Archive for the 'CBOR' Category

June 30, 2017
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were:

  • Tracked CBOR Web Token (CWT) Claims Registry updates.
  • Addressed review comments by Michael Richardson and Jim Schaad.
  • Added co-authors Ludwig Seitz, Göran Selander, Erik Wahlström, Samuel Erdtman, and Hannes Tschofenig.

Thanks for the feedback received to date!

The specification is available at:

An HTML-formatted version is also available at:

June 29, 2017
CBOR Web Token (CWT) specification addressing editorial comments

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses editorial comments made by Carsten Bormann and Jim Schaad. All changes were editorial in nature.

The specification is available at:

An HTML-formatted version is also available at:

June 22, 2017
“Using RSA Algorithms with COSE Messages” specification approved for publication

IETF logoThe IESG approved the “Using RSA Algorithms with COSE Messages” specification for publication as an RFC today. A new version was published incorporating the IESG feedback. Thanks to Ben Campbell, Eric Rescorla, and Adam Roach for their review comments. No normative changes were made.

The specification is available at:

An HTML-formatted version is also available at:

June 15, 2017
“Using RSA Algorithms with COSE Messages” specification addressing IETF last call feedback

IETF logoA new version of the “Using RSA Algorithms with COSE Messages” specification has been published that addresses the IETF last call feedback received. Additional security considerations were added and the IANA Considerations instructions were made more precise. Thanks to Roni Even and Steve Kent for their useful reviews!

The specification is available at:

An HTML-formatted version is also available at:

June 5, 2017
CBOR Web Token (CWT) specification addressing WGLC feedback

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses the Working Group Last Call (WGLC) feedback received. Changes were:

  • Say that CWT is derived from JWT, rather than CWT is a profile of JWT.
  • Used CBOR type names in descriptions, rather than major/minor type numbers.
  • Clarified the NumericDate and StringOrURI descriptions.
  • Changed to allow CWT claim names to use values of any legal CBOR map key type.
  • Changed to use the CWT tag to identify nested CWTs instead of the CWT content type.
  • Added an example using a floating-point date value.
  • Acknowledged reviewers.

Thanks to Samuel Erdtman for doing the majority of the editing for this draft. As always, people are highly encouraged to validate the examples.

The specification is available at:

An HTML-formatted version is also available at:

May 18, 2017
Clarified Security Considerations in Using RSA Algorithms with COSE Messages

IETF logoA slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. Changes were:

  • Clarified the Security Considerations in ways suggested by Kathleen Moriarty.
  • Acknowledged reviewers.

The specification is available at:

An HTML-formatted version is also available at:

April 20, 2017
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

IETF logoWith the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800, “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, so that applications using CWTs will have a standard representation for proof-of-possession keys. I know that PoP keys are important to ACE applications, for instance. I therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.

The specification is available at:

An HTML-formatted version is also available at:

April 13, 2017
CBOR Web Token (CWT) specification correcting inconsistencies in examples

IETF logoA revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated examples.

The specification is available at:

An HTML-formatted version is also available at:

March 9, 2017
Cleaner version of Using RSA Algorithms with COSE Messages specification

IETF logoI’ve published an updated version of the “Using RSA Algorithms with COSE Messages” specification with a number of editorial improvements. Changes were:

  • Reorganized the security considerations.
  • Flattened the section structure.
  • Applied wording improvements suggested by Jim Schaad.

The specification is available at:

An HTML-formatted version is also available at:

March 2, 2017
CBOR Web Token (CWT) with better examples and a CBOR tag

IETF logoA new CBOR Web Token (CWT) draft is available with completely rewritten and much more useful examples, thanks to Samuel Erdtman. There are now examples of signed, MACed, encrypted, and nested CWTs that use all of the defined claims (and no claims not yet defined). A CBOR tag for CWTs is now also defined. People are highly encouraged to review the new examples and validate them.

