<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt' ?>

<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN" "http://xml2rfc.tools.ietf.org/authoring/rfc2629.dtd"> [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" ipr="trust200902"
  docName="draft-ietf-cose-typ-header-parameter-05">

  <?rfc toc="yes"?>
  <?rfc tocompact="yes"?>
  <?rfc tocdepth="5"?>
  <?rfc tocindent="yes"?>
  <?rfc symrefs="yes"?>
  <?rfc sortrefs="yes"?>
  <?rfc compact="yes"?>
  <?rfc subcompact="no"?> docName="draft-ietf-cose-typ-header-parameter-05" number="9596" updates="" obsoletes="" submissionType="IETF" consensus="true" tocInclude="true" tocDepth="5" symRefs="true" sortRefs="true" version="3" xml:lang="en">

  <front>

    <title>COSE
    <title abbrev='COSE "typ" (type) Header Parameter'>CBOR Object Signing and Encryption (COSE) "typ" (type) Header Parameter</title>
    <seriesInfo name="RFC" value="9596"/>
    <author fullname="Michael B. Jones" initials="M.B." surname="Jones">
      <organization>Self-Issued Consulting</organization>
      <address>
        <email>michael_b_jones@hotmail.com</email>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <author fullname="Orie Steele" initials="O." surname="Steele">
      <organization>Transmute</organization>
      <address>
        <email>orie@transmute.industries</email>
      </address>
    </author>
    <date day="3" month="April" year="2024" />

    <area>Security</area>
    <workgroup>COSE Working Group</workgroup> month="June" year="2024"/>
    <area>SEC</area>
    <workgroup>cose</workgroup>
    <keyword>Explicit Typing</keyword>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <t>
	This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE)
  <spanx style="verb">typ</spanx>
  "typ" (type) header parameter to
	CBOR Object Signing and Encryption (COSE).
	This enables the benefits of explicit typing,
	as typing (as defined in the JSON RFC 8725, "JSON Web Token Best Current Practices BCP, Practices")
	to be brought to COSE objects.
	The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.
      </t>
    </abstract>
  </front>
  <middle>
    <section anchor="Introduction" title="Introduction"> anchor="Introduction">
      <name>Introduction</name>
      <t>
	CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> defines header parameters
	that parallel many of those defined by the JSON Object Signing and Encryption (JOSE) specifications
	<xref target="RFC7515"/> <xref target="RFC7516"/> specifications. target="RFC7516"/>.
	However, one way in which COSE does not provide equivalent functionality to JOSE is that
	it does not define an equivalent of the <spanx style="verb">typ</spanx> "typ" (type) header parameter,
	which is used for declaring the type of the entire JOSE data structure.
	The security benefits of having <spanx style="verb">typ</spanx> "typ" (type) are described in
  Section 3.11 of the JSON Web Token Best Current Practices
  <xref target="RFC8725"/>, target="RFC8725" sectionFormat="of" section="3.11"/>,
	which recommends its use for "explicit typing" --
	using <spanx style="verb">typ</spanx> "typ" values to distinguish between
	different kinds of JSON Web Tokens (JWTs) <xref target="RFC7519"/>.
      </t>
      <t>
	This specification adds the equivalent of the JOSE <spanx style="verb">typ</spanx> "typ" (type) header parameter to COSE
	so that the benefits of explicit typing
	can be brought to COSE objects.
	The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter,
	allowing both unsigned integer CoAP Content-Formats integers as registered in the "CoAP Content-Formats" registry <xref target="IANA.CoAP.ContentFormats"/> values target="CoAP.ContentFormats"/>
	and string Media Type <xref target="IANA.MediaTypes"/> media type values <xref target="MediaTypes"/> to be used.
      </t>
      <t>
	The term "COSE object" is used as defined in <xref target="RFC9052"/>.
	An example of a COSE object is a COSE_Sign1 structure,
	as described in Section 4.2 of <xref target="RFC9052"/>. target="RFC9052" sectionFormat="of" section="4.2"/>.
      </t>
      <section anchor="rnc" title="Requirements anchor="rnc">
        <name>Requirements Notation and Conventions"> Conventions</name>
        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	  "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
    "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and
	  "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be
    interpreted as described in
	  BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref
    target="RFC8174"/> when, and only when, they appear in all capitals, as
    shown here.
        </t>
      </section>
    </section>

