| rfc9597.original | rfc9597.txt | |||
|---|---|---|---|---|
| COSE T. Looker | Internet Engineering Task Force (IETF) T. Looker | |||
| Internet-Draft Mattr | Request for Comments: 9597 Mattr | |||
| Intended status: Standards Track M. Jones | Category: Standards Track M.B. Jones | |||
| Expires: 1 June 2024 Self-Issued Consulting | ISSN: 2070-1721 Self-Issued Consulting | |||
| 29 November 2023 | June 2024 | |||
| CBOR Web Token (CWT) Claims in COSE Headers | CBOR Web Token (CWT) Claims in COSE Headers | |||
| draft-ietf-cose-cwt-claims-in-headers-10 | ||||
| Abstract | Abstract | |||
| This document describes how to include CBOR Web Token (CWT) claims in | This document describes how to include CBOR Web Token (CWT) claims in | |||
| the header parameters of any COSE structure. This functionality | the header parameters of any CBOR Object Signing and Encryption | |||
| helps to facilitate applications that wish to make use of CBOR Web | (COSE) structure. This functionality helps to facilitate | |||
| Token (CWT) claims in encrypted COSE structures and/or COSE | applications that wish to make use of CWT claims in encrypted COSE | |||
| structures featuring detached signatures, while having some of those | structures and/or COSE structures featuring detached signatures, | |||
| claims be available before decryption and/or without inspecting the | while having some of those claims be available before decryption and/ | |||
| detached payload. Another use case is using CWT claims with payloads | or without inspecting the detached payload. Another use case is | |||
| that are not CWT Claims Sets, including payloads that are not CBOR at | using CWT claims with payloads that are not CWT Claims Sets, | |||
| all. | including payloads that are not CBOR at all. | |||
| Discussion Venues | ||||
| This note is to be removed before publishing as an RFC. | ||||
| Source for this draft and an issue tracker can be found at | ||||
| https://github.com/tplooker/draft-ietf-cose-cwt-claims-in-headers. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| | Internet Standards is available in Section 2 of RFC 7841. | |||
| This Internet-Draft will expire on 1 June 2024. | Information about the current status of this document, any errata, | |||
| | and how to provide feedback on it may be obtained at | |||
| | https://www.rfc-editor.org/info/rfc9597. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 1.1. Requirements Terminology . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Terminology | |||
| 2. Representation . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Representation | |||
| 3. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4 | 3. Privacy Considerations | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 4. Security Considerations | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 5. IANA Considerations | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 6 | Acknowledgements | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 1. Introduction | 1. Introduction | |||
| In some applications of COSE, it is useful to have a standard | In some applications of COSE, it is useful to have a standard | |||
| representation of CWT claims [RFC8392] available in the header | representation of CWT claims [RFC8392] available in the header | |||
| parameters. These include encrypted COSE structures, which may or | parameters. These include encrypted COSE structures, which may or | |||
| may not be an encrypted CWT and/or those featuring a detached | may not be an encrypted CWT, and/or those featuring a detached | |||
| signature. Another use case is using CWT claims with payloads that | signature. Another use case is using CWT claims with payloads that | |||
| are not CWT Claims Sets, including payloads that are not CBOR at all. | are not CWT Claims Sets, including payloads that are not CBOR at all. | |||
| For instance, an application might want to include an "iss" (issuer) | For instance, an application might want to include an "iss" (issuer) | |||
| claim in a COSE_Sign1 structure when the payload being signed is a | claim in a COSE_Sign1 structure when the payload being signed is a | |||
| non-CBOR data structure, such as a bitmap image, and the issuer value | non-CBOR data structure, such as a bitmap image, and the issuer value | |||
| is used for key discovery. | is used for key discovery. | |||
| Section 5.3 of JSON Web Token (JWT) [RFC7519] defined a similar | Section 5.3 of [RFC7519], "JSON Web Token (JWT)", defined a similar | |||
| mechanism for expressing selected JWT based claims as JOSE header | mechanism for expressing selected JWT-based claims as JSON Object | |||
| parameters. This JWT feature was motivated by the desire to have | Signing and Encryption (JOSE) header parameters. This JWT feature | |||
| certain claims, such as the Issuer value, be visible to software | was motivated by the desire to have certain claims, such as the | |||
| processing the JWT, even though the JWT is encrypted. No | Issuer value, be visible to software processing the JWT, even though | |||
| corresponding feature was standardized for CWTs, which was an | the JWT is encrypted. No corresponding feature was standardized for | |||
| omission that this specification corrects. | CWTs, which was an omission that this specification corrects. | |||
| Directly including CWT claim values as COSE header parameter values | Directly including CWT claim values as COSE header parameter values | |||
| would not work, since there are conflicts between the numeric header | would not work, since there are conflicts between the numeric header | |||
| parameter assignments and the numeric CWT claim assignments. | parameter assignments and the numeric CWT claim assignments. | |||
| Instead, this specification defines a single header parameter | Instead, this specification defines a single header parameter | |||
| registered in the IANA "COSE Header Parameters" registry that creates | registered in the IANA "COSE Header Parameters" registry that creates | |||
| a location to store CWT claims in a COSE header parameter. | a location to store CWT claims in a COSE header parameter. | |||
| This specification does not define how to use CWT claims and their | This specification does not define how to use CWT claims and their | |||
| semantics for particular applications, whether they are in the COSE | semantics for particular applications, whether they are in the COSE | |||
| payload or the CWT Claims header parameter, or both. Therefore, | payload or the CWT Claims header parameter, or both. Therefore, | |||
| understanding how to process the CWT Claims header parameter requires | understanding how to process the CWT Claims header parameter requires | |||
| unambiguously knowing the intended interpretation. The necessary | unambiguously knowing the intended interpretation. The necessary | |||
| information about this MAY come from other header parameters. Unless | information about this MAY come from other header parameters. Unless | |||
| there already is a natural way of providing this information at an | there already is a natural way of providing this information at an | |||
| appropriate level of integrity protection and authentication, a | appropriate level of integrity protection and authentication, a | |||
| RECOMMENDED way to include this information in the COSE structure is | RECOMMENDED way to include this information in the COSE structure is | |||
| use of the typ (type) Header Parameter | use of the "typ" (type) Header Parameter [RFC9596]. Other methods | |||
| [I-D.ietf-cose-typ-header-parameter]. Other methods for determining | for determining the intended interpretation MAY also be used. | |||
| the intended interpretation MAY also be used. Recipients of the CWT | Recipients of the CWT Claims header parameter MUST NOT use the | |||
| Claims header parameter MUST NOT use the information in the CWT | information in the CWT Claims header parameter beyond the integrity | |||
| Claims header parameter beyond the integrity protection or | protection or authentication afforded to the CWT Claims header and | |||
| authentication afforded to the CWT Claims header and the information | the information used to derive its intended interpretation. | |||
| used to derive its intended interpretation. | ||||
| 1.1. Requirements Terminology | 1.1. Requirements Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. Representation | 2. Representation | |||
| This document defines the following COSE header parameter: | This document defines the following COSE header parameter: | |||
| +========+================+=======+=============+===================+ | +========+=======+=======+==============+===============+===========+ | |||
| | Name | Label | Value | Value | Description | | | Name | Label | Value | Value | Description | Reference | | |||
| | | | Type | Registry | | | | | | Type | Registry | | | | |||
| +========+================+=======+=============+===================+ | +========+=======+=======+==============+===============+===========+ | |||
| | CWT | TBD (requested | map | [IANA.COSE] | Location for | | | CWT | 15 | map | map keys in | Location | Section 2 | | |||
| | Claims | assignment 15) | | | CWT Claims in | | | Claims | | | [CWT.Claims] | for CWT | of RFC | | |||
| | | | | | COSE Header | | | | | | | Claims in | 9597 | | |||
| | | | | | Parameters | | | | | | | COSE Header | | | |||
| +--------+----------------+-------+-------------+-------------------+ | | | | | | Parameters | | | |||
| | +--------+-------+-------+--------------+---------------+-----------+ | |||
| Table 1 | Table 1 | |||
| The following is a non-normative description for the value type of | The following is a non-normative description for the value type of | |||
| the CWT claim header parameter using CDDL [RFC8610]. | the CWT claim header parameter using CDDL [RFC8610]. | |||
| CWT-Claims = { | CWT-Claims = { | |||
| * Claim-Label => any | * Claim-Label => any | |||
| } | } | |||
| Claim-Label = int / text | Claim-Label = int / text | |||
| In cases where CWT claims are present both in the payload and the | In cases where CWT claims are present both in the payload and the | |||
| header of a CWT, an application receiving such a structure MUST | header of a CWT, an application receiving such a structure MUST | |||
| verify that their values are identical, unless the application | verify that their values are identical, unless the application | |||
| defines other specific processing rules for these claims. | defines other specific processing rules for these claims. | |||
| It is RECOMMENDED that the CWT Claims header parameter is used only | It is RECOMMENDED that the CWT Claims header parameter only be used | |||
| in a protected header to avoid the contents being malleable. The | in a protected header to avoid the contents being malleable. The | |||
| header parameter MUST only occur once in either the protected or | header parameter MUST only occur once in either the protected or | |||
| unprotected header of a COSE structure. | unprotected header of a COSE structure. | |||
| The CWT Claims header parameter MAY be used in any COSE object using | The CWT Claims header parameter MAY be used in any COSE object using | |||
| header parameters, such as COSE_Sign objects. Its use is not | header parameters, such as COSE_Sign objects. Its use is not | |||
| restricted to CWTs. | restricted to CWTs. | |||
| 3. Privacy Considerations | 3. Privacy Considerations | |||
| 4. Security Considerations | 4. Security Considerations | |||
| Implementers should also review the security considerations for CWT, | Implementers should also review the security considerations for CWT, | |||
| which are documented in Section 8 of [RFC8392]. | which are documented in Section 8 of [RFC8392]. | |||
| As described in [RFC9052], if the COSE payload is transported | As described in [RFC9052], if the COSE payload is transported | |||
| separately ("detached content"), then it is the responsibility of the | separately ("detached content"), then it is the responsibility of the | |||
| application to ensure that it will be transported without changes. | application to ensure that it will be transported without changes. | |||
| The reason for applications to verify that CWT claims that are | The reason for applications to verify that CWT claims present in both | |||
| present both in the payload and the header of a CWT are identical, | the payload and the header of a CWT are identical, unless they define | |||
| unless it defines other specific processing rules for these claims, | other specific processing rules for these claims, is to eliminate | |||
| is to eliminate potential confusion that might arise by having | potential confusion that might arise by having different values for | |||
| different values for the same claim, which could result in | the same claim, which could result in inconsistent processing of such | |||
| inconsistent processing of such claims. | claims. | |||
| Processing information in claims prior to validating that their | Processing information in claims prior to validating that their | |||
| integrity is cryptographically secured can pose security risks. This | integrity is cryptographically secure can pose security risks. This | |||
| is true whether the claims are in the payload or a header parameter. | is true whether the claims are in the payload or a header parameter. | |||
| Implementers must ensure that any tentative decisions made based on | Implementers must ensure that any tentative decisions made based on | |||
| previously unverified information are confirmed once the | previously unverified information are confirmed once the | |||
| cryptographic processing has been completed. This includes any | cryptographic processing has been completed. This includes any | |||
| information that was used to derive the intended interpretation of | information that was used to derive the intended interpretation of | |||
| the CWT claims parameter. | the CWT claims parameter. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| IANA is requested to register the new COSE header parameter "CWT | IANA has registered the new COSE header parameter "CWT Claims" | |||
| Claims" in the table in Section 2 in the "COSE Header Parameters" | defined in Table 1 in the "COSE Header Parameters" registry | |||
| registry [IANA.COSE]. | [COSE.HeaderParameters]. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [I-D.ietf-cose-typ-header-parameter] | [COSE.HeaderParameters] | |||
| Jones, M. B. and O. Steele, "COSE "typ" (type) Header | ||||
| Parameter", Work in Progress, Internet-Draft, draft-ietf- | ||||
| cose-typ-header-parameter-01, 7 November 2023, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-cose- | ||||
| typ-header-parameter-01>. | ||||
| [IANA.COSE] | ||||
| IANA, "COSE Header Parameters", | IANA, "COSE Header Parameters", | |||
| <https://www.iana.org/assignments/cose/cose.xhtml#header- | <https://www.iana.org/assignments/cose/>. | |||
| parameters>. | ||||
| | [CWT.Claims] | |||
| | IANA, "CBOR Web Token (CWT) Claims", | |||
| | <https://www.iana.org/assignments/cwt/>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | |||
| "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | |||
| May 2018, <https://www.rfc-editor.org/info/rfc8392>. | May 2018, <https://www.rfc-editor.org/info/rfc8392>. | |||
| | [RFC9596] Jones, M.B. and O. Steele, "CBOR Object Signing and | |||
| | Encryption (COSE) "typ" (type) Header Parameter", | |||
| | RFC 9596, DOI 10.17487/RFC9596, June 2024, | |||
| | <https://www.rfc-editor.org/info/rfc9596>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
| Definition Language (CDDL): A Notational Convention to | Definition Language (CDDL): A Notational Convention to | |||
| Express Concise Binary Object Representation (CBOR) and | Express Concise Binary Object Representation (CBOR) and | |||
| JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | |||
| June 2019, <https://www.rfc-editor.org/info/rfc8610>. | June 2019, <https://www.rfc-editor.org/info/rfc8610>. | |||
| [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): | [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
| Structures and Process", STD 96, RFC 9052, | Structures and Process", STD 96, RFC 9052, | |||
| DOI 10.17487/RFC9052, August 2022, | DOI 10.17487/RFC9052, August 2022, | |||
| <https://www.rfc-editor.org/info/rfc9052>. | <https://www.rfc-editor.org/info/rfc9052>. | |||
| Appendix A. Acknowledgements | Acknowledgements | |||
| We would like to thank Daisuke Ajitomi, Claudio Allocchio, Carsten | We would like to thank Daisuke Ajitomi, Claudio Allocchio, Carsten | |||
| Bormann, Laurence Lundblade, Ivaylo Petrov, Ines Robles, Orie Steele, | Bormann, Laurence Lundblade, Ivaylo Petrov, Ines Robles, Orie Steele, | |||
| Hannes Tschofenig, Paul Wouters, and Peter Yee for their valuable | Hannes Tschofenig, Paul Wouters, and Peter Yee for their valuable | |||
| contributions to this specification. | contributions to this specification. | |||
| Appendix B. Document History | ||||
| -09 | ||||
| * Described use cases where CWT claims can't be put in the payload | ||||
| in response to Hannes Tschofenig's IotDir review. | ||||
| * Said that profiles specify the semantics of the CWT claims in | ||||
| response to Carsten Bormann's feedback. | ||||
| -08 | ||||
| * Added Security Consideration about profiles and processing CWT | ||||
| claims. | ||||
| -07 | ||||
| * Added Privacy Consideration about unencrypted claims in header | ||||
| parameters. | ||||
| * Added Security Consideration about detached content. | ||||
| * Added Security Consideration about claims that are present both in | ||||
| the payload and the header of a CWT. | ||||
| * Changed requested IANA COSE Header Parameter assignment number | ||||
| from 13 to 15 due to subsequent assignments of 13 and 14. | ||||
| * Acknowledged last call reviewers. | ||||
| -06 | ||||
| * Changed requested IANA COSE Header Parameter assignment number | ||||
| from 11 to 13 due to Countersignature being allocated 11. | ||||
| * Reference correct registry IANA COSE Header Parameters. | ||||
| -05 | ||||
| * Added Acknowledgements section. | ||||
| * Addressed WGLC feedback. Specifically... | ||||
| * Added statement about being able to use the header parameter in | ||||
| any COSE object. | ||||
| * Moved statement about verifying that claim values present in both | ||||
| the header and payload are identical from the Security | ||||
| Considerations to the body of the specification. | ||||
| -04 | ||||
| * Update author affiliation. | ||||
| * Add standard reference to RFC terminology. | ||||
| * Added reference to security considerations from RFC8392. | ||||
| -03 | ||||
| * Added recommendation around header treatment in protected vs | ||||
| unprotected. | ||||
| -02 | ||||
| * Added CDDL description for CWT claim value. | ||||
| -01 | ||||
| * Changed example from Key ID to Issuer. | ||||
| -00 | ||||
| * Created draft-ietf-cose-cwt-claims-in-headers-00 from draft- | ||||
| looker-cose-cwt-claims-in-headers-00 following working group | ||||
| adoption. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Tobias Looker | Tobias Looker | |||
| Mattr | Mattr | |||
| Email: tobias.looker@mattr.global | Email: tobias.looker@mattr.global | |||
| Michael B. Jones | Michael B. Jones | |||
| Self-Issued Consulting | Self-Issued Consulting | |||
| Email: michael_b_jones@hotmail.com | Email: michael_b_jones@hotmail.com | |||
| URI: https://self-issued.info/ | URI: https://self-issued.info/ | |||
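The processing rules of Sections 2 and 4 (label 15 occurs at most once, protected placement is RECOMMENDED, claims duplicated between header and payload must be identical, and tentative decisions such as issuer-based key discovery are confirmed only after verification), as an added example that is not code from the RFC or its authors. It assumes the COSE headers and payload have already been decoded into Python dicts; the sample header, payload and `verify_signature` stand-in are constructed.

```python
"""Checks for the "CWT Claims" COSE header parameter (label 15) of RFC 9597.

Added example, not code from the RFC or its authors. It works on already
decoded COSE header maps and payload (plain Python dicts), so no CBOR
library is needed; every sample value below is constructed.
"""
from typing import Callable, Optional

CWT_CLAIMS_LABEL = 15            # "CWT Claims" header parameter (Table 1 of RFC 9597)
COSE_ALG, COSE_KID = 1, 4        # COSE header labels "alg" and "kid" (RFC 9052)
ISS, SUB, EXP, IAT = 1, 2, 4, 6  # CWT claim keys (RFC 8392)
# The clash RFC 9597 avoids: label 1 is "alg" in a COSE header map but "iss"
# in a CWT Claims Set. Nesting the claims under label 15 keeps them apart.


class CwtClaimsHeaderError(ValueError):
    """The CWT Claims header parameter violates a rule of RFC 9597."""


def locate_cwt_claims(protected: dict, unprotected: dict) -> dict:
    """Return the claim map under label 15 for one COSE layer ({} if absent).

    Section 2: the parameter MUST occur only once, in either the protected or
    the unprotected header, and its value is a map keyed by int or text.
    """
    if CWT_CLAIMS_LABEL in protected and CWT_CLAIMS_LABEL in unprotected:
        raise CwtClaimsHeaderError("CWT Claims appears in both header buckets")
    bucket = protected if CWT_CLAIMS_LABEL in protected else unprotected
    claims = bucket.get(CWT_CLAIMS_LABEL, {})
    if not isinstance(claims, dict) or not all(isinstance(k, (int, str)) for k in claims):
        raise CwtClaimsHeaderError("CWT Claims value must be a map with int/text labels")
    return dict(claims)


def header_claims_are_protected(protected: dict, unprotected: dict) -> bool:
    """RECOMMENDED placement: label 15 only in the protected header, so the
    claims are covered by the signature or MAC and cannot be altered."""
    return CWT_CLAIMS_LABEL not in unprotected


def check_header_payload_consistency(header_claims: dict,
                                     payload_claims: Optional[dict]) -> None:
    """Section 2: a claim present in both header and payload MUST be identical.

    payload_claims is None when the payload is not a CWT Claims Set (a bitmap,
    say), in which case there is nothing to compare against.
    """
    if payload_claims is None:
        return
    for label, value in header_claims.items():
        if label in payload_claims and payload_claims[label] != value:
            raise CwtClaimsHeaderError(f"claim {label!r} differs between header and payload")


def resolve_claims(protected: dict, unprotected: dict, payload_claims: Optional[dict],
                   verify_signature: Callable[[Optional[str]], bool]) -> dict:
    """Relying-party flow from Section 4: use the header "iss" tentatively for
    key discovery, verify, then confirm the header claims against the payload."""
    header_claims = locate_cwt_claims(protected, unprotected)
    # Tentative decision: the issuer selects the verification key. verify_signature
    # is a caller-supplied stand-in for real COSE signature processing.
    if not verify_signature(header_claims.get(ISS)):
        raise CwtClaimsHeaderError("signature verification failed")
    # Only now may the header claims be relied upon; confirm them against the payload.
    check_header_payload_consistency(header_claims, payload_claims)
    return {**(payload_claims or {}), **header_claims}


# Constructed sample: the protected header repeats "iss" and "exp" under label 15.
SAMPLE_PROTECTED = {COSE_ALG: -7, COSE_KID: b"\x01",
                    CWT_CLAIMS_LABEL: {ISS: "https://issuer.example", EXP: 1720000000}}
SAMPLE_UNPROTECTED: dict = {}
SAMPLE_PAYLOAD = {ISS: "https://issuer.example", SUB: "device-42",
                  EXP: 1720000000, IAT: 1719990000}
TRUSTED_ISSUERS = {"https://issuer.example"}  # stand-in for a key-discovery table
```

Passing `None` as the payload claims covers the non-CWT payload case (a signed bitmap, for example), where only the header claims are available and nothing is cross-checked.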