Internet-Draft COSE "typ" (type) Header Parameter September 2023
Jones & Steele Expires 8 March 2024
Workgroup: COSE Working Group
Internet-Draft: draft-ietf-cose-typ-header-parameter-00
Published:
Intended Status: Standards Track
Expires: 8 March 2024
Authors:
M.B. Jones (independent)
O. Steele (Transmute)

COSE "typ" (type) Header Parameter

Abstract

This specification adds the equivalent of the JOSE typ (type) header parameter to COSE so that the benefits of explicit typing, as defined in the JSON Web Token Best Current Practices BCP, can be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 March 2024.

1. Introduction

CBOR Object Signing and Encryption (COSE) [RFC9052] defines header parameters that parallel many of those defined by the JSON Object Signing and Encryption (JOSE) [RFC7515] [RFC7516] specifications. However, one way in which COSE does not provide equivalent functionality to JOSE is that it does not define an equivalent of the typ (type) header parameter, which is used for declaring the type of the entire JOSE data structure. The security benefits of having typ (type) are described in the JSON Web Token Best Current Practices [RFC8725], which recommends its use for "explicit typing" -- using typ values to distinguish between different kinds of objects.

This specification adds the equivalent of the JOSE typ (type) header parameter to COSE so that the benefits of explicit typing can be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter, allowing both integer CoAP Content-Formats [IANA.CoAP.ContentFormats] values and string Media Type [IANA.MediaTypes] values to be used.

1.1. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. COSE "typ" (type) header parameter

The typ (type) header parameter is used by COSE applications to declare the type of this complete COSE object. This is intended for use by the application when more than one kind of object could be present in an application data structure that can contain a COSE object; the application can use this value to disambiguate among the different kinds of objects that might be present. It will typically not be used by applications when the kind of object is already known. This parameter is ignored by COSE implementations; any processing of this parameter is performed by the COSE application. Use of this header parameter is OPTIONAL.

The syntax of this header parameter value is the same as the content type header parameter defined in Section 3.1 of [RFC9052]; it can either be an integer CoAP Content-Formats [IANA.CoAP.ContentFormats] value or a string Media Type [IANA.MediaTypes] value.

The typ parameter MUST NOT be present in unprotected headers.

The typ parameter does not describe the content of unprotected headers. Changes to unprotected headers do not change the type of the COSE object.

3. Security Considerations

The case for explicit typing of COSE objects is equivalent to the case made for explicit typing in JSON Web Token Best Current Practices [RFC8725]; explicit typing can prevent confusion between different kinds of objects.

COSE applications employing explicit typing should reject COSE objects with a type header parameter value different than values that they expect in that application context. They should also reject COSE objects without a type header parameter when one is expected.
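
The following Python example is an added illustration, not part of this specification or of any COSE library. It applies the rules of Sections 2 and 3 to an untagged COSE_Sign1 array whose signature is assumed to have been verified already by the application's COSE library. TYP_LABEL = 16 is a placeholder because the registered label is not shown on this page; the media type "application/example+cose", the helper names, and the sample bytes are likewise constructed for the example.

```python
TYP_LABEL = 16  # ASSUMPTION: placeholder label; the registered value is not shown on this page

def decode(buf, pos=0):
    """Decode one CBOR item (ints, strings, arrays, maps) -> (value, next_pos)."""
    if pos >= len(buf) or buf[pos] & 0x1F >= 28:
        raise ValueError("truncated or unsupported CBOR item")
    major, arg, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if arg >= 24:                        # 1-, 2-, 4- or 8-byte argument follows
        size = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos > len(buf) or (major in (2, 3) and pos + arg > len(buf)):
        raise ValueError("truncated CBOR item")
    if major < 2:                        # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                  # byte string / text string
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major not in (4, 5):
        raise ValueError("unsupported CBOR major type")
    items = []
    for _ in range(arg * (major - 3)):   # arrays hold arg items, maps hold 2*arg
        item, pos = decode(buf, pos)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def check_typ(sign1, expected, label=TYP_LABEL):
    """Return the typ value if the application accepts it; raise ValueError otherwise."""
    obj, _ = decode(sign1)
    if not isinstance(obj, list) or len(obj) != 4 or not isinstance(obj[0], bytes):
        raise ValueError("not an untagged COSE_Sign1 array")
    prot, unprot = (decode(obj[0])[0] if obj[0] else {}), obj[1]
    if not (isinstance(prot, dict) and isinstance(unprot, dict)):
        raise ValueError("header is not a CBOR map")
    if label in unprot:                  # Section 2: only valid in protected headers
        raise ValueError("typ MUST NOT be in unprotected headers")
    if label not in prot:                # Section 3: reject when a type is expected
        raise ValueError("typ expected but absent")
    typ = prot[label]
    if not isinstance(typ, (int, str)) or typ not in expected:
        raise ValueError(f"unexpected typ: {typ!r}")
    return typ

# Constructed samples: dummy payload and signature bytes, hypothetical media type.
MEDIA = "application/example+cose"
ALG = b"\x01\x26"                                        # header entry 1: -7
TYP = bytes([TYP_LABEL, 0x78, len(MEDIA)]) + MEDIA.encode()

def sample(prot, unprot=b"\xa0"):
    return b"\x84" + bytes([0x58, len(prot)]) + prot + unprot + b"\x47payload\x43sig"
```

Calling check_typ(sample(b"\xa2" + ALG + TYP), {MEDIA}) returns the media type, while the same typ entry placed in the unprotected map, or omitted entirely, raises ValueError.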

4. IANA Considerations

4.1. COSE Header Parameter Registrations

This section registers the following value in the IANA "COSE Header Parameters" registry [IANA.COSE.HeaderParameters].

5. References

5.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
[RFC7515]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7516]
Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, <https://www.rfc-editor.org/info/rfc7516>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8725]
Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, <https://www.rfc-editor.org/info/rfc8725>.
[RFC9052]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, <https://www.rfc-editor.org/info/rfc9052>.

5.2. Informative References

[IANA.CoAP.ContentFormats]
IANA, "CoAP Content-Formats", <https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats>.
[IANA.COSE.HeaderParameters]
IANA, "COSE Header Parameters", <https://www.iana.org/assignments/cose/cose.xhtml#header-parameters>.
[IANA.MediaTypes]
IANA, "Media Types", <https://www.iana.org/assignments/media-types>.

Appendix A. Document History

[[ to be removed by the RFC Editor before publication as an RFC ]]

-00

Acknowledgements

TBD

Authors' Addresses

Michael B. Jones
independent
Orie Steele
Transmute