Share considerations about obtaining the salt in the remote case #83
Description
We have explored multiple options in the interaction between the Holder and Issuer:
| Method | Seen in | Comments |
|---|---|---|
| Holder shares current salt with Issuer | N/A | No, enables parent to discover all associated descendant keys and prove association |
| Holder creates ratchet with seed and some locally stored branch ID, shares new salt directly with Issuer | BIP 0032 | No, enables eavesdroppers to discover direct child keys and prove association |
| Holder creates ratchet with seed and some locally stored branch ID, shares new salt in HPKE | N/A | No, requires Holder to know Issuer’s static HPKE recipient public key, no reasonable protocol extension for that |
| Holder and Issuer both derive new salt from app request and public material | ETSI TR 119 476 V1.2.1 | No, enables eavesdroppers to do the same and discover direct child keys and prove association |
| Holder derives KEM key pair from salt, Issuer encapsulates a new salt | hdkeys-02 | Need to check risk of weak issuer entropy #75, need to extend protocol #16 |