]> Fraunhofer SIT

henk.birkholz@ietf.contact

Intel

ned.smith@intel.com

Linaro

thomas.fossati@linaro.org

University of Applied Sciences Bonn-Rhein-Sieg

Hannes.Tschofenig@gmx.net

Security Remote ATtestation ProcedureS evidence attestation results endorsements reference values This document defines the RATS conceptual message wrapper (CMW) format, a type of encapsulation format that can be used for any RATS messages, such as Evidence, Attestation Results, Endorsements, and Reference Values. Additionally, the document describes a collection type that enables the aggregation of one or more CMWs into a single message. This document also defines corresponding CBOR tag, JSON Web Tokens (JWT) and CBOR Web Tokens (CWT) claims, as well as an X.509 extension. These allow embedding the wrapped conceptual messages into CBOR-based protocols, web APIs, and PKIX protocols. In addition, a Media Type and a CoAP Content-Format are defined for transporting CMWs in HTTP, MIME, CoAP and other Internet protocols.

Introduction The RATS architecture defines a handful of conceptual messages (see ), such as Evidence and Attestation Results. Each conceptual message can have multiple claims encoding and serialization formats (). Throughout their lifetime, RATS conceptual messages are typically transported over different protocols. For example, EAT Evidence in a "background check" topological arrangement first flows from Attester to Relying Party, and then from Relying Party to Verifier, over separate protocol legs. Attestation Results for Secure Interactions (AR4SI) payloads in "passport" mode would be sent by the Verifier to the Attester and then, at a later point in time and over a different channel, from the Attester to the Relying Party. It is desirable to reuse any typing information associated with the messages across such protocol boundaries to minimize the cost associated with type registrations and maximize interoperability. With the CMW format described in this document, protocol designers do not need to update protocol specifications to support different conceptual messages. This approach reduces the implementation effort for developers to support different attestation technologies. For example, an implementer of a Relying Party application does not need to parse attestation-related conceptual messages, such as different Evidence formats, but can instead utilize the CMW format to be agnostic to the attestation technology. This document defines two encapsulation formats for RATS conceptual messages that aim to achieve the goals stated above. These encapsulation formats have been specifically designed to possess the following characteristics: They are self-describing, which means that they can convey precise typing information without relying on the framing provided by the embedding protocol or the storage system. They are based on media types , which allows the cost of their registration to be spread across numerous usage scenarios. A protocol designer could use these formats, for example, to convey Evidence, Endorsements and Reference Values in certificates and CRLs extensions (), to embed Attestation Results or Evidence as first-class authentication credentials in TLS handshake messages , to transport attestation-related payloads in RESTful APIs, or for stable storage of Attestation Results in the form of file system objects. This document also defines corresponding CBOR tag, JSON Web Tokens (JWT) and CBOR Web Tokens (CWT) claims, as well as an X.509 extension. These allow embedding the wrapped conceptual messages into CBOR-based protocols, web APIs, and PKIX protocols. In addition, a Media Type and a CoAP Content-Format are defined for transporting CMWs in HTTP, MIME, CoAP and other Internet protocols.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. In this document, CDDL is used to describe the data formats. The reader is assumed to be familiar with the vocabulary and concepts defined in . This document reuses the terms defined in (e.g., "Content-Type").

Conceptual Message Wrapper Encodings Two types of RATS Conceptual Message Wrapper (CMW) are specified in this document: A CMW using a CBOR or JSON record (); A CMW based on CBOR tags (). A further CMW "collection" type that holds together multiple CMW items is defined in . A CMW "tunnel" type is also defined in to allow transporting CBOR CMWs in JSON collections and vice-versa. The collected CDDL is in . This document only defines an encapsulation, not a security format. It is the responsibility of the Attester to ensure that the CMW contents have the necessary security protection. Security considerations are discussed in .

CMW Record The format of the CMW record is shown in . The JSON and CBOR representations are provided separately. Both the json-record and cbor-record have the same fields except for slight differences in the types discussed below.

Each contains two or three members:

type:

Either a text string representing a Content-Type (e.g., an EAT media type ) or an unsigned integer corresponding to a CoAP Content-Format number (). The latter MUST NOT be used in the JSON serialization.

value:

The RATS conceptual message serialized according to the value defined in the type member. When using JSON, the value field MUST be encoded as Base64 using the URL and filename safe alphabet () without padding. This always applies, even if the conceptual message format is already textual (e.g., a JWT EAT). When using CBOR, the value field MUST be encoded as a CBOR byte string.

ind:

An optional bitmap that indicates which conceptual message types are carried in the value field. Any combination (i.e., any value between 1 and 15, included) is allowed. This is useful only if the type is potentially ambiguous and there is no further context available to the CMW consumer to decide. For example, this might be the case if the base media type is not profiled (e.g., application/eat+cwt), if the value field contains multiple conceptual messages with different types (e.g., both Reference Values and Endorsements within the same application/signed-corim+cbor), or if the same profile identifier is shared by different conceptual messages. Future specifications may add new values to the ind field; see .

CMW CBOR Tags CBOR Tags used as CMW may be derived from CoAP Content-Format numbers. If a CoAP content format exists for a RATS conceptual message, the TN() transform defined in can be used to derive a corresponding CBOR tag in range [1668546817, 1668612095]. The RATS conceptual message is first serialized according to the Content-Format number associated with the CBOR tag and then encoded as a CBOR byte string, to which the tag is prepended. The CMW CBOR Tag is defined in as a macro with two parameters: tn, the CBOR tag number $fmt, the definition of the associated conceptual message

= #6.(bytes .cbor $fmt) ]]>

To add a new CMW, the $cbor-tag type socket is extended with a new instance of the CMW CBOR Tag macro. For example, to associate conceptual messages of type my-evidence with CBOR Tag 1668576819, one would extend $cbor-tag as follows:

my-evidence = { &(eat_nonce: 10) => bstr .size (8..64) } ]]>

Use of Pre-existing CBOR Tags If a CBOR tag has been registered in association with a certain RATS conceptual message independently of a CoAP content format (i.e., it is not obtained by applying the TN() transform), it can be readily used as an encapsulation without the extra processing described in . A consumer can always distinguish tags that have been derived via TN(), which all fall in the [1668546817, 1668612095] range, from tags that are not, and therefore apply the right decapsulation on receive.

CMW Collections Layered Attesters and composite devices (Sections and of ) generate Evidence that consists of multiple parts. For example, in data center servers, it is not uncommon for separate attesting environments (AE) to serve a subsection of the entire machine. One AE might measure and attest to what was booted on the main CPU, while another AE might measure and attest to what was booted on a SmartNIC plugged into a PCIe slot, and a third AE might measure and attest to what was booted on the machine's GPU. To allow aggregation of multiple, potentially non-homogeneous evidence formats collected from different AEs, this document defines a CMW "collection" as a container that holds several CMW items, each with a label that is unique within the scope of the collection. Although originally designed to support layered Attester and composite device use cases, the CMW collection can be adapted for other scenarios that require the aggregation of RATS conceptual messages. For instance, collections may be used to group Endorsements, Reference Values, Attestation Results, and more. A single CMW collection can contain a mix of different message types, and it can also be used to carry messages related to multiple devices simultaneously. The CMW collection () is defined as a CBOR map or JSON object with CMW values, either native or "tunnelled" (). The position of a cmw entry in the cmw-collection is not significant. Labels can be strings (or integers in the CBOR serialization) that serve as a mnemonic for different conceptual messages in the collection. The "__cmwc_t" key is reserved for associating an optional type to the overall collection and MUST NOT be used for a label. The collection type is either a Uniform Resource Identifier (URI) or an object identifier (OID). The OID is always absolute and never relative. Since the collection type is recursive, implementations may limit the allowed depth of nesting.

json-CMW / c2j-tunnel } cbor-collection = { ? "__cmwc_t": ~uri / oid + &(label: (int / text)) => cbor-CMW / j2c-tunnel } ]]>

CMW itself provides no facilities for authenticity, integrity protection, or confidentiality. It is the responsibility of the designer for each use case to determine the necessary security properties and implement them accordingly. A secure channel (e.g., via TLS) or object-level security (e.g., using JWT) may suffice in some scenarios, but not in all. When a CMW is used to carry the Evidence for composite or layered attestation for a single device, the security properties needed are that of attestation. In particular, all the members in a CMW must be bound together so that an attacker can not replace one Evidence message showing compromise with that from a non-compromised device. The authenticity and integrity protection MUST be attestation-oriented. For further security considerations about collections, see .

Relation to EAT submods EAT submods () provide a facility for aggregating attestation that has built-in security and will be suitable for some of the same attestation Evidence use cases covered by CMW collections. However, compared to CMW collections, EAT submods are limited in two ways: EAT allows carrying non-EAT-formatted types by augmenting the $EAT-CBOR-Tagged-Token socket or the $JSON-Selector socket. However, these need to be specified in subsequent standard documents updating the EAT specification, Their top-down structure does not align well with the bottom-up approach layered attesters use to build the chain of trust, making them not ideal for modelling layered attestation.

CMW Collections' role in composite Attester topology A CMW Collection's tree structure is not required to be a spanning tree of the system's composite Attester topology. If the labels carry semantic content for a Verifier (e.g. to improve Verifier performance or aid human comprehension), the collection SHOULD be integrity protected. For example, the collection can be integrity protected by including it in a signed token such as a CWT or JWT.

CMW Tunnel The CMW tunnel type () allows for moving a CMW in one serialization format, either JSON or CBOR, into a collection that uses the opposite serialization format. Both tunnel types are arrays with two elements. The first element, a fixed text string starting with a #, acts as a sentinel value. The #, which is not an acceptable start symbol for the Content-Type production (), makes it possible to disambiguate a CMW tunnel from a CMW record.

The conversion algorithms are described in the following subsections.

CBOR-to-JSON The CBOR byte string of the serialised CBOR CMW is encoded as Base64 using the URL and filename safe alphabet () without padding. The obtained string is added as the second element of the c2j-tunnel array. The c2j-tunnel array is serialized as JSON.

JSON-to-CBOR The UTF-8 string of the serialized JSON CMW is encoded as a CBOR byte string (Major type 2). The byte string is added as the second element of the j2c-tunnel array. The j2c-tunnel array is serialized as CBOR.

Decapsulation Algorithm Once any external framing is removed (for example, if the CMW is carried in a certificate extension), the CMW decoder performs a 1-byte lookahead to determine how to decode the remaining byte buffer. The following pseudo-code illustrates this process:

= 0xc0 && b[0] <= 0xdb { return CBORTag } else if b[0] == 0x5b { return JSONRecord } else if b[0] == 0x7b { return JSONCollection } else if (b[0] >= 0xa0 && b[0] <= 0xbb) || b[0] == 0xbf { return CBORCollection } return Unknown } ]]>

Transporting CMW in COSE and JOSE Web Tokens To facilitate the embedding of CMWs and CMW collections in CBOR-based protocols and web APIs, this document defines two "cmw" claims for use with JSON Web Tokens (JWT) and CBOR Web Tokens (CWT). The definitions for these claims can be found in and , respectively.

Encoding Requirements A CMW collection carried in a "cmw" JWT claim MUST be a json-collection. A CMW collection carried in a "cmw" CWT claim MUST be a cbor-collection. A CMW record carried in a "cmw" JWT claim MUST be a json-record. A CMW record carried in a "cmw" CWT claim MUST be a cbor-record.

Transporting CMW in X.509 Messages CMW may need to be transported in PKIX messages, such as Certificate Signing Requests (CSRs) or in X.509 Certificates and Certificate Revocation Lists (CRLs). The use of CMW in CSRs is documented in , while its application in X.509 Certificates and CRLs is detailed in Section 6.1 of . This section outlines the CMW extension designed to carry CMW objects. The CMW extension MAY be included in X.509 Certificates, CRLs , and CSRs. The CMW extension MUST be identified by the following object identifier:

This extension SHOULD NOT be marked critical. It MAY be marked critical in cases where the attestation-related information is essential for granting resource access, and there is a risk that legacy relying parties would bypass such controls. The CMW extension MUST have the following syntax:

The CMW MUST include the serialized CMW object in either JSON or CBOR format, utilizing the appropriate CHOICE entry. The DER-encoded CMW is the value of the OCTET STRING for the extnValue field of the extension.

ASN.1 Module This section provides an ASN.1 module for the CMW extension, following the conventions established in and .

