A CBOR Tag for Unprotected CWT Claims Sets
draft-birkholz-rats-uccs-02
RATS Working Group H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track J. O'Donoghue
Expires: June 5, 2021 Qualcomm Technologies Inc.
N. Cam-Winget
Cisco Systems
C. Bormann
Universitaet Bremen TZI
December 02, 2020
A CBOR Tag for Unprotected CWT Claims Sets
draft-birkholz-rats-uccs-02
Abstract
CBOR Web Token (CWT, RFC 8392) Claims Sets sometimes do not need the
protection afforded by wrapping them into COSE, as is required for a
true CWT. This specification defines a CBOR tag for such unprotected
CWT Claims Sets (UCCS) and discusses conditions for its proper use.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 5, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Birkholz, et al. Expires June 5, 2021 [Page 1]
Internet-Draft Unprotected CWT Claims Sets December 2020
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Motivation and Requirements . . . . . . . . . . . . . . . . . 3
3. Characteristics of a Secure Channel . . . . . . . . . . . . . 4
3.1. UCCS and Remote ATtestation procedureS (RATS) . . . . . . 4
3.2. Privacy Preserving Channels . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
5.1. General Considerations . . . . . . . . . . . . . . . . . 6
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
A CBOR Web Token (CWT) as specified by [RFC8392] is always wrapped in
a CBOR Object Signing and Encryption (COSE, [RFC8152]) envelope.
COSE provides - amongst other things - the integrity protection
mandated by RFC 8392 and optional encryption for CWTs. Under the
right circumstances, though, a signature providing proof for
authenticity and integrity can be provided through the transfer
protocol and thus omitted from the information in a CWT without
compromising the intended goal of authenticity and integrity. If a
mutually Secured Channel is established between two remote peers, and
if that Secure Channel provides the required properties (as discussed
below), it is possible to omit the protection provided by COSE,
creating a use case for unprotected CWT Claims Sets. Similarly, if
there is one-way authentication, the party that did not authenticate
may be in a position to send authentication information through this
channel that allows the already authenticated party to authenticate
the other party.
This specification allocates a CBOR tag to mark Unprotected CWT
Claims Sets (UCCS) as such and discusses conditions for its proper
use in the scope of Remote ATtestation procedureS (RATS) and the
conveyance of Evidence from an Attester to a Verifier.
Show full document text