CBOR Object Signing and Encryption (COSE) "typ" (type) Header ParameterSelf-Issued Consultingmichael_b_jones@hotmail.comhttps://self-issued.info/Transmuteorie@transmute.industries
SEC
coseExplicit Typing
This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE)
"typ" (type) header parameter to
CBOR Object Signing and Encryption (COSE).
This enables the benefits of explicit typing (as defined in RFC 8725, "JSON Web Token Best Current Practices")
to be brought to COSE objects.
The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Requirements Notation and Conventions
. COSE "typ" (type) Header Parameter
. Security Considerations
. IANA Considerations
. COSE Header Parameter Registrations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
Introduction
CBOR Object Signing and Encryption (COSE) defines header parameters
that parallel many of those defined by the JSON Object Signing and Encryption (JOSE) specifications
.
However, one way in which COSE does not provide equivalent functionality to JOSE is that
it does not define an equivalent of the "typ" (type) header parameter,
which is used for declaring the type of the entire JOSE data structure.
The security benefits of having "typ" (type) are described in
,
which recommends its use for "explicit typing" --
using "typ" values to distinguish between
different kinds of JSON Web Tokens (JWTs) .
This specification adds the equivalent of the JOSE "typ" (type) header parameter to COSE
so that the benefits of explicit typing
can be brought to COSE objects.
The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter,
allowing both unsigned integers as registered in the "CoAP Content-Formats" registry
and string media type values to be used.
The term "COSE object" is used as defined in .
An example of a COSE object is a COSE_Sign1 structure,
as described in .
Requirements Notation and Conventions
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14 when, and only when, they appear in all capitals, as
shown here.
COSE "typ" (type) Header Parameter
The "typ" (type) header parameter
is used by COSE applications to declare the
type of this complete COSE object, as compared to the content type header parameter,
which declares the type of the COSE object payload.
This is intended for use by the application when
more than one kind of COSE object could be present in
an application data structure that can contain a COSE object;
the application can use this value to disambiguate among
the different kinds of COSE objects that might be present.
It will typically not be used by applications when
the kind of COSE object is already known.
Use of this header parameter is OPTIONAL.
The syntax of this header parameter value is the same as the content type header parameter
defined in ;
it is either
an unsigned integer as registered in the "CoAP Content-Formats" registry
or a string content type value.
Content type values have a media type name
and MAY include media type parameters.
The "typ" (type) header parameter is ignored by COSE implementations
(libraries implementing and this specification),
other than being passed through to applications using those implementations.
Any processing of this parameter is performed by the COSE application
using application-specific processing rules.
For instance, an application might verify that the "typ" value
is a particular application-chosen media type and reject the data structure if it is not.
The "typ" parameter MUST NOT be present in unprotected headers.
The "typ" parameter does not describe the content of unprotected headers.
Changes to unprotected headers do not change the type of the COSE object.
Security Considerations
The case for explicit typing of COSE objects is equivalent to the case made for explicit typing
in :
Explicit typing can prevent confusion between different kinds of COSE objects.
COSE applications employing explicit typing should reject COSE objects
with a type header parameter value different than values that they expect in that application context.
They should also reject COSE objects without a type header parameter when one is expected.
IANA ConsiderationsCOSE Header Parameter Registrations
IANA has registered the following value in the
IANA "COSE Header Parameters" registry .
Name
Label
Value Type
Value Registry
Description
Reference
typ (type)
16
uint / tstr
or registry
Content type of the complete COSE object
of RFC 9596
ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.JSON Web Token Best Current PracticesJSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.CBOR Object Signing and Encryption (COSE): Structures and ProcessConcise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.This document, along with RFC 9053, obsoletes RFC 8152.Informative ReferencesCoAP Content-FormatsIANACOSE Header ParametersIANAMedia TypesIANAJSON Web Signature (JWS)JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.JSON Web Encryption (JWE)JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.JSON Web Token (JWT)JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.Acknowledgements
We would like to thank
,
,
,
,
,
,
,
,
and
for their valuable contributions to this specification.
Authors' AddressesSelf-Issued Consultingmichael_b_jones@hotmail.comhttps://self-issued.info/Transmuteorie@transmute.industries