Compatibility with DICE ConceptualMessageWrapper Section 6.1.8 of specifies the ConceptualMessageWrapper (CMW) format and its corresponding object identifier. The CMW format outlined in permits only a subset of the CMW grammar defined in this document. In particular, the tunnel and collection formats cannot be encoded using DICE CMWs.

Transporting CMW in EAT submods allows carrying non-EAT-formatted types in EAT submods by augmenting the $EAT-CBOR-Tagged-Token socket or the $JSON-Selector socket. The following CDDL adds cbor-CMW and json-CMW to EAT using such extension points:

Where: cbor-CMW and json-CMW are defined in , and CPA765 is the CBOR tag for CMW (). RFC Editor: This document uses the CPA (code point allocation) convention described in . For each usage of the term "CPA", please remove the prefix "CPA" from the indicated value and replace the residue with the value assigned by IANA; perform an analogous substitution for all other occurrences of the prefix "CPA" in the document. Finally, please remove this note.

Examples The (equivalent) examples in , , and assume that the Media-Type-Name application/vnd.example.rats-conceptual-msg has been registered alongside a corresponding CoAP Content-Format number 30001. The CBOR tag 1668576818 is derived applying the TN() transform as described in . The example in is a signed CoRIM (Concise Reference Integrity Manifest) payload with an explicit CM indicator 0b0000_0011 (3), meaning that the wrapped message contains both Reference Values and Endorsements.

JSON Record

Note that a CoAP Content-Format number can also be used with the JSON record form. That may be the case when it is known that the receiver can handle CoAP Content-Formats and it is crucial to save bytes.

CBOR Record

with the following wire representation:

Note that a Media-Type-Name can also be used with the CBOR record form, for example if it is known that the receiver cannot handle CoAP Content-Formats, or (unlike the case in point) if a CoAP Content-Format number has not been registrered.

CBOR Tag

with the following wire representation:

CBOR Record with explicit CM indicator

with the following wire representation:

CBOR Collection The following example is a CBOR collection that assembles conceptual messages from three attesters: Evidence for attesters A and B and Attestation Results for attester C. It is given an explicit collection type using the URI form.

with the following wire representation:

The following example shows the use of a tunnelled type to move a JSON record to a CBOR collection:

JSON Collection The following example is a JSON collection that assembles Evidence from two attesters.

The following example shows the use of a tunnelled type to move a CBOR record to a JSON collection:

Use in JWT The following example shows the use of the "cmw" JWT claim to transport a CMW collection in a JWT :

Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

Project Veraison The organization responsible for this implementation is Project Veraison, a Linux Foundation project hosted at the Confidential Computing Consortium. The software, hosted at , provides a Golang package that allows encoding and decoding of CMW payloads. The implementation covers all the features presented in this draft. The maturity level is alpha. The license is Apache 2.0. The developers can be contacted on the Zulip channel: .

Security Considerations

Records and CBOR Tags RATS conceptual messages are typically secured using cryptography. If the messages are already protected, then there are no additional security requirements imposed by the introduction of this encapsulation. If an adversary tries to modify the payload encapsulation, it will result in incorrect processing of the encapsulated message and lead to an error. If the messages are not protected, additional security must be added at a different layer. As an example, a cbor-record containing an UCCS (Unprotected CWT Claims Sets) can be signed using COSE Sign1 .

Collections If the collection is not protected from tampering by external security measures (such as object security primitives) or internal mechanisms (such as intra-item binding), an attacker could easily manipulate the collection's contents. It is the responsibility of the Attester who creates the CMW collection to ensure that the contents of the collection are integrity-protected. The designer of the attestation technology is typically in charge of ensuring that the security properties are met, not the user of the conceptual message wrapper. In particular, when a CMW is used to carry multiple Evidence messages for a composite device or layered attestation, there should be strong binding between the Evidence messages within the collection. This binding is needed to prevent attacks where Evidence from a subverted part of the device is replaced by Evidence from a separate non-subverted device. The binding of Evidence messages should be some form of attestation. For example, key material used to sign/bind an entire CMW collection should be an attestation key, handled as described in . The binding does not necessarily have to be a signature over the CMW collection, it might also be achieved through identifiers, cross-linking, signing or hashing between the members of the collection. Client-authenticated TLS may be used to bind a CMW collection of Evidence messages. However, the client key used with TLS should not be that of the end-user or owner of the device. Instead, it should be attestation-oriented key material from the device or the attester manufacturer.

