:
https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-bc-on-jose-hpke-00
Mike Jones Slides:
https://datatracker.ietf.org/meeting/123/materials/slides-123-jose-jose-hpke-00
Time Reference: 01:09:02
Brian Campbell stated that he has skin in the game because his company
Ping Identity uses JWE and he's the author of the jose4j JOSE
implementation. He expressed concerns over the fact that HPKE integrated
encryption does not match the JWE model. Brian stated that JOSE HPKE
would have to update RFC 7516 to allow the integrated encryption
represention, which it currently doesn't.
Filip Skokan: What Brian says resonates.
Mike Jones: Reviewed updates to JOSE HPKE draft incorporating feedback
received during IETF 122 and during WGLC. Mike apologized for the draft
not presently updating RFC 7516, even though it says in the body of the
spec that it does. He asked if anyone knows the correct Kramdown syntax
for doing this. Mike's presentation contained three questions for the
working group to decide so that the working group can finish the
specification
Chair Karen O'Donoghue ran polls for each of the three questions
Chair: Any discussion on asking question? (None)
Poll: Should the WG Uodate RFC7516
Yes 9 / No 0 / No Opinion 4
Chair: There is WG support for updating rather than replacing RFC
7516
How to signal integrated encryption?
Filip Skokan: Don't think we can answer this yet.
Joseph Heenan: Didn't Brian Suggest an alternative option?
Tirumalswar Reddy: Can't see a downgrade attack possibility
Brian: The problem isn't a downgrade attack, it is the problem of
HPKE having to co-exist in the deployed infrastructure.
Leif: I don't care enormously but it is fine.
Joe Salowey: If the implementations are such that there can be
confusion, there is a problem.
Poll: Should the WG Pick a different syntax other than 'enc':'int'?
Yes 0 / No 7 / No Opinion 14
Chair: No consensus on this question.
Poll: Define new JWE Key Management Mode?
Yes 11 / No 0 / No Opinion 5
Chair/AD : Take to the list
Mike: The editors will produce a draft defining this new key management
mode for working group review.
PQ/T Hybrid Composite Signatures for JOSE and COSE (Lucas Prabel, 10
min)
https://datatracker.ietf.org/doc/draft-prabel-jose-pq-composite-sigs/
Time Reference: 02:00:15
Lucas Prablel introduced the draft in the last few minutes of the
meeting.
There was not enough time for any discussions or decisions. He feels it
is ready for working group call for adoption.
Chairs will send an email soliciting comments on whether we are ready to
do a call for adoption.
The meeting adjourned.