Orie Steele and I have created a specification to add a
typ header parameter to COSE – something increasingly widely used in JOSE but currently missing in COSE. The introduction to the spec tells the story:
CBOR Object Signing and Encryption (COSE) [RFC9052] defines header parameters that parallel many of those defined by the JSON Object Signing and Encryption (JOSE) [RFC7515] [RFC7516] specifications. However, one way in which COSE does not provide equivalent functionality to JOSE is that it does not define an equivalent of the
typ(type) header parameter, which is used for declaring the type of the entire JOSE data structure. The security benefits of having
typ(type) are described in the JSON Web Token Best Current Practices [RFC8725], which recommends its use for “explicit typing” — using
typvalues to distinguish between different kinds of objects.
This specification adds the equivalent of the JOSE
typ(type) header parameter to COSE so that the benefits of explicit typing can be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter, allowing both integer CoAP Content-Formats [IANA.CoAP.ContentFormats] values and string Media Type [IANA.MediaTypes] values to be used.
The specification is available at:
We plan to socialize this specification at IETF 117 in San Francisco later this month.