rfc9679xml2.original.xml | rfc9679.xml | |||
---|---|---|---|---|
<?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="utf-8"?> | |||
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.17 (Ruby 3. | ||||
0.2) --> | ||||
<!DOCTYPE rfc [ | <!-- pre-edited by ST 09/16/24 --> | |||
<!-- formatted by ST 10/07/24 --> | ||||
<!-- reference review by TH 10/07/24 --> | ||||
<!DOCTYPE rfc [ | ||||
<!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
<!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
<!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
]> | ]> | |||
<?rfc rfcedstyle="yes"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
<?rfc tocindent="yes"?> | -ietf-cose-key-thumbprint-06" number="9679" updates="" obsoletes="" submissionTy | |||
<?rfc strict="yes"?> | pe="IETF" category="std" consensus="true" tocInclude="true" sortRefs="true" symR | |||
<?rfc comments="yes"?> | efs="true" version="3" xml:lang="en" > | |||
<?rfc inline="yes"?> | ||||
<?rfc text-list-symbols="-o*+"?> | ||||
<?rfc docmapping="yes"?> | ||||
<rfc ipr="trust200902" docName="draft-ietf-cose-key-thumbprint-06" category="std " consensus="true" tocInclude="true" sortRefs="true" symRefs="true"> | ||||
<front> | <front> | |||
<title abbrev="COSE Key Thumbprint">CBOR Object Signing and Encryption (COSE ) Key Thumbprint</title> | <title abbrev="COSE Key Thumbprint">CBOR Object Signing and Encryption (COSE ) Key Thumbprint</title> | |||
<seriesInfo name="RFC" value="9679"/> | ||||
<author initials="K." surname="Isobe" fullname="Kohei Isobe"> | <author initials="K." surname="Isobe" fullname="Kohei Isobe"> | |||
<organization>SECOM CO., LTD.</organization> | <organization>SECOM CO., LTD.</organization> | |||
<address> | <address> | |||
<email>isobekohei@gmail.com</email> | <email>isobekohei@gmail.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig"> | <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig"> | |||
<organization abbrev="H-BRS">University of Applied Sciences Bonn-Rhein-Sie g</organization> | <organization abbrev="H-BRS">University of Applied Sciences Bonn-Rhein-Sie g</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<country>Germany</country> | <country>Germany</country> | |||
</postal> | </postal> | |||
<email>hannes.tschofenig@gmx.net</email> | <email>hannes.tschofenig@gmx.net</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="O." surname="Steele" fullname="Orie Steele"> | <author initials="O." surname="Steele" fullname="Orie Steele"> | |||
<organization>Transmute</organization> | <organization>Transmute</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<country>United States</country> | <country>United States of America</country> | |||
</postal> | </postal> | |||
<email>orie@transmute.industries</email> | <email>orie@transmute.industries</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<date year="2024" month="October"/> | ||||
<area>SEC</area> | ||||
<workgroup>cose</workgroup> | ||||
<date year="2024" month="September" day="06"/> | <!-- [rfced] Please insert any keywords (beyond those that appear in | |||
the title) for use on https://www.rfc-editor.org/search. --> | ||||
<area>Security</area> | ||||
<workgroup>COSE</workgroup> | ||||
<keyword>Internet-Draft</keyword> | ||||
<abstract> | <abstract> | |||
<?line 69?> | ||||
<t>This specification defines a method for computing a hash value over a CBOR | <t>This specification defines a method for computing a hash value over a CBOR | |||
Object Signing and Encryption (COSE) Key. It specifies which fields within | Object Signing and Encryption (COSE) Key. It specifies which fields within | |||
the COSE Key structure are included in the cryptographic hash computation, | the COSE Key structure are included in the cryptographic hash computation, | |||
the process for creating a canonical representation of these fields, and how | the process for creating a canonical representation of these fields, and how | |||
to hash the resulting byte sequence. The resulting hash value, referred to | to hash the resulting byte sequence. The resulting hash value, referred to | |||
as a "thumbprint," can be used to identify or select the corresponding key.</t> | as a "thumbprint", can be used to identify or select the corresponding key.</t> | |||
</abstract> | </abstract> | |||
</front> | </front> | |||
<middle> | <middle> | |||
<?line 78?> | <section anchor="introduction"> | |||
<name>Introduction</name> | ||||
<section anchor="introduction"><name>Introduction</name> | <t>This specification defines a method for applying a cryptographic | |||
<t>This specification defines a method for applying a cryptographic | ||||
hash function to a CBOR Object Signing and Encryption (COSE) Key | hash function to a CBOR Object Signing and Encryption (COSE) Key | |||
structure <xref target="RFC9052"/>, resulting in a hash value known as a | structure <xref target="RFC9052"/>, resulting in a hash value known as a | |||
"thumbprint." To achieve this, the document specifies which fields | "thumbprint". To achieve this, the document specifies which fields | |||
in the COSE Key structure are included in the hash computation, the | in the COSE Key structure are included in the hash computation, the | |||
process for creating a canonical form of these fields, and how to | process for creating a canonical form of these fields, and how to | |||
hash the resulting byte sequence. One of the primary use cases for | hash the resulting byte sequence. One of the primary use cases for | |||
this thumbprint is as a naming scheme for identifying or selecting | this thumbprint is as a naming scheme for identifying or selecting | |||
the key, such as by using the COSE Key Thumbprint value as a "kid" | the key, such as by using the COSE Key Thumbprint value as a "kid" | |||
(key ID). Another key use case involves key derivation functions | (key ID). | |||
<!--[rfced] Section 1. We are having trouble understanding the meaning | ||||
of "along with other context" in the following sentence. Does | ||||
this refer to "other applications" or "different application | ||||
