| < draft-ietf-ace-cbor-web-token-10.txt | draft-ietf-ace-cbor-web-token-11.txt > | |||
|---|---|---|---|---|
| ACE Working Group M. Jones | ACE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track E. Wahlstroem | Intended status: Standards Track E. Wahlstroem | |||
| Expires: June 20, 2018 | Expires: July 25, 2018 | |||
| S. Erdtman | S. Erdtman | |||
| Spotify AB | Spotify AB | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Ltd. | ARM Ltd. | |||
| December 17, 2017 | January 21, 2018 | |||
| CBOR Web Token (CWT) | CBOR Web Token (CWT) | |||
| draft-ietf-ace-cbor-web-token-10 | draft-ietf-ace-cbor-web-token-11 | |||
| Abstract | Abstract | |||
| CBOR Web Token (CWT) is a compact means of representing claims to be | CBOR Web Token (CWT) is a compact means of representing claims to be | |||
| transferred between two parties. The claims in a CWT are encoded in | transferred between two parties. The claims in a CWT are encoded in | |||
| the Concise Binary Object Representation (CBOR) and CBOR Object | the Concise Binary Object Representation (CBOR) and CBOR Object | |||
| Signing and Encryption (COSE) is used for added application layer | Signing and Encryption (COSE) is used for added application layer | |||
| security protection. A claim is a piece of information asserted | security protection. A claim is a piece of information asserted | |||
| about a subject and is represented as a name/value pair consisting of | about a subject and is represented as a name/value pair consisting of | |||
| a claim name and a claim value. CWT is derived from JSON Web Token | a claim name and a claim value. CWT is derived from JSON Web Token | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 20, 2018. | This Internet-Draft will expire on July 25, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 4, line 13 ¶ | skipping to change at page 4, line 13 ¶ | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| This document reuses terminology from JWT [RFC7519] and COSE | This document reuses terminology from JWT [RFC7519] and COSE | |||
| [RFC8152]. | [RFC8152]. | |||
| StringOrURI | StringOrURI | |||
| The "StringOrURI" term has the same meaning, syntax, and | The "StringOrURI" term has the same meaning, syntax, and | |||
| processing rules as the "StringOrURI" term defined in Section 2 of | processing rules as the "StringOrURI" term defined in Section 2 of | |||
| JWT [RFC7519], except that it uses a CBOR text string instead of a | [RFC7519], except that it uses a CBOR text string instead of a | |||
| JSON string value. | JSON string value. | |||
| NumericDate | NumericDate | |||
| The "NumericDate" term has the same meaning, syntax, and | The "NumericDate" term has the same meaning, syntax, and | |||
| processing rules as the "NumericDate" term defined in Section 2 of | processing rules as the "NumericDate" term defined in Section 2 of | |||
| JWT [RFC7519], except that the CBOR numeric date representation | [RFC7519], except that the CBOR numeric date representation (from | |||
| (from Section 2.4.1 of [RFC7049]) is used. The encoding is | Section 2.4.1 of [RFC7049]) is used. The encoding is modified so | |||
| modified so that the leading tag 1 (epoch-based date/time) MUST be | that the leading tag 1 (epoch-based date/time) MUST be omitted. | |||
| omitted. | ||||
| Claim Name | Claim Name | |||
| The human-readable name used to identify a claim. | The human-readable name used to identify a claim. | |||
| Claim Key | Claim Key | |||
| The CBOR map key used to identify a claim. | The CBOR map key used to identify a claim. | |||
| Claim Value | Claim Value | |||
| The CBOR map value representing the value of the claim. | The CBOR map value representing the value of the claim. | |||
| skipping to change at page 5, line 16 ¶ | skipping to change at page 5, line 16 ¶ | |||
| None of the claims defined below are intended to be mandatory to use | None of the claims defined below are intended to be mandatory to use | |||
| or implement. They rather provide a starting point for a set of | or implement. They rather provide a starting point for a set of | |||
| useful, interoperable claims. Applications using CWTs should define | useful, interoperable claims. Applications using CWTs should define | |||
| which specific claims they use and when they are required or | which specific claims they use and when they are required or | |||
| optional. | optional. | |||
| 3.1.1. iss (Issuer) Claim | 3.1.1. iss (Issuer) Claim | |||
| The "iss" (issuer) claim has the same meaning, syntax, and processing | The "iss" (issuer) claim has the same meaning, syntax, and processing | |||
| rules as the "iss" claim defined in Section 4.1.1 of JWT [RFC7519], | rules as the "iss" claim defined in Section 4.1.1 of [RFC7519], | |||
| except that the value is of type StringOrURI. The Claim Key 1 is | except that the value is of type StringOrURI. The Claim Key 1 is | |||
| used to identify this claim. | used to identify this claim. | |||
| 3.1.2. sub (Subject) Claim | 3.1.2. sub (Subject) Claim | |||
| The "sub" (subject) claim has the same meaning, syntax, and | The "sub" (subject) claim has the same meaning, syntax, and | |||
| processing rules as the "sub" claim defined in Section 4.1.2 of JWT | processing rules as the "sub" claim defined in Section 4.1.2 of | |||
| [RFC7519], except that the value is of type StringOrURI. The Claim | [RFC7519], except that the value is of type StringOrURI. The Claim | |||
| Key 2 is used to identify this claim. | Key 2 is used to identify this claim. | |||
| 3.1.3. aud (Audience) Claim | 3.1.3. aud (Audience) Claim | |||
| The "aud" (audience) claim has the same meaning, syntax, and | The "aud" (audience) claim has the same meaning, syntax, and | |||
| processing rules as the "aud" claim defined in Section 4.1.3 of JWT | processing rules as the "aud" claim defined in Section 4.1.3 of | |||
| [RFC7519], except that the value of the audience claim is of type | [RFC7519], except that the value of the audience claim is of type | |||
| StringOrURI when it is not an array or the values of the audience | StringOrURI when it is not an array or the values of the audience | |||
| array elements are of type StringOrURI when the audience claim value | array elements are of type StringOrURI when the audience claim value | |||
| is an array. The Claim Key 3 is used to identify this claim. | is an array. The Claim Key 3 is used to identify this claim. | |||
| 3.1.4. exp (Expiration Time) Claim | 3.1.4. exp (Expiration Time) Claim | |||
| The "exp" (expiration time) claim has the same meaning, syntax, and | The "exp" (expiration time) claim has the same meaning, syntax, and | |||
| processing rules as the "exp" claim defined in Section 4.1.4 of JWT | processing rules as the "exp" claim defined in Section 4.1.4 of | |||
| [RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
| Key 4 is used to identify this claim. | Key 4 is used to identify this claim. | |||
| 3.1.5. nbf (Not Before) Claim | 3.1.5. nbf (Not Before) Claim | |||
| The "nbf" (not before) claim has the same meaning, syntax, and | The "nbf" (not before) claim has the same meaning, syntax, and | |||
| processing rules as the "nbf" claim defined in Section 4.1.5 of JWT | processing rules as the "nbf" claim defined in Section 4.1.5 of | |||
| [RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
| Key 5 is used to identify this claim. | Key 5 is used to identify this claim. | |||
| 3.1.6. iat (Issued At) Claim | 3.1.6. iat (Issued At) Claim | |||
| The "iat" (issued at) claim has the same meaning, syntax, and | The "iat" (issued at) claim has the same meaning, syntax, and | |||
| processing rules as the "iat" claim defined in Section 4.1.6 of JWT | processing rules as the "iat" claim defined in Section 4.1.6 of | |||
| [RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
| Key 6 is used to identify this claim. | Key 6 is used to identify this claim. | |||
| 3.1.7. cti (CWT ID) Claim | 3.1.7. cti (CWT ID) Claim | |||
| The "cti" (CWT ID) claim has the same meaning, syntax, and processing | The "cti" (CWT ID) claim has the same meaning, syntax, and processing | |||
| rules as the "jti" claim defined in Section 4.1.7 of JWT [RFC7519], | rules as the "jti" claim defined in Section 4.1.7 of [RFC7519], | |||
| except that the value is of type byte string. The Claim Key 7 is | except that the value is of type byte string. The Claim Key 7 is | |||
| used to identify this claim. | used to identify this claim. | |||
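The NumericDate definition above and the seven registered claims of Section 3.1 only describe the encoding; the following is an added example (not code from the draft or from any CWT library) that builds a claims set with the integer Claim Keys, emits time claims as bare integers with the epoch tag 1 omitted, and applies the receiver-side exp/nbf rules inherited from RFC 7519. The CBOR encoder covers just the major types the registered claims need, and the sample claim values are constructed for the example.

```python
"""Encode a CWT claims set with the integer Claim Keys of Section 3.1.

Added example for this page; not code from the draft or from any CWT
library. The CBOR encoder below covers only the major types the registered
claims need (RFC 7049 major types 0 to 5). Sample values are constructed.
"""
import struct
import time

# Claim Name -> Claim Key, as registered in Section 3.1 of the draft.
CLAIM_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}
NUMERIC_DATE_CLAIMS = ("exp", "nbf", "iat")


def _head(major, n):
    """Initial byte plus shortest-form argument (RFC 7049 Section 2)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | info]) + struct.pack(fmt, n)
    raise ValueError("argument too large for CBOR")


def encode(value):
    """Encode int, bytes, str, list or dict as definite-length CBOR."""
    if isinstance(value, bool):
        raise TypeError("no registered claim uses a boolean")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        utf8 = value.encode("utf-8")
        return _head(3, len(utf8)) + utf8
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(map(encode, value))
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(encode(k) + encode(v) for k, v in value.items())
    raise TypeError(f"unsupported claim value type {type(value).__name__}")


def encode_claims(claims):
    """Translate claim names to Claim Keys, validate value types, encode the map.

    NumericDate values are emitted as bare integers: the draft requires that
    the CBOR epoch tag 1 (0xc1) be omitted, so an "exp" of 1444064944 is
    encoded as 04 1a 5612aeb0 in the map, not 04 c1 1a 5612aeb0.
    """
    out = {}
    for name, value in claims.items():
        if name in NUMERIC_DATE_CLAIMS and (
            isinstance(value, bool) or not isinstance(value, int) or value < 0
        ):
            raise ValueError(f"{name} must be a non-negative integer NumericDate")
        if name == "cti" and not isinstance(value, bytes):
            raise ValueError("cti is a byte string (unlike the text JWT jti)")
        if name == "aud" and not isinstance(value, (str, list)):
            raise ValueError("aud is a single StringOrURI or an array of them")
        if name in ("iss", "sub") and not isinstance(value, str):
            raise ValueError(f"{name} is a StringOrURI")
        # Names without a registered key are kept as text-string map keys.
        out[CLAIM_KEYS.get(name, name)] = value
    return encode(out)


def check_time_claims(claims, now=None, leeway=0):
    """Receiver-side exp/nbf rules from RFC 7519 Sections 4.1.4 and 4.1.5.

    Returns None when the claims are valid at `now` (seconds since the
    epoch), otherwise a short reason. `leeway` absorbs clock skew in seconds.
    """
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"] + leeway:
        return "expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return "not yet valid"
    return None


# Constructed sample claims set (values chosen for this example).
SAMPLE_CLAIMS = {
    "iss": "coap://as.example.com",
    "sub": "erikw",
    "aud": "coap://light.example.com",
    "exp": 1444064944,
    "nbf": 1443944944,
    "iat": 1443944944,
    "cti": bytes.fromhex("0b71"),
}

if __name__ == "__main__":
    print(encode_claims(SAMPLE_CLAIMS).hex())
    print(check_time_claims(SAMPLE_CLAIMS, now=1443944944))
```

The map produced above starts with `a7 01 75 ...`: a 7-entry map whose first key is the single byte 0x01 for "iss", which is the whole point of the integer Claim Keys compared with the JWT text names. Note that the claims set is only the COSE payload; it still has to be wrapped in a COSE_Sign1, COSE_Mac0 or COSE_Encrypt0 structure before it is a CWT.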
| 4. Summary of the claim names, keys, and value types | 4. Summary of the claim names, keys, and value types | |||
| +------+-----+----------------------------------+ | +------+-----+----------------------------------+ | |||
| | Name | Key | Value type | | | Name | Key | Value type | | |||
| +------+-----+----------------------------------+ | +------+-----+----------------------------------+ | |||
| | iss | 1 | text string | | | iss | 1 | text string | | |||
| | sub | 2 | text string | | | sub | 2 | text string | | |||
| skipping to change at page 13, line 26 ¶ | skipping to change at page 13, line 26 ¶ | |||
| o Type name: application | o Type name: application | |||
| o Subtype name: cwt | o Subtype name: cwt | |||
| o Required parameters: N/A | o Required parameters: N/A | |||
| o Optional parameters: N/A | o Optional parameters: N/A | |||
| o Encoding considerations: binary | o Encoding considerations: binary | |||
| o Security considerations: See the Security Considerations section | o Security considerations: See the Security Considerations section | |||
| of [[ this specification ]] | of [[ this specification ]] | |||
| o Interoperability considerations: N/A | o Interoperability considerations: N/A | |||
| o Published specification: [[ this specification ]] | o Published specification: [[ this specification ]] | |||
| o Applications that use this media type: IoT applications sending | o Applications that use this media type: IoT applications sending | |||
| security tokens over HTTP(S) and other transports. | security tokens over HTTP(S), CoAP(S), and other transports. | |||
| o Fragment identifier considerations: N/A | o Fragment identifier considerations: N/A | |||
| o Additional information: | o Additional information: | |||
| Magic number(s): N/A | Magic number(s): N/A | |||
| File extension(s): N/A | File extension(s): N/A | |||
| Macintosh file type code(s): N/A | Macintosh file type code(s): N/A | |||
| o Person & email address to contact for further information: | o Person & email address to contact for further information: | |||
| IESG, iesg@ietf.org | IESG, iesg@ietf.org | |||
| o Intended usage: COMMON | o Intended usage: COMMON | |||
| skipping to change at page 21, line 12 ¶ | skipping to change at page 21, line 12 ¶ | |||
| Figure 16: Signed and Encrypted CWT as hex string | Figure 16: Signed and Encrypted CWT as hex string | |||
| 16( | 16( | |||
| [ | [ | |||
| / protected / << { | / protected / << { | |||
| / alg / 1: 10 / AES-CCM-16-64-128 / | / alg / 1: 10 / AES-CCM-16-64-128 / | |||
| } >>, | } >>, | |||
| / unprotected / { | / unprotected / { | |||
| / kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | / kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | |||
| / iv / 5: h'86bbd41cc32604396324b7f380' | / iv / 5: h'4a0694c0e69ee6b5956655c7b2' | |||
| }, | }, | |||
| / ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474 | / ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474 | |||
| 46fe12f0e7de05650dec74724366763f167a29c002d | 46fe12f0e7de05650dec74724366763f167a29c002d | |||
| fd15b34d8993391cf49bc91127f545dba8703d66f5b | fd15b34d8993391cf49bc91127f545dba8703d66f5b | |||
| 7f1ae91237503d371e6333df9708d78c4fb8a8386c8 | 7f1ae91237503d371e6333df9708d78c4fb8a8386c8 | |||
| ff09dc49af768b23179deab78d96490a66d5724fb33 | ff09dc49af768b23179deab78d96490a66d5724fb33 | |||
| 900c60799d9872fac6da3bdb89043d67c2a05414ce3 | 900c60799d9872fac6da3bdb89043d67c2a05414ce3 | |||
| 31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf | 31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf | |||
| f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d | f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d | |||
| 284c616abeab5d8c291ce0' | 284c616abeab5d8c291ce0' | |||
| skipping to change at page 22, line 28 ¶ | skipping to change at page 22, line 28 ¶ | |||
| ) | ) | |||
| Figure 19: MACed CWT with a floating-point value in CBOR diagnostic | Figure 19: MACed CWT with a floating-point value in CBOR diagnostic | |||
| notation | notation | |||
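Figure 17 above gives the encrypted CWT in CBOR diagnostic notation only; the hex of Figure 16 is not shown on this page. The following is an added example (not code from the draft or from any COSE library) that re-encodes the Figure 17 structure as CBOR by hand (constructed input, including the corrected -11 "iv" value), then unwraps it with a minimal CBOR decoder and checks the points a receiver should insist on before touching the key: tag 16, a three-element array, the "alg" taken only from the protected header, and an "iv" whose length matches the 13-byte nonce of AES-CCM-16-64-128. Decryption itself is out of scope, since the 'Symmetric128' key is not on the page.

```python
"""Unwrap the COSE_Encrypt0 CWT of Figure 17 and sanity-check its headers.

Added example; not code from the draft or any COSE library. Figure 17 is
re-encoded here by hand (constructed input). Without the 'Symmetric128'
key the ciphertext stays opaque, so no decryption is attempted.
"""
import struct

COSE_ENCRYPT0_TAG = 16
# COSE alg 10 = AES-CCM-16-64-128: 16-bit length field, hence a 13-byte nonce.
NONCE_LEN = {10: 13}

PROTECTED = bytes.fromhex("a1010a")                 # << {1: 10} >> from Figure 17
KID = bytes.fromhex("53796d6d6574726963313238")     # 'Symmetric128'
IV = bytes.fromhex("4a0694c0e69ee6b5956655c7b2")    # the corrected -11 value
CIPHERTEXT = bytes.fromhex(                          # copied from Figure 17
    "f6b0914f993de822cc47e5e57a188d7960b528a7474"
    "46fe12f0e7de05650dec74724366763f167a29c002d"
    "fd15b34d8993391cf49bc91127f545dba8703d66f5b"
    "7f1ae91237503d371e6333df9708d78c4fb8a8386c8"
    "ff09dc49af768b23179deab78d96490a66d5724fb33"
    "900c60799d9872fac6da3bdb89043d67c2a05414ce3"
    "31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf"
    "f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d"
    "284c616abeab5d8c291ce0"
)


def decode(data, pos=0):
    """Decode one definite-length CBOR item at `pos`; return (value, next_pos).

    Tags come back as (tag, inner) tuples so callers can insist on tag 16.
    """
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info <= 27:
        fmt = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}[info]
        size = struct.calcsize(fmt)
        if pos + size > len(data):
            raise ValueError("truncated CBOR argument")
        n, pos = struct.unpack_from(fmt, data, pos)[0], pos + size
    else:
        raise ValueError("indefinite-length or reserved additional info")
    if major in (2, 3):
        if pos + n > len(data):
            raise ValueError("truncated string")
        raw = bytes(data[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major in (0, 1):
        return (n if major == 0 else -1 - n), pos
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = decode(data, pos)
            m[k], pos = decode(data, pos)
        return m, pos
    if major == 6:
        inner, pos = decode(data, pos)
        return (n, inner), pos
    raise ValueError("major type 7 (floats/simple values) is not needed here")


def parse_encrypt0(token):
    """Return (alg, kid, iv, ciphertext) from a COSE_Encrypt0 CWT, or raise.

    Structural checks only: the AEAD tag is what authenticates the headers
    and ciphertext, so nothing returned here is trustworthy until the caller
    decrypts with the key named by kid and the tag verifies.
    """
    item, end = decode(token)
    if end != len(token):
        raise ValueError("trailing bytes after the CWT")
    if not (isinstance(item, tuple) and item[0] == COSE_ENCRYPT0_TAG):
        raise ValueError("expected a COSE_Encrypt0 (tag 16) CWT")
    body = item[1]
    if not (isinstance(body, list) and len(body) == 3):
        raise ValueError("COSE_Encrypt0 is a 3-element array")
    protected_bstr, unprotected, ciphertext = body
    if not (isinstance(protected_bstr, bytes) and isinstance(unprotected, dict)
            and isinstance(ciphertext, bytes)):
        raise ValueError("malformed COSE_Encrypt0 buckets")
    # alg is read only from the protected bucket, which is bound into the
    # AEAD additional data; the unprotected bucket is not.
    protected = decode(protected_bstr)[0] if protected_bstr else {}
    alg = protected.get(1) if isinstance(protected, dict) else None
    if alg not in NONCE_LEN:
        raise ValueError(f"alg {alg!r} missing from protected header or unsupported")
    iv = unprotected.get(5)
    if not isinstance(iv, bytes) or len(iv) != NONCE_LEN[alg]:
        raise ValueError(f"iv must be a {NONCE_LEN[alg]}-byte nonce for alg {alg}")
    return alg, unprotected.get(4), iv, ciphertext


def build_figure17(iv=IV):
    """Encode Figure 17 as CBOR: 16([protected, {kid, iv}, ciphertext])."""
    assert max(len(PROTECTED), len(KID), len(iv)) < 24 and len(CIPHERTEXT) < 256
    return (b"\xd0\x83"                                         # tag(16), array(3)
            + bytes([0x40 | len(PROTECTED)]) + PROTECTED        # protected bstr
            + b"\xa2\x04" + bytes([0x40 | len(KID)]) + KID      # map(2): 4: kid
            + b"\x05" + bytes([0x40 | len(iv)]) + iv            #         5: iv
            + b"\x58" + bytes([len(CIPHERTEXT)]) + CIPHERTEXT)  # ciphertext bstr


def is_acceptable(token):
    """True when parse_encrypt0 accepts the token, False on any structural error."""
    try:
        parse_encrypt0(token)
        return True
    except ValueError:
        return False
```

Run as `parse_encrypt0(build_figure17())` the result is `(10, b'Symmetric128', <13-byte iv>, <183-byte ciphertext>)`. The same parser rejects a token whose outer tag has been changed to 18 (COSE_Sign1), an "iv" shortened by one byte, or trailing bytes after the structure. The nonce-length check matters because CCM with a 2-byte length field needs exactly 15 - 2 = 13 nonce bytes; it does not, and cannot, protect against nonce reuse by the issuer, which is a key-management property rather than something the receiver can verify.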
| Appendix B. Acknowledgements | Appendix B. Acknowledgements | |||
| This specification is based on JSON Web Token (JWT) [RFC7519], the | This specification is based on JSON Web Token (JWT) [RFC7519], the | |||
| authors of which also include Nat Sakimura and John Bradley. It also | authors of which also include Nat Sakimura and John Bradley. It also | |||
| incorporates suggestions made by many people, including Carsten | incorporates suggestions made by many people, including Carsten | |||
| Bormann, Esko Dijk, Jim Schaad, Ludwig Seitz, and Goeran Selander. | Bormann, Esko Dijk, Benjamin Kaduk, Jim Schaad, Ludwig Seitz, and | |||
| Goeran Selander. | ||||
| Appendix C. Document History | Appendix C. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -11 | ||||
| o Corrected the "iv" value in the signed and encrypted CWT example. | ||||
| o Mention CoAP in the "application/cwt" media type registration. | ||||
| o Changed references of the form "Section 4.1.1 of JWT <xref | ||||
| target="RFC7519"/>" to "Section 4.1.1 of <xref target="RFC7519"/>" | ||||
| so that rfcmarkup will generate correct external section reference | ||||
| links. | ||||
| o Updated Acknowledgements. | ||||
| -10 | -10 | |||
| o Clarified that the audience claim value can be a single audience | o Clarified that the audience claim value can be a single audience | |||
| value or an array of audience values, just as is the case for the | value or an array of audience values, just as is the case for the | |||
| JWT "aud" claim. | JWT "aud" claim. | |||
| o Clarified the nested CWT description. | o Clarified the nested CWT description. | |||
| o Changed uses of "binary string" to "byte string". | o Changed uses of "binary string" to "byte string". | |||
| End of changes. 18 change blocks. | | |||
| 20 lines changed or deleted | 33 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | |||