Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
Laurence Lundblade <lgl@island-resort.com> Wed, 02 March 2022 18:33 UTC
From: Laurence Lundblade <lgl@island-resort.com>
Date: Wed, 2 Mar 2022 10:33:41 -0800
Cc: Hannes Tschofenig <hannes.tschofenig@arm.com>,
Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>,
"cose@ietf.org" <cose@ietf.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mKXeHs5GeuEyRMKjnHAfjkyC3a4>
Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in
COSE Headers

Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.

LL

> On Mar 2, 2022, at 9:34 AM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
> The use case is the same as that which motivated Section 5.3 of JWT “Replicating Claims as Header Parameters” https://datatracker.ietf.org/doc/html/rfc7519#section-5.3 – encrypted CWTs for which you’d like to have unencrypted instances of particular claims to determine how to process the CWT prior to decrypting it. Note that https://datatracker.ietf.org/doc/html/rfc7519#section-10.4 explicitly registers the “iss”, “sub”, and “aud” claims as JWE header parameter values exactly for this purpose.
>
> This draft defines a syntax for COSE to likewise enable the corresponding CWT claims to be passed in the clear in the COSE header, just as JWT claims can be replicated as JOSE header parameters when needed.
>
> -- Mike
>
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Sent: Wednesday, March 2, 2022 12:21 AM
> To: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>; cose@ietf.org
> Cc: Mike Jones <Michael.Jones@microsoft.com>
> Subject: RE: Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
>
> Hi Tobias,
>
> Could you say something about the use cases or provide an example of what you want to accomplish?
>
> Ciao
> Hannes
>
> From: COSE <cose-bounces@ietf.org> On Behalf Of Tobias Looker
> Sent: Wednesday, March 2, 2022 5:32 AM
> To: cose@ietf.org
> Cc: mbj@microsoft.com
> Subject: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
>
> Hi All,
>
> This is an email to introduce the newly submitted draft titled "CBOR Web Token (CWT) Claims in COSE Headers", the current abstract is as follows.
>
> "This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any COSE structure. This functionality helps to facilitate applications that wish to make use of CBOR Web Token (CWT) claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload."
>
> https://datatracker.ietf.org/doc/draft-looker-cose-cwt-claims-in-headers/
>
> As covered in the introduction of this draft, a similar mechanism already exists for JWT and we see value in providing a way to do the same with CWTs.
>
> Thanks,
>
> Tobias Looker
> MATTR
> CTO