draft-ietf-ace-cbor-web-token-10.txt   draft-ietf-ace-cbor-web-token-11.txt 
ACE Working Group M. Jones ACE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track E. Wahlstroem Intended status: Standards Track E. Wahlstroem
Expires: June 20, 2018 Expires: July 25, 2018
S. Erdtman S. Erdtman
Spotify AB Spotify AB
H. Tschofenig H. Tschofenig
ARM Ltd. ARM Ltd.
December 17, 2017 January 21, 2018
CBOR Web Token (CWT) CBOR Web Token (CWT)
draft-ietf-ace-cbor-web-token-10 draft-ietf-ace-cbor-web-token-11
Abstract Abstract
CBOR Web Token (CWT) is a compact means of representing claims to be CBOR Web Token (CWT) is a compact means of representing claims to be
transferred between two parties. The claims in a CWT are encoded in transferred between two parties. The claims in a CWT are encoded in
the Concise Binary Object Representation (CBOR) and CBOR Object the Concise Binary Object Representation (CBOR) and CBOR Object
Signing and Encryption (COSE) is used for added application layer Signing and Encryption (COSE) is used for added application layer
security protection. A claim is a piece of information asserted security protection. A claim is a piece of information asserted
about a subject and is represented as a name/value pair consisting of about a subject and is represented as a name/value pair consisting of
a claim name and a claim value. CWT is derived from JSON Web Token a claim name and a claim value. CWT is derived from JSON Web Token
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 20, 2018. This Internet-Draft will expire on July 25, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 4, line 13 skipping to change at page 4, line 13
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document reuses terminology from JWT [RFC7519] and COSE This document reuses terminology from JWT [RFC7519] and COSE
[RFC8152]. [RFC8152].
StringOrURI StringOrURI
The "StringOrURI" term has the same meaning, syntax, and The "StringOrURI" term has the same meaning, syntax, and
processing rules as the "StringOrURI" term defined in Section 2 of processing rules as the "StringOrURI" term defined in Section 2 of
JWT [RFC7519], except that it uses a CBOR text string instead of a [RFC7519], except that it uses a CBOR text string instead of a
JSON string value. JSON string value.
NumericDate NumericDate
The "NumericDate" term has the same meaning, syntax, and The "NumericDate" term has the same meaning, syntax, and
processing rules as the "NumericDate" term defined in Section 2 of processing rules as the "NumericDate" term defined in Section 2 of
JWT [RFC7519], except that the CBOR numeric date representation [RFC7519], except that the CBOR numeric date representation (from
(from Section 2.4.1 of [RFC7049]) is used. The encoding is Section 2.4.1 of [RFC7049]) is used. The encoding is modified so
modified so that the leading tag 1 (epoch-based date/time) MUST be that the leading tag 1 (epoch-based date/time) MUST be omitted.
omitted.
Claim Name Claim Name
The human-readable name used to identify a claim. The human-readable name used to identify a claim.
Claim Key Claim Key
The CBOR map key used to identify a claim. The CBOR map key used to identify a claim.
Claim Value Claim Value
The CBOR map value representing the value of the claim. The CBOR map value representing the value of the claim.
skipping to change at page 5, line 16 skipping to change at page 5, line 16
None of the claims defined below are intended to be mandatory to use None of the claims defined below are intended to be mandatory to use
or implement. They rather provide a starting point for a set of or implement. They rather provide a starting point for a set of
useful, interoperable claims. Applications using CWTs should define useful, interoperable claims. Applications using CWTs should define
which specific claims they use and when they are required or which specific claims they use and when they are required or
optional. optional.
3.1.1. iss (Issuer) Claim 3.1.1. iss (Issuer) Claim
The "iss" (issuer) claim has the same meaning, syntax, and processing The "iss" (issuer) claim has the same meaning, syntax, and processing
rules as the "iss" claim defined in Section 4.1.1 of JWT [RFC7519], rules as the "iss" claim defined in Section 4.1.1 of [RFC7519],
except that the value is of type StringOrURI. The Claim Key 1 is except that the value is of type StringOrURI. The Claim Key 1 is
used to identify this claim. used to identify this claim.
3.1.2. sub (Subject) Claim 3.1.2. sub (Subject) Claim
The "sub" (subject) claim has the same meaning, syntax, and The "sub" (subject) claim has the same meaning, syntax, and
processing rules as the "sub" claim defined in Section 4.1.2 of JWT processing rules as the "sub" claim defined in Section 4.1.2 of
[RFC7519], except that the value is of type StringOrURI. The Claim [RFC7519], except that the value is of type StringOrURI. The Claim
Key 2 is used to identify this claim. Key 2 is used to identify this claim.
3.1.3. aud (Audience) Claim 3.1.3. aud (Audience) Claim
The "aud" (audience) claim has the same meaning, syntax, and The "aud" (audience) claim has the same meaning, syntax, and
processing rules as the "aud" claim defined in Section 4.1.3 of JWT processing rules as the "aud" claim defined in Section 4.1.3 of
[RFC7519], except that the value of the audience claim is of type [RFC7519], except that the value of the audience claim is of type
StringOrURI when it is not an array or the values of the audience StringOrURI when it is not an array or the values of the audience
array elements are of type StringOrURI when the audience claim value array elements are of type StringOrURI when the audience claim value
is an array. The Claim Key 3 is used to identify this claim. is an array. The Claim Key 3 is used to identify this claim.
3.1.4. exp (Expiration Time) Claim 3.1.4. exp (Expiration Time) Claim
The "exp" (expiration time) claim has the same meaning, syntax, and The "exp" (expiration time) claim has the same meaning, syntax, and
processing rules as the "exp" claim defined in Section 4.1.4 of JWT processing rules as the "exp" claim defined in Section 4.1.4 of
[RFC7519], except that the value is of type NumericDate. The Claim [RFC7519], except that the value is of type NumericDate. The Claim
Key 4 is used to identify this claim. Key 4 is used to identify this claim.
3.1.5. nbf (Not Before) Claim 3.1.5. nbf (Not Before) Claim
The "nbf" (not before) claim has the same meaning, syntax, and The "nbf" (not before) claim has the same meaning, syntax, and
processing rules as the "nbf" claim defined in Section 4.1.5 of JWT processing rules as the "nbf" claim defined in Section 4.1.5 of
[RFC7519], except that the value is of type NumericDate. The Claim [RFC7519], except that the value is of type NumericDate. The Claim
Key 5 is used to identify this claim. Key 5 is used to identify this claim.
3.1.6. iat (Issued At) Claim 3.1.6. iat (Issued At) Claim
The "iat" (issued at) claim has the same meaning, syntax, and The "iat" (issued at) claim has the same meaning, syntax, and
processing rules as the "iat" claim defined in Section 4.1.6 of JWT processing rules as the "iat" claim defined in Section 4.1.6 of
[RFC7519], except that the value is of type NumericDate. The Claim [RFC7519], except that the value is of type NumericDate. The Claim
Key 6 is used to identify this claim. Key 6 is used to identify this claim.
3.1.7. cti (CWT ID) Claim 3.1.7. cti (CWT ID) Claim
The "cti" (CWT ID) claim has the same meaning, syntax, and processing The "cti" (CWT ID) claim has the same meaning, syntax, and processing
rules as the "jti" claim defined in Section 4.1.7 of JWT [RFC7519], rules as the "jti" claim defined in Section 4.1.7 of [RFC7519],
except that the value is of type byte string. The Claim Key 7 is except that the value is of type byte string. The Claim Key 7 is
used to identify this claim. used to identify this claim.
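Added example (Python, not code from the draft): a minimal encoder for the claims set defined in Section 3.1 that maps the claim names to Claim Keys 1 to 7, enforces the value types the section specifies (StringOrURI text strings, NumericDate as a plain CBOR integer or float with no leading tag 1, cti as a byte string, aud as either a text string or an array of them), and emits the CBOR map. The CBOR subset and the sample claim values are constructed for this example.

```python
import struct
# Claim Keys from Section 3.1 of the draft (claim name -> CBOR map key).
CLAIM_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}

def _head(major, n):
    # Initial byte for CBOR major type 'major' with argument n in shortest form.
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")
def cbor_encode(v):
    """Encode the CBOR subset the registered claims need (RFC 7049 major types 0-5, 7)."""
    if isinstance(v, bool):
        raise TypeError("booleans are not used by the registered claims")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, float):                      # float64 NumericDate, as in Figure 19
        return b"\xfb" + struct.pack(">d", v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode("utf-8"))) + v.encode("utf-8")
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported claim value type {type(v).__name__}")

def check_claim(name, value):
    """Reject a value whose type does not match Section 3.1; return it unchanged otherwise."""
    is_text = isinstance(value, str)
    is_num = isinstance(value, (int, float)) and not isinstance(value, bool)
    if name in ("iss", "sub") and not is_text:
        raise TypeError(f"{name} must be a StringOrURI text string")
    if name == "aud" and not (is_text or isinstance(value, list) and all(isinstance(a, str) for a in value)):
        raise TypeError("aud must be a text string or an array of text strings")
    if name in ("exp", "nbf", "iat") and not is_num:
        raise TypeError(f"{name} must be a NumericDate (CBOR number without tag 1)")
    if name == "cti" and not isinstance(value, bytes):
        raise TypeError("cti must be a byte string")
    return value

def encode_claims(claims):
    """Map claim names to Claim Keys and return the CBOR-encoded claims set."""
    return cbor_encode({CLAIM_KEYS[n]: check_claim(n, v) for n, v in claims.items()})
# Constructed sample claims set (illustrative values, not taken from the draft's figures).
SAMPLE_CLAIMS = {"iss": "coap://as.example.com", "sub": "erikw", "aud": "coap://light.example.com",
                 "exp": 1444064944, "nbf": 1443944944, "iat": 1443944944, "cti": b"\x0b\x71"}
```

The resulting byte string is the unprotected claims set; wrapping it in a COSE structure (signed, MACed, or encrypted) is a separate step that this example does not cover.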
4. Summary of the claim names, keys, and value types 4. Summary of the claim names, keys, and value types
+------+-----+----------------------------------+ +------+-----+----------------------------------+
| Name | Key | Value type | | Name | Key | Value type |
+------+-----+----------------------------------+ +------+-----+----------------------------------+
| iss | 1 | text string | | iss | 1 | text string |
| sub | 2 | text string | | sub | 2 | text string |
skipping to change at page 13, line 26 skipping to change at page 13, line 26
o Type name: application o Type name: application
o Subtype name: cwt o Subtype name: cwt
o Required parameters: N/A o Required parameters: N/A
o Optional parameters: N/A o Optional parameters: N/A
o Encoding considerations: binary o Encoding considerations: binary
o Security considerations: See the Security Considerations section o Security considerations: See the Security Considerations section
of [[ this specification ]] of [[ this specification ]]
o Interoperability considerations: N/A o Interoperability considerations: N/A
o Published specification: [[ this specification ]] o Published specification: [[ this specification ]]
o Applications that use this media type: IoT applications sending o Applications that use this media type: IoT applications sending
security tokens over HTTP(S) and other transports. security tokens over HTTP(S), CoAP(S), and other transports.
o Fragment identifier considerations: N/A o Fragment identifier considerations: N/A
o Additional information: o Additional information:
Magic number(s): N/A Magic number(s): N/A
File extension(s): N/A File extension(s): N/A
Macintosh file type code(s): N/A Macintosh file type code(s): N/A
o Person & email address to contact for further information: o Person & email address to contact for further information:
IESG, iesg@ietf.org IESG, iesg@ietf.org
o Intended usage: COMMON o Intended usage: COMMON
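Review bot: naming CoAP(S) as a transport in "Applications that use this media type" is not enough on its own for CoAP peers to signal this media type, because CoAP carries content types as numeric Content-Format IDs (RFC 7252) rather than by the "application/cwt" name; consider adding a CoAP Content-Format registration request alongside this media type template so that the CoAP use case the hunk now advertises is actually interoperable.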
skipping to change at page 21, line 12 skipping to change at page 21, line 12
Figure 16: Signed and Encrypted CWT as hex string Figure 16: Signed and Encrypted CWT as hex string
16( 16(
[ [
/ protected / << { / protected / << {
/ alg / 1: 10 / AES-CCM-16-64-128 / / alg / 1: 10 / AES-CCM-16-64-128 /
} >>, } >>,
/ unprotected / { / unprotected / {
/ kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /, / kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /,
/ iv / 5: h'86bbd41cc32604396324b7f380' / iv / 5: h'4a0694c0e69ee6b5956655c7b2'
}, },
/ ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474 / ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474
46fe12f0e7de05650dec74724366763f167a29c002d 46fe12f0e7de05650dec74724366763f167a29c002d
fd15b34d8993391cf49bc91127f545dba8703d66f5b fd15b34d8993391cf49bc91127f545dba8703d66f5b
7f1ae91237503d371e6333df9708d78c4fb8a8386c8 7f1ae91237503d371e6333df9708d78c4fb8a8386c8
ff09dc49af768b23179deab78d96490a66d5724fb33 ff09dc49af768b23179deab78d96490a66d5724fb33
900c60799d9872fac6da3bdb89043d67c2a05414ce3 900c60799d9872fac6da3bdb89043d67c2a05414ce3
31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf 31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf
f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d
284c616abeab5d8c291ce0' 284c616abeab5d8c291ce0'
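Review bot: only the "iv" bytes in the unprotected header change here while the ciphertext and the kid stay identical; because AES-CCM-16-64-128 decryption and its 64-bit tag check depend on the nonce, the change is only correct if the unchanged ciphertext was in fact produced under the new iv, so the example should be re-verified by decrypting it with the Symmetric128 key and the corrected iv. The hex-string rendering of this same example (Figure 16) lies outside this hunk and must carry the same corrected iv bytes; check that it was updated in step.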
skipping to change at page 22, line 28 skipping to change at page 22, line 28
) )
Figure 19: MACed CWT with a floating-point value in CBOR diagnostic Figure 19: MACed CWT with a floating-point value in CBOR diagnostic
notation notation
Appendix B. Acknowledgements Appendix B. Acknowledgements
This specification is based on JSON Web Token (JWT) [RFC7519], the This specification is based on JSON Web Token (JWT) [RFC7519], the
authors of which also include Nat Sakimura and John Bradley. It also authors of which also include Nat Sakimura and John Bradley. It also
incorporates suggestions made by many people, including Carsten incorporates suggestions made by many people, including Carsten
Bormann, Esko Dijk, Jim Schaad, Ludwig Seitz, and Goeran Selander. Bormann, Esko Dijk, Benjamin Kaduk, Jim Schaad, Ludwig Seitz, and
Goeran Selander.
Appendix C. Document History Appendix C. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-11
o Corrected the "iv" value in the signed and encrypted CWT example.
o Mention CoAP in the "application/cwt" media type registration.
o Changed references of the form "Section 4.1.1 of JWT <xref
target="RFC7519"/>" to "Section 4.1.1 of <xref target="RFC7519"/>"
so that rfcmarkup will generate correct external section reference
links.
o Updated Acknowledgements.
-10 -10
o Clarified that the audience claim value can be a single audience o Clarified that the audience claim value can be a single audience
value or an array of audience values, just as is the case for the value or an array of audience values, just as is the case for the
JWT "aud" claim. JWT "aud" claim.
o Clarified the nested CWT description. o Clarified the nested CWT description.
o Changed uses of "binary string" to "byte string". o Changed uses of "binary string" to "byte string".
 End of changes. 18 change blocks. 
20 lines changed or deleted 33 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/