]> Arm Limited

thomas.fossati@arm.com

Fraunhofer SIT

henk.birkholz@sit.fraunhofer.de

Security CBOR Object Signing and Encryption COSE profiling COSE (STD96) is not an end-to-end system with guaranteed interoperability. It is designed to serve a range of use cases and therefore it has a lot of options. In general, two COSE implementations that want to interoperate require an agreement on which subset of COSE features they will use. This document provides a set of rules for specifying such agreements as "COSE profiles" and registers a new COSE header parameter for in-band signalling of profile information. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction COSE is not an end-to-end system with guaranteed interoperability. It is designed to serve a range of use cases and therefore it has a lot of options. In general, two COSE implementations that want to interoperate require an agreement on which subset of COSE features they will use. This document provides a set of rules for specifying such agreements as "COSE profiles" and registers a new COSE header parameter for in-band signalling of profile information.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Profiling Rules A COSE profile:

• MUST be specified in a document
• MUST NOT change the syntax or semantics of any already defined header attribute
  • but does allow restricting their values
• MAY define new header attributes
  • if so, it MUST provide their definition in the same document
• MUST use CDDL to fully specify the syntax rules for the profile
• MUST use the cose-profile header attribute (see ) in the protected header
  • The value of cose-profile MUST be globally unique. Possible choices include:
    • IANA registry ()
    • using an OID , URI or CRI
    • using a UUID
  • The chosen value SHOULD be appropriate for the intended usage scope (e.g., a short value when used in constrained node environments)
• MAY define its own CBOR tag that can be used together with, or in lieu of, the underlying COSE CBOR tag (Table 1, )
• SHOULD define its complementary media-type and content-format

COSE profile header parameter

Profile Registration Template Note: This is just an initial sketch. Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/10

• What is the profile identifier?
• Requires certain header keys?
• Constrains any header keys?
• Constrains any header values?
• Defines new header keys?
• Defines its own CBOR Tag?
• Defines its own Media Type?
• What payload(s) allows?

CoSWID COSE Profile Definition Note: This is just an initial sketch. Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/10 This section defines the COSE profile for CoSWID . This definition is semantically and syntactically equivalent with what is described in , with the exception of the explicit CoSWID COSE profile indicator that is added to the protected header.

CDDL Definition int &(content-type: 3) => "application/swid+cbor" &(cose-profile-CPA: 13) => &(CoSWID-COSE-profile-CPA: 0) * cose-label => cose-values } cose-label = int / text cose-values = any ]]>

Checklist

• Mandatory header keys? YES
• Constrains header keys? NO
• Constrains header values? YES (alg is only int)
• New header keys? NO
• Defines its own CBOR Tag? YES
• Defines its own Media Type? YES

Security Considerations TODO Security

IANA Considerations

New COSE Profile Header Parameter This document requests IANA to allocate a new header parameter cose-profile-CPA (suggested value 13) in the "COSE Header Parameters" registry.

COSE Profile Sub-registry This specification requests IANA to create a new sub-registry for COSE , with the policy "specification required" (). Each entry in the registry must include:

Key value:

integer value for the profile

Brief description:

a brief description

Change Controller:

(see )

Reference:

a reference document

The expert is requested to assign the shortest key values (1+0 and 1+1 encoding) to registrations that are likely to enjoy wide use and can benefit from short encodings.

References Normative References This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Universität Bremen TZI Fraunhofer SIT The Constrained Resource Identifier (CRI) is a complement to the Uniform Resource Identifier (URI) that serializes the URI components in Concise Binary Object Representation (CBOR) instead of a sequence of characters. This simplifies parsing, comparison and reference resolution in environments with severe limitations on processing power, code size, and memory size. // The present revision -12 of this draft adds a registry that is // intended to provide full coverage for representing a URI scheme // (and certain text strings used in their place) as negative // integers. Fraunhofer SIT National Security Agency The MITRE Corporation National Institute of Standards and Technology ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format. This specification defines a Uniform Resource Name namespace for UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally Unique IDentifier). A UUID is 128 bits long, and can guarantee uniqueness across space and time. UUIDs were originally used in the Apollo Network Computing System and later in the Open Software Foundation\'s (OSF) Distributed Computing Environment (DCE), and then in Microsoft Windows platforms. This specification is derived from the DCE specification with the kind permission of the OSF (now known as The Open Group). Information from earlier versions of the DCE specification have been incorporated into this document. [STANDARDS-TRACK] The Concise Binary Object Representation (CBOR), defined in RFC 8949, is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. This document defines CBOR tags for object identifiers (OIDs) and is the reference document for the IANA registration of the CBOR tags so defined. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. IANA Informative References The GlueCOSE Community

GlueCOSE Test Cases The community effort provides test vectors for the COSE specification. The CDDL definition for the test vector format used for COSE profiles will be provided in a future version of this document. Tracked at: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/4

Acknowledgments Laurence Lundblade who - unknowingly :-) - provided the introduction.