Skip to main content

Last Call Review of draft-ietf-cose-cwt-claims-in-headers-06

Request Review of draft-ietf-cose-cwt-claims-in-headers
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2023-10-20
Requested 2023-10-06
Authors Tobias Looker , Michael B. Jones
I-D last updated 2023-10-17
Completed reviews Artart Last Call review of -06 by Claudio Allocchio (diff)
Opsdir Last Call review of -07 by Gyan Mishra (diff)
Genart Last Call review of -06 by Ines Robles (diff)
Secdir Last Call review of -06 by Peter E. Yee (diff)
Iotdir Telechat review of -07 by Hannes Tschofenig (diff)
Assignment Reviewer Ines Robles
State Completed
Request Last Call review on draft-ietf-cose-cwt-claims-in-headers by General Area Review Team (Gen-ART) Assigned
Posted at
Reviewed revision 06 (document currently at 10)
Result Ready w/issues
Completed 2023-10-17
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at


Document: draft-ietf-cose-cwt-claims-in-headers-06
Reviewer: Ines Robles
Review Date: 2023-10-17
IETF LC End Date: 2023-10-20
IESG Telechat date: Not scheduled for a telechat


This document describes how to include CBOR Web Token (CWT) claims in the
header parameters of any COSE structure.

The document is well written, I have minor issues, nits indicated below.

Major issues: None

Minor issues:

1- Section 3: "Some of the registered CWT claims may contain privacy-sensitive
information. Therefore care must be taken when expressing CWT claims in COSE
headers." --> What kind of care?, there is some specific guidelines to follow?
could you add an example? or add some reference?

2- Section 4:

Detached Signatures: The security section does not delve into the security
considerations of using detached signatures. Since detached signatures are one
focus of the functionality, it might be helpful to discuss the security
implications specific to them.

Claims in Headers: Considering that some claims can be available before
decryption or without inspecting the payload, perhaps it would be nice to
discuss the risks associated with exposing claims in this manner, or add

Data Consistency: Is there a security angle to ensuring that claims present
both in the payload and header are identical, beyond just verification?.

It seems that these items are not included in the security considerations of
RFC 8392, What do you think?

Nits/editorial comments:

3- It would be nice to expand JWT the first time of use -> JSON Web Token (JWT)

4- It would be nice to have a caption for Table 1

5- Table 1: "TBD (requested assignment 13)", the 13 was assigned to kcwt, so
maybe suggest another value?

Thanks for this document,