contexts" as mentioned elsewhere in the text? Please clarify. | ||||
Original: | ||||
Another key use case involves key derivation functions that use the | ||||
thumbprints of public keys from the endpoints, along with other | ||||
context, to derive a symmetric key. | ||||
--> | ||||
Another key use case involves key derivation functions | ||||
that use the thumbprints of public keys from the endpoints, along | that use the thumbprints of public keys from the endpoints, along | |||
with other context, to derive a symmetric key.</t> | with other context, to derive a symmetric key.</t> | |||
<t>This specification outlines how thumbprints of COSE Keys are generated | ||||
<t>This specification outlines how thumbprints of COSE Keys are generated | for both asymmetric and symmetric keys (see Sections <xref target="thumbprint" f | |||
for both asymmetric and symmetric keys (see <xref target="thumbprint"/> and | ormat="counter"/> and | |||
<xref target="required"/>). Additionally, it introduces a new CBOR Web Token | <xref target="required" format="counter"/>). Additionally, it introduces a new C | |||
(CWT) confirmation method, which is added to the IANA | BOR Web Token (CWT) confirmation method, which has been added to the IANA | |||
"CWT Confirmation Methods" registry established by <xref target="RFC8747"/>. | "CWT Confirmation Methods" registry established by <xref target="RFC8747"/>. | |||
For further details on the use of a confirmation claim in a CWT | For further details on the use of a confirmation claim in a CWT | |||
with a proof-of-possession key, refer to Section 3.1 of <xref target="RFC8747"/> | with a proof-of-possession key, refer to <xref target="RFC8747" sectionFormat="o | |||
.</t> | f" section="3.1"/>.</t> | |||
</section> | ||||
</section> | <section anchor="terminology"> | |||
<section anchor="terminology"><name>Terminology</name> | <name>Terminology</name> | |||
<t> | ||||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
"OPTIONAL" in this document are to be interpreted as described in | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, th | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
ey appear in all | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
capitals, as shown here.</t> | be interpreted as | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
</section> | when, and only when, they appear in all capitals, as shown here. | |||
<section anchor="thumbprint"><name>COSE Key Thumbprint</name> | </t> | |||
<t>The thumbprint of a COSE Key MUST be computed as follows:</t> | ||||
<t><list style="numbers" type="1"> | </section> | |||
<t>Construct a COSE_Key structure (see Section 7 of <xref target="RFC9052"/>) | <section anchor="thumbprint"> | |||
containing | <name>COSE Key Thumbprint</name> | |||
only the required parameters representing the key as described in | <t>The thumbprint of a COSE Key <bcp14>MUST</bcp14> be computed as follows | |||
Section 4 of this document.</t> | :</t> | |||
<t>Apply the deterministic encoding described in Section 4.2.1 of <xref target | <ol spacing="normal" type="1"><li> | |||
="RFC8949"/> | <t>Construct a COSE_Key structure (see <xref target="RFC9052" | |||
to the representation constructed in step (1).</t> | sectionFormat="of" section="7"/>) containing only the required | |||
<t>Hash the bytes produced in step (2) with a cryptographic hash function H. | parameters representing the key as described in <xref | |||
target="required" format="default"/> of this document.</t> | ||||
</li> | ||||
<li> | ||||
<t>Apply the deterministic encoding described in <xref | ||||
target="RFC8949" sectionFormat="of" section="4.2.1"/> to the | ||||
representation constructed in step 1.</t> | ||||
</li> | ||||
<li> | ||||
<t>Hash the bytes produced in step 2 with a cryptographic hash functio | ||||
n H. | ||||
For example, SHA-256 <xref target="RFC6234"/> may be used as a hash function.</t > | For example, SHA-256 <xref target="RFC6234"/> may be used as a hash function.</t > | |||
</list></t> | </li> | |||
</ol> | ||||
<t>The details of this computation are further described in subsequent | <t>The details of this computation are further described in subsequent | |||
sections.</t> | sections.</t> | |||
<t>The SHA-256 hash algorithm <bcp14>MUST</bcp14> be supported; other algo | ||||
<t>The SHA-256 hash algorithm MUST be supported, other algorithms MAY be support | rithms <bcp14>MAY</bcp14> be supported.</t> | |||
ed.</t> | </section> | |||
<section anchor="required"> | ||||
</section> | <name>Required COSE Key Parameters</name> | |||
<section anchor="required"><name>Required COSE Key Parameters</name> | <t>Only the required parameters of a key's representation are used when | |||
<t>Only the required parameters of a key's representation are used when | ||||
computing its COSE Key Thumbprint value. This section summarizes the | computing its COSE Key Thumbprint value. This section summarizes the | |||
required parameters.</t> | required parameters.</t> | |||
<t>The "kty" (label: 1) element <bcp14>MUST</bcp14> be present for all key | ||||
<t>The "kty" (label: 1) element MUST be present for all key types, and the integ | types, and the integer | |||
er | value specified in the IANA "COSE Key Types" registry <bcp14>MUST</bcp14> be use | |||
value specified in the IANA COSE Key Types registry MUST be used. The tstr data | d. The tstr data | |||
type is not used with the kty element.</t> | type is not used with the "kty" element.</t> | |||
<t>Many COSE Key parameters are specific to the chosen key type. The follo | ||||
<t>Many COSE Key parameters are specific to the chosen key type. The following | wing | |||
subsections list the required parameters for commonly used key types.</t> | subsections list the required parameters for commonly used key types.</t> | |||
<section anchor="octet-key-pair-okp"> | ||||
<section anchor="octet-key-pair-okp"><name>Octet Key Pair (OKP)</name> | <name>Octet Key Pair (OKP)</name> | |||
<t>The required parameters for elliptic curve public keys that use the Oct | ||||
