The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address the Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz and Hannes Tschofenig for their work on resolving the issues raised.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address feedback received since working group adoption. The one breaking change is changing the secp256k1 curve identifier for JOSE from “P-256K” to “secp256k1”, for reasons described by John Mattsson. The draft now also specifies that the SHA-256 hash function is to be used with “ES256K” signatures – a clarification due to Matt Palmer.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C
I’m pleased to report that the IETF COSE Working Group has adopted the specification “COSE and JOSE Registrations for WebAuthn Algorithms”. An abstract of what it does is:
This specification defines how to use several algorithms with COSE [RFC8152] that are used by implementations of the W3C Web Authentication (WebAuthn) [WebAuthn] and FIDO2 Client to Authenticator Protocol (CTAP) [CTAP] specifications. These algorithms are to be registered in the IANA “COSE Algorithms” registry [IANA.COSE.Algorithms] and also in the IANA “JSON Web Signature and Encryption Algorithms” registry [IANA.JOSE.Algorithms], when not already registered there.
The algorithms registered are RSASSA-PKCS1-v1_5 with four different hash functions and signing with the secp256k1 curve. Note that there was consensus in the working group meeting not to work on registrations for the Elliptic Curve Direct Anonymous Attestation (ECDAA) algorithms “ED256” and “ED512”, both because of issues that have been raised with them and because they are not in widespread use.
The -01 version will address the review comments received on the mailing list from Jim Schaad and John Mattsson.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C
The new COSE working group charter includes this deliverable:
4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).
I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C
The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address issues identified by Roman Danyliw while writing his shepherd review. Thanks to Samuel Erdtman for fixing an incorrect example.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
Key ID confirmation method considerations suggested by Jim Schaad have been added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Per discussions in the working group meeting in Bangkok, it’s now time for the shepherd review.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to addresses a few additional Working Group Last Call (WGLC) comments. All of the (few) changes were about improving the clarity of the exposition. I believe that this completes addressing the WGLC comments.
Thanks to Roman Danyliw for helping to categorize the remaining comments that needed to be addressed.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:
Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
The “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:
CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.
Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.
Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”, which provides the CWT equivalent of “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” [RFC 7800].
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
The WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.
Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Cryptography & IETF & Specifications & W3C
One more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
The CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
The CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
A few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:
Thanks to Samuel Erdtman for sharing the editing.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
The CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:
Thanks to Ben for his careful review of the specification!
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
A new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:
application/cwt media type registration.Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
A new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
Draft -01 of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification updates the examples to use CBOR diagnostic notation, thanks to Ludwig Seitz. A table summarizing the “cnf” names, keys, and value types was added, thanks to Samuel Erdtman. Finally, some of Jim Schaad’s feedback on -00 was addressed (with more to be addressed by the opening of IETF 100 in Singapore).
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
A new CBOR Web Token (CWT) draft has been published that adds CBOR_Key values and Key IDs to examples. Thanks to Samuel Erdtman for working on the examples, as always. Thanks to Giridhar Mandyam for validating the examples!
I believe that it’s time to request publication, as there remain no known issues with the specification.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & IETF & Specifications
The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:
This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.
I look forward to working with my co-authors and the working group to hopefully complete this quickly!
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications
