Diff: rfc9596.original

	rfc9596.original	rfc9596.txt


	COSE Working Group M.B. Jones	Internet Engineering Task Force (IETF) M.B. Jones
	Internet-Draft Self-Issued Consulting	Request for Comments: 9596 Self-Issued Consulting
	Intended status: Standards Track O. Steele	Category: Standards Track O. Steele
	Expires: 5 October 2024 Transmute	ISSN: 2070-1721 Transmute
	3 April 2024	June 2024


	COSE "typ" (type) Header Parameter	CBOR Object Signing and Encryption (COSE) "typ" (type) Header Parameter
	draft-ietf-cose-typ-header-parameter-05

	Abstract	Abstract

	This specification adds the equivalent of the JSON Object Signing and	This specification adds the equivalent of the JSON Object Signing and

	Encryption (JOSE) typ (type) header parameter to CBOR Object Signing	Encryption (JOSE) "typ" (type) header parameter to CBOR Object
	and Encryption (COSE). This enables the benefits of explicit typing,	Signing and Encryption (COSE). This enables the benefits of explicit
	as defined in the JSON Web Token Best Current Practices BCP, to be	typing (as defined in RFC 8725, "JSON Web Token Best Current
	brought to COSE objects. The syntax of the COSE type header	Practices") to be brought to COSE objects. The syntax of the COSE
	parameter value is the same as the existing COSE content type header	type header parameter value is the same as the existing COSE content
	parameter.	type header parameter.

	Status of This Memo	Status of This Memo


	This Internet-Draft is submitted in full conformance with the	This is an Internet Standards Track document.
	provisions of BCP 78 and BCP 79.

	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.


	Internet-Drafts are draft documents valid for a maximum of six months	This document is a product of the Internet Engineering Task Force
	and may be updated, replaced, or obsoleted by other documents at any	(IETF). It represents the consensus of the IETF community. It has
	time. It is inappropriate to use Internet-Drafts as reference	received public review and has been approved for publication by the
	material or to cite them other than as "work in progress."	Internet Engineering Steering Group (IESG). Further information on
		Internet Standards is available in Section 2 of RFC 7841.


	This Internet-Draft will expire on 5 October 2024.	Information about the current status of this document, any errata,
		and how to provide feedback on it may be obtained at
		https://www.rfc-editor.org/info/rfc9596.

	Copyright Notice	Copyright Notice

	Copyright (c) 2024 IETF Trust and the persons identified as the	Copyright (c) 2024 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal

	Provisions Relating to IETF Documents (https://trustee.ietf.org/	Provisions Relating to IETF Documents
	license-info) in effect on the date of publication of this document.	(https://trustee.ietf.org/license-info) in effect on the date of
	Please review these documents carefully, as they describe your rights	publication of this document. Please review these documents
	and restrictions with respect to this document. Code Components	carefully, as they describe your rights and restrictions with respect
	extracted from this document must include Revised BSD License text as	to this document. Code Components extracted from this document must
	described in Section 4.e of the Trust Legal Provisions and are	include Revised BSD License text as described in Section 4.e of the
	provided without warranty as described in the Revised BSD License.	Trust Legal Provisions and are provided without warranty as described
		in the Revised BSD License.

	Table of Contents	Table of Contents


	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2	1. Introduction
	1.1. Requirements Notation and Conventions . . . . . . . . . . 3	1.1. Requirements Notation and Conventions
	2. COSE "typ" (type) header parameter . . . . . . . . . . . . . 3	2. COSE "typ" (type) Header Parameter
	3. Security Considerations . . . . . . . . . . . . . . . . . . . 4	3. Security Considerations
	4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4	4. IANA Considerations
	4.1. COSE Header Parameter Registrations . . . . . . . . . . . 4	4.1. COSE Header Parameter Registrations
	5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4	5. References
	5.1. Normative References . . . . . . . . . . . . . . . . . . 4	5.1. Normative References
	5.2. Informative References . . . . . . . . . . . . . . . . . 5	5.2. Informative References
	Appendix A. Document History . . . . . . . . . . . . . . . . . . 5	Acknowledgements
	Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 6	Authors' Addresses
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6

	1. Introduction	1. Introduction

	CBOR Object Signing and Encryption (COSE) [RFC9052] defines header	CBOR Object Signing and Encryption (COSE) [RFC9052] defines header
	parameters that parallel many of those defined by the JSON Object	parameters that parallel many of those defined by the JSON Object

	Signing and Encryption (JOSE) [RFC7515] [RFC7516] specifications.	Signing and Encryption (JOSE) specifications [RFC7515] [RFC7516].
	However, one way in which COSE does not provide equivalent	However, one way in which COSE does not provide equivalent
	functionality to JOSE is that it does not define an equivalent of the	functionality to JOSE is that it does not define an equivalent of the

	typ (type) header parameter, which is used for declaring the type of	"typ" (type) header parameter, which is used for declaring the type
	the entire JOSE data structure. The security benefits of having typ	of the entire JOSE data structure. The security benefits of having
	(type) are described in Section 3.11 of the JSON Web Token Best	"typ" (type) are described in Section 3.11 of [RFC8725], which
	Current Practices [RFC8725], which recommends its use for "explicit	recommends its use for "explicit typing" -- using "typ" values to
	typing" -- using typ values to distinguish between different kinds of	distinguish between different kinds of JSON Web Tokens (JWTs)
	JSON Web Tokens (JWTs) [RFC7519].	[RFC7519].


	This specification adds the equivalent of the JOSE typ (type) header	This specification adds the equivalent of the JOSE "typ" (type)
	parameter to COSE so that the benefits of explicit typing can be	header parameter to COSE so that the benefits of explicit typing can
	brought to COSE objects. The syntax of the COSE type header	be brought to COSE objects. The syntax of the COSE type header
	parameter value is the same as the existing COSE content type header	parameter value is the same as the existing COSE content type header

	parameter, allowing both unsigned integer CoAP Content-Formats	parameter, allowing both unsigned integers as registered in the "CoAP
	[IANA.CoAP.ContentFormats] values and string Media Type	Content-Formats" registry [CoAP.ContentFormats] and string media type
	[IANA.MediaTypes] values to be used.	values [MediaTypes] to be used.

	The term "COSE object" is used as defined in [RFC9052]. An example	The term "COSE object" is used as defined in [RFC9052]. An example
	of a COSE object is a COSE_Sign1 structure, as described in	of a COSE object is a COSE_Sign1 structure, as described in
	Section 4.2 of [RFC9052].	Section 4.2 of [RFC9052].

	1.1. Requirements Notation and Conventions	1.1. Requirements Notation and Conventions

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and

	"OPTIONAL" in this document are to be interpreted as described in BCP	"OPTIONAL" in this document are to be interpreted as described in
	14 [RFC2119] [RFC8174] when, and only when, they appear in all	BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
	capitals, as shown here.	capitals, as shown here.


	2. COSE "typ" (type) header parameter	2. COSE "typ" (type) Header Parameter


	The typ (type) header parameter is used by COSE applications to	The "typ" (type) header parameter is used by COSE applications to
	declare the type of this complete COSE object, as compared to the	declare the type of this complete COSE object, as compared to the
	content type header parameter, which declares the type of the COSE	content type header parameter, which declares the type of the COSE
	object payload. This is intended for use by the application when	object payload. This is intended for use by the application when
	more than one kind of COSE object could be present in an application	more than one kind of COSE object could be present in an application
	data structure that can contain a COSE object; the application can	data structure that can contain a COSE object; the application can
	use this value to disambiguate among the different kinds of COSE	use this value to disambiguate among the different kinds of COSE
	objects that might be present. It will typically not be used by	objects that might be present. It will typically not be used by
	applications when the kind of COSE object is already known. Use of	applications when the kind of COSE object is already known. Use of
	this header parameter is OPTIONAL.	this header parameter is OPTIONAL.

	The syntax of this header parameter value is the same as the content	The syntax of this header parameter value is the same as the content
	type header parameter defined in Section 3.1 of [RFC9052]; it is	type header parameter defined in Section 3.1 of [RFC9052]; it is

	either an unsigned integer CoAP Content-Formats	either an unsigned integer as registered in the "CoAP Content-
	[IANA.CoAP.ContentFormats] value or a string Content Type value.	Formats" registry [CoAP.ContentFormats] or a string content type
	Content Type values have a Media Type name [IANA.MediaTypes] and MAY	value. Content type values have a media type name [MediaTypes] and
	include Media Type parameters.	MAY include media type parameters.


	This parameter is ignored by COSE implementations (libraries	The "typ" (type) header parameter is ignored by COSE implementations
	implementing [RFC9052] and this specification), other than being	(libraries implementing [RFC9052] and this specification), other than
	passed through to applications using those implementations. Any	being passed through to applications using those implementations.
	processing of this parameter is performed by the COSE application	Any processing of this parameter is performed by the COSE application
	using application-specific processing rules. For instance, an	using application-specific processing rules. For instance, an

	application might verify that the typ value is a particular	application might verify that the "typ" value is a particular
	application-chosen media type and reject the data structure if it is	application-chosen media type and reject the data structure if it is
	not.	not.


	The typ parameter MUST NOT be present in unprotected headers.	The "typ" parameter MUST NOT be present in unprotected headers.


	The typ parameter does not describe the content of unprotected	The "typ" parameter does not describe the content of unprotected
	headers. Changes to unprotected headers do not change the type of	headers. Changes to unprotected headers do not change the type of
	the COSE object.	the COSE object.

	3. Security Considerations	3. Security Considerations

	The case for explicit typing of COSE objects is equivalent to the	The case for explicit typing of COSE objects is equivalent to the

	case made for explicit typing in Section 3.11 of JSON Web Token Best	case made for explicit typing in Section 3.11 of [RFC8725]: Explicit
	Current Practices [RFC8725]: Explicit typing can prevent confusion	typing can prevent confusion between different kinds of COSE objects.
	between different kinds of COSE objects.

	COSE applications employing explicit typing should reject COSE	COSE applications employing explicit typing should reject COSE
	objects with a type header parameter value different than values that	objects with a type header parameter value different than values that
	they expect in that application context. They should also reject	they expect in that application context. They should also reject
	COSE objects without a type header parameter when one is expected.	COSE objects without a type header parameter when one is expected.

	4. IANA Considerations	4. IANA Considerations

	4.1. COSE Header Parameter Registrations	4.1. COSE Header Parameter Registrations


	This section registers the following value in the IANA "COSE Header	IANA has registered the following value in the IANA "COSE Header
	Parameters" registry [IANA.COSE.HeaderParameters].	Parameters" registry [COSE.HeaderParameters].


	* Name: typ (type)	+======+=====+======+=======================+===========+=========+
	* Label: TBD (requested assignment 16)	\|Name \|Label\|Value \| Value Registry \|Description\|Reference\|
	* Value Type: uint / tstr	\| \| \|Type \| \| \| \|
	* Value Registry: [IANA.CoAP.ContentFormats] or [IANA.MediaTypes]	+======+=====+======+=======================+===========+=========+
	* Description: Type of the complete COSE object	\|typ \|16 \|uint /\| [CoAP.ContentFormats] \|Content \|Section 2\|
	* Reference: Section 2 of this specification	\|(type)\| \|tstr \| or [MediaTypes] \|type of the\|of RFC \|
		\| \| \| \| registry \|complete \|9596 \|
		\| \| \| \| \|COSE object\| \|
		+------+-----+------+-----------------------+-----------+---------+

		Table 1

	5. References	5. References

	5.1. Normative References	5.1. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,	Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,	DOI 10.17487/RFC2119, March 1997,
	<https://www.rfc-editor.org/info/rfc2119>.	<https://www.rfc-editor.org/info/rfc2119>.


	skipping to change at page 5, line 7 ¶	skipping to change at line 187 ¶
	DOI 10.17487/RFC8725, February 2020,	DOI 10.17487/RFC8725, February 2020,
	<https://www.rfc-editor.org/info/rfc8725>.	<https://www.rfc-editor.org/info/rfc8725>.

	[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):	[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
	Structures and Process", STD 96, RFC 9052,	Structures and Process", STD 96, RFC 9052,
	DOI 10.17487/RFC9052, August 2022,	DOI 10.17487/RFC9052, August 2022,
	<https://www.rfc-editor.org/info/rfc9052>.	<https://www.rfc-editor.org/info/rfc9052>.

	5.2. Informative References	5.2. Informative References


	[IANA.CoAP.ContentFormats]	[CoAP.ContentFormats]
	IANA, "CoAP Content-Formats",	IANA, "CoAP Content-Formats",

	<https://www.iana.org/assignments/core-parameters/core-	<https://www.iana.org/assignments/core-parameters>.
	parameters.xhtml#content-formats>.


	[IANA.COSE.HeaderParameters]	[COSE.HeaderParameters]
	IANA, "COSE Header Parameters",	IANA, "COSE Header Parameters",

	<https://www.iana.org/assignments/cose/cose.xhtml#header-	<https://www.iana.org/assignments/cose>.
	parameters>.


	[IANA.MediaTypes]	[MediaTypes]
	IANA, "Media Types",	IANA, "Media Types",
	<https://www.iana.org/assignments/media-types>.	<https://www.iana.org/assignments/media-types>.

	[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web	[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
	Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May	Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
	2015, <https://www.rfc-editor.org/info/rfc7515>.	2015, <https://www.rfc-editor.org/info/rfc7515>.

	[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",	[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
	RFC 7516, DOI 10.17487/RFC7516, May 2015,	RFC 7516, DOI 10.17487/RFC7516, May 2015,
	<https://www.rfc-editor.org/info/rfc7516>.	<https://www.rfc-editor.org/info/rfc7516>.

	[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token	[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
	(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,	(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
	<https://www.rfc-editor.org/info/rfc7519>.	<https://www.rfc-editor.org/info/rfc7519>.


	Appendix A. Document History

	[[ to be removed by the RFC Editor before publication as an RFC ]]

	-05

	* Addressed Area Director review comments.

	-04

	* Addressed SECDIR review comments.

	-03

	* Addressed GENART and OPSDIR review comments.

	-02

	* Addressed working group last call comments.

	* Changed requested assignment from 14 to 16 due to conflict a with
	new assignment.

	-01

	* Added language about media type parameters.

	-00

	* Initial working group version based on draft-jones-cose-typ-
	header-parameter-01.

	Acknowledgements	Acknowledgements

	We would like to thank Henk Birkholz, Carsten Bormann, Susan Hares,	We would like to thank Henk Birkholz, Carsten Bormann, Susan Hares,
	Dan Harkins, Murray Kucherawy, Marco Tiloca, Gunter Van de Velde,	Dan Harkins, Murray Kucherawy, Marco Tiloca, Gunter Van de Velde,
	Éric Vyncke, and Dale Worley for their valuable contributions to this	Éric Vyncke, and Dale Worley for their valuable contributions to this
	specification.	specification.

	Authors' Addresses	Authors' Addresses

	Michael B. Jones	Michael B. Jones

End of changes. 29 change blocks.
	122 lines changed or deleted	88 lines changed or added
This html diff was produced by rfcdiff 1.48.