
COSE Working Group                                            M.B. Jones
Internet-Draft                                               independent
Intended status: Standards Track                               O. Steele
Expires: 5 February 2024                                       Transmute
                                                           4 August 2023


                   COSE "typ" (type) Header Parameter
                draft-jones-cose-typ-header-parameter-01

Abstract

   This specification adds the equivalent of the JOSE typ (type) header
   parameter to COSE so that the benefits of explicit typing, as defined
   in the JSON Web Token Best Current Practices (BCP), can be brought to
   COSE objects.  The syntax of the COSE type header parameter value is
   the same as the existing COSE content type header parameter.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 February 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.



Jones & Steele           Expires 5 February 2024                [Page 1]

Internet-Draft     COSE "typ" (type) Header Parameter        August 2023


Table of Contents

   1.  Introduction
     1.1.  Requirements Notation and Conventions
   2.  COSE "typ" (type) header parameter
   3.  Security Considerations
   4.  IANA Considerations
     4.1.  COSE Header Parameter Registrations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  Document History
   Acknowledgements
   Authors' Addresses

1.  Introduction

   CBOR Object Signing and Encryption (COSE) [RFC9052] defines header
   parameters that parallel many of those defined by the JSON Object
   Signing and Encryption (JOSE) [RFC7515] [RFC7516] specifications.
   However, one way in which COSE does not provide equivalent
   functionality to JOSE is that it does not define an equivalent of the
   typ (type) header parameter, which is used for declaring the type of
   the entire JOSE data structure.  The security benefits of having typ
   (type) are described in the JSON Web Token Best Current Practices
   [RFC8725], which recommends its use for "explicit typing" -- using
   typ values to distinguish between different kinds of objects.

   This specification adds the equivalent of the JOSE typ (type) header
   parameter to COSE so that the benefits of explicit typing can be
   brought to COSE objects.  The syntax of the COSE type header
   parameter value is the same as the existing COSE content type header
   parameter, allowing both integer CoAP Content-Formats
   [IANA.CoAP.ContentFormats] values and string Media Type
   [IANA.MediaTypes] values to be used.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.










2.  COSE "typ" (type) header parameter

   The typ (type) header parameter is used by COSE applications to
   declare the type of this complete COSE object.  This is intended for
   use by the application when more than one kind of object could be
   present in an application data structure that can contain a COSE
   object; the application can use this value to disambiguate among the
   different kinds of objects that might be present.  It will typically
   not be used by applications when the kind of object is already known.
   This parameter is ignored by COSE implementations; any processing of
   this parameter is performed by the COSE application.  Use of this
   header parameter is OPTIONAL.

   The syntax of this header parameter value is the same as the content
   type header parameter defined in Section 3.1 of [RFC9052]; it can
   either be an integer CoAP Content-Formats [IANA.CoAP.ContentFormats]
   value or a string Media Type [IANA.MediaTypes] value.

   The typ parameter MUST NOT be present in unprotected headers.

   The typ parameter does not describe the content of unprotected
   headers.  Changes to unprotected headers do not change the type of
   the COSE object.

3.  Security Considerations

   The case for explicit typing of COSE objects is equivalent to the
   case made for explicit typing in JSON Web Token Best Current
   Practices [RFC8725]; explicit typing can prevent confusion between
   different kinds of objects.

   COSE applications employing explicit typing should reject COSE
   objects whose type header parameter value differs from the values
   they expect in that application context.  They should also reject
   COSE objects without a type header parameter when one is expected.
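
   The checks from Sections 2 and 3, as an added Python example that is
   not part of this draft: it enforces "protected headers only" and
   "reject unexpected or absent typ" on the two header fields every COSE
   structure starts with.  Assumptions: label 14 is only the value
   requested in Section 4.1, the names cbor, check_typ and sample are
   hypothetical, and the signature or MAC covering the protected header
   has already been verified by a COSE library.

```python
TYP = 14  # assumption: the label this draft requests; the IANA assignment is still TBD

def cbor(b, i=0):
    """Decode one CBOR item at b[i:]; subset only (no floats, no indefinite lengths)."""
    major, info, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if (major, info) == (7, 22):
        return None, i  # null, e.g. a detached payload
    if major == 7 or info > 27:
        raise ValueError("unsupported CBOR encoding")
    n = info
    if info >= 24:  # 1, 2, 4 or 8 argument bytes follow the initial byte
        size = 1 << (info - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    if major < 2:
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):  # a short read is caught by the caller's length checks
        raw = bytes(b[i:i + n])
        return (raw if major == 2 else raw.decode()), i + n
    if major == 6:
        return cbor(b, i)  # drop the tag number, keep the tagged item
    items = []
    for _ in range(n if major == 4 else 2 * n):
        item, i = cbor(b, i)
        items.append(item)
    if major == 5 and len(set(items[0::2])) != n:
        raise ValueError("duplicate map key")
    return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), i

def check_typ(cose, expected):
    """Return typ if it is protected-only and in `expected`; raise ValueError otherwise."""
    try:
        obj, end = cbor(cose)
        if not (isinstance(obj, list) and isinstance(obj[0], bytes) and isinstance(obj[1], dict)):
            raise TypeError("wrong COSE array shape")
        prot, used = cbor(obj[0]) if obj[0] else ({}, 0)
    except (IndexError, TypeError) as exc:
        raise ValueError("malformed COSE object") from exc
    if end != len(cose) or used != len(obj[0]) or not isinstance(prot, dict):
        raise ValueError("malformed COSE object")
    if TYP in obj[1]:
        raise ValueError("typ MUST NOT be present in unprotected headers")
    if TYP not in prot:
        raise ValueError("typ expected but absent")
    if not isinstance(prot[TYP], (int, str)) or prot[TYP] not in expected:
        raise ValueError("unexpected typ")
    return prot[TYP]

def sample(prot, unprot=b"\xa0"):  # constructed vector: payload "hi", 64 zero bytes as signature
    return b"\x84\x58" + bytes([len(prot)]) + prot + unprot + b"\x42hi\x58\x40" + bytes(64)
```

   The expected set is per application context, so a caller that accepts
   several kinds of COSE object passes a different set at each place it
   parses one.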

4.  IANA Considerations

4.1.  COSE Header Parameter Registrations

   This section registers the following value in the IANA "COSE Header
   Parameters" registry [IANA.COSE.HeaderParameters].

   *  Name: typ (type)
   *  Label: TBD (requested assignment 14)
   *  Value Type: uint / tstr
   *  Value Registry: [IANA.CoAP.ContentFormats] or [IANA.MediaTypes]
   *  Description: Type of the complete COSE object
   *  Reference: Section 2 of this specification

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <https://www.rfc-editor.org/info/rfc7515>.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <https://www.rfc-editor.org/info/rfc7516>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8725]  Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best
              Current Practices", BCP 225, RFC 8725,
              DOI 10.17487/RFC8725, February 2020,
              <https://www.rfc-editor.org/info/rfc8725>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/info/rfc9052>.

5.2.  Informative References

   [IANA.CoAP.ContentFormats]
              IANA, "CoAP Content-Formats",
              <https://www.iana.org/assignments/core-parameters/core-
              parameters.xhtml#content-formats>.

   [IANA.COSE.HeaderParameters]
              IANA, "COSE Header Parameters",
              <https://www.iana.org/assignments/cose/cose.xhtml#header-
              parameters>.

   [IANA.MediaTypes]
              IANA, "Media Types",
              <https://www.iana.org/assignments/media-types>.





Appendix A.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   -01

   *  Restricted use to the protected header.

   *  Commented on interpretation when protected header changes.

   -00

   *  Initial version.

Acknowledgements

   TBD

Authors' Addresses

   Michael B. Jones
   independent
   Email: michael_b_jones@hotmail.com
   URI:   https://self-issued.info/


   Orie Steele
   Transmute
   Email: orie@transmute.industries





















