CBOR A. Rundgren, Ed. Internet-Draft Independent Intended status: Informational 26 July 2022 Expires: 27 January 2023 CBOR Object Type Extension (COTE) draft-rundgren-cote-00 Abstract This document describes a CBOR tag for providing type information to CBOR data. Unlike the native CBOR tagging scheme which builds on integers in a IANA registry, this specification supports arbitrary type identifiers, including using URLs. The latter enable type identifiers to potentially point to associated human readable definitions as well. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 27 January 2023. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Rundgren Expires 27 January 2023 [Page 1] Internet-Draft COTE July 2022 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Specification . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Sample . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 5.2. Informative References . . . . . . . . . . . . . . . . . 5 Appendix A. URI and URL Identifiers . . . . . . . . . . . . . . 6 A.1. Registering a Dedicated Domain . . . . . . . . . . . . . 6 A.2. Using a Sub-domain . . . . . . . . . . . . . . . . . . . 6 A.3. The 'tag' URI Scheme . . . . . . . . . . . . . . . . . . 6 Appendix B. URN Identifiers . . . . . . . . . . . . . . . . . . 6 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 7 Document History . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction This specification introduces a method for augmenting data expressed in the CBOR [RFC8949] notation, with a universal type identifier mechanism. The primary purpose is to enable developers defining application specific type identifiers without having to go through an external registration process. Although the described scheme imposes no restrictions on type identifiers (beyond being valid CBOR data items), using URLs [URL] should due to their ubiquity be a candidate for CBOR based standards. See also Appendix A. This specification is also intended to provide a path for ISO using CBOR as a possible alternative to XML by supporting their current URN [RFC8141] based identifier naming scheme. See also Appendix B. Since the type identifier scheme is supposed to be an integral part of CBOR data items, objects compliant with this specification may also be embedded in other CBOR and non-CBOR constructs, as well as stored in databases without any additional information. If applied to top level items, the type identifier scheme may also reduce the need for application specific media types. In many cases "application/cbor" should suffice. Rundgren Expires 27 January 2023 [Page 2] Internet-Draft COTE July 2022 1.1. Terminology In this document the term CBOR "object" is used interchangeably with the CBOR [RFC8949] "data item". The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Specification This specification builds on the CBOR [RFC8949] tag feature (major type 6), by defining a fixed tag with the preliminary decimal value of 1010. See also Section 3. This tag MUST in turn enclose a CBOR array with two elements, where the first element is assumed to contain an object type identifier, while the second element holds the object (instance) data itself. Both arguments MUST be valid (but arbitrary) CBOR objects. The syntax expressed in CBOR diagnostic notation (section 8 of [RFC8949]) would read as: 1010([_Object Identifier_, _Object Data_]) Note that real-world usages will typically impose constraints like requiring object identifiers to be expressed as HTTPS URLs etc. 2.1. Sample Consider the following sample: 1010(["https://example.com/myobject", { 1: "data", 2: "more data" }]) Converting the sample above to CBOR expressed in hexadecimal notation (here shown with embedded comments as well), should result in the following output: Rundgren Expires 27 January 2023 [Page 3] Internet-Draft COTE July 2022 D9 03F2 # tag(1010) 82 # array(2) 78 1C # text(28) 68747470733A2F2F6578616D706C652E636F6D2F6D796F626A656374 # "https://example.com/myobject" A2 # map(2) 01 # unsigned(1) 64 # text(4) 64617461 # "data" 02 # unsigned(2) 69 # text(9) 6D6F72652064617461 # "more data" In a typical implementation "https://example.com/myobject" would also serve as a hyper-link to human readable information about the identifier, accessed through a Web browser. 3. IANA Considerations In the registry [IANA.cbor-tags], IANA is requested to allocate the tag defined in Table 1. +======+=====================+============+=====================+ | Tag | Data Item | Semantics | Reference | +======+=====================+============+=====================+ | 1010 | array: [id, object] | Object | draft-rundgren-cote | | | | identifier | | +------+---------------------+------------+---------------------+ Table 1: Values for Tag Numbers 4. Security Considerations This specification inherits all the security considerations of CBOR [RFC8949]. URL-based type identifiers MUST NOT be used for automatically downloading CBOR schema data like CDDL [RFC8610] to CBOR processors, since this introduces potential vulnerabilities. The availability of type information does in no way limit the need for input data validation. For signed CBOR objects, it is RECOMMENDED to include the type identifier extension in the signature calculation as well. The same considerations apply to encryption using AEAD algorithms. 5. References Rundgren Expires 27 January 2023 [Page 4] Internet-Draft COTE July 2022 5.1. Normative References [IANA.cbor-tags] IANA, "Concise Binary Object Representation (CBOR) Tags", 19 September 2013, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", DOI 10.17487/RFC2119, BCP 14, RFC 2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", DOI 10.17487/RFC8174, RFC 8174, BCP 14, May 2017, . [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, DOI 10.17487/RFC8949, RFC 8949, December 2020, . 5.2. Informative References [RFC4151] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", RFC 4151, DOI 10.17487/RFC4151, October 2005, . [RFC5141] Goodwin, J. and H. Apel, "A Uniform Resource Name (URN) Namespace for the International Organization for Standardization (ISO)", DOI 10.17487/RFC5141, RFC 5141, March 2008, . [RFC8141] Saint-Andre, P. and J. Klensin, "Uniform Resource Names (URNs)", RFC 8141, DOI 10.17487/RFC8141, April 2017, . [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", DOI 10.17487/RFC8610, RFC 8610, June 2019, . [URL] What WG, "Living Standard — Last Updated 3 May 2022", . [XSD] W3C, "XML Schema Definition Language (XSD) 1.1 Part 1: Structures", . Rundgren Expires 27 January 2023 [Page 5] Internet-Draft COTE July 2022 Appendix A. URI and URL Identifiers The primary reason for using URI or URL [URL] based identifiers is for maintaining a single name-space for the entire specification of a system. Note that the referenced URL specification does not distinguish between URIs and URLs. A core issue with identifiers depending on host (DNS) names is that host names may not necessarily remain valid during the anticipated life time of an identifier. The originator of a host name may due to organizational changes, neglect, lack of interest, or even death, lose control over its use, effectively leaving associated identifiers orphaned. This non-normative section describes different methods for dealing with identifiers expressed as URIs or URLs. A.1. Registering a Dedicated Domain Creating a dedicated domain may be tempting but unless the domain is backed by either an organization having multiple uses of the domain or a genuine standards organization, there is a risk that it might not survive in the long run. A.2. Using a Sub-domain An alternative is using a dedicated sub-domain belonging to an entity that is likely to survive for an overseeable future. With the advent of public repositories like GitHub, this appears to be a simpler, cheaper, and more robust solution than maintaining dedicated domain names. A.3. The 'tag' URI Scheme For applications where strict control over the name-space is hard to achieve, the 'tag' URI scheme [RFC4151] may be used. Appendix B. URN Identifiers ISO currently use URN [RFC8141] [RFC5141] based identifiers like "urn:iso:std:iso:20022:tech:xsd:pain.001.001.10" for data definitions using XML schema [XSD]. This method could be applied to CBOR and CDDL [RFC8610] as well. Rundgren Expires 27 January 2023 [Page 6] Internet-Draft COTE July 2022 Acknowledgements People who have contributed with valuable feedback to this specification include Christian Amsüss, Carsten Bormann, and Joe Hildebrand. Document History [[ This section to be removed by the RFC Editor before publication as an RFC ]] Version 00: * Initial publication. Author's Address Anders Rundgren (editor) Independent Montpellier France Email: anders.rundgren.net@gmail.com URI: https://www.linkedin.com/in/andersrundgren/ Rundgren Expires 27 January 2023 [Page 7]