idnits 2.17.1

draft-looker-cose-cwt-claims-in-headers-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 121: '...ing such as structure MUST verify that...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (1 March 2022) is 787 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    COSE                                                           T. Looker
3    Internet-Draft                                                     Mattr
4    Intended status: Standards Track                                M. Jones
5    Expires: 2 September 2022                                      Microsoft
6                                                                1 March 2022

8                  CBOR Web Token (CWT) Claims in COSE Headers
9                   draft-looker-cose-cwt-claims-in-headers-00

11   Abstract

13      This document describes how to include CBOR Web Token (CWT) claims in
14      the header parameters of any COSE structure.  This functionality
15      helps to facilitate applications that wish to make use of CBOR Web
16      Token (CWT) claims in encrypted COSE structures and/or COSE
17      structures featuring detached signatures, while having some of those
18      claims be available before decryption and/or without inspecting the
19      detached payload.

21   Discussion Venues

23      This note is to be removed before publishing as an RFC.

25      Source for this draft and an issue tracker can be found at
26      https://github.com/tplooker/draft-looker-cose-cwt-claims-in-headers.

28   Status of This Memo

30      This Internet-Draft is submitted in full conformance with the
31      provisions of BCP 78 and BCP 79.

33      Internet-Drafts are working documents of the Internet Engineering
34      Task Force (IETF).  Note that other groups may also distribute
35      working documents as Internet-Drafts.  The list of current Internet-
36      Drafts is at https://datatracker.ietf.org/drafts/current/.

38      Internet-Drafts are draft documents valid for a maximum of six months
39      and may be updated, replaced, or obsoleted by other documents at any
40      time.  It is inappropriate to use Internet-Drafts as reference
41      material or to cite them other than as "work in progress."

43      This Internet-Draft will expire on 2 September 2022.

45   Copyright Notice

47      Copyright (c) 2022 IETF Trust and the persons identified as the
48      document authors.  All rights reserved.

50      This document is subject to BCP 78 and the IETF Trust's Legal
51      Provisions Relating to IETF Documents (https://trustee.ietf.org/
52      license-info) in effect on the date of publication of this document.
53      Please review these documents carefully, as they describe your rights
54      and restrictions with respect to this document.  Code Components
55      extracted from this document must include Revised BSD License text as
56      described in Section 4.e of the Trust Legal Provisions and are
57      provided without warranty as described in the Revised BSD License.

59   Table of Contents

61      1.  Introduction
62      2.  Terminology
63      3.  Representation
64      4.  Privacy Considerations
65      5.  Security Considerations
66      6.  IANA Considerations
67      7.  Normative References
68      8.  Informative References
69      Appendix A.  Document History
70      Authors' Addresses

72   1.  Introduction

74      In some applications of COSE, it is useful to have a standard
75      representation of CWT claims [RFC8392] available in the header
76      parameters.  These include encrypted COSE structures, which may or
77      may not be an encrypted CWT and/or those featuring a detached
78      signature.

80      Section 5.3 of the JWT RFC [RFC7519] defined a similar mechanism for
81      expressing selected JWT based claims as JOSE header parameters.  This
82      JWT feature was motivated by the desire to have certain claims, such
83      as Key ID values, be visible to software processing the JWT, even
84      though the JWT is encrypted.  No corresponding feature was
85      standardized for CWTs, which was an omission that this specification
86      corrects.

88      Directly including CWT claim values as COSE header parameter values
89      would not work, since there are conflicts between the numeric header
90      parameter assignments and the numeric CWT claim assignments.
91      Instead, this specification defines a single header parameter
92      registered in the IANA "COSE Header Parameters" registry that creates
93      a location to store CWT claims in a COSE header parameter.

95   2.  Terminology

97   3.  Representation

99      This document defines the following COSE header parameter:

101     +========+================+=======+============+===============+
102     | Name   | Label          | Value | Value      | Description   |
103     |        |                | Type  | Registry   |               |
104     +========+================+=======+============+===============+
105     | cwt    | TBD (requested | map   | [IANA.CWT] | location for  |
106     | claims | assignment 11) |       |            | CWT claims in |
107     |        |                |       |            | COSE headers  |
108     +--------+----------------+-------+------------+---------------+

110                                 Table 1

112  4.  Privacy Considerations

114     Some of the registered CWT claims may contain privacy-sensitive
115     information.  Therefore care must be taken when expressing CWT claims
116     in COSE headers.

118  5.  Security Considerations

120     In cases where CWT claims are both present in the payload and the
121     header, an application receiving such as structure MUST verify that
122     their values are identical, unless the application defines other
123     specific processing rules for these claims.

125  6.  IANA Considerations

127     IANA is requested to register the new COSE Header parameter in the
128     table in Section 3 in the "COSE Header Parameters" registry
129     [IANA.COSE].

131  7.  Normative References

133     [IANA.COSE]
134                IANA, "COSE Header Parameters".

138     [IANA.CWT] IANA, "CBOR Web Token (CWT) Claims".

141  8.  Informative References

143     [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
144                (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.

147     [RFC8392]  Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
148                "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
149                May 2018.

151  Appendix A.  Document History

153     -00

155     *  Initial version

157  Authors' Addresses

159     Tobias Looker
160     Mattr
161     Email: tobias.looker@mattr.global

163     Michael B. Jones
164     Microsoft
165     Email: mbj@microsoft.com
166     URI:   https://self-issued.info/
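
Added example, not part of the draft or of the idnits output: one way a receiver could implement the Section 5 check that claims carried both in the cwt claims header parameter and in the payload are identical. It assumes the header map and the (decrypted or detached) claims set are already CBOR-decoded into Python dicts, uses the requested but not yet assigned label 11, and treats "identical" as strict type-and-value equality; the names identical, mismatched_claims and accept are hypothetical.

```python
# Added example: Section 5 check that header and payload CWT claims agree.
# Assumption: 11 is only the label the draft requests; the table still says TBD.
CWT_CLAIMS_LABEL = 11
ISS, SUB, AUD, EXP = 1, 2, 3, 4  # CWT claim keys registered by RFC 8392


def identical(a, b):
    """Strict comparison of decoded CBOR items: 1, 1.0 and True all differ."""
    if type(a) is not type(b):
        return False
    if isinstance(a, dict):
        return a.keys() == b.keys() and all(identical(a[k], b[k]) for k in a)
    if isinstance(a, (list, tuple)):
        return len(a) == len(b) and all(identical(x, y) for x, y in zip(a, b))
    return a == b


def mismatched_claims(headers, payload_claims, exempt=()):
    """Return the sorted claim keys present in both maps whose values differ.

    `exempt` lists claim keys for which the application defines its own
    processing rule, the exception Section 5 allows.
    """
    header_claims = headers.get(CWT_CLAIMS_LABEL, {})
    if not isinstance(header_claims, dict):
        raise ValueError("cwt claims header parameter must be a map")
    return sorted(
        key for key, value in header_claims.items()
        if key in payload_claims and key not in exempt
        and not identical(value, payload_claims[key])
    )


def accept(headers, payload_claims, exempt=()):
    """Accept the structure only if no duplicated claim disagrees."""
    return not mismatched_claims(headers, payload_claims, exempt)


# Constructed sample data: decoded header maps and a decrypted claims set.
GOOD_HEADERS = {1: -7, CWT_CLAIMS_LABEL: {ISS: "coap://as.example", EXP: 1700000000}}
BAD_HEADERS = {1: -7, CWT_CLAIMS_LABEL: {ISS: "coap://other.example", EXP: 1700000000.0}}
PAYLOAD = {ISS: "coap://as.example", SUB: "device-17", EXP: 1700000000}

if __name__ == "__main__":
    print(mismatched_claims(GOOD_HEADERS, PAYLOAD))  # no duplicated claim differs
    print(mismatched_claims(BAD_HEADERS, PAYLOAD))   # iss and exp differ
    print(accept(BAD_HEADERS, PAYLOAD, exempt={EXP}))
```

Run the check only after the payload has been decrypted or the detached payload retrieved and the signature or MAC verified; until then the header copy of a claim is the only one available and has not been cross-checked.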