Wire format of HPKE context

[cjpatton]

The draft does not specify how the HPKE context (cipher suite, exporter secret, key, nonce, sequence number, etc.) is represented on the wire. There are use cases for HPKE in which it is desirable to transmit the context over a secure channel. For example, Cloudflare's prototype implementation of the Encrypted ClientHello (ECH) extension for TLS will offload KEM operations to an RPC server (cloudflare/go#30).

I'm not requesting a change to the spec at this point ... I just wanted to bring up the use case and ask what people think. I'm not sure, but it might make sense to standardize the encoding. One proposal is here: https://github.com/cisco/go-hpke/blob/master/hpke.go#L197. In addition to the above parameters, this format encodes the "role" of the context's user, i.e., whether they are the sender or receiver.

[Lekensteyn]

There are many serialization formats possible (protobuf, DER, JSON, TLS syntax, ...). The "Context" type seems to refer to an implementation detail rather than an interchange format. If that is the case, then I don't think that a specific format has to be dicatated.

[cjpatton]

I'm fine with that resolution.

[chris-wood]

I'm fine with that resolution, too. Given this hasn't been requested until now, and how far along we are in the process, I'm closing this.