RFC Errata
RFC 9180, "Hybrid Public Key Encryption", February 2022
Source of RFC: IRTF
Errata ID: 7934
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Raul Siles
Date Reported: 2024-05-12
Sections 5.1 and 7.2.1 say:
- Section 5.1: The psk and psk_id fields MUST appear together or not at all. The psk, psk_id, and info fields have maximum lengths that depend on the KDF itself,... - Section 7.2.1: The following table lists the maximum allowed lengths of these fields for the KDFs defined in this document,...
It should say:
- Section 5.1: [Add a new note] The info parameter used by HPKE is not related to the optional string info used by the LabeledExpand or Expand functions detailed in section 4. The psk and psk_id parameters MUST appear together or not at all. The psk, psk_id, and info parameters have maximum lengths that depend on the KDF itself,... - Section 7.2.1: The following table lists the maximum allowed lengths of these parameters for the KDFs defined in this document,...
Notes:
The reference to the "info" parameter in sections 5.1 and 7.2.1 might be confusing. Thus, I suggest to clearly differentiate between the optional string "info" for the LabeledExpand or Expand functions, whose value is clearly defined by the RFC for each LabeledExpand function used in DHKEM or KeySchedule, and the "info" parameter used by HPKE.
It seems section 7.2.1 refers to the "info" parameter used by HPKE, as it is referenced from section 5.1. This is the "info" parameter that is used specifically as the key for the "info_hash" LabeledExtract function in KeySchedule.
In section 5.1 the third bullet refer to the HPKE "info" parameter, but the 3rd paragraph after the bullets, as it uses the term "fields", might be confused with the "info" string (or field) used by the LabeledExpand and Expand functions.
Perhaps it would be useful to always use two separate terms along RFC 9180:
- the "info" parameter used by HPKE.
- the "info" string used by the LabeledExpand and Expand functions.
As a result, I would remove the term "field(s)" from sections 5.1 and 7.2.1, and replace it by parameter(s).
Additionally, I suggest to add a note in section 5.1 to differentiate both, and clarify that section 5.1 and 7.2.1, with the input length restrictions, refer to the "info" parameter, and not to the "info" string.