[COSE] Re: RFC 9942 on CBOR Object Signing and Encryption (COSE) Receipts
Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 01 July 2026 05:15 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cose@mail2.ietf.org
Delivered-To: cose@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4992010B5DFB3 for <cose@mail2.ietf.org>; Tue, 30 Jun 2026 22:15:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782882948; bh=nBT3rGOm819NnTVF4HDTGfn2V+sRKR3MOfdsrJB8Esc=; h=Date:Subject:To:References:From:In-Reply-To; b=TE38303KMNdCsG7edS+XeADP5O4EXGHUdhvH8Q7eW5V60yq0LBHisBTL/8uzob3gD pFYA3pC1hKmYbRrE9G9OSgousyBFTUm6Mb9dOJJgIoodgsA4lRzhYtfxM+Jk8/GA5s 0khKLkgQVGzos5OMu7Q7Wgr3h8j+6lYxsfhMc60I=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BHkUev6xNh_9 for <cose@mail2.ietf.org>; Tue, 30 Jun 2026 22:15:47 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D1DDD10B5DFAE for <cose@ietf.org>; Tue, 30 Jun 2026 22:15:47 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id ffacd0b85a97d-473ba028d46so171407f8f.1 for <cose@ietf.org>; Tue, 30 Jun 2026 22:15:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782882947; x=1783487747; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=gs12/YyfiVgibiRilgA4oSvYrdnEZIFHvPFdmQkz0p8=; b=PkeWrHy9vKPyxVZJ0ROqAcNPc8RFSFuWuws+lk+dpit9nr+azr8QaY87mCaRxxkRoW txQREjNqwcNoAB9wSGatRX2RkhaCCs4crNEbgsion6HYyWkN4phOclibCzFPVKpqpQas +VTuqylxgi9iv+1a9L99uMgFPf6wVYI3V6CimXezSrIxKO94CULTBxtm2WYdX/7jyCUp ARke6o982Wp7p/lxCb1EdQwLNomt7sjN1oN3MFbKjQWFIxURgBQtkYUO1lKhZlnRYCWn c9oqSMRoj5XyGpG3bP2s2KjLUuJ7+CQK5RVYjhwco+Q4xhRsolr3Z2EZGfbqiQMT9SyY LT7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782882947; x=1783487747; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gs12/YyfiVgibiRilgA4oSvYrdnEZIFHvPFdmQkz0p8=; b=LurH+VypcoMThbmwu/5DFx7vYIYc9qGguSGUIDJF9m1s5VINwiDn/RkfKaN/Jx2DZx VAyUO8XZ6xLqC84zjLlro9f7UG3L0sX89ZcXelwDygEWCZ18ptyjo1xcpVxSozxHGaMH jmkW+LQRGFKLb/dMtVcRr144JEJ2mprOYDDIHJU1uxhOyi1Ko644BG/+frVBCLTFoEO8 t70qJRlFkICX8r1/BnoPalSEWtBMqS99Hl3cQ2pIqpF3OzsWIJI9TJz1CVnzbbW/WVZ7 u7S6MZT/wz51BQ4i/7HyfPl912m35rJSo1i7cHBWgugSgxqR+VWglWFnp8hXA4dlBI3O Jgww==
X-Gm-Message-State: AOJu0Yysa6/sPmtrtrQBW8nH40qq1hOXeIiS4kgUc5bp/7BORFKAEmTm 3heU+zwWJNT+2uoyDicwla8nQJl3xIWqfv3eLLGnD688y6mkVjzLb0bhjZFQGp7T
X-Gm-Gg: AfdE7cmk0t1i2VMWk9f1+fLhewy7SYXM/PorJmwdlu4kkXGHNAInnvS2LGMasn7mnf0 GW9NHqgz5rbZHnhj71fEeai3UqNiZTPSDuoxSshRq/nKB9jiT9rAVJnIhR5HF7KJoNSXNy/3nUq cZ7+KVs6vZ0/sJm8O6lnrQnAZL7rBb9OQ65hplqjD55Ufl/UzhdA2XRMJ1aff2oQxNhsVVNBhjU xVBnBTRY7wBTZ8DWUKDnSyggU8ee7p/0QfVKvRFgVnXE4JhhNfpLrN9iOM5I2Qj205y0xThR8kd U5oCa5ef0FrcLCJwFmFJnQ99g3v6q1JtIQVQa7R26kDK70w3jQwLYI0OFn/+k7mQ9ut60HWdaTX uhtYdVWlcS994TXEgG3ExVT1uN3vfgEgB5mvrTm8Pb1dpELcB+jfR7sh8J3an4cbtEejacUbK66 jowa5Jn4PHiExkqIdBQZeAVD+Z2eqfeuEN+AKHaCX3XAFsnPloJhx6+rM4fDK2rFPbSI+WlTxwW ZEKCEyc91m7p8vULhwk
X-Received: by 2002:a05:6000:1847:b0:46e:8226:96ba with SMTP id ffacd0b85a97d-47758326cfcmr105233f8f.13.1782882946819; Tue, 30 Jun 2026 22:15:46 -0700 (PDT)
Received: from ?IPV6:2a01:e0a:e1b:64b0:21be:d65d:c064:bc65? ([2a01:e0a:e1b:64b0:21be:d65d:c064:bc65]) by smtp.googlemail.com with ESMTPSA id ffacd0b85a97d-475641e4cdesm14508412f8f.13.2026.06.30.22.15.46 for <cose@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 30 Jun 2026 22:15:46 -0700 (PDT)
Message-ID: <71b8635a-4639-485c-83b4-7d1656953b5b@gmail.com>
Date: Wed, 01 Jul 2026 07:15:45 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: cose@ietf.org
References: <178285948391.11.14604467919400066829@rfc-editor.org>
Content-Language: en-US
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <178285948391.11.14604467919400066829@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: TFW6HP6CCFX3HKYXK2QQSTYV6CCMI75F
X-Message-ID-Hash: TFW6HP6CCFX3HKYXK2QQSTYV6CCMI75F
X-MailFrom: anders.rundgren.net@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [COSE] Re: RFC 9942 on CBOR Object Signing and Encryption (COSE) Receipts
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/ken480srMj-5811O9UQAcl0mPAw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Owner: <mailto:cose-owner@ietf.org>
List-Post: <mailto:cose@ietf.org>
List-Subscribe: <mailto:cose-join@ietf.org>
List-Unsubscribe: <mailto:cose-leave@ietf.org>
I guess I have been asleep since I haven't even heard about this work-item before... FWIW, I'm personally developing a e-receipt-scheme for the EU Wallet when used for payments. It has almost nothing in common with RFC 9942. The following are the most obvious differences: - e-Receipt type is given by a top-level tag in analogy with the rest of the payment-related messages. In my case object types are provided as URLs which is a de-facto standard outside of the CBOR community. - There is no "bstr" wrapping of e-receipt data; deterministically encoded CBOR is trivial to accomplish in current mobile phones. Embedded signatures does the rest. - Since creating a global root for e-receipts seems unrealistic, compatible receipts are supposed to include a URL to the public key. This URL must belong to the same domain as the payment request. That is, trust is leveraging the trust in the WebPKI. Anders Predecessor using JSON: https://cyberphone.github.io/doc/defensive-publications/signed-e-receipts.pdf On 2026-07-01 00:44, rfc-editor@rfc-editor.org wrote: > A new Request for Comments is now available in online RFC libraries. > > RFC 9942 > > Title: CBOR Object Signing and Encryption (COSE) Receipts > Author: O. Steele, > H. Birkholz, > A. Delignat-Lavaud, > C. Fournet > Status: Proposed Standard > Stream: IETF > Date: June 2026 > Mailbox: orie@or13.io, > henk.birkholz@ietf.contact, > antdl@microsoft.com, > fournet@microsoft.com > Pages: 20 > > > I-D Tag: draft-ietf-cose-merkle-tree-proofs-18 > > URL: https://www.rfc-editor.org/info/rfc9942 > > DOI: 10.17487/RFC9942 > > CBOR Object Signing and Encryption (COSE) Receipts prove properties of a Verifiable Data Structure (VDS) to a verifier. VDSs and associated Proof Types enable security properties, such as minimal disclosure, transparency, and non-equivocation. Transparency helps maintain trust over time and has been applied to certificates, end-to-end encrypted messaging systems, and supply chain security. This specification enables concise transparency-oriented systems by building on Concise Binary Object Representation (CBOR) and COSE. The extensibility of the approach is demonstrated by providing CBOR encodings for Merkle inclusion and consistency proofs. > > This document is a product of the CBOR Object Signing and Encryption Working Group of the IETF. > > STANDARDS TRACK: This document specifies an Internet Standards Track > protocol for the Internet community, and requests discussion and > suggestions for improvements. Distribution of this memo is unlimited. > > This announcement is sent to the IETF-Announce and rfc-dist lists. > To subscribe or unsubscribe, see > https://www.ietf.org/mailman/listinfo/ietf-announce > https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist > > For searching the RFC series, see https://www.rfc-editor.org/search/ > For downloading RFCs, see https://www.rfc-editor.org/series/rfc-download/ > > Requests for special distribution should be addressed to either the > author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless > specifically noted otherwise on the RFC itself, all RFCs are for > unlimited distribution. > > > The RFC Editor Team > > _______________________________________________ > COSE mailing list -- cose@ietf.org > To unsubscribe send an email to cose-leave@ietf.org
- [COSE] RFC 9942 on CBOR Object Signing and Encryp… rfc-editor
- [COSE] Re: RFC 9942 on CBOR Object Signing and En… Anders Rundgren
- [COSE] Re: RFC 9942 on CBOR Object Signing and En… Carsten Bormann