Self-Issued Consulting

michael_b_jones@hotmail.com https://self-issued.info/

Transmute

orie@transmute.industries

Security COSE Working Group Explicit Typing Internet-Draft This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE) typ (type) header parameter to CBOR Object Signing and Encryption (COSE) so that the benefits of explicit typing, as defined in the JSON Web Token Best Current Practices BCP, can be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.

CBOR Object Signing and Encryption (COSE) defines header parameters that parallel many of those defined by the JSON Object Signing and Encryption (JOSE) specifications. However, one way in which COSE does not provide equivalent functionality to JOSE is that it does not define an equivalent of the typ (type) header parameter, which is used for declaring the type of the entire JOSE data structure. The security benefits of having typ (type) are described in Section 3.11 of the JSON Web Token Best Current Practices , which recommends its use for "explicit typing" -- using typ values to distinguish between different kinds of JWTs. This specification adds the equivalent of the JOSE typ (type) header parameter to COSE so that the benefits of explicit typing can be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter, allowing both unsigned integer CoAP Content-Formats values and string Media Type values to be used. The term "COSE object" is used in the same manner as in . An example of a COSE object is a COSE_Sign1 structure, as described in Section 4.2 of .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The typ (type) header parameter is used by COSE applications to declare the type of this complete COSE object, as compared to the content type header parameter, which declares the type of the COSE object payload. This is intended for use by the application when more than one kind of COSE object could be present in an application data structure that can contain a COSE object; the application can use this value to disambiguate among the different kinds of COSE objects that might be present. It will typically not be used by applications when the kind of COSE object is already known. Use of this header parameter is OPTIONAL. The syntax of this header parameter value is the same as the content type header parameter defined in Section 3.1 of ; it is either an unsigned integer CoAP Content-Formats value or a string Content Type value. Content Type values have a Media Type name and MAY include Media Type parameters. This parameter is ignored by COSE implementations (libraries implementing and this specification), other than being passed through to applications using those implementations. Any processing of this parameter is performed by the COSE application using application-specific processing rules. For instance, an application might verify that the typ value is a particular application-chosen media type and reject the data structure if it is not. The typ parameter MUST NOT be present in unprotected headers. The typ parameter does not describe the content of unprotected headers. Changes to unprotected headers do not change the type of the COSE object.

The case for explicit typing of COSE objects is equivalent to the case made for explicit typing in Section 3.11 of JSON Web Token Best Current Practices : Explicit typing can prevent confusion between different kinds of COSE objects. COSE applications employing explicit typing should reject COSE objects with a type header parameter value different than values that they expect in that application context. They should also reject COSE objects without a type header parameter when one is expected.

This section registers the following value in the IANA "COSE Header Parameters" registry . Name: typ (type) Label: TBD (requested assignment 16) Value Type: uint / tstr Value Registry: or Description: Type of the complete COSE object Reference: of this specification

IANA IANA IANA

[[ to be removed by the RFC Editor before publication as an RFC ]] -04 Addressed SECDIR review comments. -03 Addressed GENART and OPSDIR review comments. -02 Addressed working group last call comments. Changed requested assignment from 14 to 16 due to conflict a with new assignment. -01 Added language about media type parameters. -00 Initial working group version based on draft-jones-cose-typ-header-parameter-01.

We would like to thank Henk Birkholz, Carsten Bormann, Susan Hares, Dan Harkins, Marco Tiloca, and Dale Worley for their valuable contributions to this specification.