The specification is available at:

An HTML-formatted version is also available at:

January 13, 2017
Media Type registration added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now registers the “application/cwt” media type, which accompanies the existing CoAP Content-Format ID registration for this media type. The description of nested CWTs, which uses this content type, was clarified. This draft also corrected some nits identified by Ludwig Seitz.

The specification is available at:

An HTML-formatted version is also available at:

December 31, 2016
Using RSA Algorithms with COSE Messages

IETF logoThe specification Using RSA Algorithms with COSE Messages defines encodings for using RSA algorithms with CBOR Object Signing and Encryption (COSE) messages. This supports use cases for the FIDO Alliance and others that need this functionality. Security Area Director Kathleen Moriarty has agreed to AD sponsorship of this specification. This specification incorporates text from draft-ietf-cose-msg-05 – the last COSE specification version before the RSA algorithms were removed.

The specification is available at:

An HTML-formatted version is also available at:

Review feedback is welcomed!

July 7, 2016
IANA Considerations added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now establishes the IANA CWT Claims registry and registers the CWT claims defined by the specification. The application/cwt CoAP content type is now also registered.

This version adds Samuel Erdtman as an editor in recognition of his already significant contributions to the specification.

The specification is available at:

An HTML-formatted version is also available at:

May 20, 2016
Initial ACE working group CBOR Web Token (CWT) specification

IETF logoWe have created the initial working group version of the CBOR Web Token (CWT) specification based on draft-wahlstroem-ace-cbor-web-token-00, with no normative changes. The abstract of the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.

Changes requested during the call for adoption will be published in the -01 version but we first wanted to publish a clean -00 working group draft.

The specification is available at:

An HTML-formatted version is also available at:

April 4, 2016
Using RSA Algorithms with COSE Messages

IETF logoI have published draft-jones-cose-rsa, which defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. This addresses COSE Issue #21: Restore RSA-PSS and the “RSA” key type. The initial version of this specification incorporates text from draft-ietf-cose-msg-05 – the last COSE message specification version before the RSA algorithms were removed.

The specification is available at:

An HTML-formatted version is also available at:

December 4, 2015
CBOR Web Token (CWT) spec for the ACE working group

IETF logoAfter input from many interested people, IETF Security Area Director Kathleen Moriarty decided that the right place for the CBOR Web Token (CWT) work is the ACE working group. Today Erik Wahlström posted a new draft of the CBOR Web Token (CWT) specification that is intended for ACE.

This version of the spec references the JSON Web Token (JWT) claim definitions, rather than repeating them, and intentionally only includes equivalents of the claims defined by the JWT spec. Other CWT claims, including those needed by ACE applications, will be defined by other specs and registered in the CWT claims registry.

The specification is available at:

An HTML-formatted version is also available at:

November 12, 2015
CBOR Web Token (CWT)

IETF logoI know that some of you have been following the IETF’s work on the CBOR Object Signing and Encryption (COSE) Working group on creating a Concise Binary Object Representation (CBOR) equivalent of the JSON-based cryptographic data formats produced by the JSON Object Signing and Encryption (JOSE) Working group. I’m happy to announce that work has now started on a CBOR Web Token (CWT) specification: a CBOR mapping of the JSON Web Token (JWT) security token format that was built using the JOSE specifications. While I expect JSON and the JOSE/JWT specs to continue be used in most Web, PC, phone, tablet, cloud, and enterprise contexts, the COSE specs and now CWT are designed for use in constrained environments, such as those for some Internet of Things (IoT) devices.

Just as it was important to have a JSON-based security token format for applications using JSON, it will be important to have a CBOR-based security token format for applications using CBOR. CBOR Web Token (CWT) fills that role. Note that what is actually defined is a general cryptographically secured CBOR data structure, enabling CWTs to be used as general application payloads for CBOR-based applications.

The abstract of the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.

My thanks to Erik Wahlström and Hannes Tschofenig for helping to make this happen!

Finally, I’ll note that just as the suggested pronunciation of JWT is the same as the English word “jot”, the suggested pronunciation of CWT is the same as the English word “cot”. So welcome to “cots”!

The specification is available at:

An HTML formatted version is also available at: