--- 1/draft-ietf-ace-cbor-web-token-10.txt 2018-01-21 14:13:08.013197516 -0800
+++ 2/draft-ietf-ace-cbor-web-token-11.txt 2018-01-21 14:13:08.057198557 -0800
@@ -1,23 +1,23 @@
ACE Working Group M. Jones
Internet-Draft Microsoft
Intended status: Standards Track E. Wahlstroem
-Expires: June 20, 2018
+Expires: July 25, 2018
S. Erdtman
Spotify AB
H. Tschofenig
ARM Ltd.
- December 17, 2017
+ January 21, 2018
CBOR Web Token (CWT)
- draft-ietf-ace-cbor-web-token-10
+ draft-ietf-ace-cbor-web-token-11
Abstract
CBOR Web Token (CWT) is a compact means of representing claims to be
transferred between two parties. The claims in a CWT are encoded in
the Concise Binary Object Representation (CBOR) and CBOR Object
Signing and Encryption (COSE) is used for added application layer
security protection. A claim is a piece of information asserted
about a subject and is represented as a name/value pair consisting of
a claim name and a claim value. CWT is derived from JSON Web Token
@@ -31,25 +31,25 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on June 20, 2018.
+ This Internet-Draft will expire on July 25, 2018.
Copyright Notice
- Copyright (c) 2017 IETF Trust and the persons identified as the
+ Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
@@ -143,30 +143,29 @@
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document reuses terminology from JWT [RFC7519] and COSE
[RFC8152].
StringOrURI
The "StringOrURI" term has the same meaning, syntax, and
processing rules as the "StringOrURI" term defined in Section 2 of
- JWT [RFC7519], except that it uses a CBOR text string instead of a
+ [RFC7519], except that it uses a CBOR text string instead of a
JSON string value.
NumericDate
The "NumericDate" term has the same meaning, syntax, and
processing rules as the "NumericDate" term defined in Section 2 of
- JWT [RFC7519], except that the CBOR numeric date representation
- (from Section 2.4.1 of [RFC7049]) is used. The encoding is
- modified so that the leading tag 1 (epoch-based date/time) MUST be
- omitted.
+ [RFC7519], except that the CBOR numeric date representation (from
+ Section 2.4.1 of [RFC7049]) is used. The encoding is modified so
+ that the leading tag 1 (epoch-based date/time) MUST be omitted.
Claim Name
The human-readable name used to identify a claim.
Claim Key
The CBOR map key used to identify a claim.
Claim Value
The CBOR map value representing the value of the claim.
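Review bot: the removal of "JWT" is applied only to the "Section 2 of JWT [RFC7519]" forms in the StringOrURI and NumericDate definitions, while the sentence just above ("This document reuses terminology from JWT [RFC7519] and COSE [RFC8152]") keeps "JWT" before the citation. That is consistent with the stated motivation (rfcmarkup needs the bare "Section N of [RFCxxxx]" form to generate section links), but it is worth confirming that the intent is to scope the change to section references so the remaining "JWT [RFC7519]" occurrences are not later mistaken for an oversight. The NumericDate reflow changes no wording and accounts for the 30-to-29 line count in the hunk header.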
@@ -190,65 +189,65 @@
None of the claims defined below are intended to be mandatory to use
or implement. They rather provide a starting point for a set of
useful, interoperable claims. Applications using CWTs should define
which specific claims they use and when they are required or
optional.
3.1.1. iss (Issuer) Claim
The "iss" (issuer) claim has the same meaning, syntax, and processing
- rules as the "iss" claim defined in Section 4.1.1 of JWT [RFC7519],
+ rules as the "iss" claim defined in Section 4.1.1 of [RFC7519],
except that the value is of type StringOrURI. The Claim Key 1 is
used to identify this claim.
3.1.2. sub (Subject) Claim
The "sub" (subject) claim has the same meaning, syntax, and
- processing rules as the "sub" claim defined in Section 4.1.2 of JWT
+ processing rules as the "sub" claim defined in Section 4.1.2 of
[RFC7519], except that the value is of type StringOrURI. The Claim
Key 2 is used to identify this claim.
3.1.3. aud (Audience) Claim
The "aud" (audience) claim has the same meaning, syntax, and
- processing rules as the "aud" claim defined in Section 4.1.3 of JWT
+ processing rules as the "aud" claim defined in Section 4.1.3 of
[RFC7519], except that the value of the audience claim is of type
StringOrURI when it is not an array or the values of the audience
array elements are of type StringOrURI when the audience claim value
is an array. The Claim Key 3 is used to identify this claim.
3.1.4. exp (Expiration Time) Claim
The "exp" (expiration time) claim has the same meaning, syntax, and
- processing rules as the "exp" claim defined in Section 4.1.4 of JWT
+ processing rules as the "exp" claim defined in Section 4.1.4 of
[RFC7519], except that the value is of type NumericDate. The Claim
Key 4 is used to identify this claim.
3.1.5. nbf (Not Before) Claim
The "nbf" (not before) claim has the same meaning, syntax, and
- processing rules as the "nbf" claim defined in Section 4.1.5 of JWT
+ processing rules as the "nbf" claim defined in Section 4.1.5 of
[RFC7519], except that the value is of type NumericDate. The Claim
Key 5 is used to identify this claim.
3.1.6. iat (Issued At) Claim
The "iat" (issued at) claim has the same meaning, syntax, and
- processing rules as the "iat" claim defined in Section 4.1.6 of JWT
+ processing rules as the "iat" claim defined in Section 4.1.6 of
[RFC7519], except that the value is of type NumericDate. The Claim
Key 6 is used to identify this claim.
3.1.7. cti (CWT ID) Claim
The "cti" (CWT ID) claim has the same meaning, syntax, and processing
- rules as the "jti" claim defined in Section 4.1.7 of JWT [RFC7519],
+ rules as the "jti" claim defined in Section 4.1.7 of [RFC7519],
except that the value is of type byte string. The Claim Key 7 is
used to identify this claim.
4. Summary of the claim names, keys, and value types
+------+-----+----------------------------------+
| Name | Key | Value type |
+------+-----+----------------------------------+
| iss | 1 | text string |
| sub | 2 | text string |
@@ -579,21 +578,21 @@
o Type name: application
o Subtype name: cwt
o Required parameters: N/A
o Optional parameters: N/A
o Encoding considerations: binary
o Security considerations: See the Security Considerations section
of [[ this specification ]]
o Interoperability considerations: N/A
o Published specification: [[ this specification ]]
o Applications that use this media type: IoT applications sending
- security tokens over HTTP(S) and other transports.
+ security tokens over HTTP(S), CoAP(S), and other transports.
o Fragment identifier considerations: N/A
o Additional information:
Magic number(s): N/A
File extension(s): N/A
Macintosh file type code(s): N/A
o Person & email address to contact for further information:
IESG, iesg@ietf.org
o Intended usage: COMMON
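Review bot: the new "CoAP(S)" in the "Applications that use this media type" entry brings CoAP into the registration template without a citation in this hunk; if CoAP is not already referenced elsewhere in the draft, consider adding an informative reference to RFC 7252 so the entry is self-explanatory to the IANA media types reviewer. The "CoAP(S)" form mirrors the existing "HTTP(S)" and reads clearly.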
@@ -944,21 +943,21 @@
Figure 16: Signed and Encrypted CWT as hex string
16(
[
/ protected / << {
/ alg / 1: 10 / AES-CCM-16-64-128 /
} >>,
/ unprotected / {
/ kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /,
- / iv / 5: h'86bbd41cc32604396324b7f380'
+ / iv / 5: h'4a0694c0e69ee6b5956655c7b2'
},
/ ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474
46fe12f0e7de05650dec74724366763f167a29c002d
fd15b34d8993391cf49bc91127f545dba8703d66f5b
7f1ae91237503d371e6333df9708d78c4fb8a8386c8
ff09dc49af768b23179deab78d96490a66d5724fb33
900c60799d9872fac6da3bdb89043d67c2a05414ce3
31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf
f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d
284c616abeab5d8c291ce0'
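Review bot: only the "iv" value changes in this hunk while the ciphertext context lines are untouched. For AES-CCM-16-64-128 the nonce feeds both the keystream and the authentication tag, so a different IV with an identical ciphertext means either the diagnostic notation was previously out of sync with the hex encoding in Figure 16 (and only the notation needed correcting) or the shown ciphertext no longer decrypts and verifies under the shown IV. Please confirm that the Figure 16 hex string carries h'4a0694c0e69ee6b5956655c7b2' and that the ciphertext verifies against it, ideally by re-running the example generator rather than editing the value by hand.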
@@ -997,26 +996,40 @@
)
Figure 19: MACed CWT with a floating-point value in CBOR diagnostic
notation
Appendix B. Acknowledgements
This specification is based on JSON Web Token (JWT) [RFC7519], the
authors of which also include Nat Sakimura and John Bradley. It also
incorporates suggestions made by many people, including Carsten
- Bormann, Esko Dijk, Jim Schaad, Ludwig Seitz, and Goeran Selander.
+ Bormann, Esko Dijk, Benjamin Kaduk, Jim Schaad, Ludwig Seitz, and
+ Goeran Selander.
Appendix C. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]]
+ -11
+
+ o Corrected the "iv" value in the signed and encrypted CWT example.
+
+ o Mention CoAP in the "application/cwt" media type registration.
+
+ o Changed references of the form "Section 4.1.1 of JWT " to "Section 4.1.1 of "
+ so that rfcmarkup will generate correct external section reference
+ links.
+
+ o Updated Acknowledgements.
+
-10
o Clarified that the audience claim value can be a single audience
value or an array of audience values, just as is the case for the
JWT "aud" claim.
o Clarified the nested CWT description.
o Changed uses of "binary string" to "byte string".
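Review bot: the new history entry 'Changed references of the form "Section 4.1.1 of JWT " to "Section 4.1.1 of "' has lost the citation text inside both quoted strings (note the trailing space before each closing quote), so it does not say what the references were changed to; suggest 'Changed references of the form "Section 4.1.1 of JWT [RFC7519]" to "Section 4.1.1 of [RFC7519]"'. As shown, that line also exceeds the 72-column limit that idnits enforces for Internet-Drafts and should be wrapped like the entries around it. Minor: the -11 entries mix tenses ("Corrected", "Mention", "Changed", "Updated"); "Mentioned CoAP" would match the others.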