CBOR Object Signing and Encryption                          G. D. Marco
Internet-Draft                                              independent
Intended status: Standards Track                             J. Bradley
Expires: 8 August 2024                                           Yubico
                                                        5 February 2024


  COSE Header Parameter for Carrying OpenID Federation 1.0 Trust Chains
            draft-demarco-cose-header-federation-trust-chain-01

Abstract

   The CBOR Object Signing and Encryption (COSE) [RFC9053] message
   structure uses message headers to give references to elements that
   are needed for the security and verifiability of the message, such
   as algorithms and keys.  OpenID Federation 1.0 [OIDC-FED] is a
   general purpose attestation mechanism to obtain verifiable metadata
   and cryptographic keys.  This document defines a new COSE header
   parameter to identify and transport an OpenID Federation 1.0 Trust
   Chain.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-demarco-cose-header-federation-trust-chain/.

   Discussion of this document takes place on the CBOR Object Signing
   and Encryption Working Group mailing list (mailto:cose@ietf.org),
   which is archived at https://mailarchive.ietf.org/arch/browse/cose/.
   Subscribe at https://www.ietf.org/mailman/listinfo/cose/.

   Source for this draft and an issue tracker can be found at
   https://github.com/peppelinux/draft-demarco-cose-header-federation-trust-chain.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

Marco & Bradley          Expires 8 August 2024                  [Page 1]

Internet-Draft              COSE Trust Chains              February 2024

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  Terminology
   4.  Audience Target audience/Usage
   5.  Scope
     5.1.  Out of Scope
   6.  Terminology
   7.  The Scope of Trust Chain COSE Header Parameter
   8.  Requirements
   9.  Trust Chain COSE Header Parameter
   10. IANA Considerations
   11. Normative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   The Internet Standards [RFC8152] and [RFC9052] define how to
   transport symmetric keys in the COSE headers, and are extended by
   [RFC9360] to transport X.509 certificates for the identification and
   cryptographic key attestation of a third party.

   There are cases where obtaining proof of a third party's identity
   through key attestation and cryptographic signature verification is
   not enough: cases where the solution requirements include
   attestation of metadata, proofs of compliance and policies.  In
   these cases it would be necessary to extend X.509 certificates with
   the policies, metadata and other information required by the
   interoperability schemes or by a trust framework.

   OpenID Federation 1.0 [OIDC-FED] allows the exchange of metadata,
   roles, trust marks, policies and public keys in a secure way.  It
   also allows the construction of a trust infrastructure in which even
   X.509 certificates can be published within the Entity Statements
   that make up the federation Trust Chain.  This flexibility allows an
   infrastructure based on OpenID Federation 1.0 to guarantee the
   security of the solutions, the historical verifiability of the
   signatures, and the revocation mechanisms without requiring CRL or
   OCSP, which X.509 would otherwise require.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Terminology

   The terms Trust Anchor, Intermediate, Trust Chain and Entity
   Statement are defined in [OIDC-FED] and used in this specification.

4.  Audience Target audience/Usage

   The audience of this document is implementers that require a high
   level of security for the exchange of metadata, cryptographic keys
   and policies.
5.  Scope

   This specification defines how an [OIDC-FED] Trust Chain is made
   available within the COSE headers.

5.1.  Out of Scope

   The following items are out of scope for the current version of this
   document:

   *  X.509 publication over an [OIDC-FED] infrastructure; this can be
      achieved using the x5c or x5u parameters as defined in [RFC7517].

   *  Metadata schemas; OpenID Federation allows the definition of
      custom metadata schemas even for entities not belonging to OAuth
      2.0 and OpenID ecosystems.

6.  Terminology

   This specification uses the terms "Trust Chain", "Trust Anchor",
   "Intermediate", "Trust Mark" and "Entity Statement" as defined in
   [OIDC-FED].

7.  The Scope of Trust Chain COSE Header Parameter

   The use of an OpenID Federation Trust Chain enables a trust
   infrastructure with the full suite of Trust Anchors, Intermediates,
   status and revocation checking, Trust Marks and metadata policies
   defined in [OIDC-FED].  The Concise Binary Object Representation
   (CBOR) key structures [RFC8949] and the Header Parameters for
   Carrying and Referencing X.509 Certificates [RFC9360] currently
   defined in COSE do not support all the properties made available in
   [OIDC-FED].

8.  Requirements

   If the application cannot establish trust in the cryptographic keys
   or metadata made available and verified within the Trust Chain, the
   public key and the metadata MUST NOT be used.

   When the Trust Chain parameter is used, the kid parameter defined in
   [RFC9052] MUST be used.  kid allows efficient matching of the key to
   be used for signature verification.

9.  Trust Chain COSE Header Parameter

   The header parameter defined is trustchain, described below:

   trustchain:  This header parameter contains an ordered array of
      strings, representing federation Entity Statements encoded as
      signed JSON Web Tokens [RFC7519].
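   As an added worked example (not part of this draft and not code from
   any OpenID Federation or COSE implementation), the following Python
   builds a COSE protected header that carries the trustchain parameter
   under label 27 from Table 1 next to kid, then parses it and applies
   the checks of Section 8 before anything in the chain may be relied
   upon.  The CBOR codec covers only the subset these headers need.
   Everything federation-specific is constructed: the entity
   identifiers, the three Entity Statements (compact JWS with a
   placeholder signature), and the chain-linking rule (the leaf's
   self-issued Entity Configuration first, each later statement about
   the previous statement's issuer, ending at a configured Trust
   Anchor) are this example's reading of [OIDC-FED], not text from the
   draft; JWS signature verification is omitted for the same reason.

```python
# Added example, not from the draft: build and check a COSE protected header carrying a Trust Chain.
import base64, json
TRUSTCHAIN_LABEL = 27  # Table 1 of the draft
KID_LABEL = 4          # "kid" common header parameter, RFC 9052

def _head(major, n):
    # CBOR initial bytes for a major type and an argument up to 32 bits.
    if n < 24:
        return bytes([(major << 5) | n])
    width = 1 if n < 0x100 else 2 if n < 0x10000 else 4
    return bytes([(major << 5) | 23 + width.bit_length()]) + n.to_bytes(width, "big")

def cbor_encode(obj):
    # Encode the CBOR subset a COSE protected header needs: int, bstr, array, map.
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(map(cbor_encode, obj))
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError("unsupported type %s" % type(obj).__name__)

def cbor_decode(data):
    # Decode that subset plus tstr, strictly: truncation, trailing bytes and duplicate keys are errors.
    def take(pos, width):
        if pos + width > len(data):
            raise ValueError("truncated CBOR")
        return data[pos:pos + width], pos + width
    def item(pos):
        first, pos = take(pos, 1)
        major, info = first[0] >> 5, first[0] & 0x1F
        n = info
        if 24 <= info <= 26:
            raw, pos = take(pos, 1 << (info - 24))
            n = int.from_bytes(raw, "big")
        elif info > 26:
            raise ValueError("unsupported additional info %d" % info)
        if major in (0, 1):
            return (n if major == 0 else -1 - n), pos
        if major in (2, 3):
            raw, pos = take(pos, n)
            return (raw if major == 2 else raw.decode()), pos
        if major in (4, 5):
            out = [] if major == 4 else {}
            for _ in range(n):
                key, pos = item(pos)
                if major == 4:
                    out.append(key)
                elif key in out:
                    raise ValueError("duplicate map key")
                else:
                    out[key], pos = item(pos)
            return out, pos
        raise ValueError("unsupported major type %d" % major)
    value, end = item(0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value

def make_statement(iss, sub):
    # Constructed Entity Statement in JWS compact form with a placeholder signature (test data only).
    b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "ES256", "typ": "entity-statement+jwt"}).encode())
    payload = b64url(json.dumps({"iss": iss, "sub": sub}).encode())
    return "%s.%s.%s" % (header, payload, b64url(b"placeholder-signature"))

LEAF, INTERMEDIATE, ANCHOR = "https://leaf.example", "https://int.example", "https://ta.example"
CONSTRUCTED_CHAIN = [
    make_statement(LEAF, LEAF),            # constructed leaf Entity Configuration (self-issued)
    make_statement(INTERMEDIATE, LEAF),    # constructed subordinate statement about the leaf
    make_statement(ANCHOR, INTERMEDIATE),  # constructed subordinate statement about the intermediate
]

def build_protected_header(kid, chain):
    # alg (label 1, ES256 = -7), kid, and the trustchain array of bstr, one signed JWT per bstr.
    return cbor_encode({1: -7, KID_LABEL: kid, TRUSTCHAIN_LABEL: [s.encode() for s in chain]})

def extract_trust_chain(protected_header, trust_anchors):
    # Section 8: kid MUST accompany trustchain, and when trust cannot be established the
    # keys and metadata MUST NOT be used. Returns (kid, list of statement claims).
    hdr = cbor_decode(protected_header)
    if not isinstance(hdr, dict) or KID_LABEL not in hdr:
        raise ValueError("trustchain requires kid (Section 8)")
    chain = hdr.get(TRUSTCHAIN_LABEL)
    if not isinstance(chain, list) or not chain or not all(isinstance(s, bytes) for s in chain):
        raise ValueError("trustchain MUST be a non-empty array of bstr")
    claims = []
    for raw in chain:
        parts = raw.decode().split(".")
        if len(parts) != 3:
            raise ValueError("chain entry is not a compact JWS")
        claims.append(json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))))
    # Chain linking as this example reads [OIDC-FED] (an assumption): leaf Entity Configuration first,
    # each later statement about the previous issuer, ending at a configured Trust Anchor. JWS
    # signature verification per [OIDC-FED] is omitted because the statements are constructed.
    if claims[0]["iss"] != claims[0]["sub"] or claims[-1]["iss"] not in trust_anchors or any(
            cur["sub"] != prev["iss"] for prev, cur in zip(claims, claims[1:])):
        raise ValueError("trust not established: keys and metadata MUST NOT be used")
    return hdr[KID_LABEL], claims
```

   A relying party would call extract_trust_chain with the received
   protected header and its own set of configured Trust Anchor entity
   identifiers; the kid it returns is what selects, among the keys the
   validated chain publishes, the one to verify the COSE signature with.
   The decoder deliberately rejects duplicate map keys and trailing
   bytes, since a lenient parser would let two encodings of one header
   disagree about which kid or trustchain was meant.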
   How the Entity Statements are ordered is defined in [OIDC-FED].  The
   trust mechanism used to process any Entity Statement is defined in
   [OIDC-FED].

   The header parameter can be used in the following locations:

   COSE_Signature and COSE_Sign1 objects:  In these objects, the
      parameter identifies the Trust Chain to be used for obtaining the
      key needed for validating the signature, any metadata needed for
      interoperability purposes, any metadata policy and any Trust
      Marks required for administrative and technical compliance.

   The labels assigned to the header parameter can be found in Table 1.

   +=============+=======+=================+=====================+
   | Name        | Label | Value Type      | Description         |
   +=============+=======+=================+=====================+
   | trustchain  | 27    | COSE_TRUSTCHAIN | OpenID              |
   |             |       |                 | Federation 1.0      |
   |             |       |                 | Trust Chain         |
   +-------------+-------+-----------------+---------------------+

               Table 1: TRUST CHAIN COSE Header Parameters

   Below is an equivalent Concise Data Definition Language (CDDL)
   description (see [RFC8610]) of the text above.

   COSE_TRUSTCHAIN = [ N * jws: bstr ]

   The variable N represents the number of Entity Statements that a
   Trust Chain contains.  The contents of "bstr" are the bytes
   representing a signed JWT.

10.  IANA Considerations

   TBD

11.  Normative References

   [OIDC-FED] Hedberg, R., Jones, M. B., Solberg, A. Å., Bradley, J.,
              De Marco, G., and V. Dzhuvinov, "OpenID Federation 1.0",
              n.d.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/info/rfc7517>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017,
              <https://www.rfc-editor.org/info/rfc8152>.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", STD 94, RFC 8949,
              DOI 10.17487/RFC8949, December 2020,
              <https://www.rfc-editor.org/info/rfc8949>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/info/rfc9052>.

   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/info/rfc9053>.

   [RFC9360]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Header Parameters for Carrying and Referencing X.509
              Certificates", RFC 9360, DOI 10.17487/RFC9360,
              February 2023, <https://www.rfc-editor.org/info/rfc9360>.

Acknowledgments

   TBD

Authors' Addresses

   Giuseppe De Marco
   independent
   Email: demarcog83@gmail.com

   John Bradley
   Yubico
   Email: ve7jtb@ve7jtb.com