Markdown Version | Transcript | Session Recording | Session Materials

Session Date/Time: 17 Mar 2026 01:00

JOSE

Summary

The JOSE Working Group met at IETF 125 to discuss the status of active drafts, specifically focusing on JSON Web Proofs (JWP), Post-Quantum Cryptography (PQC) transitions, and algorithm registrations for Hybrid Public Key Encryption (HPKE). Key leadership changes were announced, including Michael Jones as the new co-chair and Deb Cooley continuing as the Area Director (AD). A significant portion of the meeting was dedicated to debating the necessity of standalone PQ KEM drafts versus HPKE-based PQ mechanisms and coordinating overlapping proposals for PQC registrations.

Key Discussion Points

Working Group Status and Administration

• Chairs and ADs: Karen O'Donoghue introduced Michael Jones as the new co-chair, replacing John Mattsson. Deb Cooley remains the AD.
• Document Status:
  • The HPKE framework document has been forwarded to the IESG.
  • draft-ietf-jose-deprecate-none-rsa15: Updates have been made to address previous consensus calls regarding wording. The chairs noted it is ready for Working Group Last Call (WGLC).

JSON Web Proof (JWP)

Presentation: JSON Web Proof Update (Mike Jones, David Waite)

• Technical Updates:
  • Introduced proof_alg for keys to distinguish between JWA/COSE algorithm registries and the specific proof algorithm registry.
  • Implemented deterministic inputs for examples to prevent unnecessary diffs in CI/CD builds.
• Future Work:
  • Partial Disclosure: Discussion on adding the ability to disclose parts of a claim (arrays/structures), similar to SD-JWT.
  • BBS Extensions: Mike Jones discussed BBS blind signatures and per-verifier identifiers.
  • Community Feedback: Brent Zundel and John Bradley emphasized that blind signatures are core to the utility of BBS. John Bradley noted the need to coordinate with ETSI on BBS work to avoid divergence.

Post-Quantum Key Encapsulation Mechanisms (PQ KEMs)

Presentation: PQ KEMs for COSE AND JOSE (Tiru Reddy)

• Draft: draft-ietf-jose-pqc-kem
• Technical Changes: The draft now uses the AKP (Algorithm Keypair) key type and provides separate algorithm identifiers for direct key agreement and key wrap.
• Discussion on Necessity:
  • Mike Jones and Brent Zundel questioned the need for this draft given the availability of HPKE for PQ/Hybrid transitions. They expressed concern over fracturing the ecosystem with redundant mechanisms.
  • Tiru Reddy and John Mattsson argued that this provides a simpler, minimalistic migration path for deployments (like the LAKE WG/constrained devices) that do not require the full HPKE feature set.
  • Deb Cooley suggested the possibility of splitting the draft to move the COSE-specific portions to the COSE WG if JOSE consensus was not reached.

PQ/T Hybrid Composite Signatures

Presentation: PQ/T Hybrid Composite Signatures for JOSE and COSE (Lucas Pardue)

• Draft: draft-ietf-jose-pq-composite-sigs
• Updates: Includes new test vectors for all combinations and an expanded security considerations section focusing on the lack of strong unforgeability (SUF-CMA).
• Feedback Requested: The working group was asked to review the list of registered algorithms and the security section.

HPKE Post-Quantum Registrations

Presentations:

1. JOSE HPKE PQ & PQ/T Algorithm Registrations (Brian Campbell, Philip Blum)
2. Post-Quantum and Hybrid KEMs for HPKE with JOSE and COSE (Tiru Reddy, Hannes Tschofenig)

• Comparison of Proposals:
  • The Campbell/Blum proposal focuses strictly on JOSE, utilizing automation for test vectors and paring down algorithm options (omitting ML-KEM 512).
  • The Reddy/Tschofenig proposal (draft-ietf-jose-pqc-hybrid-hpke) covers both JOSE and COSE and includes ML-KEM 512.
• Discussion:
  • Algorithm Selection: There was debate over including ChaChaPoly and the necessity of P-384/ML-KEM 1024 hybrids.
  • Alignment: Brian Campbell argued against strictly coupling JOSE and COSE work if it introduces unnecessary complexity or delays. Tiru Reddy advocated for a single document to maintain alignment.
  • Security Strengths: Deb Cooley and Philip Blum discussed the choice of AES-256 for all suites to simplify implementation, even if not perfectly "matched" to the security level of smaller KEMs.

Decisions and Action Items

• draft-ietf-jose-deprecate-none-rsa15: Moving to Working Group Last Call.
• PQ HPKE Coordination: The authors of the overlapping HPKE PQC registration drafts (Brian Campbell, Philip Blum, Tiru Reddy, and Hannes Tschofenig) will meet to determine a path forward. This may involve splitting the work into a JOSE-specific draft and a COSE-specific draft or merging them into a single coherent document.
• Action Item: Chairs to initiate a mailing list discussion regarding the necessity of draft-ietf-jose-pqc-kem for the JOSE ecosystem versus relying solely on HPKE.

Next Steps

• Review Request: Working Group members are encouraged to review draft-ietf-jose-pq-composite-sigs and provide feedback on the algorithm suites.
• JWP Development: Mike Jones and David Waite will explore adding partial disclosure syntax to draft-ietf-jose-json-web-proof.
• Coordination: Continued alignment between JOSE and COSE for HPKE algorithms will be maintained where beneficial, but documents may be separated to respect different working group requirements.

Related Documents

draft-ietf-jose-deprecate-none-rsa15, draft-ietf-jose-json-web-proof, draft-ietf-jose-pq-composite-sigs, draft-ietf-jose-pqc-hybrid-hpke, draft-ietf-jose-pqc-kem