draft-ietf-ace-cbor-web-token-09.txt | draft-ietf-ace-cbor-web-token-10.txt | |||
---|---|---|---|---|
ACE Working Group M. Jones | ACE Working Group M. Jones | |||
Internet-Draft Microsoft | Internet-Draft Microsoft | |||
Intended status: Standards Track E. Wahlstroem | Intended status: Standards Track E. Wahlstroem | |||
Expires: April 29, 2018 | Expires: June 20, 2018 | |||
S. Erdtman | S. Erdtman | |||
Spotify AB | Spotify AB | |||
H. Tschofenig | H. Tschofenig | |||
ARM Ltd. | ARM Ltd. | |||
October 26, 2017 | December 17, 2017 | |||
CBOR Web Token (CWT) | CBOR Web Token (CWT) | |||
draft-ietf-ace-cbor-web-token-09 | draft-ietf-ace-cbor-web-token-10 | |||
Abstract | Abstract | |||
CBOR Web Token (CWT) is a compact means of representing claims to be | CBOR Web Token (CWT) is a compact means of representing claims to be | |||
transferred between two parties. The claims in a CWT are encoded in | transferred between two parties. The claims in a CWT are encoded in | |||
the Concise Binary Object Representation (CBOR) and CBOR Object | the Concise Binary Object Representation (CBOR) and CBOR Object | |||
Signing and Encryption (COSE) is used for added application layer | Signing and Encryption (COSE) is used for added application layer | |||
security protection. A claim is a piece of information asserted | security protection. A claim is a piece of information asserted | |||
about a subject and is represented as a name/value pair consisting of | about a subject and is represented as a name/value pair consisting of | |||
a claim name and a claim value. CWT is derived from JSON Web Token | a claim name and a claim value. CWT is derived from JSON Web Token | |||
(JWT), but uses CBOR rather than JSON. | (JWT) but uses CBOR rather than JSON. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 29, 2018. | This Internet-Draft will expire on June 20, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 27 | skipping to change at page 2, line 27 | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.1. CBOR Related Terminology . . . . . . . . . . . . . . . . 3 | 1.1. CBOR Related Terminology . . . . . . . . . . . . . . . . 3 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.1. Registered Claims . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Registered Claims . . . . . . . . . . . . . . . . . . . . 5 | |||
3.1.1. iss (Issuer) Claim . . . . . . . . . . . . . . . . . 5 | 3.1.1. iss (Issuer) Claim . . . . . . . . . . . . . . . . . 5 | |||
3.1.2. sub (Subject) Claim . . . . . . . . . . . . . . . . . 5 | 3.1.2. sub (Subject) Claim . . . . . . . . . . . . . . . . . 5 | |||
3.1.3. aud (Audience) Claim . . . . . . . . . . . . . . . . 5 | 3.1.3. aud (Audience) Claim . . . . . . . . . . . . . . . . 5 | |||
3.1.4. exp (Expiration Time) Claim . . . . . . . . . . . . . 5 | 3.1.4. exp (Expiration Time) Claim . . . . . . . . . . . . . 5 | |||
3.1.5. nbf (Not Before) Claim . . . . . . . . . . . . . . . 5 | 3.1.5. nbf (Not Before) Claim . . . . . . . . . . . . . . . 5 | |||
3.1.6. iat (Issued At) Claim . . . . . . . . . . . . . . . . 5 | 3.1.6. iat (Issued At) Claim . . . . . . . . . . . . . . . . 6 | |||
3.1.7. cti (CWT ID) Claim . . . . . . . . . . . . . . . . . 6 | 3.1.7. cti (CWT ID) Claim . . . . . . . . . . . . . . . . . 6 | |||
4. Summary of the claim names, keys, and value types . . . . . . 6 | 4. Summary of the claim names, keys, and value types . . . . . . 6 | |||
5. CBOR Tags and Claim Values . . . . . . . . . . . . . . . . . 6 | 5. CBOR Tags and Claim Values . . . . . . . . . . . . . . . . . 6 | |||
6. CWT CBOR Tag . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. CWT CBOR Tag . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
7. Creating and Validating CWTs . . . . . . . . . . . . . . . . 7 | 7. Creating and Validating CWTs . . . . . . . . . . . . . . . . 7 | |||
7.1. Creating a CWT . . . . . . . . . . . . . . . . . . . . . 7 | 7.1. Creating a CWT . . . . . . . . . . . . . . . . . . . . . 7 | |||
7.2. Validating a CWT . . . . . . . . . . . . . . . . . . . . 8 | 7.2. Validating a CWT . . . . . . . . . . . . . . . . . . . . 8 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
9.1. CBOR Web Token (CWT) Claims Registry . . . . . . . . . . 10 | 9.1. CBOR Web Token (CWT) Claims Registry . . . . . . . . . . 10 | |||
9.1.1. Registration Template . . . . . . . . . . . . . . . . 10 | 9.1.1. Registration Template . . . . . . . . . . . . . . . . 10 | |||
9.1.2. Initial Registry Contents . . . . . . . . . . . . . . 11 | 9.1.2. Initial Registry Contents . . . . . . . . . . . . . . 11 | |||
9.2. Media Type Registration . . . . . . . . . . . . . . . . . 13 | 9.2. Media Type Registration . . . . . . . . . . . . . . . . . 13 | |||
9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 13 | 9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 13 | |||
9.3. CoAP Content-Formats Registration . . . . . . . . . . . . 13 | 9.3. CoAP Content-Formats Registration . . . . . . . . . . . . 13 | |||
9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 13 | 9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 14 | |||
9.4. CBOR Tag registration . . . . . . . . . . . . . . . . . . 14 | 9.4. CBOR Tag registration . . . . . . . . . . . . . . . . . . 14 | |||
9.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 14 | 9.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 14 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 15 | 10.2. Informative References . . . . . . . . . . . . . . . . . 15 | |||
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 15 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 15 | |||
A.1. Example CWT Claims Set . . . . . . . . . . . . . . . . . 15 | A.1. Example CWT Claims Set . . . . . . . . . . . . . . . . . 16 | |||
A.2. Example keys . . . . . . . . . . . . . . . . . . . . . . 16 | A.2. Example keys . . . . . . . . . . . . . . . . . . . . . . 16 | |||
A.2.1. 128-bit Symmetric Key . . . . . . . . . . . . . . . . 16 | A.2.1. 128-bit Symmetric Key . . . . . . . . . . . . . . . . 16 | |||
A.2.2. 256-bit Symmetric Key . . . . . . . . . . . . . . . . 16 | A.2.2. 256-bit Symmetric Key . . . . . . . . . . . . . . . . 17 | |||
A.2.3. ECDSA P-256 256-bit COSE Key . . . . . . . . . . . . 17 | A.2.3. ECDSA P-256 256-bit COSE Key . . . . . . . . . . . . 17 | |||
A.3. Example Signed CWT . . . . . . . . . . . . . . . . . . . 17 | A.3. Example Signed CWT . . . . . . . . . . . . . . . . . . . 17 | |||
A.4. Example MACed CWT . . . . . . . . . . . . . . . . . . . . 18 | A.4. Example MACed CWT . . . . . . . . . . . . . . . . . . . . 18 | |||
A.5. Example Encrypted CWT . . . . . . . . . . . . . . . . . . 19 | A.5. Example Encrypted CWT . . . . . . . . . . . . . . . . . . 19 | |||
A.6. Example Nested CWT . . . . . . . . . . . . . . . . . . . 20 | A.6. Example Nested CWT . . . . . . . . . . . . . . . . . . . 20 | |||
A.7. Example MACed CWT with a floating-point value . . . . . . 21 | A.7. Example MACed CWT with a floating-point value . . . . . . 21 | |||
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 22 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 22 | |||
Appendix C. Document History . . . . . . . . . . . . . . . . . . 22 | Appendix C. Document History . . . . . . . . . . . . . . . . . . 22 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
skipping to change at page 4, line 4 | skipping to change at page 3, line 51 | |||
In JSON, maps are called objects and only have one kind of map key: a | In JSON, maps are called objects and only have one kind of map key: a | |||
string. CBOR uses strings, negative integers, and unsigned integers | string. CBOR uses strings, negative integers, and unsigned integers | |||
as map keys. The integers are used for compactness of encoding and | as map keys. The integers are used for compactness of encoding and | |||
easy comparison. The inclusion of strings allows for an additional | easy comparison. The inclusion of strings allows for an additional | |||
range of short encoded values to be used. | range of short encoded values to be used. | |||
2. Terminology | 2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119]. | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | ||||
This document reuses terminology from JWT [RFC7519] and COSE | This document reuses terminology from JWT [RFC7519] and COSE | |||
[RFC8152]. | [RFC8152]. | |||
StringOrURI | StringOrURI | |||
The "StringOrURI" term has the same meaning, syntax, and | The "StringOrURI" term has the same meaning, syntax, and | |||
processing rules as the "StringOrUri" term defined in Section 2 of | processing rules as the "StringOrURI" term defined in Section 2 of | |||
JWT [RFC7519], except that it uses a CBOR text string instead of a | JWT [RFC7519], except that it uses a CBOR text string instead of a | |||
JSON string value. | JSON string value. | |||
NumericDate | NumericDate | |||
The "NumericDate" term has the same meaning, syntax, and | The "NumericDate" term has the same meaning, syntax, and | |||
processing rules as the "NumericDate" term defined in Section 2 of | processing rules as the "NumericDate" term defined in Section 2 of | |||
JWT [RFC7519], except that the CBOR numeric date representation | JWT [RFC7519], except that the CBOR numeric date representation | |||
(from Section 2.4.1 of [RFC7049]) is used. The encoding is | (from Section 2.4.1 of [RFC7049]) is used. The encoding is | |||
modified so that the leading tag 1 (epoch-based date/time) MUST be | modified so that the leading tag 1 (epoch-based date/time) MUST be | |||
omitted. | omitted. | |||
skipping to change at page 5, line 31 | skipping to change at page 5, line 31 | |||
The "sub" (subject) claim has the same meaning, syntax, and | The "sub" (subject) claim has the same meaning, syntax, and | |||
processing rules as the "sub" claim defined in Section 4.1.2 of JWT | processing rules as the "sub" claim defined in Section 4.1.2 of JWT | |||
[RFC7519], except that the value is of type StringOrURI. The Claim | [RFC7519], except that the value is of type StringOrURI. The Claim | |||
Key 2 is used to identify this claim. | Key 2 is used to identify this claim. | |||
3.1.3. aud (Audience) Claim | 3.1.3. aud (Audience) Claim | |||
The "aud" (audience) claim has the same meaning, syntax, and | The "aud" (audience) claim has the same meaning, syntax, and | |||
processing rules as the "aud" claim defined in Section 4.1.3 of JWT | processing rules as the "aud" claim defined in Section 4.1.3 of JWT | |||
[RFC7519], except that the value is of type StringOrURI. The Claim | [RFC7519], except that the value of the audience claim is of type | |||
Key 3 is used to identify this claim. | StringOrURI when it is not an array or the values of the audience | |||
array elements are of type StringOrURI when the audience claim value | ||||
is an array. The Claim Key 3 is used to identify this claim. | ||||
3.1.4. exp (Expiration Time) Claim | 3.1.4. exp (Expiration Time) Claim | |||
The "exp" (expiration time) claim has the same meaning, syntax, and | The "exp" (expiration time) claim has the same meaning, syntax, and | |||
processing rules as the "exp" claim defined in Section 4.1.4 of JWT | processing rules as the "exp" claim defined in Section 4.1.4 of JWT | |||
[RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
Key 4 is used to identify this claim. | Key 4 is used to identify this claim. | |||
3.1.5. nbf (Not Before) Claim | 3.1.5. nbf (Not Before) Claim | |||
skipping to change at page 6, line 4 | skipping to change at page 6, line 9 | |||
The "nbf" (not before) claim has the same meaning, syntax, and | The "nbf" (not before) claim has the same meaning, syntax, and | |||
processing rules as the "nbf" claim defined in Section 4.1.5 of JWT | processing rules as the "nbf" claim defined in Section 4.1.5 of JWT | |||
[RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
Key 5 is used to identify this claim. | Key 5 is used to identify this claim. | |||
3.1.6. iat (Issued At) Claim | 3.1.6. iat (Issued At) Claim | |||
The "iat" (issued at) claim has the same meaning, syntax, and | The "iat" (issued at) claim has the same meaning, syntax, and | |||
processing rules as the "iat" claim defined in Section 4.1.6 of JWT | processing rules as the "iat" claim defined in Section 4.1.6 of JWT | |||
[RFC7519], except that the value is of type NumericDate. The Claim | [RFC7519], except that the value is of type NumericDate. The Claim | |||
Key 6 is used to identify this claim. | Key 6 is used to identify this claim. | |||
3.1.7. cti (CWT ID) Claim | 3.1.7. cti (CWT ID) Claim | |||
The "cti" (CWT ID) claim has the same meaning, syntax, and processing | The "cti" (CWT ID) claim has the same meaning, syntax, and processing | |||
rules as the "jti" claim defined in Section 4.1.7 of JWT [RFC7519], | rules as the "jti" claim defined in Section 4.1.7 of JWT [RFC7519], | |||
except that the value is of type binary string. The Claim Key 7 is | except that the value is of type byte string. The Claim Key 7 is | |||
used to identify this claim. | used to identify this claim. | |||
4. Summary of the claim names, keys, and value types | 4. Summary of the claim names, keys, and value types | |||
/---------+-----+----------------------------------\ | +------+-----+----------------------------------+ | |||
| Name | Key | Value type | | | Name | Key | Value type | | |||
|---------+-----+----------------------------------| | +------+-----+----------------------------------+ | |||
| iss | 1 | text string | | | iss | 1 | text string | | |||
| sub | 2 | text string | | | sub | 2 | text string | | |||
| aud | 3 | text string | | | aud | 3 | text string | | |||
| exp | 4 | integer or floating-point number | | | exp | 4 | integer or floating-point number | | |||
| nbf | 5 | integer or floating-point number | | | nbf | 5 | integer or floating-point number | | |||
| iat | 6 | integer or floating-point number | | | iat | 6 | integer or floating-point number | | |||
| cti | 7 | binary string | | | cti | 7 | byte string | | |||
\---------+-----+----------------------------------/ | +------+-----+----------------------------------+ | |||
Figure 1: Summary of the claim names, keys, and value types | Table 1: Summary of the claim names, keys, and value types | |||
5. CBOR Tags and Claim Values | 5. CBOR Tags and Claim Values | |||
The claim values defined in this specification MUST NOT be prefixed | The claim values defined in this specification MUST NOT be prefixed | |||
with any CBOR tag. For instance, while CBOR tag 1 (epoch-based date/ | with any CBOR tag. For instance, while CBOR tag 1 (epoch-based date/ | |||
time) could logically be prefixed to values of the "exp", "nbf", and | time) could logically be prefixed to values of the "exp", "nbf", and | |||
"iat" claims, this is unnecessary, since the representation of the | "iat" claims, this is unnecessary, since the representation of the | |||
claim values is already specified by the claim definitions. Tagging | claim values is already specified by the claim definitions. Tagging | |||
claim values would only take up extra space without adding | claim values would only take up extra space without adding | |||
information. However, this does not prohibit future claim | information. However, this does not prohibit future claim | |||
skipping to change at page 7, line 7 | skipping to change at page 7, line 9 | |||
How to determine that a CBOR data structure is a CWT is application- | How to determine that a CBOR data structure is a CWT is application- | |||
dependent. In some cases, this information is known from the | dependent. In some cases, this information is known from the | |||
application context, such as from the position of the CWT in a data | application context, such as from the position of the CWT in a data | |||
structure at which the value must be a CWT. One method of indicating | structure at which the value must be a CWT. One method of indicating | |||
that a CBOR object is a CWT is the use of the "application/cwt" | that a CBOR object is a CWT is the use of the "application/cwt" | |||
content type by a transport protocol. | content type by a transport protocol. | |||
This section defines the CWT CBOR tag as another means for | This section defines the CWT CBOR tag as another means for | |||
applications to declare that a CBOR data structure is a CWT. Its use | applications to declare that a CBOR data structure is a CWT. Its use | |||
is optional, and is intended for use in cases in which this | is optional and is intended for use in cases in which this | |||
information would not otherwise be known. | information would not otherwise be known. | |||
If present, the CWT tag MUST prefix a tagged object using one of the | If present, the CWT tag MUST prefix a tagged object using one of the | |||
COSE CBOR tags. In this example, the COSE_Mac0 tag is used. The | COSE CBOR tags. In this example, the COSE_Mac0 tag is used. The | |||
actual COSE_Mac0 object has been excluded from this example. | actual COSE_Mac0 object has been excluded from this example. | |||
/ CWT CBOR tag / 61( | / CWT CBOR tag / 61( | |||
/ COSE_Mac0 CBOR tag / 17( | / COSE_Mac0 CBOR tag / 17( | |||
/ COSE_Mac0 object / | / COSE_Mac0 object / | |||
) | ) | |||
) | ) | |||
Figure 2: Example of a CWT tag usage | Figure 1: Example of a CWT tag usage | |||
7. Creating and Validating CWTs | 7. Creating and Validating CWTs | |||
7.1. Creating a CWT | 7.1. Creating a CWT | |||
To create a CWT, the following steps are performed. The order of the | To create a CWT, the following steps are performed. The order of the | |||
steps is not significant in cases where there are no dependencies | steps is not significant in cases where there are no dependencies | |||
between the inputs and outputs of the steps. | between the inputs and outputs of the steps. | |||
1. Create a CWT Claims Set containing the desired claims. | 1. Create a CWT Claims Set containing the desired claims. | |||
skipping to change at page 8, line 12 | skipping to change at page 8, line 14 | |||
specified in [RFC8152] for creating a COSE_Mac/COSE_Mac0 | specified in [RFC8152] for creating a COSE_Mac/COSE_Mac0 | |||
object MUST be followed. | object MUST be followed. | |||
* Else, if the CWT is a COSE_Encrypt/COSE_Encrypt0 object, | * Else, if the CWT is a COSE_Encrypt/COSE_Encrypt0 object, | |||
create a COSE_Encrypt/COSE_Encrypt0 using the Message as the | create a COSE_Encrypt/COSE_Encrypt0 using the Message as the | |||
plaintext for the COSE_Encrypt/COSE_Encrypt0 object; all steps | plaintext for the COSE_Encrypt/COSE_Encrypt0 object; all steps | |||
specified in [RFC8152] for creating a COSE_Encrypt/ | specified in [RFC8152] for creating a COSE_Encrypt/ | |||
COSE_Encrypt0 object MUST be followed. | COSE_Encrypt0 object MUST be followed. | |||
5. If a nested signing, MACing, or encryption operation will be | 5. If a nested signing, MACing, or encryption operation will be | |||
performed, let the Message be the COSE_Sign/COSE_Sign1, COSE_Mac/ | performed, let the Message be the tagged COSE_Sign/COSE_Sign1, | |||
COSE_Mac0, or COSE_Encrypt/COSE_Encrypt0, add the matching COSE | COSE_Mac/COSE_Mac0, or COSE_Encrypt/COSE_Encrypt0, and return to | |||
CBOR tag, and return to Step 3. | Step 3. | |||
6. If needed by the application, add the appropriate COSE CBOR tag | 6. If needed by the application, prepend the COSE object with the | |||
to the COSE object to indicate the type of the COSE object. If | appropriate COSE CBOR tag to indicate the type of the COSE | |||
needed by the application, add the CWT CBOR tag to indicate that | object. If needed by the application, prepend the COSE object | |||
the COSE object is a CWT. | with the CWT CBOR tag to indicate that the COSE object is a CWT. | |||
7.2. Validating a CWT | 7.2. Validating a CWT | |||
When validating a CWT, the following steps are performed. The order | When validating a CWT, the following steps are performed. The order | |||
of the steps is not significant in cases where there are no | of the steps is not significant in cases where there are no | |||
dependencies between the inputs and outputs of the steps. If any of | dependencies between the inputs and outputs of the steps. If any of | |||
the listed steps fail, then the CWT MUST be rejected -- that is, | the listed steps fail, then the CWT MUST be rejected -- that is, | |||
treated by the application as invalid input. | treated by the application as invalid input. | |||
1. Verify that the CWT is a valid CBOR object. | 1. Verify that the CWT is a valid CBOR object. | |||
skipping to change at page 12, line 50 | skipping to change at page 12, line 51 | |||
o Claim Key: 6 | o Claim Key: 6 | |||
o Claim Value Type(s): integer or floating-point number | o Claim Value Type(s): integer or floating-point number | |||
o Change Controller: IESG | o Change Controller: IESG | |||
o Specification Document(s): Section 3.1.6 of [[ this specification | o Specification Document(s): Section 3.1.6 of [[ this specification | |||
]] | ]] | |||
o Claim Name: "cti" | o Claim Name: "cti" | |||
o Claim Description: CWT ID | o Claim Description: CWT ID | |||
o JWT Claim Name: "jti" | o JWT Claim Name: "jti" | |||
o Claim Key: 7 | o Claim Key: 7 | |||
o Claim Value Type(s): binary string | o Claim Value Type(s): byte string | |||
o Change Controller: IESG | o Change Controller: IESG | |||
o Specification Document(s): Section 3.1.7 of [[ this specification | o Specification Document(s): Section 3.1.7 of [[ this specification | |||
]] | ]] | |||
9.2. Media Type Registration | 9.2. Media Type Registration | |||
This section registers the "application/cwt" media type in the "Media | This section registers the "application/cwt" media type in the "Media | |||
Types" registry [IANA.MediaTypes] in the manner described in RFC 6838 | Types" registry [IANA.MediaTypes] in the manner described in RFC 6838 | |||
[RFC6838], which can be used to indicate that the content is a CWT. | [RFC6838], which can be used to indicate that the content is a CWT. | |||
skipping to change at page 15, line 9 | skipping to change at page 15, line 13 | |||
October 2013, <https://www.rfc-editor.org/info/rfc7049>. | October 2013, <https://www.rfc-editor.org/info/rfc7049>. | |||
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
<https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
RFC 8152, DOI 10.17487/RFC8152, July 2017, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
<https://www.rfc-editor.org/info/rfc8152>. | <https://www.rfc-editor.org/info/rfc8152>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
10.2. Informative References | 10.2. Informative References | |||
[IANA.JWT.Claims] | [IANA.JWT.Claims] | |||
IANA, "JSON Web Token Claims", | IANA, "JSON Web Token Claims", | |||
<http://www.iana.org/assignments/jwt>. | <http://www.iana.org/assignments/jwt>. | |||
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
IANA Considerations Section in RFCs", RFC 5226, | IANA Considerations Section in RFCs", RFC 5226, | |||
DOI 10.17487/RFC5226, May 2008, | DOI 10.17487/RFC5226, May 2008, | |||
<https://www.rfc-editor.org/info/rfc5226>. | <https://www.rfc-editor.org/info/rfc5226>. | |||
skipping to change at page 15, line 51 | skipping to change at page 16, line 11 | |||
Where a byte string is to carry an embedded CBOR-encoded item, the | Where a byte string is to carry an embedded CBOR-encoded item, the | |||
diagnostic notation for this CBOR data item can be enclosed in '<<' | diagnostic notation for this CBOR data item can be enclosed in '<<' | |||
and '>>' to notate the byte string resulting from encoding the data | and '>>' to notate the byte string resulting from encoding the data | |||
item, e.g., h'63666F6F' translates to <<"foo">>. | item, e.g., h'63666F6F' translates to <<"foo">>. | |||
A.1. Example CWT Claims Set | A.1. Example CWT Claims Set | |||
The CWT Claims Set used for the different examples displays usage of | The CWT Claims Set used for the different examples displays usage of | |||
all the defined claims. For signed and MACed examples, the CWT | all the defined claims. For signed and MACed examples, the CWT | |||
Claims Set is the CBOR encoding as a binary string. | Claims Set is the CBOR encoding as a byte string. | |||
a70175636f61703a2f2f61732e6578616d706c652e636f6d02656572696b7703 | a70175636f61703a2f2f61732e6578616d706c652e636f6d02656572696b7703 | |||
7818636f61703a2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0 | 7818636f61703a2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0 | |||
051a5610d9f0061a5610d9f007420b71 | 051a5610d9f0061a5610d9f007420b71 | |||
Figure 3: Example CWT Claims Set as hex string | Figure 2: Example CWT Claims Set as hex string | |||
{ | { | |||
/ iss / 1: "coap://as.example.com", | / iss / 1: "coap://as.example.com", | |||
/ sub / 2: "erikw", | / sub / 2: "erikw", | |||
/ aud / 3: "coap://light.example.com", | / aud / 3: "coap://light.example.com", | |||
/ exp / 4: 1444064944, | / exp / 4: 1444064944, | |||
/ nbf / 5: 1443944944, | / nbf / 5: 1443944944, | |||
/ iat / 6: 1443944944, | / iat / 6: 1443944944, | |||
/ cti / 7: h'0b71' | / cti / 7: h'0b71' | |||
} | } | |||
Figure 4: Example CWT Claims Set in CBOR diagnostic notation | Figure 3: Example CWT Claims Set in CBOR diagnostic notation | |||
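The following is an added example, not code from the draft or its authors: a minimal CBOR codec for the claim value types of Section 4, checked against the Claims Set hex above, together with the Section 3 type rules, the no-tag rule of Section 5, and the exp/nbf/aud rejection steps of Section 7.2. The names `validate_claims`, `CLAIM_NAMES`, `NUMERIC_DATE` and the `now`/`expected_aud` parameters are this example's own, not the draft's.

```python
"""Minimal CBOR (RFC 7049 subset) codec plus CWT Claims Set checks. Added example,
not code from the draft: only the claim value types are supported and any tag is rejected."""
import struct

# Claims Set from Appendix A.1 of the draft: diagnostic form and its hex encoding.
EXAMPLE_CLAIMS = {1: "coap://as.example.com", 2: "erikw",
                  3: "coap://light.example.com", 4: 1444064944,
                  5: 1443944944, 6: 1443944944, 7: bytes.fromhex("0b71")}
EXAMPLE_HEX = ("a70175636f61703a2f2f61732e6578616d706c652e636f6d02656572696b7703"
               "7818636f61703a2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0"
               "051a5610d9f0061a5610d9f007420b71")
CLAIM_NAMES = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "cti"}
NUMERIC_DATE = (int, float)     # Section 4: integer or floating-point, no tag 1


def _head(major, n):
    """Initial byte (major type + additional info) and the shortest argument for n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def encode(v):
    """Encode a claim value or Claims Set map; NumericDates are plain numbers (Section 5)."""
    if isinstance(v, bool):
        raise TypeError("booleans are not used by the registered claims")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, float):
        return b"\xfb" + struct.pack(">d", v)          # major type 7, double
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(b, i):
    """Decode one CBOR item at offset i, returning (value, next offset)."""
    major, ai = b[i] >> 5, b[i] & 0x1F
    i += 1
    if major == 7 and ai == 27:                        # double-precision float
        return struct.unpack(">d", b[i:i + 8])[0], i + 8
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length or reserved encoding")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major in (2, 3):                                # byte string / text string
        if i + n > len(b):
            raise ValueError("string length exceeds input")
        s = b[i:i + n]
        return (s if major == 2 else s.decode("utf-8")), i + n
    if major in (4, 5):                                # array / map (keys then values)
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            x, i = _decode(b, i)
            items.append(x)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), i
    if major == 6:
        raise ValueError(f"CBOR tag {n} is not permitted on a claim value")
    raise ValueError("unsupported simple value or float width")


def validate_claims(claims_bytes, now, expected_aud=None):
    """Decode a Claims Set and apply the Section 3 type rules plus the exp/nbf and aud
    processing inherited from JWT; returns claims keyed by name or raises ValueError."""
    claims, end = _decode(claims_bytes, 0)
    if end != len(claims_bytes) or not isinstance(claims, dict):
        raise ValueError("Claims Set must be a single CBOR map")
    for key, ok in ((1, str), (2, str), (4, NUMERIC_DATE), (5, NUMERIC_DATE),
                    (6, NUMERIC_DATE), (7, bytes)):
        if key in claims and not isinstance(claims[key], ok):
            raise ValueError(f"{CLAIM_NAMES[key]} has the wrong CBOR type")
    auds = claims.get(3, [])                           # StringOrURI or array of them
    auds = auds if isinstance(auds, list) else [auds]
    if (3 in claims and not auds) or not all(isinstance(a, str) for a in auds):
        raise ValueError("aud must be a text string or an array of text strings")
    if 3 in claims and expected_aud is not None and expected_aud not in auds:
        raise ValueError("CWT is not intended for this audience")
    if 4 in claims and now >= claims[4]:
        raise ValueError("CWT has expired")
    if 5 in claims and now < claims[5]:
        raise ValueError("CWT is not yet valid")
    return {CLAIM_NAMES.get(k, k): v for k, v in claims.items()}
```

Encoding `EXAMPLE_CLAIMS` reproduces `EXAMPLE_HEX` byte for byte, and a map such as `a104c11a5612aeb0` (an `exp` wrapped in CBOR tag 1) is rejected rather than silently accepted.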
A.2. Example keys | A.2. Example keys | |||
This section contains the keys used to sign, MAC, and encrypt the | This section contains the keys used to sign, MAC, and encrypt the | |||
messages in this appendix. Line breaks are for display purposes | messages in this appendix. Line breaks are for display purposes | |||
only. | only. | |||
A.2.1. 128-bit Symmetric Key | A.2.1. 128-bit Symmetric Key | |||
a42050231f4c4d4d3051fdc2ec0a3851d5b3830104024c53796d6d6574726963 | a42050231f4c4d4d3051fdc2ec0a3851d5b3830104024c53796d6d6574726963 | |||
313238030a | 313238030a | |||
Figure 5: 128-bit symmetric COSE_Key as hex string | Figure 4: 128-bit symmetric COSE_Key as hex string | |||
{ | { | |||
/ k / -1: h'231f4c4d4d3051fdc2ec0a3851d5b383' | / k / -1: h'231f4c4d4d3051fdc2ec0a3851d5b383' | |||
/ kty / 1: 4 / Symmetric /, | / kty / 1: 4 / Symmetric /, | |||
/ kid / 2: h'53796d6d6574726963313238' / 'Symmetric128' /, | / kid / 2: h'53796d6d6574726963313238' / 'Symmetric128' /, | |||
/ alg / 3: 10 / AES-CCM-16-64-128 / | / alg / 3: 10 / AES-CCM-16-64-128 / | |||
} | } | |||
Figure 6: 128-bit symmetric COSE_Key in CBOR diagnostic notation | Figure 5: 128-bit symmetric COSE_Key in CBOR diagnostic notation | |||
A.2.2. 256-bit Symmetric Key | A.2.2. 256-bit Symmetric Key | |||
a4205820403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d | a4205820403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d | |||
795693880104024c53796d6d6574726963323536030a | 795693880104024c53796d6d6574726963323536030a | |||
Figure 7: 256-bit symmetric COSE_Key as hex string | Figure 6: 256-bit symmetric COSE_Key as hex string | |||
{ | { | |||
/ k / -1: h'403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1 | / k / -1: h'403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1 | |||
ec99192d79569388' | ec99192d79569388' | |||
/ kty / 1: 4 / Symmetric /, | / kty / 1: 4 / Symmetric /, | |||
/ kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' /, | / kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' /, | |||
/ alg / 3: 4 / HMAC 256/64 / | / alg / 3: 4 / HMAC 256/64 / | |||
} | } | |||
Figure 8: 256-bit symmetric COSE_Key in CBOR diagnostic notation | Figure 7: 256-bit symmetric COSE_Key in CBOR diagnostic notation | |||
A.2.3. ECDSA P-256 256-bit COSE Key | A.2.3. ECDSA P-256 256-bit COSE Key | |||
a72358206c1382765aec5358f117733d281c1c7bdc39884d04a45a1e6c67c858 | a72358206c1382765aec5358f117733d281c1c7bdc39884d04a45a1e6c67c858 | |||
bc206c1922582060f7f1a780d8a783bfb7a2dd6b2796e8128dbbcef9d3d168db | bc206c1922582060f7f1a780d8a783bfb7a2dd6b2796e8128dbbcef9d3d168db | |||
9529971a36e7b9215820143329cce7868e416927599cf65a34f3ce2ffda55a7e | 9529971a36e7b9215820143329cce7868e416927599cf65a34f3ce2ffda55a7e | |||
ca69ed8919a394d42f0f2001010202524173796d6d6574726963454344534132 | ca69ed8919a394d42f0f2001010202524173796d6d6574726963454344534132 | |||
35360326 | 35360326 | |||
Figure 9: ECDSA 256-bit COSE Key as hex string | Figure 8: ECDSA 256-bit COSE Key as hex string | |||
{ | { | |||
/ d / -4: h'6c1382765aec5358f117733d281c1c7bdc39884d04a45a1e | / d / -4: h'6c1382765aec5358f117733d281c1c7bdc39884d04a45a1e | |||
6c67c858bc206c19', | 6c67c858bc206c19', | |||
/ y / -3: h'60f7f1a780d8a783bfb7a2dd6b2796e8128dbbcef9d3d168 | / y / -3: h'60f7f1a780d8a783bfb7a2dd6b2796e8128dbbcef9d3d168 | |||
db9529971a36e7b9', | db9529971a36e7b9', | |||
/ x / -2: h'143329cce7868e416927599cf65a34f3ce2ffda55a7eca69 | / x / -2: h'143329cce7868e416927599cf65a34f3ce2ffda55a7eca69 | |||
ed8919a394d42f0f', | ed8919a394d42f0f', | |||
/ crv / -1: 1 / P-256 /, | / crv / -1: 1 / P-256 /, | |||
/ kty / 1: 2 / EC2 /, | / kty / 1: 2 / EC2 /, | |||
/ kid / 2: h'4173796d6d6574726963454344534132 | / kid / 2: h'4173796d6d6574726963454344534132 | |||
3536' / 'AsymmetricECDSA256' /, | 3536' / 'AsymmetricECDSA256' /, | |||
/ alg / 3: -7 / ECDSA 256 / | / alg / 3: -7 / ECDSA 256 / | |||
} | } | |||
Figure 10: ECDSA 256-bit COSE Key in CBOR diagnostic notation | Figure 9: ECDSA 256-bit COSE Key in CBOR diagnostic notation | |||
A.3. Example Signed CWT | A.3. Example Signed CWT | |||
This section shows a signed CWT with a single recipient and a full | This section shows a signed CWT with a single recipient and a full | |||
CWT Claims Set. | CWT Claims Set. | |||
The signature is generated using the private key listed in | The signature is generated using the private key listed in | |||
Appendix A.2.3 and it can be validated using the public key from | Appendix A.2.3 and it can be validated using the public key from | |||
Appendix A.2.3. Line breaks are for display purposes only. | Appendix A.2.3. Line breaks are for display purposes only. | |||
d28443a10126a104524173796d6d657472696345434453413235365850a701756 | d28443a10126a104524173796d6d657472696345434453413235365850a701756 | |||
36f61703a2f2f61732e6578616d706c652e636f6d02656572696b77037818636f | 36f61703a2f2f61732e6578616d706c652e636f6d02656572696b77037818636f | |||
61703a2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0051a5610d | 61703a2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0051a5610d | |||
9f0061a5610d9f007420b7158405427c1ff28d23fbad1f29c4c7c6a555e601d6f | 9f0061a5610d9f007420b7158405427c1ff28d23fbad1f29c4c7c6a555e601d6f | |||
a29f9179bc3d7438bacaca5acd08c8d4d4f96131680c429a01f85951ecee743a5 | a29f9179bc3d7438bacaca5acd08c8d4d4f96131680c429a01f85951ecee743a5 | |||
2b9b63632c57209120e1c9e30 | 2b9b63632c57209120e1c9e30 | |||
Figure 11: Signed CWT as hex string | Figure 10: Signed CWT as hex string | |||
18( | 18( | |||
[ | [ | |||
/ protected / << { | / protected / << { | |||
/ alg / 1: -7 / ECDSA 256 / | / alg / 1: -7 / ECDSA 256 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ kid / 4: h'4173796d6d6574726963454344534132 | / kid / 4: h'4173796d6d6574726963454344534132 | |||
3536' / 'AsymmetricECDSA256' / | 3536' / 'AsymmetricECDSA256' / | |||
}, | }, | |||
skipping to change at page 18, line 39 | skipping to change at page 18, line 43 | |||
/ iat / 6: 1443944944, | / iat / 6: 1443944944, | |||
/ cti / 7: h'0b71' | / cti / 7: h'0b71' | |||
} >>, | } >>, | |||
/ signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f | / signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f | |||
9179bc3d7438bacaca5acd08c8d4d4f96131680c42 | 9179bc3d7438bacaca5acd08c8d4d4f96131680c42 | |||
9a01f85951ecee743a52b9b63632c57209120e1c9e | 9a01f85951ecee743a52b9b63632c57209120e1c9e | |||
30' | 30' | |||
] | ] | |||
) | ) | |||
Figure 12: Signed CWT in CBOR diagnostic notation | Figure 11: Signed CWT in CBOR diagnostic notation | |||
A.4. Example MACed CWT | A.4. Example MACed CWT | |||
This section shows a MACed CWT with a single recipient, a full CWT | This section shows a MACed CWT with a single recipient, a full CWT | |||
Claims Set, and a CWT tag. | Claims Set, and a CWT tag. | |||
The MAC is generated using the 256-bit symmetric key from | The MAC is generated using the 256-bit symmetric key from | |||
Appendix A.2.2 with a 64-bit truncation. Line breaks are for display | Appendix A.2.2 with a 64-bit truncation. Line breaks are for display | |||
purposes only. | purposes only. | |||
d83dd18443a10104a1044c53796d6d65747269633235365850a70175636f6170 | d83dd18443a10104a1044c53796d6d65747269633235365850a70175636f6170 | |||
3a2f2f61732e6578616d706c652e636f6d02656572696b77037818636f61703a | 3a2f2f61732e6578616d706c652e636f6d02656572696b77037818636f61703a | |||
2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0051a5610d9f006 | 2f2f6c696768742e6578616d706c652e636f6d041a5612aeb0051a5610d9f006 | |||
1a5610d9f007420b7148093101ef6d789200 | 1a5610d9f007420b7148093101ef6d789200 | |||
Figure 13: MACed CWT with CWT tag as hex string | Figure 12: MACed CWT with CWT tag as hex string | |||
61( | 61( | |||
17( | 17( | |||
[ | [ | |||
/ protected / << { | / protected / << { | |||
/ alg / 1: 4 / HMAC-256-64 / | / alg / 1: 4 / HMAC-256-64 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' / | / kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' / | |||
}, | }, | |||
skipping to change at page 19, line 35 | skipping to change at page 19, line 35 | |||
/ exp / 4: 1444064944, | / exp / 4: 1444064944, | |||
/ nbf / 5: 1443944944, | / nbf / 5: 1443944944, | |||
/ iat / 6: 1443944944, | / iat / 6: 1443944944, | |||
/ cti / 7: h'0b71' | / cti / 7: h'0b71' | |||
} >>, | } >>, | |||
/ tag / h'093101ef6d789200' | / tag / h'093101ef6d789200' | |||
] | ] | |||
) | ) | |||
) | ) | |||
Figure 14: MACed CWT with CWT tag in CBOR diagnostic notation | Figure 13: MACed CWT with CWT tag in CBOR diagnostic notation | |||
A.5. Example Encrypted CWT | A.5. Example Encrypted CWT | |||
This section shows an encrypted CWT with a single recipient and a | This section shows an encrypted CWT with a single recipient and a | |||
full CWT Claims Set. | full CWT Claims Set. | |||
The encryption is done with AES-CCM mode using the 128-bit symmetric | The encryption is done with AES-CCM mode using the 128-bit symmetric | |||
key from Appendix A.2.1 with a 64-bit tag and 13-byte nonce, i.e., | key from Appendix A.2.1 with a 64-bit tag and 13-byte nonce, i.e., | |||
COSE AES-CCM-16-64-128. Line breaks are for display purposes only. | COSE AES-CCM-16-64-128. Line breaks are for display purposes only. | |||
d08343a1010aa2044c53796d6d6574726963313238054d99a0d7846e762c49ff | d08343a1010aa2044c53796d6d6574726963313238054d99a0d7846e762c49ff | |||
e8a63e0b5858b918a11fd81e438b7f973d9e2e119bcb22424ba0f38a80f27562 | e8a63e0b5858b918a11fd81e438b7f973d9e2e119bcb22424ba0f38a80f27562 | |||
f400ee1d0d6c0fdb559c02421fd384fc2ebe22d7071378b0ea7428fff157444d | f400ee1d0d6c0fdb559c02421fd384fc2ebe22d7071378b0ea7428fff157444d | |||
45f7e6afcda1aae5f6495830c58627087fc5b4974f319a8707a635dd643b | 45f7e6afcda1aae5f6495830c58627087fc5b4974f319a8707a635dd643b | |||
Figure 15: Encrypted CWT as hex string | Figure 14: Encrypted CWT as hex string | |||
16( | 16( | |||
[ | [ | |||
/ protected / << { | / protected / << { | |||
/ alg / 1: 10 / AES-CCM-16-64-128 / | / alg / 1: 10 / AES-CCM-16-64-128 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | / kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | |||
/ iv / 5: h'99a0d7846e762c49ffe8a63e0b' | / iv / 5: h'99a0d7846e762c49ffe8a63e0b' | |||
}, | }, | |||
/ ciphertext / h'b918a11fd81e438b7f973d9e2e119bcb22424ba0f38 | / ciphertext / h'b918a11fd81e438b7f973d9e2e119bcb22424ba0f38 | |||
a80f27562f400ee1d0d6c0fdb559c02421fd384fc2e | a80f27562f400ee1d0d6c0fdb559c02421fd384fc2e | |||
be22d7071378b0ea7428fff157444d45f7e6afcda1a | be22d7071378b0ea7428fff157444d45f7e6afcda1a | |||
ae5f6495830c58627087fc5b4974f319a8707a635dd | ae5f6495830c58627087fc5b4974f319a8707a635dd | |||
643b' | 643b' | |||
] | ] | |||
) | ) | |||
Figure 16: Encrypted CWT in CBOR diagnostic notation | Figure 15: Encrypted CWT in CBOR diagnostic notation | |||
A.6. Example Nested CWT | A.6. Example Nested CWT | |||
This section shows a Nested CWT, signed and then encrypted, with a | This section shows a Nested CWT, signed and then encrypted, with a | |||
single recipient and a full CWT Claims Set. | single recipient and a full CWT Claims Set. | |||
The signature is generated using the private ECDSA key from | The signature is generated using the private ECDSA key from | |||
Appendix A.2.3 and it can be validated using the public ECDSA parts | Appendix A.2.3 and it can be validated using the public ECDSA parts | |||
from Appendix A.2.3. The encryption is done with AES-CCM mode using | from Appendix A.2.3. The encryption is done with AES-CCM mode using | |||
the 128-bit symmetric key from Appendix A.2.1 with a 64-bit tag and | the 128-bit symmetric key from Appendix A.2.1 with a 64-bit tag and | |||
skipping to change at page 20, line 49 | skipping to change at page 20, line 49 | |||
layers. Line breaks are for display purposes only. | layers. Line breaks are for display purposes only. | |||
d08343a1010aa2044c53796d6d6574726963313238054d4a0694c0e69ee6b595 | d08343a1010aa2044c53796d6d6574726963313238054d4a0694c0e69ee6b595 | |||
6655c7b258b7f6b0914f993de822cc47e5e57a188d7960b528a747446fe12f0e | 6655c7b258b7f6b0914f993de822cc47e5e57a188d7960b528a747446fe12f0e | |||
7de05650dec74724366763f167a29c002dfd15b34d8993391cf49bc91127f545 | 7de05650dec74724366763f167a29c002dfd15b34d8993391cf49bc91127f545 | |||
dba8703d66f5b7f1ae91237503d371e6333df9708d78c4fb8a8386c8ff09dc49 | dba8703d66f5b7f1ae91237503d371e6333df9708d78c4fb8a8386c8ff09dc49 | |||
af768b23179deab78d96490a66d5724fb33900c60799d9872fac6da3bdb89043 | af768b23179deab78d96490a66d5724fb33900c60799d9872fac6da3bdb89043 | |||
d67c2a05414ce331b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bff142631 | d67c2a05414ce331b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bff142631 | |||
610a7e0f677b7e9b0bc73adefdcee16d9d5d284c616abeab5d8c291ce0 | 610a7e0f677b7e9b0bc73adefdcee16d9d5d284c616abeab5d8c291ce0 | |||
Figure 17: Signed and Encrypted CWT as hex string | Figure 16: Signed and Encrypted CWT as hex string | |||
16( | 16( | |||
[ | [ | |||
/ protected / << { | / protected / << { | |||
/ alg / 1: 10 / AES-CCM-16-64-128 / | / alg / 1: 10 / AES-CCM-16-64-128 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | / kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, | |||
/ iv / 5: h'86bbd41cc32604396324b7f380' | / iv / 5: h'86bbd41cc32604396324b7f380' | |||
}, | }, | |||
skipping to change at page 21, line 26 | skipping to change at page 21, line 26 | |||
fd15b34d8993391cf49bc91127f545dba8703d66f5b | fd15b34d8993391cf49bc91127f545dba8703d66f5b | |||
7f1ae91237503d371e6333df9708d78c4fb8a8386c8 | 7f1ae91237503d371e6333df9708d78c4fb8a8386c8 | |||
ff09dc49af768b23179deab78d96490a66d5724fb33 | ff09dc49af768b23179deab78d96490a66d5724fb33 | |||
900c60799d9872fac6da3bdb89043d67c2a05414ce3 | 900c60799d9872fac6da3bdb89043d67c2a05414ce3 | |||
31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf | 31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf | |||
f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d | f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d | |||
284c616abeab5d8c291ce0' | 284c616abeab5d8c291ce0' | |||
] | ] | |||
) | ) | |||
Figure 18: Signed and Encrypted CWT in CBOR diagnostic notation | Figure 17: Signed and Encrypted CWT in CBOR diagnostic notation | |||
A.7. Example MACed CWT with a floating-point value | A.7. Example MACed CWT with a floating-point value | |||
This section shows a MACed CWT with a single recipient and a simple | This section shows a MACed CWT with a single recipient and a simple | |||
CWT Claims Set whose 'iat' claim has a floating-point value. | CWT Claims Set whose 'iat' claim has a floating-point value. | |||
The MAC is generated using the 256-bit symmetric key from | The MAC is generated using the 256-bit symmetric key from | |||
Appendix A.2.2 with a 64-bit truncation. Line breaks are for display | Appendix A.2.2 with a 64-bit truncation. Line breaks are for display | |||
purposes only. | purposes only. | |||
d18443a10104a1044c53796d6d65747269633235364ba106fb41d584367c2000 | d18443a10104a1044c53796d6d65747269633235364ba106fb41d584367c2000 | |||
0048b8816f34c0542892 | 0048b8816f34c0542892 | |||
Figure 19: MACed CWT with a floating-point value as hex string | Figure 18: MACed CWT with a floating-point value as hex string | |||
17( | 17( | |||
[ | [ | |||
/ protected / << { | / protected / << { | |||
/ alg / 1: 4 / HMAC-256-64 / | / alg / 1: 4 / HMAC-256-64 / | |||
} >>, | } >>, | |||
/ unprotected / { | / unprotected / { | |||
/ kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' / | / kid / 4: h'53796d6d6574726963323536' / 'Symmetric256' / | |||
}, | }, | |||
/ payload / << { | / payload / << { | |||
/ iat / 6: 1443944944.5 | / iat / 6: 1443944944.5 | |||
} >>, | } >>, | |||
/ tag / h'b8816f34c0542892' | / tag / h'b8816f34c0542892' | |||
] | ] | |||
) | ) | |||
Figure 20: MACed CWT with a floating-point value in CBOR diagnostic | Figure 19: MACed CWT with a floating-point value in CBOR diagnostic | |||
notation | notation | |||
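The MACed examples in Appendix A.4 and A.7 can be decoded and their HMAC 256/64 tags recomputed with a short stdlib-only Python script; this is an added example, not code from the draft, and it assumes an empty external_aad and the Symmetric256 key from Appendix A.2.2 (the names cbor_decode, cbor_head, mac0_tag and verify_mac0 are this example's own). It also refuses a token whose protected alg is not 4, which is the check a verifier needs before trusting any tag.

```python
# Added example, not from the draft: stdlib-only decoder and HMAC 256/64 verifier
import hmac, struct
from hashlib import sha256
KEY_SYMMETRIC256 = bytes.fromhex(                   # A.2.2 'k' (Symmetric256)
    "403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d79569388")
CWT_A4 = bytes.fromhex(  # A.4: MACed CWT wrapped in CWT tag 61, as hex string
    "d83dd18443a10104a1044c53796d6d65747269633235365850a70175636f61703a2f2f61732e"
    "6578616d706c652e636f6d02656572696b77037818636f61703a2f2f6c696768742e6578616d"
    "706c652e636f6d041a5612aeb0051a5610d9f0061a5610d9f007420b7148093101ef6d789200")

def cbor_decode(b, i=0):
    # Decode one item at offset i -> (value, next offset); a tag -> (number, item)
    mt, ai = b[i] >> 5, b[i] & 0x1F
    n = 0 if ai < 24 else 1 << (ai - 24)           # 0, 1, 2, 4 or 8 argument bytes
    arg = ai if n == 0 else int.from_bytes(b[i + 1:i + 1 + n], "big")
    i += 1 + n
    if mt == 7 and ai == 27:                       # float64, e.g. the A.7 'iat'
        return struct.unpack(">d", arg.to_bytes(8, "big"))[0], i
    if mt < 2:
        return (arg if mt == 0 else -1 - arg), i
    if mt < 4:
        return (b[i:i + arg] if mt == 2 else b[i:i + arg].decode()), i + arg
    if mt == 6:
        v, i = cbor_decode(b, i)
        return (arg, v), i
    if mt == 7: raise ValueError("unsupported simple value")
    items = []
    for _ in range(arg * (2 if mt == 5 else 1)):   # a map has 2*n child items
        v, i = cbor_decode(b, i)
        items.append(v)
    return (dict(zip(items[::2], items[1::2])) if mt == 5 else items), i

def cbor_head(mt, n):  # initial byte plus shortest argument for major type mt
    if n < 24: return bytes([mt << 5 | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))
    return bytes([mt << 5 | 24 + size.bit_length() - 1]) + n.to_bytes(size, "big")

def mac0_tag(key, protected, payload, external_aad=b""):
    # HMAC-SHA-256 over ["MAC0", protected, external_aad, payload] (RFC 8152 6.3), 8-byte truncation
    to_mac = cbor_head(4, 4) + cbor_head(3, 4) + b"MAC0"
    for bstr in (protected, external_aad, payload):
        to_mac += cbor_head(2, len(bstr)) + bstr
    return hmac.new(key, to_mac, sha256).digest()[:8]

def verify_mac0(token, key):
    # Unwrap optional CWT tag 61, require COSE_Mac0 (17) with alg 4 -> (claims, tag_ok)
    (tag, body), _ = cbor_decode(token)
    if tag == 61: tag, body = body                 # outer CWT tag, as in A.4
    if tag != 17:
        raise ValueError("not a COSE_Mac0 structure")
    protected, _unprotected, payload, tag_bytes = body
    if cbor_decode(protected)[0].get(1) != 4:      # never accept another alg
        raise ValueError("protected alg is not HMAC 256/64")
    ok = hmac.compare_digest(mac0_tag(key, protected, payload), tag_bytes)
    return cbor_decode(payload)[0], ok
```

verify_mac0 returns the claims map keyed by the integer CWT claim keys (1 iss, 2 sub, 3 aud, 4 exp, 5 nbf, 6 iat, 7 cti) together with the result of the constant-time tag comparison.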
Appendix B. Acknowledgements | Appendix B. Acknowledgements | |||
This specification is based on JSON Web Token (JWT) [RFC7519], the | This specification is based on JSON Web Token (JWT) [RFC7519], the | |||
authors of which also include Nat Sakimura and John Bradley. It also | authors of which also include Nat Sakimura and John Bradley. It also | |||
incorporates suggestions made by many people, notably Carsten | incorporates suggestions made by many people, including Carsten | |||
Bormann, Jim Schaad, Ludwig Seitz, and Goeran Selander. | Bormann, Esko Dijk, Jim Schaad, Ludwig Seitz, and Goeran Selander. | |||
Appendix C. Document History | Appendix C. Document History | |||
[[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
-10 | ||||
o Clarified that the audience claim value can be a single audience | ||||
value or an array of audience values, just as is the case for the | ||||
JWT "aud" claim. | ||||
o Clarified the nested CWT description. | ||||
o Changed uses of "binary string" to "byte string". | ||||
-09 | -09 | |||
o Added key ID values to the examples. | o Added key ID values to the examples. | |||
o Key values for the examples are now represented in COSE_Key format | o Key values for the examples are now represented in COSE_Key format | |||
using CBOR diagnostic notation. | using CBOR diagnostic notation. | |||
-08 | -08 | |||
o Updated the diagnostic notation for embedded objects in the | o Updated the diagnostic notation for embedded objects in the | |||
examples, addressing feedback by Carsten Bormann. | examples, addressing feedback by Carsten Bormann. | |||
-07 | -07 | |||
o Updated examples for signing and encryption. Signatures are now | o Updated examples for signing and encryption. Signatures are now | |||
deterministic as recommended by COSE specification. | deterministic as recommended by COSE specification. | |||
-06 | -06 | |||
o Addressed review comments by Carsten Bormann and Jim Schaad. All | o Addressed review comments by Carsten Bormann and Jim Schaad. All | |||
changes were editorial in nature. | changes were editorial in nature. | |||
-05 | -05 | |||
o Addressed working group last call comments with the following | o Addressed working group last call comments with the following | |||
changes: | changes: | |||
o Say that CWT is derived from JWT, rather than CWT is a profile of | o Say that CWT is derived from JWT, rather than CWT is a profile of | |||
JWT. | JWT. | |||
End of changes. 46 change blocks. | ||||
61 lines changed or deleted | 77 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |