Mike Jones: self-issued

We wrote the specification COSE and JOSE Registrations for WebAuthn Algorithms to create and register COSE and JOSE algorithm and elliptic curve identifiers for algorithms used by WebAuthn and CTAP2 that didn’t yet exist. I’m happy to report that all these registrations are now complete and the specification has progressed to the RFC Editor. Thanks to the COSE working group for supporting this work.

Search for WebAuthn in the IANA COSE Registry and the IANA JOSE Registry to see the registrations. These are now stable and can be used by applications, both in the WebAuthn/FIDO2 space and for other application areas, including decentralized identity (where the secp256k1 “bitcoin curve” is in widespread use).

The algorithms registered are:

• RS256 – RSASSA-PKCS1-v1_5 using SHA-256 – new for COSE
• RS384 – RSASSA-PKCS1-v1_5 using SHA-384 – new for COSE
• RS512 – RSASSA-PKCS1-v1_5 using SHA-512 – new for COSE
• RS1 – RSASSA-PKCS1-v1_5 using SHA-1 – new for COSE
• ES256K – ECDSA using secp256k1 curve and SHA-256 – new for COSE and JOSE

The elliptic curves registered are:

• secp256k1 – SECG secp256k1 curve – new for COSE and JOSE

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

The CBOR tags for the date representations defined by the “Concise Binary Object Representation (CBOR) Tags for Date” specification have been registered in the IANA Concise Binary Object Representation (CBOR) Tags registry. This means that they’re now ready for use by applications. In particular, the full-date tag requested for use by the ISO Mobile Driver’s License specification in the ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification” working group is now good to go.

FYI, I also updated the spec to incorporate a few editorial suggestions by Carsten Bormann. The new draft changed “positive or negative” to “unsigned or negative” and added an implementation note about the relationship to Modified Julian Dates. Thanks Carsten, for the useful feedback, as always!

It’s my sense that the spec is now ready for working group last call in the CBOR Working Group.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cbor-date-tag-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cbor-date-tag-01.html

No Comments » Posted under CBOR & IETF & Specifications

IANA has registered the “secp256k1” elliptic curve in the JSON Web Key Elliptic Curve registry and the corresponding “ES256K” signing algorithm in the JSON Web Signature and Encryption Algorithms registry. This curve is widely used among blockchain and decentralized identity implementations.

The registrations were specified by the COSE and JOSE Registrations for WebAuthn Algorithms specification, which was created by the W3C Web Authentication working group and the IETF COSE working group because WebAuthn also allows the use of secp256k1. This specification is now in IETF Last Call. The corresponding COSE registrations will occur after the specification becomes an RFC.

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

This week we published updates to two IETF specifications that support the WebAuthn/FIDO2 ecosystem, as well as other uses, such as decentralized identity.

One is COSE and JOSE Registrations for WebAuthn Algorithms. It registers algorithm and elliptic curve identifiers for algorithms used by WebAuthn and FIDO2. The “secp256k1” curve being registered is also used for signing in some decentralized identity applications. The specification has completed the Area Director review and has been submitted to the IESG for publication.

The other is Registries for Web Authentication (WebAuthn). This creates IANA registries enabling multiple kinds of extensions to W3C Web Authentication (WebAuthn) implementations to be registered. This specification has completed IETF last call and is scheduled for review by the IESG.

Thanks to the COSE working group for their adoption of the algorithms specification, and to Ivaylo Petrov and Murray Kucherawy for their reviews of it. Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the registries specification and to Jeff Hodges for being primary author of it.

The specifications are available at:

• https://tools.ietf.org/html/draft-hodges-webauthn-registries-07
• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-06

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

The IETF CBOR working group has adopted the specification Concise Binary Object Representation (CBOR) Tags for Date. The abstract of the specification is:

The Concise Binary Object Representation (CBOR, RFC 7049) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.

In CBOR, one point of extensibility is the definition of CBOR tags. RFC 7049 defines two tags for time: CBOR tag 0 (RFC 3339 date/time string) and tag 1 (Posix “seconds since the epoch”). Since then, additional requirements have become known. This specification defines a CBOR tag for an RFC 3339 date text string, for applications needing a textual date representation without a time. It also defines a CBOR tag for days since the Posix epoch, for applications needing a numeric date representation without a time. It is intended as the reference document for the IANA registration of the CBOR tags defined.