IANA Considerations RFC Editor: replace "&SELF;" with the RFC number assigned to this document.

CWT cmw Claim Registration IANA is requested to add a new cmw claim to the "CBOR Web Token (CWT) Claims" registry as follows: Claim Name: cmw Claim Description: A RATS Conceptual Message Wrapper Claim Key: TBD Claim Value Type(s): CBOR Map, CBOR Array, or CBOR Tag Change Controller: IETF Specification Document(s): , and of &SELF; The suggested value for the Claim Key is 299.

JWT cmw Claim Registration IANA is requested to add a new cmw claim to the "JSON Web Token Claims" sub-registry of the "JSON Web Token (JWT)" registry as follows: Claim Name: cmw Claim Description: A RATS Conceptual Message Wrapper Change Controller: IETF Specification Document(s): and of &SELF;

CBOR Tag Registration IANA is requested to add the following tag to the "CBOR Tags" registry. CBOR Tag Data Item Semantics Reference CPA765 CBOR map, CBOR array, CBOR tag RATS Conceptual Message Wrapper , and of &SELF;

RATS Conceptual Message Wrapper (CMW) Indicators Registry This specification defines a new "RATS Conceptual Message Wrapper (CMW) Indicators" registry, with the policy "Expert Review" (). The objective is to have CMW Indicators values registered for all RATS Conceptual Messages ().

Instructions for the Designated Expert The expert is instructed to add the values incrementally. Acceptable values are those corresponding to RATS Conceptual Messages defined by the RATS architecture and any of its updates.

Structure of Entries Each entry in the registry must include:

Indicator value:

A number corresponding to the bit position in the ind bitmap ().

Conceptual Message name:

A text string describing the RATS conceptual message this indicator corresponds to.

Reference:

A reference to a document, if available, or the registrant.

The initial registrations for the registry are detailed in . Indicator value Conceptual Message name Reference 0 Reference Values &SELF; 1 Endorsements &SELF; 2 Evidence &SELF; 3 Attestation Results &SELF; 4-31 Unassigned &SELF;

Provisional Registration Before the creation of the registry by IANA, new codepoints can be added to the provisional CMW Indicators registry by following the documented procedure. will be regularly updated to match the contents of the provisional registry. The provisional registry will be discontinued once IANA establishes the permanent registry, which is expected to coincide with the publication of the current document.

Media Types IANA is requested to add the following media types to the "Media Types" registry . Name Template Reference cmw+cbor application/cmw+cbor , and of &SELF; cmw+json application/cmw+json and of &SELF;

application/cmw+cbor

Type name:

application

Subtype name:

cmw+cbor

Required parameters:

n/a

Optional parameters:

cmwc_t (CMW collection type in string format. The parameter value is case-insensitive. It MUST NOT be used for CMW that are not collections.)

Encoding considerations:

binary (CBOR)

Security considerations:

of &SELF;

Interoperability considerations:

n/a

Published specification:

&SELF;

Applications that use this media type:

Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer CMW payloads over HTTP(S), CoAP(S), and other transports.

Fragment identifier considerations:

The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)

Person & email address to contact for further information:

RATS WG mailing list (rats@ietf.org)

Intended usage:

COMMON

Restrictions on usage:

none

Author/Change controller:

IETF

Provisional registration:

no

application/cmw+json

Type name:

application

Subtype name:

cmw+json

Required parameters:

n/a

Optional parameters:

cmwc_t (CMW collection type in string format. The parameter value is case-insensitive. It MUST NOT be used for CMW that are not collections.)

Encoding considerations:

binary (JSON is UTF-8-encoded text)

Security considerations:

of &SELF;

Interoperability considerations:

n/a

Published specification:

&SELF;

Applications that use this media type:

Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer CMW payloads over HTTP(S), CoAP(S), and other transports.

Fragment identifier considerations:

The syntax and semantics of fragment identifiers are as specified for "application/json". (No fragment identification syntax is currently defined for "application/json".)