<t>The required parameters for elliptic curve public keys that use the OKP key t | et Key Pair (OKP) key type, | |||
ype, | ||||
such as X25519, are:</t> | such as X25519, are:</t> | |||
<ul spacing="normal"> | ||||
<li> | ||||
<t>"kty" (label: 1, data type: int, value: 1)</t> | ||||
</li> | ||||
<li> | ||||
<t>"crv" (label: -1, value: int)</t> | ||||
</li> | ||||
<li> | ||||
<t>"x" (label: -2, value: bstr)</t> | ||||
</li> | ||||
</ul> | ||||
<t>Further details are described in <xref target="RFC9053" sectionFormat | ||||
="of" section="7.1"/>.</t> | ||||
</section> | ||||
<section anchor="ecc"> | ||||
<t><list style="symbols"> | <name>Elliptic Curve Keys with X- and Y-Coordinate Pairs</name> | |||
<t>"kty" (label: 1, data type: int, value: 1)</t> | <t>The required parameters for elliptic curve public keys that use the " | |||
<t>"crv" (label: -1, value: int)</t> | EC2" (two coordinate elliptic curve) key type, such as NIST P-256, are:</t> | |||
<t>"x" (label: -2, value: bstr)</t> | <ul spacing="normal"> | |||
</list></t> | <li> | |||
<t>"kty" (label: 1, data type: int, value: 2)</t> | ||||
<t>Details can be found in Section 7.1 of <xref target="RFC9053"/>.</t> | </li> | |||
<li> | ||||
</section> | <t>"crv" (label: -1, data type: int)</t> | |||
<section anchor="ecc"><name>Elliptic Curve Keys with X- and Y-Coordinate Pair</n | </li> | |||
ame> | <li> | |||
<t>"x" (label: -2, data type: bstr)</t> | ||||
<t>The required parameters for elliptic curve public keys that use the EC2 key t | </li> | |||
ype, such | <li> | |||
as NIST P-256, are:</t> | <t>"y" (label: -3, data type: bstr)</t> | |||
</li> | ||||
<t><list style="symbols"> | </ul> | |||
<t>"kty" (label: 1, data type: int, value: 2)</t> | <t>Further details are described in <xref target="RFC9053" sectionFormat | |||
<t>"crv" (label: -1, data type: int)</t> | ="of" section="7.1"/>.</t> | |||
<t>"x" (label: -2, data type: bstr)</t> | <t>Note: <xref target="RFC9052"/> supports both compressed and uncompres | |||
<t>"y" (label: -3, data type: bstr)</t> | sed point | |||
</list></t> | ||||
<t>Details can be found in Section 7.1 of <xref target="RFC9053"/>.</t> | ||||
<t>Note: <xref target="RFC9052"/> supports both compressed and uncompressed poin | ||||
t | ||||
representations. For interoperability, implementations adhering to | representations. For interoperability, implementations adhering to | |||
this specification MUST use the uncompressed point representation. | this specification <bcp14>MUST</bcp14> use the uncompressed point representation . | |||
Therefore, the y-coordinate is expressed as a bstr. If an | Therefore, the y-coordinate is expressed as a bstr. If an | |||
implementation uses the compressed point representation, it | implementation uses the compressed point representation, it | |||
MUST first convert it to the uncompressed form for the purpose | <bcp14>MUST</bcp14> first convert it to the uncompressed form for the purpose | |||
of thumbprint calculation.</t> | of thumbprint calculation.</t> | |||
</section> | ||||
<section anchor="rsa-public-keys"> | ||||
<name>RSA Public Keys</name> | ||||
<t>The required parameters for an RSA public key are:</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>"kty" (label: 1, data type: int, value: 3)</t> | ||||
</li> | ||||
<li> | ||||
<t>"n" (label: -1, data type: bstr)</t> | ||||
</li> | ||||
<li> | ||||
<t>"e" (label: -2, data type: bstr)</t> | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="symmetric-keys"> | ||||
<name>Symmetric Keys</name> | ||||
<t>The required parameters for a symmetric key are:</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>"kty" (label: 1, data type: int, value: 4)</t> | ||||
</li> | ||||
<li> | ||||
<t>"k" (label: -1, data type: bstr)</t> | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
</section> | <!--[rfced] Sections 4.2 and 4.5. We updated the titles of these | |||
<section anchor="rsa-public-keys"><name>RSA Public Keys</name> | sections as shown below for clarity and consistency. Please | |||
review and let us know of any objections. | ||||
<t>The required parameters for an RSA public key are:</t> | ||||
<t><list style="symbols"> | ||||
<t>"kty" (label: 1, data type: int, value: 3)</t> | ||||
<t>"n" (label: -1, data type: bstr)</t> | ||||
<t>"e" (label: -2, data type: bstr)</t> | ||||
</list></t> | ||||
</section> | ||||
<section anchor="symmetric-keys"><name>Symmetric Keys</name> | ||||
<t>The required parameters for a symmetric key are:</t> | ||||
<t><list style="symbols"> | ||||
<t>"kty" (label: 1, data type: int, value: 4)</t> | ||||
<t>"k" (label: -1, data type: bstr)</t> | ||||
</list></t> | ||||
</section> | Original: | |||
<section anchor="hss-lms"><name>HSS-LMS</name> | 4.2. Elliptic Curve Keys with X- and Y-Coordinate Pair | |||
<t>The required parameters for HSS-LMS keys are:</t> | Current: | |||
4.2. Elliptic Curve Keys with X- and Y-Coordinate Pairs | ||||
<t><list style="symbols"> | Original: | |||
<t>"kty" (label: 1, data type: int, value: 5)</t> | 4.5. HSS-LMS | |||
<t>"pub" (label: -1, data type: bstr)</t> | ||||
</list></t> | ||||
</section> | Current: | |||
<section anchor="others"><name>Others</name> | 4.5. HSS-LMS Keys | |||
--> | ||||
<t>As other key type values are defined, the specifications | <section anchor="hss-lms"> | |||
defining them should be similarly consulted to determine which | <name>HSS-LMS Keys</name> | |||
<t>The required parameters for HSS-LMS keys are:</t> | ||||
<ul spacing="normal"> | ||||
<li> | ||||
<t>"kty" (label: 1, data type: int, value: 5)</t> | ||||
</li> | ||||
<li> | ||||
<t>"pub" (label: -1, data type: bstr)</t> | ||||
</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="others"> | ||||
<name>Others</name> | ||||
<t>As other key type values are defined, their defining specifications | ||||
should be similarly consulted to determine which | ||||
parameters, in addition to the "kty" element, are required.</t> | parameters, in addition to the "kty" element, are required.</t> | |||
</section> | ||||
</section> | ||||
<section anchor="miscellaneous-considerations"> | ||||
