Internet-Draft | CBOR Tags for OIDs | February 2021 |
Bormann | Expires 23 August 2021 | [Page] |
The Concise Binary Object Representation (CBOR, RFC 8949) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.¶
The present document defines CBOR tags for object identifiers (OIDs). It is intended as the reference document for the IANA registration of the CBOR tags so defined.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 August 2021.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The Concise Binary Object Representation (CBOR, [RFC8949]) provides for the interchange of structured data without a requirement for a pre-agreed schema. [RFC8949] defines a basic set of data types, as well as a tagging mechanism that enables extending the set of data types supported via an IANA registry.¶
The present document defines CBOR tags for object identifiers (OIDs, [X.660]), which many IETF protocols carry. The ASN.1 Basic Encoding Rules (BER, [X.690]) specify binary encodings of both (absolute) object identifiers and relative object identifiers. The contents of these encodings (the "value" part of BER's type-length-value structure) can be carried in a CBOR byte string. This document defines two CBOR tags that cover the two kinds of ASN.1 object identifiers encoded in this way. The tags can also be applied to arrays and maps to efficiently tag all elements of an array or all keys of a map. It is intended as the reference document for the IANA registration of the tags so defined.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The terminology of [RFC8949] applies; in particular the term "byte" is used in its now customary sense as a synonym for "octet". The term "SDNV" is used as defined in [RFC6256].¶
The International Object Identifier tree [X.660] is a hierarchically managed space of identifiers, each of which is uniquely represented as a sequence of unsigned integer values [X.680]. (These integer values are called "primary integer values" in X.660 because they can be accompanied by (not necessarily unambiguous) secondary identifiers. We ignore the latter and simply use the term "integer values" here, occasionally calling out their unsignedness. We also use the term "arc" when the focus is on the edge of the tree labeled by such an integer value, as well as in the sense of a "long arc", i.e. a (sub)sequence of such integer values.)¶
While these sequences can easily be represented in CBOR arrays of unsigned integers, a more compact representation can often be achieved by adopting the widely used representation of object identifiers defined in BER; this representation may also be more amenable to processing by other software that makes use of object identifiers.¶
BER represents the sequence of unsigned integers by concatenating self-delimiting [RFC6256] representations of each of the integer values in sequence.¶
ASN.1 distinguishes absolute object identifiers (ASN.1 Type OBJECT IDENTIFIER
),
which begin at a root arc ([X.660] Clause 3.5.21), from relative object
identifiers (ASN.1 Type RELATIVE-OID
), which begin
relative to some object identifier known from context ([X.680]
Clause 3.8.63).
As a special optimization,
BER combines the first two integers in an absolute object identifier
into one numeric identifier by making use of the property of the
hierarchy that the first arc has only three integer values (0, 1, and 2),
and the second arcs under 0 and 1 are limited to the integer values between
0 and 39. (The root arc joint-iso-itu-t(2)
has
no such limitations on its second arc.)
If X and Y are the first two integer values,
the single integer value actually encoded is computed as:¶
The inverse transformation (again making use of the known ranges of X and Y) is applied when decoding the object identifier.¶
Since the semantics of absolute and relative object identifiers differ, this specification defines two tags, collectively called the "OID tags" here:¶
Tag TBD111: tags a byte string as the [X.690] encoding of an absolute object identifier (simply "object identifier" or "OID").¶
Tag TBD110: tags a byte string as the [X.690] encoding of a relative object identifier (also "relative OID"). Since the encoding of each number is the same as for [RFC6256] Self-Delimiting Numeric Values (SDNVs), this tag can also be used for tagging a byte string that contains a sequence of zero or more SDNVs.¶
Tag TBD112: structurally like TBD110, but understood to be relative to
1.3.6.1.4.1
(IANA Private Enterprise Number OID, [IANA.enterprise-numbers]). Hence, the
semantics of the result are that of an absolute object identifier.¶
To form a valid tag, a byte string tagged by TBD111, TBD110, or TBD112 MUST be a syntactically valid BER representation of an object identifier: A concatenation of zero or more SDNV values, where each SDNV value is a sequence of one or more bytes that all have their most significant bit set, except for the last byte, where it is unset. Also, the first byte of each SDNV cannot be a leading zero in SDNV's base-128 arithmetic, so it cannot take the value 0x80 (bullet (c) in Section 8.1.2.4.2 of [X.690]).¶
In other words:¶
If either of these invalid conditions are encountered, the tag is invalid.¶
[X.680] restricts RELATIVE-OID values to have at least one arc, i.e., their encoding would have at least one SDNV. This specification permits empty relative object identifiers; they may still be excluded by application semantics.¶
To facilitate the search for specific object ID values, it is RECOMMENDED that definite length encoding (see Section 3.2.3 of [RFC8949]) is used for the byte strings used as tag content for these tags.¶
The valid set of byte strings can also be expressed using regular expressions on bytes, using no specific notation but resembling [PCRE]. Unlike typical regular expressions that operate on character sequences, the following regular expressions take bytes as their domain, so they can be applied directly to CBOR byte strings.¶
For byte strings with tag TBD111:¶
/^(([\x81-\xFF][\x80-\xFF]*)?[\x00-\x7F])+$/
¶
For byte strings with tag TBD110 or TBD112:¶
/^(([\x81-\xFF][\x80-\xFF]*)?[\x00-\x7F])*$/
¶
A tag with tagged content that does not conform to the applicable regexp is invalid.¶
Staying close to the way object identifiers are encoded in ASN.1 BER makes back-and-forth translation easy; otherwise we would choose a more efficient encoding. Object identifiers in IETF protocols are serialized in dotted decimal form or BER form, so there is an advantage in not inventing a third form. Also, expectations of the cost of encoding object identifiers are based on BER; using a different encoding might not be aligned with these expectations. If additional information about an OID is desired, lookup services such as the OID Resolution Service (ORS) [X.672] and the OID Repository [OID-INFO] are available.¶
This section gives simple examples of an absolute and a relative object identifier, represented via tag number TBD111 and TBD110, respectively.¶
RFC editor: These and other examples assume the allocation of 111 for TBD111 and 110 for TBD110 and need to be changed if that isn't the actual allocation. Please remove this paragraph.¶
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha256(1) }¶
2.16.840.1.101.3.4.2.1¶
Given some OID (e.g., lowpanMib
, assumed to be 1.3.6.1.2.1.226
[RFC7388]),
to which the following is added:¶
{ lowpanObjects(1) lowpanStats(1) lowpanOutTransmits(29) }¶
.1.1.29¶
This relative OID saves seven bytes compared to the full OID encoding.¶
OID tags can tag byte strings (as discussed above), but also CBOR arrays and maps. The idea in the latter case is that the tag is factored out from each individual item in the container; the tag is placed on the array or map instead.¶
When an OID tag is applied to an array, it means that the respective tag is imputed to all elements of the array that are byte strings, arrays, or maps. (There is no effect on other elements, including text strings or tags.) For example, when an array is tagged with TBD111, every array element that is a byte string is an OID, and every element that is an array or map is in turn treated as discussed here.¶
When an OID tag is applied to a map, it means that the respective tag is imputed to all keys in the map that are byte strings, arrays, or maps; again, there is no effect on keys of other major types. Note that there is also no effect on the values in the map.¶
As a result of these rules, tag factoring in nested arrays and maps is supported. For example, a 3-dimensional array of OIDs can be composed by using a single TBD111 tag containing an array of arrays of arrays of byte strings. All such byte strings are then considered OIDs.¶
Consider the X.500 distinguished name:¶
Attribute Types | Attribute Values |
---|---|
c (2.5.4.6) | US |
l (2.5.4.7) s (2.5.4.8) postalCode (2.5.4.17) |
Los Angeles CA 90013 |
street (2.5.4.9) | 532 S Olive St |
businessCategory (2.5.4.15) buildingName (0.9.2342.19200300.100.1.48) |
Public Park Pershing Square |
Table 1 has four "relative distinguished names" (RDNs). The country and street RDNs are single-valued. The second and fourth RDNs are multi-valued.¶
The equivalent representations in CBOR diagnostic notation (Section 8 of [RFC8949]) and CBOR are:¶
(This example encoding assumes that all attribute values are UTF-8 strings, or can be represented as UTF-8 strings with no loss of information.)¶
CDDL specifications may want to specify the use of SDNVs or SDNV sequences (as defined for the tag content for TBD110). This document introduces two new control operators that can be applied to a target value that is a byte string:¶
.sdnv
, with a control type that contains unsigned integers. The
byte string is specified to be encoded as an [RFC6256] SDNV (BER
encoding) for the matching values of the control type.¶
.sdnvseq
, with a control type that contains arrays of unsigned
integers. The byte string is specified to be encoded as a sequence
of [RFC6256] SDNVs (BER encoding) that decodes to an array of
unsigned integers matching the control type.¶
.oid
, like .sdnvseq
, except that the X*40+Y translation for
absolute OIDs is included (see Figure 8).¶
Figure 7 shows an example for the use of .sdnvseq
for a part
of a structure using OIDs that could be used in Figure 6;
Figure 8 shows the same with the .oid
operator.¶
Note that the control type need not be a literal; e.g., bytes .oid
[2, 5, 4, *uint]
matches all OIDs inside OID arc 2.5.4,
attributeType
.¶
For the use with CDDL [RFC8610], the typenames defined in Figure 9 are recommended:¶
IANA is requested to assign the CDDL Control Operators in Table 3, with the present document as the specification reference.¶
Name | Reference |
---|---|
.sdnv | [this document, Section 5] |
.sdnvseq | [this document, Section 5] |
.oid | [this document, Section 5] |
The security considerations of [RFC8949] apply.¶
The encodings in Clauses 8.19 and 8.20 of [X.690] are quite compact and unambiguous, but MUST be followed precisely to avoid security pitfalls. In particular, the requirements set out in Section 2.1 of this document need to be followed; otherwise, an attacker may be able to subvert a checking process by submitting alternative representations that are later taken as the original (or even something else entirely) by another decoder supposed to be protected by the checking process.¶
OIDs and relative OIDs can always be treated as opaque byte strings. Actually understanding the structure that was used for generating them is not necessary, and, except for checking the structure requirements, it is strongly NOT RECOMMENDED to perform any processing of this kind (e.g., converting into dotted notation and back) unless absolutely necessary. If the OIDs are translated into other representations, the usual security considerations for non-trivial representation conversions apply; the integer values are unlimited in range.¶
This section is to be removed before publishing as an RFC.¶
Process WGLC and shepherd comments:¶
Minor editorial changes, remove some remnants, ready for WGLC.¶
Clean up OID tag factoring.¶
Resubmitted as WG draft after adoption.¶
Reduce the draft back to its basic mandate: Describe CBOR tags for what is colloquially know as ASN.1 Object IDs.¶
Refreshed the draft to the current date ("keep-alive").¶
Discussed UUID usage in CBOR, and incorporated fixes proposed by Olivier Dubuisson, including fixes regarding OID nomenclature.¶
Changes occurred based on limited feedback, mainly centered around the abstract and introduction, rather than substantive technical changes. These changes include:¶
Many significant changes occurred in this version. These changes include:¶
Sean Leonard started the work on this document in 2014 with an elaborate proposal. Jim Schaad provided a significant review of this document.¶