| Internet-Draft | COSE Profiles | September 2023 |
| Fossati, et al. | Expires 17 March 2024 | [Page] |
COSE (STD96) is not an end-to-end system with guaranteed interoperability. It is designed to serve a range of use cases and therefore it has a lot of options. In general, two COSE implementations that want to interoperate require an agreement on which subset of COSE features they will use. This document provides a set of rules for specifying such agreements as "COSE profiles" and registers a new COSE header parameter for in-band signalling of profile information.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://thomas-fossati.github.io/draft-fossati-cose-profile/draft-fossati-cose-profiles.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-fossati-cose-profiles/.¶
Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/.¶
Source for this draft and an issue tracker can be found at https://github.com/thomas-fossati/draft-fossati-cose-profile.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 March 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
COSE [STD96] is not an end-to-end system with guaranteed interoperability. It is designed to serve a range of use cases and therefore it has a lot of options. In general, two COSE implementations that want to interoperate require an agreement on which subset of COSE features they will use.¶
This document provides a set of rules for specifying such agreements as "COSE profiles" and registers a new COSE header parameter for in-band signalling of profile information.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A COSE profile:¶
MUST NOT change the syntax or semantics of any already defined header attribute¶
MAY define new header attributes¶
MUST use the cose-profile header attribute (see Section 4) in the protected header¶
The value of cose-profile MUST be globally unique. Possible choices include:¶
COSE-profile = registered-profile / oid-profile / uri-profile
/ cri-profile / uuid-profile
registered-profile = int
oid-profile = oid ; tagged
uri-profile = ~uri ; unwrapped -- any tstr is a uri
cri-profile = cri
uuid-profile = uuid ; naked bstr is a UUID
uuid = bstr .size 16
; imported from RFC 9090
oid = #6.111(bstr)
; import from CRI spec when ready
cri = [*any]
¶
Note: This is just an initial sketch.¶
Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/10¶
Note: This is just an initial sketch.¶
Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/10¶
This section defines the COSE profile for CoSWID [I-D.ietf-sacm-coswid].¶
This definition is semantically and syntactically equivalent with what is described in Section 7 of [I-D.ietf-sacm-coswid], with the exception of the explicit CoSWID COSE profile indicator that is added to the protected header.¶
protected-signed-coswid-header = {
&(alg: 1) => int
&(content-type: 3) => "application/swid+cbor"
&(cose-profile-CPA: 13) => &(CoSWID-COSE-profile-CPA: 0)
* cose-label => cose-values
}
cose-label = int / text
cose-values = any
¶
TODO Security¶
This document requests IANA to allocate a new header parameter
cose-profile-CPA (suggested value 13) in the "COSE Header Parameters"
[IANA.cose] registry.¶
This specification requests IANA to create a new sub-registry for COSE [IANA.cose], with the policy "specification required" (Section 4.6 of [RFC8126]).¶
Each entry in the registry must include:¶
integer value for the profile¶
a brief description¶
(see Section 2.3 of [RFC8126])¶
a reference document¶
The expert is requested to assign the shortest key values (1+0 and 1+1 encoding) to registrations that are likely to enjoy wide use and can benefit from short encodings.¶
The community effort [GlueCOSE] provides test vectors for the COSE specification.¶
The CDDL definition for the test vector format used for COSE profiles will be provided in a future version of this document.¶
Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/4¶
Laurence Lundblade who - unknowingly :-) - provided the introduction.¶