<name>Miscellaneous Considerations</name> | ||||
<section anchor="why-not-include-optional-cose-key-parameters"> | ||||
<name>Why Not Include Optional COSE Key Parameters?</name> | ||||
<t>Optional parameters of COSE Keys are intentionally not included in th | ||||
e | ||||
COSE Key Thumbprint computation so that their absence or presence | ||||
in the COSE Key does not alter the resulting value. | ||||
</section> | <!--[rfced] Section 5.1. Is the intended meaning that the digest is | |||
</section> | comprised of essential parameters rather than of any additional | |||
<section anchor="miscellaneous-considerations"><name>Miscellaneous Consideration | data that might accompany the key? Please let us know how we may | |||
s</name> | clarify this text. | |||
<section anchor="why-not-include-optional-cose-key-parameters"><name>Why Not Inc | Original: | |||
lude Optional COSE Key Parameters?</name> | The COSE Key Thumbprint is a digest of the essential | |||
parameters required to represent the key as a COSE | ||||
Key, rather than any additional data that might | ||||
accompany the key. | ||||
<t>Optional parameters of COSE Keys are intentionally not included in the | Perhaps: | |||
COSE Key Thumbprint computation so that their absence or presence | The COSE Key Thumbprint is a digest of essential parameters, | |||
in the COSE Key does not alter the resulting value. The COSE Key | rather than any additional data that might accompany the | |||
key, that are required to represent the key as a COSE Key. | ||||
--> | ||||
The COSE Key | ||||
Thumbprint is a digest of the essential parameters required to | Thumbprint is a digest of the essential parameters required to | |||
represent the key as a COSE Key, rather than any additional data | represent the key as a COSE Key, rather than any additional data | |||
that might accompany the key.</t> | that might accompany the key.</t> | |||
<t>By excluding optional parameters, the COSE Key Thumbprint consistentl | ||||
<t>By excluding optional parameters, the COSE Key Thumbprint consistently | y | |||
refers to the key itself, not to a key with additional attributes. | refers to the key itself, not to a key with additional attributes. | |||
Different application contexts may include various optional attributes | Different application contexts may include various optional attributes | |||
in the COSE Key structure. If these optional parameters were included | in the COSE Key structure. If these optional parameters were included | |||
in the thumbprint calculation, the resulting values could differ for | in the thumbprint calculation, the resulting values could differ for | |||
the same key depending on the attributes present. Including only the | the same key depending on the attributes present. Including only the | |||
required parameters ensures that the COSE Key Thumbprint remains | required parameters ensures that the COSE Key Thumbprint remains | |||
consistent for a given key, regardless of any additional attributes.</t> | consistent for a given key, regardless of any additional attributes.</t> | |||
<t>Different kinds of thumbprints could be defined by other specificatio | ||||
<t>Different kinds of thumbprints could be defined by other specifications | ns | |||
that might include some or all additional COSE Key parameters, if use | that might include some or all additional COSE Key parameters, if use | |||
cases arise where such different kinds of thumbprints would be useful.</t> | cases arise where such different kinds of thumbprints would be useful.</t> | |||
</section> | ||||
</section> | <section anchor="selection-of-hash-function"> | |||
<section anchor="selection-of-hash-function"><name>Selection of Hash Function</n | <name>Selection of Hash Function</name> | |||
ame> | <t>A specific hash function must be chosen by an application to compute | |||
<t>A specific hash function must be chosen by an application to compute | ||||
the hash value of the hash input. For instance, SHA-256 <xref target="RFC6234"/> | the hash value of the hash input. For instance, SHA-256 <xref target="RFC6234"/> | |||
may be used as the hash function. While SHA-256 is a good default | may be used as the hash function. While SHA-256 is a good default | |||
choice at the time of writing, the preferred hash function may evolve | choice at the time of writing, the preferred hash function may evolve | |||
as the cryptographic landscape develops.</t> | as the cryptographic landscape develops.</t> | |||
<t>In many cases, only the party that generates the key needs to be | ||||
<t>In many cases, only the party that generates the key needs to be | ||||
aware of the hash function used. For example, the key producer might | aware of the hash function used. For example, the key producer might | |||
use the thumbprint value as a "kid" (key ID). In such scenarios, the | use the thumbprint value as a "kid" (key ID). In such scenarios, the | |||
consumer of the "kid" treats it as an opaque value solely for key | consumer of the "kid" treats it as an opaque value solely for key | |||
selection.</t> | selection.</t> | |||
<t>However, when multiple parties are involved in reproducing and | ||||
<t>However, when multiple parties are involved in reproducing and | ||||
comparing the COSE Key Thumbprint, it is crucial that they know | comparing the COSE Key Thumbprint, it is crucial that they know | |||
and use the same hash function to ensure consistent results.</t> | and use the same hash function to ensure consistent results.</t> | |||
</section> | ||||
</section> | <section anchor="thumbprints-of-keys-not-in-cose-key-format"> | |||
<section anchor="thumbprints-of-keys-not-in-cose-key-format"><name>Thumbprints o | <name>Thumbprints of Keys Not in COSE Key Format</name> | |||
f Keys Not in COSE Key Format</name> | <t>Keys that are in other formats can be represented as COSE Keys. | |||
<t>Keys that are in other formats can be represented as COSE Keys. | ||||
Any party in possession of a key that is represented as a COSE Key can | Any party in possession of a key that is represented as a COSE Key can | |||
use the COSE Key Thumbprint.</t> | use the COSE Key Thumbprint.</t> | |||
</section> | ||||
<section anchor="relationship-to-digests-of-x509-values"> | ||||
<name>Relationship to Digests of X.509 Values</name> | ||||
</section> | <!--[rfced] Section 5.4. Is the intended meaning that the COSE Key | |||
<section anchor="relationship-to-digests-of-x509-values"><name>Relationship to D | Thumbprint values are computed on the COSE Key object rather than | |||
igests of X.509 Values</name> | on all parameters? Please let us know how we may clarify this | |||
sentence. | ||||
<t>COSE Key Thumbprint values are computed on the COSE Key object required to | Original: | |||
COSE Key Thumbprint values are computed on the COSE Key | ||||
object required to represent a key, rather than all | ||||
parameters of a COSE Key that the key is represented in. | ||||
Perhaps: | ||||
COSE Key Thumbprint values are computed on the COSE Key | ||||
object required to represent a key rather than on all | ||||
parameters of a COSE Key that the key is represented in. | ||||
--> | ||||
<t>COSE Key Thumbprint values are computed on the COSE Key object requir | ||||
ed to | ||||
represent a key, rather than all parameters of a COSE Key that the key is | represent a key, rather than all parameters of a COSE Key that the key is | |||
represented in. Thus, they are more analogous to applications that | represented in. Thus, they are more analogous to applications that | |||
use digests of X.509 Subject Public Key Info (SPKI) values, which are | use digests of X.509 Subject Public Key Info (SPKI) values, which are | |||
defined in Section 4.1.2.7 of <xref target="RFC5280"/>, than to applications tha t | defined in <xref target="RFC5280" sectionFormat="of" section="4.1.2.7"/>, than t o applications that | |||
use digests of complete certificate values, as the "x5t" (X.509 | use digests of complete certificate values, as the "x5t" (X.509 | |||
certificate SHA-1 thumbprint) <xref target="RFC9360"/> value defined for X.509 | certificate SHA-1 thumbprint) <xref target="RFC9360"/> value defined for X.509 | |||
certificate objects does. While logically equivalent to a digest of | certificate objects does. While logically equivalent to a digest of | |||
the SPKI representation of the key, a COSE Key Thumbprint is computed over | the SPKI representation of the key, a COSE Key Thumbprint is computed over | |||
the CBOR representation of that key, rather than over an ASN.1 | the CBOR representation of that key rather than over an ASN.1 | |||
representation of it.</t> | representation of it.</t> | |||
</section> | ||||
</section> | <section anchor="confirmation-method"> | |||
<section anchor="confirmation-method"><name>Confirmation Method</name> | <name>Confirmation Method</name> | |||
<t><xref target="RFC8747"/> introduces confirmation methods for use with | ||||
<t><xref target="RFC8747"/> introduced confirmation methods for use with CBOR | CWTs with the addition of the "cnf" claim. CWTs are defined in <xref target="RF | |||
Web Tokens (CWTs) with the addition of the "cnf" claim. CWTs have | C8392"/>. This specification adds a new | |||
been defined in <xref target="RFC8392"/>. This specification adds a new | ||||
confirmation method based on COSE Key Thumbprints.</t> | confirmation method based on COSE Key Thumbprints.</t> | |||
<t>The proof-of-possession key is identified using the "ckt" claim, | ||||
<t>The proof-of-possession key is identified using the "ckt" claim, | ||||
the COSE Key Thumbprint claim. This claim contains the value of | the COSE Key Thumbprint claim. This claim contains the value of | |||
the COSE Key Thumbprint encoded as a binary string. Instead of | the COSE Key Thumbprint encoded as a binary string. Instead of | |||
communicating the actual COSE Key only the thumbprint is conveyed. | communicating the actual COSE Key, only the thumbprint is conveyed. | |||
This approach assumes that the recipient is able to obtain the | This approach assumes that the recipient is able to obtain the | |||
identified COSE Key using the thumbprint contained in the "ckt" | identified COSE Key using the thumbprint contained in the "ckt" | |||
claim. In this approach, the issuer of a CWT declares that the | claim. In this approach, the issuer of a CWT declares that the | |||
presenter possesses a particular key and that the recipient | presenter possesses a particular key and that the recipient | |||
can cryptographically confirm the presenter's proof of possession | can cryptographically confirm the presenter's proof of possession | |||
of the key by including a "ckt" claim in the CWT.</t> | of the key by including a "ckt" claim in the CWT.</t> | |||
<t>The following example demonstrates the use of the "ckt" claim | <t>The following example demonstrates the use of the "ckt" claim | |||
in a CWT as part of the confirmation method (with line-breaks inserted | in a CWT as part of the confirmation method (with line breaks inserted | |||
for editorial reasons):</t> | for editorial reasons):</t> | |||
<figure><artwork><![CDATA[ | <!--[rfced] Section 5.5. We replaced "TBD" with the value "5" within | |||
the sourcecode per IANA's assignment. Please review and let us | ||||
know if the spacing is correct or if any updates are needed. | ||||
Current: | ||||
{ | ||||
/iss/ 1 : "coaps://as.example.com", | ||||
/aud/ 3 : "coaps://resource.example.org", | ||||
/exp/ 4 : 1361398824, | ||||
/cnf/ 8 : { | ||||
/ckt/ 5 : h'496bd8afadf307e5b08c64b0421bf9dc | ||||
01528a344a43bda88fadd1669da253ec' | ||||
} | ||||
} | ||||
--> | ||||
<sourcecode type=""><![CDATA[ | ||||
{ | { | |||
/iss/ 1 : "coaps://as.example.com", | /iss/ 1 : "coaps://as.example.com", | |||
/aud/ 3 : "coaps://resource.example.org", | /aud/ 3 : "coaps://resource.example.org", | |||
/exp/ 4 : 1361398824, | /exp/ 4 : 1361398824, | |||
/cnf/ 8 : { | /cnf/ 8 : { | |||
/ckt/ [[TBD1]] : h'496bd8afadf307e5b08c64b0421bf9dc | /ckt/ 5 : h'496bd8afadf307e5b08c64b0421bf9dc | |||
01528a344a43bda88fadd1669da253ec' | 01528a344a43bda88fadd1669da253ec' | |||
} | } | |||
} | }]]></sourcecode> | |||
]]></artwork></figure> | ||||
<t><xref target="IANA"/> registers the "ckt" claim and the confirmation method. | <t><xref target="IANA"/> registers the "ckt" claim and the confirmation method. | |||
The "ckt" claim is expected to be used in the "cnf" claim.</t> | The "ckt" claim is expected to be used in the "cnf" claim.</t> | |||
</section> | ||||
</section> | <section anchor="cose-key-thumbprint-uris"> | |||
<section anchor="cose-key-thumbprint-uris"><name>COSE Key Thumbprint URIs</name> | <name>COSE Key Thumbprint URIs</name> | |||
<t>This specification defines Uniform Resource Identifiers (URIs) | ||||
<t>This specification defines Uniform Resource Identifiers (URIs) | ||||
to represent a COSE Key Thumbprint value. The design follows | to represent a COSE Key Thumbprint value. The design follows | |||
the work of the JSON Web Key (JWK) Thumbprint URIs, specified | the work of JSON Web Key (JWK) Thumbprint URIs, as specified | |||
in <xref target="RFC9278"/>. This enables COSE Key Thumbprints to be used, | in <xref target="RFC9278"/>. This enables COSE Key Thumbprints to be used, | |||
for example, as key identifiers in contexts requiring URIs. | for example, as key identifiers in contexts requiring URIs. | |||
This specification defines a URI prefix indicating that the | This specification defines a URI prefix indicating that the | |||
portion of the URI following the prefix is a COSE Key Thumbprint.</t> | portion of the URI following the prefix is a COSE Key Thumbprint.</t> | |||
<t>The following URI prefix is defined to indicate that the portion | ||||
<t>The following URI prefix is defined to indicate that the portion | ||||
of the URI following the prefix is a COSE Key Thumbprint:</t> | of the URI following the prefix is a COSE Key Thumbprint:</t> | |||
<figure><artwork><![CDATA[ | <t indent="3">urn:ietf:params:oauth:ckt</t> | |||
urn:ietf:params:oauth:ckt | ||||
]]></artwork></figure> | ||||
<t>To make the hash algorithm being used explicit in a URI, the prefix | <t>To make the hash algorithm being used explicit in a URI, the prefix | |||
is followed by a hash algorithm identifier and a COSE Key Thumbprint | is followed by a hash algorithm identifier and a COSE Key Thumbprint | |||
value, each separated by a colon character to form a URI representing | value, each separated by a colon character to form a URI representing | |||
a COSE Key Thumbprint.</t> | a COSE Key Thumbprint.</t> | |||
<t>Hash algorithm identifiers used in COSE Key Thumbprint URIs <bcp14>MU | ||||
<t>Hash algorithm identifiers used in COSE Key Thumbprint URIs MUST be values | ST</bcp14> be values from the "Hash Name String" column in the IANA "Named Infor | |||
from the "Hash Name String" column in the IANA "Named Information | mation Hash Algorithm Registry" <xref target="IANA.Hash.Algorithms"/>. COSE Key | |||
Hash Algorithm Registry" <xref target="IANA.Hash.Algorithms"/>. COSE Key Thumbpr | Thumbprint URIs with hash algorithm identifiers not found in this registry are n | |||
int URIs | ot | |||
with hash algorithm identifiers not found in this registry are not | considered valid, and applications <bcp14>MUST</bcp14> detect and handle this | |||
considered valid and applications MUST detect and handle this | ||||
error, should it occur.</t> | error, should it occur.</t> | |||
<t>Since the URN is encoded as a string, the output of the COSE Key | ||||
<t>Since the URN is encoded as a string, the output of the COSE Key | Thumbprint computation described in <xref target="thumbprint"/> <bcp14>MUST</bcp | |||
Thumbprint computation described in <xref target="thumbprint"/> MUST be base64ur | 14> be base64url encoded without padding.</t> | |||
l | <t><xref target="RFC7515"/> specifies base64url encoding as follows:</t> | |||
encoded without padding.</t> | <!-- [Quote] --> | |||
<blockquote>Base64 encoding using the URL- and filename-safe character s | ||||
<t><xref target="RFC7515"/> specifies Base64url encoding as follows:</t> | et | |||
defined in Section <xref target="RFC4648" section="5" | ||||
<t>"Base64 encoding using the URL- and filename-safe character set | sectionFormat="bare"></xref> of RFC 4648 <xref target="RFC4648"/>, with all trai | |||
defined in Section 5 of RFC 4648 <xref target="RFC4648"/>, with all trailing '=' | ling '=' | |||
characters omitted and without the inclusion of any line breaks, | characters omitted (as permitted by <xref target="RFC7515" sectionFormat="of" se | |||
ction="3.2"/>) and without the inclusion of any line breaks, | ||||
whitespace, or other additional characters. Note that the base64url | whitespace, or other additional characters. Note that the base64url | |||
encoding of the empty octet sequence is the empty string. | encoding of the empty octet sequence is the empty string. | |||
(See Appendix C of <xref target="RFC7515"/> for notes on implementing base64url | (See <xref target="RFC7515" sectionFormat="of" section="C"/> for notes on implem | |||
encoding without padding.)"</t> | enting base64url | |||
encoding without padding.)</blockquote> | ||||
<t>The base64url encoding of the thumbprint shown in <xref target="example"/> is | <!-- [End of quote] --> | |||
shown below (with a line-break added for readability purposes).</t> | <t>The base64url encoding of the thumbprint shown in <xref target="examp | |||
le"/> is | ||||
<figure><artwork><![CDATA[ | shown below (with a line break added for readability purposes).</t> | |||
SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w | ||||
]]></artwork></figure> | ||||
<t>The full example of a COSE Key Thumbprint URI is shown below, again | ||||
with a line-break added.</t> | ||||
<figure><artwork><![CDATA[ | <t indent="3">SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w</t> | |||
urn:ietf:params:oauth:ckt:sha-256: | ||||
SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w | ||||
]]></artwork></figure> | ||||
</section> | <t>The full example of a COSE Key Thumbprint URI is shown below (with a | |||
</section> | line break added for readability).</t> | |||
