CBOR Web Token (CWT) draft addressing shepherd review comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:

  • Updated the RFC 5226 reference to RFC 8126.
  • Made the IANA registration criteria consistent across sections.
  • Stated that registrations for the limited set of values between -256 and 255 and strings of length 1 are to be restricted to claims with general applicability.
  • Changed the “Reference” field name to “Description of Semantics” in the CBOR Tag registration request.
  • Asked the RFC Editor whether it is possible to preserve the non-ASCII spellings of the names Erik Wahlström and Göran Selander in the final specification.

Thanks to Ben for his careful review of the specification!

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) draft correcting an example

IETF logoA new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:

  • Corrected the “iv” value in the signed and encrypted CWT example.
  • Mention CoAP in the application/cwt media type registration.
  • Changed references of the form “Section 4.1.1 of JWT <xref target="RFC7519"/>” to “Section 4.1.1 of <xref target="RFC7519"/>” so that rfcmarkup will generate correct external section reference links.
  • Updated Acknowledgements.

Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) addressing 2nd WGLC comments

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.

The specification is available at:

An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec using CBOR diagnostic notation

IETF logoDraft -01 of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification updates the examples to use CBOR diagnostic notation, thanks to Ludwig Seitz. A table summarizing the “cnf” names, keys, and value types was added, thanks to Samuel Erdtman. Finally, some of Jim Schaad’s feedback on -00 was addressed (with more to be addressed by the opening of IETF 100 in Singapore).

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) specification adding CBOR_Key values and Key IDs to examples

IETF logoA new CBOR Web Token (CWT) draft has been published that adds CBOR_Key values and Key IDs to examples. Thanks to Samuel Erdtman for working on the examples, as always. Thanks to Giridhar Mandyam for validating the examples!

I believe that it’s time to request publication, as there remain no known issues with the specification.

The specification is available at:

An HTML-formatted version is also available at:

Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

IETF logoThe initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.

I look forward to working with my co-authors and the working group to hopefully complete this quickly!

The specification is available at:

An HTML-formatted version is also available at:

“Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” is now RFC 8230

IETF logoThe “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:

The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.

Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.

Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!

CBOR Web Token (CWT) specification addressing all known issues

IETF logoA new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!

This addresses all known issues with the specification. I believe that it is now time to request publication.

The specification is available at:

An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were:
  • Tracked CBOR Web Token (CWT) Claims Registry updates.
  • Addressed review comments by Michael Richardson and Jim Schaad.
  • Added co-authors Ludwig Seitz, Göran Selander, Erik Wahlström, Samuel Erdtman, and Hannes Tschofenig.
Thanks for the feedback received to date! The specification is available at: An HTML-formatted version is also available at:

“Using RSA Algorithms with COSE Messages” specification addressing IETF last call feedback

IETF logoA new version of the “Using RSA Algorithms with COSE Messages” specification has been published that addresses the IETF last call feedback received. Additional security considerations were added and the IANA Considerations instructions were made more precise. Thanks to Roni Even and Steve Kent for their useful reviews! The specification is available at: An HTML-formatted version is also available at:

CBOR Web Token (CWT) specification addressing WGLC feedback

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses the Working Group Last Call (WGLC) feedback received. Changes were:
  • Say that CWT is derived from JWT, rather than CWT is a profile of JWT.
  • Used CBOR type names in descriptions, rather than major/minor type numbers.
  • Clarified the NumericDate and StringOrURI descriptions.
  • Changed to allow CWT claim names to use values of any legal CBOR map key type.
  • Changed to use the CWT tag to identify nested CWTs instead of the CWT content type.
  • Added an example using a floating-point date value.
  • Acknowledged reviewers.
Thanks to Samuel Erdtman for doing the majority of the editing for this draft. As always, people are highly encouraged to validate the examples. The specification is available at: An HTML-formatted version is also available at:

Clarified Security Considerations in Using RSA Algorithms with COSE Messages

IETF logoA slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. Changes were:
  • Clarified the Security Considerations in ways suggested by Kathleen Moriarty.
  • Acknowledged reviewers.
The specification is available at: An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

IETF logoWith the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800, “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, so that applications using CWTs will have a standard representation for proof-of-possession keys. I know that PoP keys are important to ACE applications, for instance. I therefore took RFC 7800 and produced the CBOR/CWT equivalent of it. The specification is available at: An HTML-formatted version is also available at:

CBOR Web Token (CWT) specification correcting inconsistencies in examples

IETF logoA revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated examples. The specification is available at: An HTML-formatted version is also available at:

Cleaner version of Using RSA Algorithms with COSE Messages specification

IETF logoI’ve published an updated version of the “Using RSA Algorithms with COSE Messages” specification with a number of editorial improvements. Changes were:

  • Reorganized the security considerations.
  • Flattened the section structure.
  • Applied wording improvements suggested by Jim Schaad.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) with better examples and a CBOR tag

IETF logoA new CBOR Web Token (CWT) draft is available with completely rewritten and much more useful examples, thanks to Samuel Erdtman. There are now examples of signed, MACed, encrypted, and nested CWTs that use all of the defined claims (and no claims not yet defined). A CBOR tag for CWTs is now also defined. People are highly encouraged to review the new examples and validate them. The specification is available at: An HTML-formatted version is also available at:

Media Type registration added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now registers the “application/cwt” media type, which accompanies the existing CoAP Content-Format ID registration for this media type. The description of nested CWTs, which uses this content type, was clarified. This draft also corrected some nits identified by Ludwig Seitz. The specification is available at: An HTML-formatted version is also available at:

Using RSA Algorithms with COSE Messages

IETF logoThe specification Using RSA Algorithms with COSE Messages defines encodings for using RSA algorithms with CBOR Object Signing and Encryption (COSE) messages. This supports use cases for the FIDO Alliance and others that need this functionality. Security Area Director Kathleen Moriarty has agreed to AD sponsorship of this specification. This specification incorporates text from draft-ietf-cose-msg-05 – the last COSE specification version before the RSA algorithms were removed. The specification is available at: An HTML-formatted version is also available at: Review feedback is welcomed!

IANA Considerations added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now establishes the IANA CWT Claims registry and registers the CWT claims defined by the specification. The application/cwt CoAP content type is now also registered. This version adds Samuel Erdtman as an editor in recognition of his already significant contributions to the specification. The specification is available at: An HTML-formatted version is also available at: