RATS Working Group                                           H. Birkholz
Internet-Draft                                            Fraunhofer SIT
Intended status: Standards Track                           N. Cam-Winget
Expires: September 10, 2020                                Cisco Systems
                                                              C. Bormann
                                                 Universitaet Bremen TZI
                                                          March 09, 2020


               A CBOR Tag for Unprotected CWT Claims Sets
                      draft-birkholz-rats-uccs-00

Abstract

   CBOR Web Token (CWT, RFC 8392) Claims Sets sometimes do not need the
   protection afforded by wrapping them into COSE, as is required for a
   true CWT.  This specification defines a CBOR tag for such unprotected
   CWT claims sets (UCCS) and discusses conditions for its proper use.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Characteristics of a Secure Channel
   3.  IANA Considerations
   4.  Security Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  Example
   Authors' Addresses

1.  Introduction

   A CBOR Web Token (CWT) as specified by [RFC8392] is always wrapped in
   a CBOR Object Signing and Encryption (COSE, [RFC8152]) envelope.
   COSE provides - amongst other things - the integrity protection
   mandated by RFC 8392 and optional encryption for CWTs.  Under the
   right circumstances, though, a signature providing proof for
   authenticity and integrity can be omitted from the information in a
   CWT without compromising the intended goal of authenticity and
   integrity.  If a secure channel is established in an appropriate
   fashion between two remote peers, and if that secure channel provides
   the correct properties, it is possible to omit the protection
   provided by COSE, creating a use case for unprotected CWT Claims
   Sets.

   This specification allocates a CBOR tag to mark Unprotected CWT
   Claims Sets (UCCS) as such and discusses conditions for its proper
   use.

   This specification does not change [RFC8392]: A true CWT does not
   make use of the tag allocated here; the UCCS tag is an alternative to
   using COSE protection and a CWT tag.

1.1.  Terminology

   The terms Claim and Claims Set are used as in [RFC8392].
   UCCS:  Unprotected CWT Claims Set

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Characteristics of a Secure Channel

   A Secure Channel for the conveyance of UCCS needs to provide the
   security properties that would otherwise be provided by COSE for a
   CWT.

   Secure Channels are often set up in a handshake protocol that agrees
   a session key, where the handshake protocol establishes the
   authenticity of one or both ends of the communication as well as
   confidentiality.  The session key can then be used to protect
   confidentiality and integrity of the transfer of information inside
   the secure channel.  A well-known example of such a secure channel
   setup protocol is the TLS [RFC8446] handshake; the TLS record
   protocol can then be used for secure conveyance.

   If only authenticity/integrity is required, the secure channel needs
   to be set up with authentication of the side that is providing the
   UCCS.  If confidentiality is also required, the receiving side also
   needs to be authenticated.

3.  IANA Considerations

   In the registry [IANA.cbor-tags], IANA is requested to allocate the
   tag in Table 1 from the FCFS space, with the present document as the
   specification reference.

          +--------+-----------+--------------------------------------+
          | Tag    | Data Item | Semantics                            |
          +--------+-----------+--------------------------------------+
          | TBD601 | map       | Unprotected CWT Claims Set [RFCthis] |
          +--------+-----------+--------------------------------------+

                         Table 1: Values for Tags

4.  Security Considerations

   The security considerations of [RFC7049] and [RFC8392] apply.
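   The following is an added example and not part of this draft.  It
   shows what a receiver of a UCCS has to check that a receiver of a
   true CWT would get from COSE: the channel properties of Section 2
   (an authenticated provider for integrity, an authenticated receiver
   as well when confidentiality matters) and the tag of Table 1 around
   a map, using the Appendix A claims set as constructed input.  The
   CBOR codec is a minimal one written for the example, not a library;
   the tag number 601 is a placeholder standing in for the not yet
   allocated TBD601; and Tagged, Channel, accept_uccs and example_uccs
   are hypothetical helpers, not something the draft or RFC 8392
   defines.

```python
# Added example, not part of the draft: a minimal CBOR codec plus a receiver-side
# check that accepts a UCCS only when the secure channel (Section 2) supplies the
# properties COSE would otherwise give a CWT. UCCS_TAG, Channel and accept_uccs
# are assumptions made for this example, not anything the draft defines.
from typing import Any, NamedTuple

UCCS_TAG = 601  # assumption: stand-in for the not yet allocated TBD601

class Tagged(NamedTuple):
    tag: int
    value: Any

def _head(major: int, n: int) -> bytes:
    """Initial byte plus argument n for CBOR major type `major`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")

def encode(v: Any) -> bytes:
    """Encode the CBOR subset a claims set needs: int, bstr, tstr, map, tag."""
    if isinstance(v, Tagged):
        return _head(6, v.tag) + encode(v.value)
    if isinstance(v, int) and not isinstance(v, bool):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(b: bytes, i: int) -> tuple:
    """Decode one definite-length data item at offset i -> (item, next offset)."""
    major, info, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if info < 24:
        n = info
    elif info <= 27:
        size = 1 << (info - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length or reserved encoding not supported")
    if major in (0, 1):
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):
        chunk = bytes(b[i:i + n])
        if len(chunk) != n:
            raise ValueError("truncated string")
        return (chunk if major == 2 else chunk.decode("utf-8")), i + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, i = _decode(b, i)
            m[k], i = _decode(b, i)
        return m, i
    if major == 6:
        inner, i = _decode(b, i)
        return Tagged(n, inner), i
    raise ValueError(f"major type {major} not needed for a claims set")

class Channel(NamedTuple):
    sender_authenticated: bool    # the end providing the UCCS was authenticated
    receiver_authenticated: bool  # our own end was authenticated to the sender
    integrity_protected: bool
    confidential: bool

def accept_uccs(data: bytes, channel: Channel, now: int,
                need_confidentiality: bool = False) -> dict:
    """Return the claims map only if channel properties and encoding check out."""
    if not (channel.integrity_protected and channel.sender_authenticated):
        raise ValueError("channel does not authenticate the UCCS provider")
    if need_confidentiality and not (channel.confidential and channel.receiver_authenticated):
        raise ValueError("confidential conveyance needs the receiver authenticated too")
    item, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the UCCS")
    if not isinstance(item, Tagged) or item.tag != UCCS_TAG or not isinstance(item.value, dict):
        raise ValueError("not a UCCS: expected a map under the UCCS tag (a CWT is not one)")
    claims = item.value
    if 4 in claims and now >= claims[4]:  # exp keeps its RFC 8392 meaning
        raise ValueError("claims set expired")
    if 5 in claims and now < claims[5]:  # nbf likewise
        raise ValueError("claims set not yet valid")
    return claims

# Constructed input: the Appendix A claims set (RFC 8392 Appendix A.1)
EXAMPLE_CLAIMS = {1: "coap://as.example.com", 2: "erikw",
                  3: "coap://light.example.com", 4: 1444064944,
                  5: 1443944944, 6: 1443944944, 7: bytes.fromhex("0b71")}

def example_uccs() -> bytes:
    """The Appendix A claims set enclosed in the UCCS tag, as bytes."""
    return encode(Tagged(UCCS_TAG, EXAMPLE_CLAIMS))
```

   Calling accept_uccs(example_uccs(), Channel(True, True, True, True),
   1443944944) returns the claims map; the same bytes over a channel
   whose sending end was not authenticated, or tagged with the CWT tag
   instead of the UCCS tag, are refused.  The channel checks come
   first on purpose: nothing inside a UCCS can make up for a channel
   that lacks the property COSE would have provided.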
   Section 2 discusses security considerations for secure channels in
   which UCCS might be used.

5.  References

5.1.  Normative References

   [IANA.cbor-tags]
              IANA, "Concise Binary Object Representation (CBOR) Tags".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8392]  Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
              "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
              May 2018.

5.2.  Informative References

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Example

   The example CWT Claims Set from Appendix A.1 of [RFC8392] can be
   turned into a UCCS by enclosing it with a tag number TBD601:

   (
     {
       / iss / 1: "coap://as.example.com",
       / sub / 2: "erikw",
       / aud / 3: "coap://light.example.com",
       / exp / 4: 1444064944,
       / nbf / 5: 1443944944,
       / iat / 6: 1443944944,
       / cti / 7: h'0b71'
     }
   )

Authors' Addresses

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de


   Nancy Cam-Winget
   Cisco Systems
   3550 Cisco Way
   San Jose, CA  95134
   USA

   Email: ncamwing@cisco.com


   Carsten Bormann
   Universitaet Bremen TZI
   Bibliothekstrasse 1
   Bremen  28369
   Germany

   Phone: +49-421-218-63921
   Email: cabo@tzi.de