<section anchor="example"><name>Example</name> | ||||
<t>This section demonstrates the COSE Key Thumbprint computation for the | <t indent="3">urn:ietf:params:oauth:ckt:sha-256:</t> | |||
following example COSE Key containing an ECC public key.</t> | <t indent="3">SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w</t> | |||
<t>For better readability, the example is first presented in CBOR diagnostic for | </section> | |||
mat (with | </section> | |||
<section anchor="example"> | ||||
<name>Example</name> | ||||
<t>This section demonstrates the COSE Key Thumbprint computation for the | ||||
following example COSE Key containing an Elliptic Curve Cryptography (ECC) publi | ||||
c key.</t> | ||||
<t>For better readability, the example is first presented in CBOR diagnost | ||||
ic format (with | ||||
the long line broken for display purposes only).</t> | the long line broken for display purposes only).</t> | |||
<figure><artwork><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
{ | { | |||
/ kty set to EC2 = Elliptic Curve Keys / | / kty set to EC2 = Elliptic Curve Keys / | |||
1:2, | 1:2, | |||
/ crv set to P-256 / | / crv set to P-256 / | |||
-1:1, | -1:1, | |||
/ public key: x-coordinate / | / public key: x-coordinate / | |||
-2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 | -2:h'65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c0 | |||
8551d', | 8551d', | |||
/ public key: y-coordinate / | / public key: y-coordinate / | |||
-3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 | -3:h'1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd008 | |||
4d19c', | 4d19c', | |||
/ kid is bstr, not used in COSE Key Thumbprint / | / kid is bstr, not used in COSE Key Thumbprint / | |||
2:h'1decade2facade3' | 2:h'1decade2facade3' | |||
} | }]]></sourcecode> | |||
]]></artwork></figure> | ||||
<t>The example above corresponds to the following CBOR encoding | <t>The example above corresponds to the following CBOR encoding | |||
(with link breaks added for display purposes only):</t> | (with link breaks added for display purposes only):</t> | |||
<figure><artwork><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
A50102200121582065EDA5A12577C2BAE829437FE338701A10AAA375E1BB5B5DE108D | A50102200121582065EDA5A12577C2BAE829437FE338701A10AAA375E1BB5B5DE108D | |||
E439C08551D2258201E52ED75701163F7F9E40DDF9F341B3DC9BA860AF7E0CA7CA7E9 | E439C08551D2258201E52ED75701163F7F9E40DDF9F341B3DC9BA860AF7E0CA7CA7E9 | |||
EECD0084D19C0258246D65726961646F632E6272616E64796275636B406275636B6C6 | EECD0084D19C0258246D65726961646F632E6272616E64796275636B406275636B6C6 | |||
16E642E6578616D706C65 | 16E642E6578616D706C65]]></sourcecode> | |||
]]></artwork></figure> | ||||
<t>Not all of the parameters from the example above are used in the COSE Key | <t>Not all of the parameters from the example above are used in the COSE K | |||
Thumbprint computation since the required parameters of an elliptic curve | ey | |||
Thumbprint computation because the required parameters of an elliptic curve | ||||
public key are (as listed in <xref target="ecc"/>) "kty", "crv", "x", and "y".</ t> | public key are (as listed in <xref target="ecc"/>) "kty", "crv", "x", and "y".</ t> | |||
<t>The resulting COSE Key structure, in CBOR diagnostic format with | ||||
line breaks added for better readability, with the minimum parameters | ||||
in the correct order are:</t> | ||||
<t>The resulting COSE Key structure, in CBOR diagnostic format with | <sourcecode type="cbor"><![CDATA[ | |||
line-breaks added for better readability, with the minimum parameters | ||||
in the correct order are.</t> | ||||
<figure><artwork><![CDATA[ | ||||
{ | { | |||
1:2, | 1:2, | |||
-1:1, | -1:1, | |||
-2:h'65eda5a12577c2bae829437fe338701a | -2:h'65eda5a12577c2bae829437fe338701a | |||
10aaa375e1bb5b5de108de439c08551d', | 10aaa375e1bb5b5de108de439c08551d', | |||
-3:h'1e52ed75701163f7f9e40ddf9f341b3d | -3:h'1e52ed75701163f7f9e40ddf9f341b3d | |||
c9ba860af7e0ca7ca7e9eecd0084d19c' | c9ba860af7e0ca7ca7e9eecd0084d19c' | |||
} | }]]></sourcecode> | |||
]]></artwork></figure> | ||||
<t>In CBOR encoding the result is (with line-breaks added for display | <t>In CBOR encoding, the result is (with line breaks added for display | |||
purposes only):</t> | purposes only):</t> | |||
<figure><artwork><![CDATA[ | <sourcecode type="cbor"><![CDATA[ | |||
A40102200121582065EDA5A12577C2BAE829437FE338701A10AAA375E1BB5B5DE | A40102200121582065EDA5A12577C2BAE829437FE338701A10AAA375E1BB5B5DE | |||
108DE439C08551D2258201E52ED75701163F7F9E40DDF9F341B3DC9BA860AF7E0 | 108DE439C08551D2258201E52ED75701163F7F9E40DDF9F341B3DC9BA860AF7E0 | |||
CA7CA7E9EECD0084D19C | CA7CA7E9EECD0084D19C]]></sourcecode> | |||
]]></artwork></figure> | ||||
<t>Using SHA-256, the resulting thumbprint is:</t> | ||||
<figure><artwork><![CDATA[ | <t>Using SHA-256, the resulting thumbprint is:</t> | |||
496bd8afadf307e5b08c64b0421bf9dc01528a344a43bda88fadd1669da253ec | ||||
]]></artwork></figure> | ||||
</section> | <sourcecode type=""><![CDATA[ | |||
<section anchor="security-considerations"><name>Security Considerations</name> | 496bd8afadf307e5b08c64b0421bf9dc01528a344a43bda88fadd1669da253ec]]></sourcecode> | |||
<t>A COSE Key Thumbprint will only uniquely identify a particular key if a | </section> | |||
<section anchor="security-considerations"> | ||||
<name>Security Considerations</name> | ||||
<t>A COSE Key Thumbprint will only uniquely identify a particular key if a | ||||
single unambiguous COSE Key representation for that key is defined and | single unambiguous COSE Key representation for that key is defined and | |||
used when computing the COSE Key Thumbprint.</t> | used when computing the COSE Key Thumbprint.</t> | |||
<t>A COSE Key Thumbprint will only uniquely identify a particular key if a | ||||
<t>A COSE Key Thumbprint will only uniquely identify a particular key if a | ||||
single unambiguous COSE Key representation for that key is defined and | single unambiguous COSE Key representation for that key is defined and | |||
