Archive for the 'CBOR' Category

May 31, 2020
secp256k1 curve and algorithm registered for JOSE use

IETF logoIANA has registered the “secp256k1” elliptic curve in the JSON Web Key Elliptic Curve registry and the corresponding “ES256K” signing algorithm in the JSON Web Signature and Encryption Algorithms registry. This curve is widely used among blockchain and decentralized identity implementations.

The registrations were specified by the COSE and JOSE Registrations for WebAuthn Algorithms specification, which was created by the W3C Web Authentication working group and the IETF COSE working group because WebAuthn also allows the use of secp256k1. This specification is now in IETF Last Call. The corresponding COSE registrations will occur after the specification becomes an RFC.

May 14, 2020
Nearing completion on two WebAuthn-related specs at the IETF

IETF logoThis week we published updates to two IETF specifications that support the WebAuthn/FIDO2 ecosystem, as well as other uses, such as decentralized identity.

One is COSE and JOSE Registrations for WebAuthn Algorithms. It registers algorithm and elliptic curve identifiers for algorithms used by WebAuthn and FIDO2. The “secp256k1” curve being registered is also used for signing in some decentralized identity applications. The specification has completed the Area Director review and has been submitted to the IESG for publication.

The other is Registries for Web Authentication (WebAuthn). This creates IANA registries enabling multiple kinds of extensions to W3C Web Authentication (WebAuthn) implementations to be registered. This specification has completed IETF last call and is scheduled for review by the IESG.

Thanks to the COSE working group for their adoption of the algorithms specification, and to Ivaylo Petrov and Murray Kucherawy for their reviews of it. Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the registries specification and to Jeff Hodges for being primary author of it.

The specifications are available at:

May 7, 2020
Working group adoption of Concise Binary Object Representation (CBOR) Tags for Date

IETF logoThe IETF CBOR working group has adopted the specification Concise Binary Object Representation (CBOR) Tags for Date. The abstract of the specification is:

The Concise Binary Object Representation (CBOR, RFC 7049) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.

In CBOR, one point of extensibility is the definition of CBOR tags. RFC 7049 defines two tags for time: CBOR tag 0 (RFC 3339 date/time string) and tag 1 (Posix “seconds since the epoch”). Since then, additional requirements have become known. This specification defines a CBOR tag for an RFC 3339 date text string, for applications needing a textual date representation without a time. It also defines a CBOR tag for days since the Posix epoch, for applications needing a numeric date representation without a time. It is intended as the reference document for the IANA registration of the CBOR tags defined.

The need for this arose for the ISO Mobile Driver’s License specification in the working group ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”.

The specification is available at:

An HTML-formatted version is also available at:

March 9, 2020
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747

IETF logoI’m pleased to report that Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).

This is one of a series of specifications, including CWT [RFC 8392] – which mirrors JWT [RFC 7519], in which we are intentionally bringing functionality that is available in JSON to the CBOR and IoT world.

March 9, 2020
Allocating a CBOR tag for RFC 3339 date strings

IETF logoI have published the specification Concise Binary Object Representation (CBOR) Tag for Date to allocate a CBOR tag for RFC 3339 full-date values. While there’s already a tag for date-time values, there’s currently no tag allocated for full-date values – a date string without a time. The need for this arose for the ISO Mobile Driver’s License specification in the working group ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”.

Thanks to Carsten Bormann for pointers on the best way to accomplish this.

The specification is available at:

An HTML-formatted version is also available at:

January 27, 2020
COSE and JOSE Registrations for WebAuthn Algorithms spec adding explanatory comments on design decisions

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to add explanatory comments on design decisions made that were discussed on the mailing list that Jim Schaad requested be added to the draft.

The specification is available at:

An HTML-formatted version is also available at:

November 6, 2019
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) sent to the RFC Editor

OAuth logoI’m pleased to report that the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).

Thanks to the ACE working group for completing this important specification.

The specification is available at:

An HTML-formatted version is also available at:

October 24, 2019
COSE and JOSE Registrations for WebAuthn Algorithms spec addressing WGLC comments

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address working group last call (WGLC) feedback received. Thanks to J.C. Jones, Kevin Jacobs, Jim Schaad, Neil Madden, and Benjamin Kaduk for their useful reviews.

The specification is available at:

An HTML-formatted version is also available at:

October 21, 2019
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Gen-ART and SecDir reviews

IETF logoA new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published addressing the Gen-ART and SecDir review comments. Thanks to Christer Holmberg and Yoav Nir, respectively, for these useful reviews.

The specification is available at:

An HTML-formatted version is also available at:

October 1, 2019
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing remaining Area Director comments

IETF logoA new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published to address the remaining Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of the editing for this version.

The specification is available at:

An HTML-formatted version is also available at:

September 19, 2019
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Area Director review comments

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address the Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz and Hannes Tschofenig for their work on resolving the issues raised.

The specification is available at:

An HTML-formatted version is also available at:

July 8, 2019
Refinements to COSE and JOSE Registrations for WebAuthn Algorithms

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address feedback received since working group adoption. The one breaking change is changing the secp256k1 curve identifier for JOSE from “P-256K” to “secp256k1”, for reasons described by John Mattsson. The draft now also specifies that the SHA-256 hash function is to be used with “ES256K” signatures – a clarification due to Matt Palmer.

The specification is available at:

An HTML-formatted version is also available at:

March 27, 2019
Working group adoption of “COSE and JOSE Registrations for WebAuthn Algorithms”

IETF logoI’m pleased to report that the IETF COSE Working Group has adopted the specification “COSE and JOSE Registrations for WebAuthn Algorithms”. An abstract of what it does is:

This specification defines how to use several algorithms with COSE [RFC8152] that are used by implementations of the W3C Web Authentication (WebAuthn) [WebAuthn] and FIDO2 Client to Authenticator Protocol (CTAP) [CTAP] specifications. These algorithms are to be registered in the IANA “COSE Algorithms” registry [IANA.COSE.Algorithms] and also in the IANA “JSON Web Signature and Encryption Algorithms” registry [IANA.JOSE.Algorithms], when not already registered there.

The algorithms registered are RSASSA-PKCS1-v1_5 with four different hash functions and signing with the secp256k1 curve. Note that there was consensus in the working group meeting not to work on registrations for the Elliptic Curve Direct Anonymous Attestation (ECDAA) algorithms “ED256” and “ED512”, both because of issues that have been raised with them and because they are not in widespread use.

The -01 version will address the review comments received on the mailing list from Jim Schaad and John Mattsson.

The specification is available at:

An HTML-formatted version is also available at:

March 11, 2019
Additional COSE algorithms used by W3C Web Authentication (WebAuthn)

IETF logoThe new COSE working group charter includes this deliverable:

4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).

I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.

The specification is available at:

An HTML-formatted version is also available at:

February 21, 2019
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec fixing nits

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address issues identified by Roman Danyliw while writing his shepherd review. Thanks to Samuel Erdtman for fixing an incorrect example.

The specification is available at:

An HTML-formatted version is also available at:

November 9, 2018
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec adding Key ID considerations

IETF logoKey ID confirmation method considerations suggested by Jim Schaad have been added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Per discussions in the working group meeting in Bangkok, it’s now time for the shepherd review.

The specification is available at:

An HTML-formatted version is also available at:

November 6, 2018
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing additional WGLC comments

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to addresses a few additional Working Group Last Call (WGLC) comments. All of the (few) changes were about improving the clarity of the exposition. I believe that this completes addressing the WGLC comments.

Thanks to Roman Danyliw for helping to categorize the remaining comments that needed to be addressed.

The specification is available at:

An HTML-formatted version is also available at:

June 29, 2018
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

IETF logoA new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

An HTML-formatted version is also available at:

May 8, 2018
“CBOR Web Token (CWT)” is now RFC 8392

IETF logoThe “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.

Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”, which provides the CWT equivalent of “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” [RFC 7800].

May 2, 2018
Additional RSA Algorithms for COSE Messages Registered by W3C WebAuthn

W3C logoThe WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.

Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.

The specification is available at:

An HTML-formatted version is also available at:

Next »