The need for this arose for the ISO Mobile Driver’s License specification in the working group ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cbor-date-tag-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cbor-date-tag-00.html

No Comments » Posted under CBOR & IETF & Specifications

I’m pleased to report that Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).

This is one of a series of specifications, including CWT [RFC 8392] – which mirrors JWT [RFC 7519], in which we are intentionally bringing functionality that is available in JSON to the CBOR and IoT world.

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

I have published the specification Concise Binary Object Representation (CBOR) Tag for Date to allocate a CBOR tag for RFC 3339 full-date values. While there’s already a tag for date-time values, there’s currently no tag allocated for full-date values – a date string without a time. The need for this arose for the ISO Mobile Driver’s License specification in the working group ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”.

Thanks to Carsten Bormann for pointers on the best way to accomplish this.

The specification is available at:

• https://tools.ietf.org/html/draft-jones-cbor-date-tag-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-jones-cbor-date-tag-00.html

No Comments » Posted under CBOR & IETF & Specifications

The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to add explanatory comments on design decisions made that were discussed on the mailing list that Jim Schaad requested be added to the draft.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-04

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-04.html

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

I’m pleased to report that the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).

Thanks to the ACE working group for completing this important specification.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-11.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address working group last call (WGLC) feedback received. Thanks to J.C. Jones, Kevin Jacobs, Jim Schaad, Neil Madden, and Benjamin Kaduk for their useful reviews.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-02

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-02.html

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published addressing the Gen-ART and SecDir review comments. Thanks to Christer Holmberg and Yoav Nir, respectively, for these useful reviews.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-09

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-09.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published to address the remaining Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of the editing for this version.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-08

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-08.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address the Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz and Hannes Tschofenig for their work on resolving the issues raised.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-07

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-07.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address feedback received since working group adoption. The one breaking change is changing the secp256k1 curve identifier for JOSE from “P-256K” to “secp256k1”, for reasons described by John Mattsson. The draft now also specifies that the SHA-256 hash function is to be used with “ES256K” signatures – a clarification due to Matt Palmer.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-01

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-01.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

I’m pleased to report that the IETF COSE Working Group has adopted the specification “COSE and JOSE Registrations for WebAuthn Algorithms”. An abstract of what it does is:

This specification defines how to use several algorithms with COSE [RFC8152] that are used by implementations of the W3C Web Authentication (WebAuthn) [WebAuthn] and FIDO2 Client to Authenticator Protocol (CTAP) [CTAP] specifications. These algorithms are to be registered in the IANA “COSE Algorithms” registry [IANA.COSE.Algorithms] and also in the IANA “JSON Web Signature and Encryption Algorithms” registry [IANA.JOSE.Algorithms], when not already registered there.

The algorithms registered are RSASSA-PKCS1-v1_5 with four different hash functions and signing with the secp256k1 curve. Note that there was consensus in the working group meeting not to work on registrations for the Elliptic Curve Direct Anonymous Attestation (ECDAA) algorithms “ED256” and “ED512”, both because of issues that have been raised with them and because they are not in widespread use.

The -01 version will address the review comments received on the mailing list from Jim Schaad and John Mattsson.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-00

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-00.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

The new COSE working group charter includes this deliverable:

4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).

I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.

The specification is available at:

• https://tools.ietf.org/html/draft-jones-cose-additional-algorithms-00

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-jones-cose-additional-algorithms-00.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address issues identified by Roman Danyliw while writing his shepherd review. Thanks to Samuel Erdtman for fixing an incorrect example.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-06

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-06.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

Key ID confirmation method considerations suggested by Jim Schaad have been added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Per discussions in the working group meeting in Bangkok, it’s now time for the shepherd review.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-05

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-05.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to addresses a few additional Working Group Last Call (WGLC) comments. All of the (few) changes were about improving the clarity of the exposition. I believe that this completes addressing the WGLC comments.

Thanks to Roman Danyliw for helping to categorize the remaining comments that needed to be addressed.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-04

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-04.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

• Addressed review comments by Jim Schaad — see https://www.ietf.org/mail-archive/web/ace/current/msg02798.html.
• Removed unnecessary sentence in the introduction regarding the use any strings that could be case-sensitive.
• Clarified the terms Presenter and Recipient.
• Clarified text about the confirmation claim.

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-03

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-03.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications