Thanks for the quick replies.

Here is a more "spanning example", to highlight the achievable (and aligned with RFC8725) layering with JOSE...

Then we can discuss how COSE should look different, if the BCP guidance would transfer or not...
GET /example/token/123 --accept application/jose
... https://www.iana.org/assignments/media-types/application/jose

Response content type header is "application/jose", per the accept header; the response body is a JWT (encoded as a string)...

base64url(JSON.stringify(header)).base64url(JSON.stringify(payload)).base64url(signature)

In the decoded header, we see:

typ: secevent+jwt
... https://www.iana.org/assignments/media-types/application/secevent+jwt

cty: application/json (redundant because the JWT claim set is always JSON, but preserved here to make a point)
... https://www.rfc-editor.org/rfc/rfc8417.html#section-2.2

^ in the example above, the `cty` is less interesting than if it were to use a suffix of +json, like:
https://www.iana.org/assignments/media-types/application/vnd.tableschema+json

Consider something similar for COSE; this is what I would expect:

GET /example/token/123 --accept application/cose
... https://www.iana.org/assignments/media-types/application/cose

Response content type header is "application/cose", per the accept header; the response body is a CWT.

In the decoded protected header, we see:

typ: swid+cwt
... (no suffix exists for +cwt yet)
... No example of an explicitly typed CWT is possible.

cty: application/swid+cbor (for example...)
... https://www.iana.org/assignments/media-types/application/swid+cbor

typ is for the "type of token" (saying JWT or CWT is less helpful than using a specific subtype that relies on the +jwt or +cwt suffix).

cty is for the "type of payload" (saying JSON or CBOR is less helpful than using a specific subtype that relies on the +json or +cbor suffix).

Per the JWT BCP, we want to explicitly type the tokens to avoid confusion:

> Use explicit typing for different kinds of JWTs. Then the distinct "typ" values can be used to differentiate between the different kinds of JWTs.
- https://datatracker.ietf.org/doc/html/rfc8725#name-use-mutually-exclusive-vali

In COSE, we have no way to follow the guidance above, because there is no registered tag for `typ`.

Regards,

OS

On Wed, Mar 15, 2023 at 7:39 AM Carsten Bormann <c...@tzi.org> wrote:

> On 2023-03-15, at 13:33, Carsten Bormann <c...@tzi.org> wrote:
>
> > RFC9277?
>
> Maybe:
>
> Content-format-spec = Content-format-number / Content-format-string
> Content-format-number = 0..65535 ; RFC 7252: CoAP Content-Formats registry
> Content-format-string = text .abnf ("Content-Format-String" .det rfc9131)
>
> rfc9131 = '
> (Copy Figure 5 of RFC 9131 here)
> '
>
> would fit a CWT header better.
>
> Grüße, Carsten
>

--
ORIE STEELE
Chief Technical Officer
www.transmute.industries <https://www.transmute.industries>
_______________________________________________ COSE mailing list COSE@ietf.org https://www.ietf.org/mailman/listinfo/cose