COSE Working Group
Internet Engineering Task Force (IETF) M.B. Jones
Internet-Draft
Request for Comments: 9596 Self-Issued Consulting
Intended status:
Category: Standards Track O. Steele
Expires: 5 October 2024
ISSN: 2070-1721 Transmute
3 April
June 2024
COSE
CBOR Object Signing and Encryption (COSE) "typ" (type) Header Parameter
draft-ietf-cose-typ-header-parameter-05
Abstract
This specification adds the equivalent of the JSON Object Signing and
Encryption (JOSE) typ "typ" (type) header parameter to CBOR Object
Signing and Encryption (COSE). This enables the benefits of explicit typing,
as
typing (as defined in the JSON RFC 8725, "JSON Web Token Best Current Practices BCP,
Practices") to be brought to COSE objects. The syntax of the COSE
type header parameter value is the same as the existing COSE content
type header parameter.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 October 2024.
https://www.rfc-editor.org/info/rfc9596.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info)
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation and Conventions . . . . . . . . . . 3
2. COSE "typ" (type) header parameter . . . . . . . . . . . . . 3 Header Parameter
3. Security Considerations . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
4.1. COSE Header Parameter Registrations . . . . . . . . . . . 4
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Normative References . . . . . . . . . . . . . . . . . . 4
5.2. Informative References . . . . . . . . . . . . . . . . . 5
Appendix A. Document History . . . . . . . . . . . . . . . . . . 5
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
CBOR Object Signing and Encryption (COSE) [RFC9052] defines header
parameters that parallel many of those defined by the JSON Object
Signing and Encryption (JOSE) specifications [RFC7515] [RFC7516] specifications. [RFC7516].
However, one way in which COSE does not provide equivalent
functionality to JOSE is that it does not define an equivalent of the
typ
"typ" (type) header parameter, which is used for declaring the type
of the entire JOSE data structure. The security benefits of having typ
"typ" (type) are described in Section 3.11 of the JSON Web Token Best
Current Practices [RFC8725], which
recommends its use for "explicit typing" -- using typ "typ" values to
distinguish between different kinds of JSON Web Tokens (JWTs)
[RFC7519].
This specification adds the equivalent of the JOSE typ "typ" (type)
header parameter to COSE so that the benefits of explicit typing can
be brought to COSE objects. The syntax of the COSE type header
parameter value is the same as the existing COSE content type header
parameter, allowing both unsigned integer CoAP Content-Formats
[IANA.CoAP.ContentFormats] values integers as registered in the "CoAP
Content-Formats" registry [CoAP.ContentFormats] and string Media Type
[IANA.MediaTypes] media type
values [MediaTypes] to be used.
The term "COSE object" is used as defined in [RFC9052]. An example
of a COSE object is a COSE_Sign1 structure, as described in
Section 4.2 of [RFC9052].
1.1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. COSE "typ" (type) header parameter Header Parameter
The typ "typ" (type) header parameter is used by COSE applications to
declare the type of this complete COSE object, as compared to the
content type header parameter, which declares the type of the COSE
object payload. This is intended for use by the application when
more than one kind of COSE object could be present in an application
data structure that can contain a COSE object; the application can
use this value to disambiguate among the different kinds of COSE
objects that might be present. It will typically not be used by
applications when the kind of COSE object is already known. Use of
this header parameter is OPTIONAL.
The syntax of this header parameter value is the same as the content
type header parameter defined in Section 3.1 of [RFC9052]; it is
either an unsigned integer CoAP Content-Formats
[IANA.CoAP.ContentFormats] value as registered in the "CoAP Content-
Formats" registry [CoAP.ContentFormats] or a string Content Type content type
value. Content Type type values have a Media Type media type name [IANA.MediaTypes] [MediaTypes] and
MAY include Media Type media type parameters.
This
The "typ" (type) header parameter is ignored by COSE implementations
(libraries implementing [RFC9052] and this specification), other than
being passed through to applications using those implementations.
Any processing of this parameter is performed by the COSE application
using application-specific processing rules. For instance, an
application might verify that the typ "typ" value is a particular
application-chosen media type and reject the data structure if it is
not.
The typ "typ" parameter MUST NOT be present in unprotected headers.
The typ "typ" parameter does not describe the content of unprotected
headers. Changes to unprotected headers do not change the type of
the COSE object.
3. Security Considerations
The case for explicit typing of COSE objects is equivalent to the
case made for explicit typing in Section 3.11 of JSON Web Token Best
Current Practices [RFC8725]: Explicit
typing can prevent confusion between different kinds of COSE objects.
COSE applications employing explicit typing should reject COSE
objects with a type header parameter value different than values that
they expect in that application context. They should also reject
COSE objects without a type header parameter when one is expected.
4. IANA Considerations
4.1. COSE Header Parameter Registrations
This section registers
IANA has registered the following value in the IANA "COSE Header
Parameters" registry [IANA.COSE.HeaderParameters].
* Name: typ (type)
* Label: TBD (requested assignment 16)
* [COSE.HeaderParameters].
+======+=====+======+=======================+===========+=========+
|Name |Label|Value | Value Type: uint / tstr
* Value Registry: [IANA.CoAP.ContentFormats] Registry |Description|Reference|
| | |Type | | | |
+======+=====+======+=======================+===========+=========+
|typ |16 |uint /| [CoAP.ContentFormats] |Content |Section 2|
|(type)| |tstr | or [IANA.MediaTypes]
* Description: Type of the complete COSE object
* Reference: Section 2 [MediaTypes] |type of this specification the|of RFC |
| | | | registry |complete |9596 |
| | | | |COSE object| |
+------+-----+------+-----------------------+-----------+---------+
Table 1
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8725] Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best
Current Practices", BCP 225, RFC 8725,
DOI 10.17487/RFC8725, February 2020,
<https://www.rfc-editor.org/info/rfc8725>.
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
<https://www.rfc-editor.org/info/rfc9052>.
5.2. Informative References
[IANA.CoAP.ContentFormats]
[CoAP.ContentFormats]
IANA, "CoAP Content-Formats",
<https://www.iana.org/assignments/core-parameters/core-
parameters.xhtml#content-formats>.
[IANA.COSE.HeaderParameters]
<https://www.iana.org/assignments/core-parameters>.
[COSE.HeaderParameters]
IANA, "COSE Header Parameters",
<https://www.iana.org/assignments/cose/cose.xhtml#header-
parameters>.
[IANA.MediaTypes]
<https://www.iana.org/assignments/cose>.
[MediaTypes]
IANA, "Media Types",
<https://www.iana.org/assignments/media-types>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
RFC 7516, DOI 10.17487/RFC7516, May 2015,
<https://www.rfc-editor.org/info/rfc7516>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>.
Appendix A. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]]
-05
* Addressed Area Director review comments.
-04
* Addressed SECDIR review comments.
-03
* Addressed GENART and OPSDIR review comments.
-02
* Addressed working group last call comments.
* Changed requested assignment from 14 to 16 due to conflict a with
new assignment.
-01
* Added language about media type parameters.
-00
* Initial working group version based on draft-jones-cose-typ-
header-parameter-01.
Acknowledgements
We would like to thank Henk Birkholz, Carsten Bormann, Susan Hares,
Dan Harkins, Murray Kucherawy, Marco Tiloca, Gunter Van de Velde,
Éric Vyncke, and Dale Worley for their valuable contributions to this
specification.
Authors' Addresses
Michael B. Jones
Self-Issued Consulting
Email: michael_b_jones@hotmail.com
URI: https://self-issued.info/
Orie Steele
Transmute
Email: orie@transmute.industries