Person & email address to contact for further information:

RATS WG mailing list (rats@ietf.org)

Intended usage:

COMMON

Restrictions on usage:

none

Author/Change controller:

IETF

Provisional registration:

no

CoAP Content Formats IANA is requested to register the following Content-Format numbers in the "CoAP Content-Formats" sub-registry, within the "Constrained RESTful Environments (CoRE) Parameters" Registry : Content-Type Content Coding ID Reference application/cmw+cbor - TBD1 , and of &SELF; application/cmw+json - TBD2 and of &SELF; If possible, TBD1 and TBD2 should be assigned in the 256..999 range.

New SMI Numbers Registrations IANA is requested to assign an object identifier (OID) for the CMW extension defined in in the "Certificate Extension" sub-registry of the "SMI Numbers" registry. IANA is requested to assign an object identifier (OID) for the ASN.1 Module defined in in the "Module Identifier" sub-registry of the "SMI Numbers" registry.

This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point. The present document defines a number of control operators that were not yet ready at the time RFC 8610 was completed:,, and for the construction of constants; / for including ABNF (RFC 5234 and RFC 7405) in CDDL specifications; and for indicating the use of a non-basic feature in an instance. This document defines a stored ("file") format for Concise Binary Object Representation (CBOR) data items that is friendly to common systems that recognize file types, such as the Unix file(1) command. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. IANA IANA Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. International Telephone and Telegraph Consultative Committee In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. IANA IANA IANA IANA This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice. The Sensor Measurement Lists (SenML) media types support multiple types of values, from numbers to text strings and arbitrary binary Data Values. In order to facilitate processing of binary Data Values, this document specifies a pair of new SenML fields for indicating the content format of those binary Data Values, i.e., their Internet media type, including parameters as well as any content codings applied. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. Security Theory LLC Mediatek USA Qualcomm Technologies Inc. Red Hound Software, Inc. An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine the type and degree of trust placed in the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. Security Theory LLC Fraunhofer Institute for Secure Information Technology Linaro Payloads used in Remote Attestation Procedures may require an associated media type for their conveyance, for example when used in RESTful APIs. This memo defines media types to be used for Entity Attestation Tokens (EAT). Cisco Systems Fraunhofer SIT MIT Linaro Intel This document defines reusable Attestation Result information elements. When these elements are offered to Relying Parties as Evidence, different aspects of Attester trustworthiness can be evaluated. Additionally, where the Relying Party is interfacing with a heterogeneous mix of Attesting Environment and Verifier types, consistent policies can be applied to subsequent information exchange between each Attester and the Relying Party. Fraunhofer SIT Qualcomm Technologies Inc. Cisco Systems Universität Bremen TZI When transported over secure channels, CBOR Web Token (CWT, RFC 8392) Claims Sets may not need the protection afforded by wrapping them into COSE, as is required for a true CWT. This specification defines a CBOR tag for such unprotected CWT Claims Sets (UCCS) and discusses conditions for its proper use. Intuit Arm Limited Arm Limited Arm Limited Huawei Linaro The TLS handshake protocol allows authentication of one or both peers using static, long-term credentials. In some cases, it is also desirable to ensure that the peer runtime environment is in a secure state. Such an assurance can be achieved using attestation which is a process by which an entity produces evidence about itself that another party can use to appraise whether that entity is found in a secure state. This document describes a series of protocol extensions to the TLS 1.3 handshake that enables the binding of the TLS authentication key to a remote attestation session. This enables an entity capable of producing attestation evidence, such as a confidential workload running in a Trusted Execution Environment (TEE), or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer. These extensions have been designed to allow the peers to use any attestation technology, in any remote attestation topology, and mutually. Entrust Limited Siemens Fraunhofer SIT Beyond Identity Intel Corporation A PKI end entity requesting a certificate from a Certification Authority (CA) may wish to offer trustworthy claims about the platform generating the certification request and the environment associated with the corresponding private key, such as whether the private key resides on a hardware security module. This specification defines an attribute and an extension that allow for conveyance of Evidence in Certificate Signing Requests (CSRs) such as PKCS#10 or Certificate Request Message Format (CRMF) payloads which provides an elegant and automatable mechanism for transporting Evidence to a Certification Authority. Including Evidence along with a CSR can help to improve the assessment of the security posture for the private key, and can help the Certification Authority to assess whether it satisfies the requested certificate profile. These Evidence Claims can include information about the hardware component's manufacturer, the version of installed or running firmware, the version of software installed or running in layers above the firmware, or the presence of hardware components providing specific protection capabilities or shielded locations (e.g., to protect keys). Fraunhofer SIT Linaro arm Intel Huawei Technologies Remote Attestation Procedures (RATS) enable Relying Parties to assess the trustworthiness of a remote Attester and therefore to decide whether or not to engage in secure interactions with it. Evidence about trustworthiness can be rather complex and it is deemed unrealistic that every Relying Party is capable of the appraisal of Evidence. Therefore that burden is typically offloaded to a Verifier. In order to conduct Evidence appraisal, a Verifier requires not only fresh Evidence from an Attester, but also trusted Endorsements and Reference Values from Endorsers and Reference Value Providers, such as manufacturers, distributors, or device owners. This document specifies the information elements for representing Endorsements and Reference Values in CBOR format. Trusted Computing Group Universität Bremen TZI CBOR-based protocols often make use of numbers allocated in a registry. During development of the protocols, those numbers may not yet be available. This impedes the generation of data models and examples that actually can be used by tools. This short draft proposes a common way to handle these situations, without any changes to existing tools. Also, in conjunction with the application-oriented EDN literal e'', a further reduction in editorial processing of CBOR examples around the time of approval can be achieved.

