Internet-Draft | EAT Media Types | November 2024
Lundblade, et al. | Expires 7 May 2025
- Workgroup: Remote ATtestation ProcedureS
- Internet-Draft: draft-ietf-rats-eat-media-type-12
- Published:
- Intended Status: Standards Track
- Expires: 7 May 2025
EAT Media Types
Abstract
Payloads used in Remote Attestation Procedures may require an associated media type for their conveyance, for example when used in RESTful APIs.
This memo defines media types to be used for Entity Attestation Tokens (EAT).
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (rats@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/rats/.
Source for this draft and an issue tracker can be found at https://github.com/thomas-fossati/draft-eat-mt.
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 May 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
1. Introduction
Payloads used in Remote Attestation Procedures [RATS-Arch] may require an associated media type for their conveyance, for example when used in RESTful APIs (Figure 1).
This memo defines media types to be used for Entity Attestation Token (EAT) [EAT] payloads independently of the RATS Conceptual Message in which they manifest themselves. The objective is to give protocol, API and application designers a number of readily available and reusable media types for integrating EAT-based messages in their flows, for example when using HTTP [BUILD-W-HTTP] or CoAP [REST-IoT].
1.1. Requirements Language
This document uses the terms and concepts defined in [RATS-Arch].
2. EAT Types
Figure 2 illustrates the six EAT wire formats and how they relate to each other. [EAT] defines four of them (CWT, JWT and Detached EAT Bundle in its JSON and CBOR flavours), whilst [UCCS] defines UCCS and UJCS.
3. A Media Type Parameter for EAT Profiles
EAT is an open and flexible format. To improve interoperability, Section 6 of [EAT] defines the concept of EAT profiles. Profiles are used to constrain the parameters that producers and consumers of a specific EAT profile need to understand in order to interoperate. For example: the number and type of claims, which serialisation format, the supported signature schemes, etc. EATs carry an in-band profile identifier using the eat_profile claim (see Section 4.3.2 of [EAT]). The value of the eat_profile claim is either an OID or a URI.
The media types defined in this document include an optional eat_profile parameter that can be used to mirror the eat_profile claim of the transported EAT. Exposing the EAT profile at the API layer allows API routers to dispatch payloads directly to the profile-specific processor without having to snoop into the request bodies. This design also provides a finer-grained and scalable type system that matches the inherent extensibility of EAT. The expectation is that a given EAT profile automatically obtains a media type derived from the base (e.g., application/eat+cwt) by populating the eat_profile parameter with the corresponding OID or URL.
When the parameterised version of the EAT media type is used in HTTP (for example, with the "Content-Type" and "Accept" headers), and the value is an absolute URI (Section 4.3 of [URI]), the parameter-value (Appendix A of [HTTP]) uses the quoted-string encoding, e.g.:
- application/eat+jwt; eat_profile="tag:evidence.example,2022"
When, instead, the EAT profile is an OID, the token encoding (i.e., without quotes) can be used, e.g.:
- application/eat+cwt; eat_profile=2.999.1
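As an added illustration (not code from the draft or from any EAT implementation), the following Python handles the eat_profile parameter at an HTTP API front end: it parses Content-Type and Accept values in both the quoted-string and token encodings described above, serialises them the same way, and dispatches on the (media type, profile) pair without reading the body, as Section 3 envisages. The handler table, the helper names and the fallback to a base-type handler are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not the draft's own code: handling of the eat_profile media
# type parameter (Section 3) at an HTTP API front end.

EAT_MEDIA_TYPES = {
    "application/eat+cwt", "application/eat+jwt",
    "application/eat-bun+cbor", "application/eat-bun+json",
    "application/eat-ucs+cbor", "application/eat-ucs+json",
}
# RFC 9110 tchar: a value made only of these characters may be sent as a bare token.
_TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_content_type(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type/Accept value into (media type, parameters).

    Parameter names are case-insensitive and returned lower-cased. Quoted-string
    values are decoded with quoted-pair escapes honoured, so a ';' inside quotes
    does not end the parameter; token values are taken as-is.
    """
    i, n = 0, len(header)

    def read_token() -> str:
        nonlocal i
        start = i
        while i < n and header[i] not in ';="\t ':
            i += 1
        return header[start:i]

    def skip_ws() -> None:
        nonlocal i
        while i < n and header[i] in " \t":
            i += 1

    skip_ws()
    media_type = read_token().lower()
    if media_type.count("/") != 1:
        raise ValueError("malformed media type")
    params: Dict[str, str] = {}
    while True:
        skip_ws()
        if i >= n:
            return media_type, params
        if header[i] != ";":
            raise ValueError("expected ';' before parameter")
        i += 1
        skip_ws()
        name = read_token().lower()
        if not name or i >= n or header[i] != "=":
            raise ValueError("malformed parameter")
        i += 1
        if i < n and header[i] == '"':
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == "\\" and i + 1 < n:
                    i += 1  # quoted-pair: the next character is literal
                buf.append(header[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted-string")
            i += 1
            params[name] = "".join(buf)
        else:
            params[name] = read_token()


def eat_profile_from_header(header: str) -> Tuple[str, Optional[str]]:
    """(media type, eat_profile) for an EAT media type; ValueError otherwise.
    The Section 6 registrations make the parameter value case-insensitive, so it
    is lower-cased here for comparison and dispatch."""
    media_type, params = parse_content_type(header)
    if media_type not in EAT_MEDIA_TYPES:
        raise ValueError("not an EAT media type: " + media_type)
    profile = params.get("eat_profile")
    return media_type, None if profile is None else profile.lower()


def format_content_type(media_type: str, profile: Optional[str] = None) -> str:
    """Serialise for a Content-Type or Accept header: a dotted-decimal OID is a valid
    token and goes bare; a URI contains ':' and so needs the quoted-string encoding."""
    if profile is None:
        return media_type
    if _TCHAR.match(profile):
        return media_type + "; eat_profile=" + profile
    escaped = profile.replace("\\", "\\\\").replace('"', '\\"')
    return media_type + '; eat_profile="' + escaped + '"'


def dispatch(header: str, handlers: Dict[Tuple[str, Optional[str]], str]) -> str:
    """Route on (media type, profile) without touching the body; fall back to the
    base media type's handler when no profile-specific one is registered.
    Handler names stand in for real processors in this example."""
    media_type, profile = eat_profile_from_header(header)
    for key in ((media_type, profile), (media_type, None)):
        if key in handlers:
            return handlers[key]
    raise LookupError("no handler for %s with profile %r" % (media_type, profile))
```

The parser lower-cases the parameter name and, in eat_profile_from_header, the profile value as well, because the registrations in Section 6 declare the value case-insensitive; the router can therefore key its table on the normalised pair and still fall back to a base-type processor for profiles it has no dedicated handler for.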
4. Examples
The example in Figure 3 illustrates the usage of EAT media types for transporting attestation evidence as well as negotiating the acceptable format of the attestation result.
The example in Figure 4 illustrates the usage of EAT media types for transporting attestation results.
In both cases, a tag URI [TAG] identifying the profile is carried as an explicit parameter.
5. Security Considerations
Media types only provide clues to the processing application. The application must verify that the received data matches the expected format, regardless of the advertised media type, and stop further processing on failure. Failing to do so could expose the user to security risks, such as privilege escalation and cross-protocol attacks.
The security considerations of [EAT] and [UCCS] apply in full.
In particular, when using application/eat-ucs+json and application/eat-ucs+cbor the reader should review Section 3 of [UCCS], which contains a detailed discussion about the characteristics of a "Secure Channel" for conveyance of such messages.
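The following Python, added here as an illustration rather than taken from the draft or any EAT implementation, shows the check Section 5 calls for at an API front end: the advertised EAT media type is treated as a hint, the body's outer structure is confirmed against it before anything is dispatched, and for a JWT the in-band eat_profile claim is compared with the eat_profile parameter of Section 3. The structural expectations (CWT tag 61 and COSE tags 18/17/16 over a COSE array, UCCS tag 601 over a claims-set map, a three-segment compact JWS) are assumptions drawn from RFC 8392, RFC 9052 and the UCCS draft; the Detached EAT Bundle types are left out, and the sample bodies are constructed, not real tokens.

```python
import base64
import json
from typing import Optional, Tuple

# Added example, not code from the draft: treat the advertised EAT media type as
# a hint and confirm the body's outer structure before dispatching (Section 5).
# Assumed wire shapes: a CWT is a COSE array, optionally under CWT tag 61 and/or
# COSE tag 18/17/16 (RFC 8392, RFC 9052); a UCCS is a claims-set map, optionally
# under tag 601 (UCCS draft); a JWT is a three-segment compact JWS.
_CWT_TAGS = {61, 18, 17, 16}
_UCCS_TAG = 601


def _cbor_head(body: bytes) -> Optional[Tuple[int, int, int]]:
    """One CBOR item head as (major type, argument, bytes consumed); None if malformed."""
    if not body:
        return None
    major, ai = body[0] >> 5, body[0] & 0x1F
    if ai < 24:
        return major, ai, 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None or len(body) < 1 + width:
        return None  # reserved additional-info value, or truncated argument
    return major, int.from_bytes(body[1:1 + width], "big"), 1 + width


def _cbor_shape(body: bytes) -> Optional[Tuple[Tuple[int, ...], int]]:
    """Peel up to two enclosing tags; return (tags, major type of the wrapped item)."""
    tags, offset = [], 0
    for _ in range(3):
        head = _cbor_head(body[offset:])
        if head is None:
            return None
        major, arg, used = head
        if major != 6:
            return tuple(tags), major
        tags.append(arg)
        offset += used
    return None  # deeper tag nesting than any EAT wire format uses


def _b64url_json(segment: bytes):
    """Decode a base64url JWT segment as JSON, or None if it is not one."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4)))
    except ValueError:
        return None


def jwt_profile_claim(body: bytes) -> Optional[str]:
    """In-band eat_profile claim of a JWT, read without signature verification:
    good only for the consistency check below, never as trusted data."""
    parts = body.split(b".")
    claims = _b64url_json(parts[1]) if len(parts) == 3 else None
    value = claims.get("eat_profile") if isinstance(claims, dict) else None
    return value if isinstance(value, str) else None


def payload_matches_media_type(media_type: str, body: bytes) -> bool:
    """True only when the body's outer structure is what the media type implies."""
    mt = media_type.lower()
    if mt in ("application/eat+cwt", "application/eat-ucs+cbor"):
        shape = _cbor_shape(body)
        if shape is None:
            return False
        tags, major = shape
        if mt == "application/eat+cwt":
            return major == 4 and all(t in _CWT_TAGS for t in tags)
        return major == 5 and tags in ((), (_UCCS_TAG,))
    if mt == "application/eat+jwt":
        parts = body.split(b".")
        header = _b64url_json(parts[0]) if len(parts) == 3 else None
        return isinstance(header, dict) and "alg" in header
    if mt == "application/eat-ucs+json":
        try:
            return isinstance(json.loads(body), dict)
        except ValueError:
            return False
    return False  # bundle types are outside this example; anything else is not EAT


def accept_eat_payload(media_type: str, profile_param: Optional[str], body: bytes) -> Tuple[bool, str]:
    """Gate run before any profile-specific processor: stop on a shape mismatch, and
    for a JWT stop when the eat_profile parameter disagrees with the in-band claim
    (compared case-insensitively, as the Section 6 registrations specify)."""
    if not payload_matches_media_type(media_type, body):
        return False, "body does not have the structure implied by " + media_type
    if media_type.lower() == "application/eat+jwt" and profile_param is not None:
        claim = jwt_profile_claim(body)
        if claim is not None and claim.lower() != profile_param.lower():
            return False, "eat_profile parameter disagrees with the in-band eat_profile claim"
    return True, "ok"


# Constructed sample bodies (not real tokens): CWT shape = tag 61, tag 18, 4-element
# COSE_Sign1 array; UCCS shape = tag 601 over a one-entry map; JWT with a dummy signature.
SAMPLE_CWT = bytes.fromhex("d83d d2 84 43a10126 a0 40 40")
SAMPLE_UCCS = bytes.fromhex("d90259 a1 01 63616263")
SAMPLE_JWT = b".".join(
    base64.urlsafe_b64encode(s).rstrip(b"=")
    for s in (b'{"alg":"ES256"}', b'{"eat_profile":"tag:evidence.example,2022"}', b"dummy-sig")
)
```

A failed check ends processing with an error such as HTTP 415 rather than falling back to sniffing the body for some other format. The check is deliberately structural and cheap; signature verification and claim validation still follow for payloads that pass it, and the unverified claim read by jwt_profile_claim is used only to detect a disagreement with the advertised parameter.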
6. IANA Considerations
RFC Editor: please replace RFCthis with this RFC number and remove this note.
6.1. +cwt Structured Syntax Suffix
IANA is requested to register the +cwt structured syntax suffix in the "Structured Syntax Suffixes" registry [IANA.media-type-structured-suffix] in the manner described in [MediaTypes], which can be used to indicate that the media type is encoded as a CWT.
6.1.1. Registry Contents
- Name: CBOR Web Token (CWT)
- +suffix: +cwt
- References:
- Encoding Considerations: binary
- Interoperability Considerations: N/A
- Fragment Identifier Considerations: The syntax and semantics of fragment identifiers specified for +cwt SHOULD be as specified for application/cwt. (At publication of this document, there is no fragment identification syntax defined for application/cwt.)
- Security Considerations:
- Contact: RATS WG mailing list (rats@ietf.org), or IETF Security Area (saag@ietf.org)
- Author/Change Controller: Remote ATtestation ProcedureS (RATS) Working Group. The IETF has change control over this registration.
6.2. Media Types
IANA is requested to add the following media types to the "Media Types" registry [IANA.media-types].

| Name | Template | Reference |
|---|---|---|
| EAT CWT | application/eat+cwt | RFCthis, Section 6.3 |
| EAT JWT | application/eat+jwt | RFCthis, Section 6.4 |
| Detached EAT Bundle CBOR | application/eat-bun+cbor | RFCthis, Section 6.5 |
| Detached EAT Bundle JSON | application/eat-bun+json | RFCthis, Section 6.6 |
| EAT UCCS | application/eat-ucs+cbor | RFCthis, Section 6.7 |
| EAT UJCS | application/eat-ucs+json | RFCthis, Section 6.8 |
6.3. application/eat+cwt Registration
- Type name: application
- Subtype name: eat+cwt
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations: binary
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.4. application/eat+jwt Registration
- Type name: application
- Subtype name: eat+jwt
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations: 8bit
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.5. application/eat-bun+cbor Registration
- Type name: application
- Subtype name: eat-bun+cbor
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations: binary
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.6. application/eat-bun+json Registration
- Type name: application
- Subtype name: eat-bun+json
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations:
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.7. application/eat-ucs+cbor Registration
- Type name: application
- Subtype name: eat-ucs+cbor
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations: binary
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.8. application/eat-ucs+json Registration
- Type name: application
- Subtype name: eat-ucs+json
- Required parameters: n/a
- Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case-insensitive.)
- Encoding considerations:
- Security considerations:
- Interoperability considerations: n/a
- Published specification: RFCthis
- Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
- Fragment identifier considerations: n/a
- Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
- Intended usage: COMMON
- Restrictions on usage: none
- Author/Change controller: IETF
- Provisional registration: no
6.9. CoAP Content-Format Registrations
IANA is requested to register the following Content-Format numbers in the "CoAP Content-Formats" sub-registry, within the "Constrained RESTful Environments (CoRE) Parameters" Registry [IANA.core-parameters]:

| Content-Type | Content Coding | ID | Reference |
|---|---|---|---|
| application/eat+cwt | - | TBD1 | RFCthis |
| application/eat+jwt | - | TBD2 | RFCthis |
| application/eat-bun+cbor | - | TBD3 | RFCthis |
| application/eat-bun+json | - | TBD4 | RFCthis |
| application/eat-ucs+cbor | - | TBD5 | RFCthis |
| application/eat-ucs+json | - | TBD6 | RFCthis |

TBD1..6 are to be assigned from the space 256..9999.
8. References
8.1. Normative References
- [BCP225] Best Current Practice 225, <https://www.rfc-editor.org/info/bcp225>. At the time of writing, this BCP comprises the following: Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, <https://www.rfc-editor.org/info/rfc8725>.
- [CWT] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, <https://www.rfc-editor.org/rfc/rfc8392>.
- [EAT] Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", Work in Progress, Internet-Draft, draft-ietf-rats-eat-31, <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-31>.
- [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, <https://www.rfc-editor.org/rfc/rfc9110>.
- [IANA.core-parameters] IANA, "Constrained RESTful Environments (CoRE) Parameters", <https://www.iana.org/assignments/core-parameters>.
- [IANA.media-type-structured-suffix] IANA, "Structured Syntax Suffixes", <https://www.iana.org/assignments/media-type-structured-suffix>.
- [IANA.media-types] IANA, "Media Types", <https://www.iana.org/assignments/media-types>.
- [JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, <https://www.rfc-editor.org/rfc/rfc8259>.
- [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, <https://www.rfc-editor.org/rfc/rfc7519>.
- [MediaTypes] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, <https://www.rfc-editor.org/rfc/rfc6838>.
- [UCCS] Birkholz, H., O'Donoghue, J., Cam-Winget, N., and C. Bormann, "A CBOR Tag for Unprotected CWT Claims Sets", Work in Progress, Internet-Draft, draft-ietf-rats-uccs-12, <https://datatracker.ietf.org/doc/html/draft-ietf-rats-uccs-12>.
- [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, <https://www.rfc-editor.org/rfc/rfc3986>.
8.2. Informative References
- [BUILD-W-HTTP] Best Current Practice 56, <https://www.rfc-editor.org/info/bcp56>. At the time of writing, this BCP comprises the following: Nottingham, M., "Building Protocols with HTTP", BCP 56, RFC 9205, DOI 10.17487/RFC9205, <https://www.rfc-editor.org/info/rfc9205>.
- [RATS-Arch] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", RFC 9334, DOI 10.17487/RFC9334, <https://www.rfc-editor.org/rfc/rfc9334>.
- [REST-IoT] Keränen, A., Kovatsch, M., and K. Hartke, "Guidance on RESTful Design for Internet of Things Systems", Work in Progress, Internet-Draft, draft-irtf-t2trg-rest-iot-15, <https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-rest-iot-15>.
- [TAG] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", RFC 4151, DOI 10.17487/RFC4151, <https://www.rfc-editor.org/rfc/rfc4151>.
Acknowledgments
Thank you Carl Wallace, Carsten Bormann, Dave Thaler, Deb Cooley, Éric Vyncke, Francesca Palombini, Jouni Korhonen, Kathleen Moriarty, Michael Richardson, Murray Kucherawy, Orie Steele, Paul Howard, Roman Danyliw and Tim Hollebeek for your comments and suggestions.