rfc9596xml2.original.xml   rfc9596.xml 
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/r
fc2629.xslt' ?>
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN" "http://xml2rfc.tools.ietf.org/
authoring/rfc2629.dtd">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" <!DOCTYPE rfc [
category="std" ipr="trust200902" <!ENTITY nbsp "&#160;">
docName="draft-ietf-cose-typ-header-parameter-05"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
]>
<?rfc toc="yes"?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" ipr="trust200902"
<?rfc tocompact="yes"?> docName="draft-ietf-cose-typ-header-parameter-05" number="9596" updates="" obso
<?rfc tocdepth="5"?> letes="" submissionType="IETF" consensus="true" tocInclude="true" tocDepth="5" s
<?rfc tocindent="yes"?> ymRefs="true" sortRefs="true" version="3" xml:lang="en">
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<front> <front>
<title abbrev='COSE "typ" (type) Header Parameter'>CBOR Object Signing and E
<title>COSE "typ" (type) Header Parameter</title> ncryption (COSE) "typ" (type) Header Parameter</title>
<seriesInfo name="RFC" value="9596"/>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones"> <author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Self-Issued Consulting</organization> <organization>Self-Issued Consulting</organization>
<address> <address>
<email>michael_b_jones@hotmail.com</email> <email>michael_b_jones@hotmail.com</email>
<uri>https://self-issued.info/</uri> <uri>https://self-issued.info/</uri>
</address> </address>
</author> </author>
<author fullname="Orie Steele" initials="O." surname="Steele"> <author fullname="Orie Steele" initials="O." surname="Steele">
<organization>Transmute</organization> <organization>Transmute</organization>
<address> <address>
<email>orie@transmute.industries</email> <email>orie@transmute.industries</email>
</address> </address>
</author> </author>
<date month="June" year="2024"/>
<date day="3" month="April" year="2024" /> <area>SEC</area>
<workgroup>cose</workgroup>
<area>Security</area>
<workgroup>COSE Working Group</workgroup>
<keyword>Explicit Typing</keyword> <keyword>Explicit Typing</keyword>
<keyword>Internet-Draft</keyword>
<abstract> <abstract>
<t> <t>
This specification adds the equivalent of the JSON Object Signing and Enc ryption (JOSE) This specification adds the equivalent of the JSON Object Signing and Enc ryption (JOSE)
<spanx style="verb">typ</spanx> (type) header parameter to "typ" (type) header parameter to
CBOR Object Signing and Encryption (COSE). CBOR Object Signing and Encryption (COSE).
This enables the benefits of explicit typing, This enables the benefits of explicit typing (as defined in RFC 8725, "JS
as defined in the JSON Web Token Best Current Practices BCP, ON Web Token Best Current Practices")
to be brought to COSE objects. to be brought to COSE objects.
The syntax of the COSE type header parameter value is the same as the exi sting COSE content type header parameter. The syntax of the COSE type header parameter value is the same as the exi sting COSE content type header parameter.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="Introduction">
<section anchor="Introduction" title="Introduction"> <name>Introduction</name>
<t> <t>
CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> define s header parameters CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> define s header parameters
that parallel many of those defined by the JSON Object Signing and Encryp that parallel many of those defined by the JSON Object Signing and Encryp
tion (JOSE) tion (JOSE) specifications
<xref target="RFC7515"/> <xref target="RFC7516"/> specifications. <xref target="RFC7515"/> <xref target="RFC7516"/>.
However, one way in which COSE does not provide equivalent functionality to JOSE is that However, one way in which COSE does not provide equivalent functionality to JOSE is that
it does not define an equivalent of the <spanx style="verb">typ</spanx> ( type) header parameter, it does not define an equivalent of the "typ" (type) header parameter,
which is used for declaring the type of the entire JOSE data structure. which is used for declaring the type of the entire JOSE data structure.
The security benefits of having <spanx style="verb">typ</spanx> (type) ar The security benefits of having "typ" (type) are described in
e described in <xref target="RFC8725" sectionFormat="of" section="3.11"/>,
Section 3.11 of the JSON Web Token Best Current Practices <xref target="RFC872
5"/>,
which recommends its use for "explicit typing" -- which recommends its use for "explicit typing" --
using <spanx style="verb">typ</spanx> values to distinguish between using "typ" values to distinguish between
different kinds of JSON Web Tokens (JWTs) <xref target="RFC7519"/>. different kinds of JSON Web Tokens (JWTs) <xref target="RFC7519"/>.
</t> </t>
<t> <t>
This specification adds the equivalent of the JOSE <spanx style="verb">ty p</spanx> (type) header parameter to COSE This specification adds the equivalent of the JOSE "typ" (type) header pa rameter to COSE
so that the benefits of explicit typing so that the benefits of explicit typing
can be brought to COSE objects. can be brought to COSE objects.
The syntax of the COSE type header parameter value is the same as the exi sting COSE content type header parameter, The syntax of the COSE type header parameter value is the same as the exi sting COSE content type header parameter,
allowing both unsigned integer CoAP Content-Formats <xref target="IANA.Co allowing both unsigned integers as registered in the "CoAP Content-Format
AP.ContentFormats"/> values s" registry <xref target="CoAP.ContentFormats"/>
and string Media Type <xref target="IANA.MediaTypes"/> values to be used. and string media type values <xref target="MediaTypes"/> to be used.
</t> </t>
<t> <t>
The term "COSE object" is used as defined in <xref target="RFC9052"/>. The term "COSE object" is used as defined in <xref target="RFC9052"/>.
An example of a COSE object is a COSE_Sign1 structure, An example of a COSE object is a COSE_Sign1 structure,
as described in Section 4.2 of <xref target="RFC9052"/>. as described in <xref target="RFC9052" sectionFormat="of" section="4.2"/> .
</t> </t>
<section anchor="rnc">
<section anchor="rnc" title="Requirements Notation and Conventions"> <name>Requirements Notation and Conventions</name>
<t> <t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
"OPTIONAL" in this document are to be interpreted as described in ",
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
only when, they appear in all capitals, as shown here. "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
</t> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be
interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
</section> </section>
</section> </section>
<section anchor="typ" title='COSE "typ" (type) header parameter'> <section anchor="typ">
<name>COSE "typ" (type) Header Parameter</name>
<t> <t>
The <spanx style="verb">typ</spanx> (type) header parameter The "typ" (type) header parameter
is used by COSE applications to declare the is used by COSE applications to declare the
type of this complete COSE object, as compared to the content type header parameter, type of this complete COSE object, as compared to the content type header parameter,
which declares the type of the COSE object payload. which declares the type of the COSE object payload.
This is intended for use by the application when This is intended for use by the application when
more than one kind of COSE object could be present in more than one kind of COSE object could be present in
an application data structure that can contain a COSE object; an application data structure that can contain a COSE object;
the application can use this value to disambiguate among the application can use this value to disambiguate among
the different kinds of COSE objects that might be present. the different kinds of COSE objects that might be present.
It will typically not be used by applications when It will typically not be used by applications when
the kind of COSE object is already known. the kind of COSE object is already known.
Use of this header parameter is OPTIONAL. Use of this header parameter is <bcp14>OPTIONAL</bcp14>.
</t> </t>
<t> <t>
The syntax of this header parameter value is the same as the content type header parameter The syntax of this header parameter value is the same as the content type header parameter
defined in Section 3.1 of <xref target="RFC9052"/>; defined in <xref target="RFC9052" sectionFormat="of" section="3.1"/>;
it is either it is either
an unsigned integer CoAP Content-Formats <xref target="IANA.CoAP.ContentF an unsigned integer as registered in the "CoAP Content-Formats" registry
ormats"/> value <xref target="CoAP.ContentFormats"/>
or a string Content Type value. or a string content type value.
Content Type values have a Media Type name <xref target="IANA.MediaTypes" Content type values have a media type name <xref target="MediaTypes"/>
/> and <bcp14>MAY</bcp14> include media type parameters.
and MAY include Media Type parameters.
</t> </t>
<t> <t>
This parameter is ignored by COSE implementations The "typ" (type) header parameter is ignored by COSE implementations
(libraries implementing <xref target="RFC9052"/> and this specification), (libraries implementing <xref target="RFC9052"/> and this specification),
other than being passed through to applications using those implementatio ns. other than being passed through to applications using those implementatio ns.
Any processing of this parameter is performed by the COSE application Any processing of this parameter is performed by the COSE application
using application-specific processing rules. using application-specific processing rules.
For instance, an application might verify that the <spanx style="verb">ty p</spanx> value For instance, an application might verify that the "typ" value
is a particular application-chosen media type and reject the data structu re if it is not. is a particular application-chosen media type and reject the data structu re if it is not.
</t> </t>
<t> <t>
The <spanx style="verb">typ</spanx> parameter MUST NOT be present in unprotect ed headers. The "typ" parameter <bcp14>MUST NOT</bcp14> be present in unprotected headers.
</t> </t>
<t> <t>
The <spanx style="verb">typ</spanx> parameter does not describe the content of unprotected headers. The "typ" parameter does not describe the content of unprotected headers.
Changes to unprotected headers do not change the type of the COSE object. Changes to unprotected headers do not change the type of the COSE object.
</t> </t>
</section> </section>
<section anchor="Security">
<section anchor="Security" title="Security Considerations"> <name>Security Considerations</name>
<t> <t>
The case for explicit typing of COSE objects is equivalent to the case ma de for explicit typing The case for explicit typing of COSE objects is equivalent to the case ma de for explicit typing
in Section 3.11 of JSON Web Token Best Current Practices <xref target="RF C8725"/>: in <xref target="RFC8725" section="3.11" sectionFormat="of"/>:
Explicit typing can prevent confusion between different kinds of COSE objects. Explicit typing can prevent confusion between different kinds of COSE objects.
</t> </t>
<t> <t>
COSE applications employing explicit typing should reject COSE objects COSE applications employing explicit typing should reject COSE objects
with a type header parameter value different than values that they expect in that application context. with a type header parameter value different than values that they expect in that application context.
They should also reject COSE objects without a type header parameter when one is expected. They should also reject COSE objects without a type header parameter when one is expected.
</t> </t>
</section> </section>
<section anchor="IANA">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<section anchor="cose-algorithms-registrations">
<section anchor="cose-algorithms-registrations" title="COSE Header Paramet <name>COSE Header Parameter Registrations</name>
er Registrations">
<t> <t>
This section registers the following value in the IANA has registered the following value in the
IANA "COSE Header Parameters" registry <xref target="IANA.COSE.HeaderPa IANA "COSE Header Parameters" registry <xref target="COSE.HeaderParamet
rameters"/>. ers"/>.
</t> </t>
<t>
<?rfc subcompact="yes"?>
<list style='symbols'>
<t>
Name: typ (type)
</t>
<t>
Label: TBD (requested assignment 16)
</t>
<t>
Value Type: uint / tstr
</t>
<t>
Value Registry: <xref target="IANA.CoAP.ContentFormats"/> or <xref
target="IANA.MediaTypes"/>
</t>
<t>
Description: Type of the complete COSE object
</t>
<t>
Reference: <xref target="typ"/> of this specification
</t>
</list>
</t>
<?rfc subcompact="no"?>
</section>
<table anchor="iana-tab">
<name></name>
<thead>
<tr>
<th>Name</th>
<th>Label</th>
<th>Value Type</th>
<th>Value Registry</th>
<th>Description</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>typ (type)</td>
<td>16</td>
<td>uint&nbsp;/ tstr</td>
<td><xref target="CoAP.ContentFormats"/> or <xref
target="MediaTypes"/> registry</td>
<td>Content type of the complete COSE object</td>
<td><xref target="typ"/> of RFC 9596</td>
</tr>
</tbody>
</table>
</section>
</section> </section>
</middle> </middle>
<back> <back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
725.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
052.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
515.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
516.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
519.xml"/>
<references title="Normative References"> <reference anchor="COSE.HeaderParameters" target="https://www.iana.org/a
ssignments/cose">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.211 <front>
9.xml"/> <title>COSE Header Parameters</title>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.817 <author>
4.xml"/> <organization>IANA</organization>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.872 </author>
5.xml"/> <date/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.905 </front>
2.xml"/> </reference>
</references>
<references title="Informative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.751
5.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.751
6.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.751
9.xml"/>
<reference anchor="IANA.COSE.HeaderParameters" target="https://www.iana.or
g/assignments/cose/cose.xhtml#header-parameters">
<front>
<title>COSE Header Parameters</title>
<author>
<organization>IANA</organization>
</author>
<date/>
</front>
</reference>
<reference anchor="IANA.CoAP.ContentFormats" target="https://www.iana.org/ <reference anchor="CoAP.ContentFormats" target="https://www.iana.org/ass
assignments/core-parameters/core-parameters.xhtml#content-formats"> ignments/core-parameters">
<front> <front>
<title>CoAP Content-Formats</title> <title>CoAP Content-Formats</title>
<author> <author>
<organization>IANA</organization> <organization>IANA</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="IANA.MediaTypes" target="https://www.iana.org/assignmen <reference anchor="MediaTypes" target="https://www.iana.org/assignments/
ts/media-types"> media-types">
<front> <front>
<title>Media Types</title> <title>Media Types</title>
<author> <author>
<organization>IANA</organization> <organization>IANA</organization>
</author> </author>
<date></date> <date/>
</front> </front>
</reference> </reference>
</references>
</references> </references>
<section title="Document History" anchor="History"> <section anchor="Acknowledgements" numbered="false">
<t> <name>Acknowledgements</name>
[[ to be removed by the RFC Editor before publication as an RFC ]]
</t>
<t>
-05
<list style='symbols'>
<t>
Addressed Area Director review comments.
</t>
</list>
</t>
<t>
-04
<list style='symbols'>
<t>
Addressed SECDIR review comments.
</t>
</list>
</t>
<t>
-03
<list style='symbols'>
<t>
Addressed GENART and OPSDIR review comments.
</t>
</list>
</t>
<t>
-02
<list style='symbols'>
<t>
Addressed working group last call comments.
</t>
<t>
Changed requested assignment from 14 to 16 due to conflict a with new
assignment.
</t>
</list>
</t>
<t>
-01
<list style='symbols'>
<t>
Added language about media type parameters.
</t>
</list>
</t>
<t>
-00
<list style='symbols'>
<t>
Initial working group version based on draft-jones-cose-typ-header-pa
rameter-01.
</t>
</list>
</t>
</section>
<section title="Acknowledgements" anchor="Acknowledgements" numbered="no">
<t> <t>
We would like to thank We would like to thank
Henk Birkholz, <contact fullname="Henk Birkholz" />,
Carsten Bormann, <contact fullname="Carsten Bormann" />,
Susan Hares, <contact fullname="Susan Hares" />,
Dan Harkins, <contact fullname="Dan Harkins" />,
Murray Kucherawy, <contact fullname="Murray Kucherawy" />,
Marco Tiloca, <contact fullname="Marco Tiloca" />,
Gunter Van de Velde, <contact fullname="Gunter Van de Velde" />,
Éric Vyncke, <contact fullname="Éric Vyncke" />,
and and
Dale Worley <contact fullname="Dale Worley" />
for their valuable contributions to this specification. for their valuable contributions to this specification.
</t> </t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 49 change blocks. 
243 lines changed or deleted 162 lines changed or added

This html diff was produced by rfcdiff 1.48.