Collected CDDL

= #6.(bytes .cbor $fmt) json-collection = { ? "__cmwc_t": ~uri / oid + &(label: text) => json-CMW / c2j-tunnel } cbor-collection = { ? "__cmwc_t": ~uri / oid + &(label: (int / text)) => cbor-CMW / j2c-tunnel } c2j-tunnel = [ "#cmw-c2j-tunnel", base64url-string ] j2c-tunnel = [ "#cmw-j2c-tunnel", bytes ] media-type = text .abnf ("Content-Type" .cat Content-Type-ABNF) base64url-string = text .regexp "[A-Za-z0-9_-]+" cm-type = &( reference-values: 0 endorsements: 1 evidence: 2 attestation-results: 3 ) coap-content-format-type = uint .size 2 oid = text .regexp "([0-2])((\\.0)|(\\.[1-9][0-9]*))*" Content-Type-ABNF = ' Content-Type = Media-Type-Name *( *SP ";" *SP parameter ) parameter = token "=" ( token / quoted-string ) token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "\'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA quoted-string = %x22 *( qdtext / quoted-pair ) %x22 qdtext = SP / %x21 / %x23-5B / %x5D-7E quoted-pair = "\" ( SP / VCHAR ) Media-Type-Name = type-name "/" subtype-name type-name = restricted-name subtype-name = restricted-name restricted-name = restricted-name-first *126restricted-name-chars restricted-name-first = ALPHA / DIGIT restricted-name-chars = ALPHA / DIGIT / "!" / "#" / "$" / "&" / "-" / "^" / "_" restricted-name-chars =/ "." ; Characters before first dot always ; specify a facet name restricted-name-chars =/ "+" ; Characters after last plus always ; specify a structured syntax suffix DIGIT = %x30-39 ; 0 - 9 POS-DIGIT = %x31-39 ; 1 - 9 ALPHA = %x41-5A / %x61-7A ; A - Z / a - z SP = %x20 VCHAR = %x21-7E ; printable ASCII (no SP) ' ]]>

Registering and Using CMWs describes the registration preconditions for using CMWs in either CMW record or CBOR tag forms. When using CMW collection, the preconditions apply for each entry in the collection.

Open Issues The list of currently open issues for this documents can be found at . RFC Editor: please remove before publication.

Acknowledgments The authors would like to thank Brian Campbell, Carl Wallace, Carsten Bormann, Dionna Glaze, , Michael B. Jones, Mohit Sethi, Russ Housley, and Tom Jones for their reviews and suggestions. The definition of a CMW collection has been modelled on a proposal originally made by Simon Frost for an EAT-based Evidence collection type. The CMW collection intentionally attains binary compatibility with Simon's design and aims at superseding it by also generalizing on the allowed Evidence formats.

Contributors Security Theory LLC

lgl@securitytheory.com

Laurence made significant contributions to enhancing the security requirements and considerations for CMW collections.