| rfc9597v1.txt | rfc9597.txt | |||
|---|---|---|---|---|
| skipping to change at line 121 ¶ | skipping to change at line 121 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. Representation | 2. Representation | |||
| This document defines the following COSE header parameter: | This document defines the following COSE header parameter: | |||
| +========+=======+=======+=============+===========================+ | +========+=======+=======+==============+===============+===========+ | |||
| | Name | Label | Value | Value | Description | | | Name | Label | Value | Value | Description | Reference | | |||
| | | | Type | Registry | | | | | | Type | Registry | | | | |||
| +========+=======+=======+=============+===========================+ | +========+=======+=======+==============+===============+===========+ | |||
| | CWT | 15 | map | [IANA.COSE] | Location for CWT Claims | | | CWT | 15 | map | map keys in | Location | Section 2 | | |||
| | Claims | | | | in COSE Header Parameters | | | Claims | | | [CWT.Claims] | for CWT | of RFC | | |||
| +--------+-------+-------+-------------+---------------------------+ | | | | | | Claims in | 9597 | | |||
| | | | | | COSE Header | | | ||||
| | | | | | Parameters | | | ||||
| +--------+-------+-------+--------------+---------------+-----------+ | ||||
| Table 1 | Table 1 | |||
| The following is a non-normative description for the value type of | The following is a non-normative description for the value type of | |||
| the CWT claim header parameter using CDDL [RFC8610]. | the CWT claim header parameter using CDDL [RFC8610]. | |||
| CWT-Claims = { | CWT-Claims = { | |||
| * Claim-Label => any | * Claim-Label => any | |||
| } | } | |||
| Claim-Label = int / text | Claim-Label = int / text | |||
| skipping to change at line 173 ¶ | skipping to change at line 176 ¶ | |||
| 4. Security Considerations | 4. Security Considerations | |||
| Implementers should also review the security considerations for CWT, | Implementers should also review the security considerations for CWT, | |||
| which are documented in Section 8 of [RFC8392]. | which are documented in Section 8 of [RFC8392]. | |||
| As described in [RFC9052], if the COSE payload is transported | As described in [RFC9052], if the COSE payload is transported | |||
| separately ("detached content"), then it is the responsibility of the | separately ("detached content"), then it is the responsibility of the | |||
| application to ensure that it will be transported without changes. | application to ensure that it will be transported without changes. | |||
| The reason for applications to verify that CWT claims present in both | The reason for applications to verify that CWT claims present in both | |||
| the payload and the header of a CWT are identical, unless it defines | the payload and the header of a CWT are identical, unless they define | |||
| other specific processing rules for these claims, is to eliminate | other specific processing rules for these claims, is to eliminate | |||
| potential confusion that might arise by having different values for | potential confusion that might arise by having different values for | |||
| the same claim, which could result in inconsistent processing of such | the same claim, which could result in inconsistent processing of such | |||
| claims. | claims. | |||
| Processing information in claims prior to validating that their | Processing information in claims prior to validating that their | |||
| integrity is cryptographically secure can pose security risks. This | integrity is cryptographically secure can pose security risks. This | |||
| is true whether the claims are in the payload or a header parameter. | is true whether the claims are in the payload or a header parameter. | |||
| Implementers must ensure that any tentative decisions made based on | Implementers must ensure that any tentative decisions made based on | |||
| previously unverified information are confirmed once the | previously unverified information are confirmed once the | |||
| cryptographic processing has been completed. This includes any | cryptographic processing has been completed. This includes any | |||
| information that was used to derive the intended interpretation of | information that was used to derive the intended interpretation of | |||
| the CWT claims parameter. | the CWT claims parameter. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| IANA has registered the new COSE header parameter "CWT Claims" | IANA has registered the new COSE header parameter "CWT Claims" | |||
| defined in Table 1 in the "COSE Header Parameters" registry | defined in Table 1 in the "COSE Header Parameters" registry | |||
| [IANA.COSE]. | [COSE.HeaderParameters]. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [IANA.COSE] | [COSE.HeaderParameters] | |||
| IANA, "COSE Header Parameters", | IANA, "COSE Header Parameters", | |||
| <https://www.iana.org/assignments/cose/>. | <https://www.iana.org/assignments/cose/>. | |||
| [CWT.Claims] | ||||
| IANA, "CBOR Web Token (CWT) Claims", | ||||
| <https://www.iana.org/assignments/cwt/>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | |||
| "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | |||
| May 2018, <https://www.rfc-editor.org/info/rfc8392>. | May 2018, <https://www.rfc-editor.org/info/rfc8392>. | |||
| [RFC9596] Jones, M. and O. Steele, "CBOR Object Signing and | [RFC9596] Jones, M.B. and O. Steele, "CBOR Object Signing and | |||
| Encryption (COSE) "typ" (type) Header Parameter", | Encryption (COSE) "typ" (type) Header Parameter", | |||
| RFC 9596, DOI 10.17487/RFC9596, June 2024, | RFC 9596, DOI 10.17487/RFC9596, June 2024, | |||
| <https://www.rfc-editor.org/info/rfc9596>. | <https://www.rfc-editor.org/info/rfc9596>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| End of changes. 7 change blocks. | ||||
| 12 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||
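Review bot: In the Section 2 hunk, the new Value Registry cell limits the value to "map keys in [CWT.Claims]", but the CDDL kept directly below it still reads `* Claim-Label => any` with `Claim-Label = int / text`, and nothing in the visible lines says how a receiver treats a label that is not in that registry. Because the CDDL is labelled non-normative, suggest one sentence next to Table 1 stating that the keys are CWT Claims registry labels and what a verifier does with an unrecognized one. Separately, the lead-in to the CDDL says "the CWT claim header parameter" while Table 1 and Section 5 name it "CWT Claims"; use one name throughout.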
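Review bot: In the Section 4 text of the second hunk, "Implementers must ensure that any tentative decisions ... are confirmed once the cryptographic processing has been completed" uses a lowercase "must", which under the BCP 14 paragraph quoted at the top of this diff carries no normative weight. If confirming pre-verification decisions is meant as a requirement, write it as MUST; otherwise reword it so it cannot be read as one. In the references of the same hunk, [RFC9596] now lists "Jones, M.B." while [RFC8392] and [RFC7519] keep "Jones, M."; worth confirming that the difference is intended.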