    <section anchor="typ" title='COSE anchor="typ">
      <name>COSE "typ" (type) header parameter'> Header Parameter</name>
      <t>
	The <spanx style="verb">typ</spanx> "typ" (type) header parameter
	is used by COSE applications to declare the
	type of this complete COSE object, as compared to the content type header parameter,
  which declares the type of the COSE object payload.
	This is intended for use by the application when
	more than one kind of COSE object could be present in
	an application data structure that can contain a COSE object;
	the application can use this value to disambiguate among
	the different kinds of COSE objects that might be present.
	It will typically not be used by applications when
	the kind of COSE object is already known.
	Use of this header parameter is OPTIONAL. <bcp14>OPTIONAL</bcp14>.
      </t>
      <t>
	The syntax of this header parameter value is the same as the content type header parameter
	defined in Section 3.1 of <xref target="RFC9052"/>; target="RFC9052" sectionFormat="of" section="3.1"/>;
	it is either
	an unsigned integer CoAP Content-Formats as registered in the "CoAP Content-Formats" registry  <xref target="IANA.CoAP.ContentFormats"/> value target="CoAP.ContentFormats"/>
	or a string Content Type content type value.
	Content Type type values have a Media Type media type name <xref target="IANA.MediaTypes"/> target="MediaTypes"/>
	and MAY <bcp14>MAY</bcp14> include Media Type media type parameters.
      </t>
      <t>
	This
	The "typ" (type) header parameter is ignored by COSE implementations
	(libraries implementing <xref target="RFC9052"/> and this specification),
	other than being passed through to applications using those implementations.
	Any processing of this parameter is performed by the COSE application
	using application-specific processing rules.
	For instance, an application might verify that the <spanx style="verb">typ</spanx> "typ" value
	is a particular application-chosen media type and reject the data structure if it is not.
      </t>
      <t>
  The <spanx style="verb">typ</spanx> "typ" parameter MUST NOT <bcp14>MUST NOT</bcp14> be present in unprotected headers.
      </t>
      <t>
  The <spanx style="verb">typ</spanx> "typ" parameter does not describe the content of unprotected headers.
  Changes to unprotected headers do not change the type of the COSE object.
      </t>
    </section>
    <section anchor="Security" title="Security Considerations"> anchor="Security">
      <name>Security Considerations</name>
      <t>
	The case for explicit typing of COSE objects is equivalent to the case made for explicit typing
	in Section 3.11 of JSON Web Token Best Current Practices <xref target="RFC8725"/>: target="RFC8725" section="3.11" sectionFormat="of"/>:
  Explicit typing can prevent confusion between different kinds of COSE objects.
      </t>
      <t>
	COSE applications employing explicit typing should reject COSE objects
	with a type header parameter value different than values that they expect in that application context.
	They should also reject COSE objects without a type header parameter when one is expected.
      </t>
    </section>
    <section anchor="IANA" title="IANA Considerations"> anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="cose-algorithms-registrations" title="COSE anchor="cose-algorithms-registrations">
        <name>COSE Header Parameter Registrations"> Registrations</name>
        <t>
	  This section registers
	  IANA has registered the following value in the
	  IANA "COSE Header Parameters" registry <xref target="IANA.COSE.HeaderParameters"/>. target="COSE.HeaderParameters"/>.
        </t>
	<t>
	  <?rfc subcompact="yes"?>
	  <list style='symbols'>
	    <t>
	      Name: typ (type)
	    </t>
	    <t>
	      Label: TBD (requested assignment 16)
	    </t>
	    <t>
	      Value Type: uint / tstr
	    </t>
	    <t>
	      Value Registry: <xref target="IANA.CoAP.ContentFormats"/>

<table anchor="iana-tab">
  <name></name>
  <thead>
    <tr>
      <th>Name</th>
      <th>Label</th>
      <th>Value Type</th>
      <th>Value Registry</th>
      <th>Description</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>typ (type)</td>
      <td>16</td>
      <td>uint&nbsp;/ tstr</td>
      <td><xref target="CoAP.ContentFormats"/> or <xref target="IANA.MediaTypes"/>
	    </t>
	    <t>
	      Description: Type
target="MediaTypes"/> registry</td>
      <td>Content type of the complete COSE object
	    </t>
	    <t>
	      Reference: <xref object</td>
      <td><xref target="typ"/> of this specification
	    </t>
	  </list>
	</t>
	<?rfc subcompact="no"?> RFC 9596</td>
    </tr>
  </tbody>
</table>
      </section>
    </section>
  </middle>
  <back>

    <references title="Normative References">
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8725.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"/>
      </references>

    <references title="Informative References">
      <references>
        <name>Informative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/>

        <reference anchor="IANA.COSE.HeaderParameters" target="https://www.iana.org/assignments/cose/cose.xhtml#header-parameters"> anchor="COSE.HeaderParameters" target="https://www.iana.org/assignments/cose">
          <front>
            <title>COSE Header Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="IANA.CoAP.ContentFormats" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats"> anchor="CoAP.ContentFormats" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>CoAP Content-Formats</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="IANA.MediaTypes" anchor="MediaTypes" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
	  <date></date>
            <date/>
          </front>
        </reference>

      </references>
    </references>

    <section title="Document History" anchor="History">
      <t>
        [[ to be removed by the RFC Editor before publication as an RFC ]]
      </t>

      <t>
        -05
        <list style='symbols'>
          <t>
	    Addressed Area Director review comments.
          </t>
        </list>
      </t>

      <t>
        -04
        <list style='symbols'>
          <t>
	    Addressed SECDIR review comments.
          </t>
        </list>
      </t>

      <t>
        -03
        <list style='symbols'>
          <t>
	    Addressed GENART and OPSDIR review comments.
          </t>
        </list>
      </t>

      <t>
        -02
        <list style='symbols'>
          <t>
	    Addressed working group last call comments.
          </t>
          <t>
	    Changed requested assignment from 14 to 16 due to conflict a with new assignment.
          </t>
        </list>
      </t>

      <t>
        -01
        <list style='symbols'>
          <t>
	    Added language about media type parameters.
          </t>
        </list>
      </t>

      <t>
        -00
        <list style='symbols'>
          <t>
	    Initial working group version based on draft-jones-cose-typ-header-parameter-01.
          </t>
        </list>
      </t>

    </section>

    <section title="Acknowledgements" anchor="Acknowledgements" numbered="no"> numbered="false">
      <name>Acknowledgements</name>
      <t>
	We would like to thank
        Henk Birkholz,
	Carsten Bormann,
	Susan Hares,
	Dan Harkins,
	Murray Kucherawy,
	Marco Tiloca,
	Gunter
        <contact fullname="Henk Birkholz" />,
<contact fullname="Carsten Bormann" />,
<contact fullname="Susan Hares" />,
<contact fullname="Dan Harkins" />,
<contact fullname="Murray Kucherawy" />,
<contact fullname="Marco Tiloca" />,
<contact fullname="Gunter Van de Velde,
	Éric Vyncke,
	and
	Dale Worley Velde" />,
<contact fullname="Éric Vyncke" />,
	and
<contact fullname="Dale Worley" />
	for their valuable contributions to this specification.
      </t>
    </section>
  </back>
</rfc>