used when computing the COSE Key Thumbprint. Key identifiers are not | used when computing the COSE Key Thumbprint. Key identifiers are not | |||
included in the thumbprint calculation (similarly to other optional | included in the thumbprint calculation (similarly to other optional | |||
parameters in the COSE_Key structure). If the inclusion | parameters in the COSE_Key structure). If the inclusion | |||
of specific optional parameters in the thumbprint calculation is important | of specific optional parameters in the thumbprint calculation is important | |||
for a particular application, this specification would not be suitable.</t> | for a particular application, this specification would not be suitable.</t> | |||
<t>While thumbprint values are useful for identifying legitimate keys, | ||||
<t>While thumbprint values are useful for identifying legitimate keys, | ||||
comparing thumbprint values is not a reliable means of excluding the | comparing thumbprint values is not a reliable means of excluding the | |||
use of particular keys (or transformations thereof). The reason is | use of particular keys (or transformations thereof). The reason is | |||
that an attacker may supply a key that is a transformation of a key | because an attacker may supply a key that is a transformation of a key | |||
in order to have it appear to be a different key. For instance, if | in order for it to appear as a different key. For instance, if | |||
a legitimate RSA key uses a modulus value N and an attacker supplies | a legitimate RSA key uses a modulus value N and an attacker supplies | |||
a key with modulus 3*N, the modified key would still work about 1/3 | a key with modulus 3*N, the modified key would still work about 1/3 | |||
of the time, but would appear to be a different key.</t> | of the time, but it would appear to be a different key.</t> | |||
<t>Producing thumbprints of symmetric keys needs to be done with care. Dev | ||||
<t>Producing thumbprints of symmetric keys needs to be done with care. Developer | elopers | |||
s | <bcp14>MUST</bcp14> ensure that the symmetric key has sufficient entropy to prev | |||
MUST ensure that the symmetric key has sufficient entropy to prevent | ent | |||
attackers to precompute tables of symmetric keys with their corresponding | attackers from precomputing tables of symmetric keys with their corresponding | |||
hash values. This can be prevented if the symmetric key is a randomly | hash values. This can be prevented if the symmetric key is a randomly | |||
selected key of at least 128 bit length. Thumbprints MUST NOT be used | selected key of at least a 128-bit length. Thumbprints <bcp14>MUST NOT</bcp14> b e used | |||
with passwords or other low-entropy secrets. If a | with passwords or other low-entropy secrets. If a | |||
developer is unable to determine whether all symmetric keys used in an | developer is unable to determine whether all symmetric keys used in an | |||
application have sufficient entropy, then thumbprints of symmetric keys | application have sufficient entropy, then thumbprints of symmetric keys | |||
MUST NOT be used. In general, using thumbprints of symmetric keys should | <bcp14>MUST NOT</bcp14> be used. In general, using thumbprints of symmetric keys | |||
only be used in special applications. In most other deployment scenarios | should | |||
only be used in special applications. In most other deployment scenarios, | ||||
it is more appropriate to utilize a different naming scheme for key | it is more appropriate to utilize a different naming scheme for key | |||
identifiers.</t> | identifiers.</t> | |||
</section> | ||||
<section anchor="IANA"> | ||||
<name>IANA Considerations</name> | ||||
</section> | <!--[rfced] Section 8. Since the term "COSE Key Thumbprint" is used | |||
<section anchor="IANA"><name>IANA Considerations</name> | throughout the document, would it be correct to update "COSE Key | |||
SHA-256 Thumbprint" to "SHA-256 COSE Key Thumbprint" or "COSE Key | ||||
<t>IANA is requested to add the following entry to the IANA "CWT Confirmation | Thumbprint SHA-256" for consistency? Please review and let us | |||
Methods" registry established by <xref target="RFC8747"/>:</t> | know your preference. | |||
<t><list style="symbols"> | ||||
<t>Confirmation Method Name: ckt</t> | ||||
<t>Confirmation Method Description: COSE Key SHA-256 Thumbprint</t> | ||||
<t>JWT Confirmation Method Name: jkt</t> | ||||
<t>Confirmation Key: [[TBD1]]</t> | ||||
<t>Confirmation Value Type(s): binary string</t> | ||||
<t>Change Controller: IETF</t> | ||||
<t>Specification Document(s): [[This document]]</t> | ||||
</list></t> | ||||
<t>Furthermore, IANA is requested to add a value to the IANA "OAuth URI" registr | ||||
y | ||||
established with <xref target="RFC6755"/>:</t> | ||||
<t><list style="symbols"> | Original: | |||
<t>URN: urn:ietf:params:oauth:ckt</t> | Confirmation Method Description: COSE Key SHA-256 Thumbprint | |||
<t>Common Name: COSE Key Thumbprint URI</t> | ||||
<t>Change controller: IETF</t> | ||||
<t>Specification Document: [[This document]]</t> | ||||
</list></t> | ||||
</section> | Perhaps A: | |||
<section anchor="acknowledgements"><name>Acknowledgements</name> | Confirmation Method Description: SHA-256 COSE Key Thumbprint | |||
--> | ||||
<t>We would like to thank the authors of <xref target="RFC7638"/> for their work | <t>IANA has added the following entry to the "CWT Confirmation | |||
on the | Methods" registry <xref target="IANA-CWT"/> established by <xref target="RFC8747 | |||
JSON Web Key (JWK) Thumbprint specification. This document applies JWK | "/>:</t> | |||
Thumbprints to COSE Key structures.</t> | <dl spacing="compact" newline="false"> | |||
<dt>Confirmation Method Name:</dt><dd>ckt</dd> | ||||
<dt>Confirmation Method Description:</dt><dd>COSE Key SHA-256 Thumbpri | ||||
nt</dd> | ||||
<dt>JWT Confirmation Method Name:</dt><dd>jkt</dd> | ||||
<dt>Confirmation Key:</dt><dd>5</dd> | ||||
<dt>Confirmation Value Type(s):</dt><dd>binary string</dd> | ||||
<dt>Change Controller:</dt><dd>IETF</dd> | ||||
<dt>Specification Document(s):</dt><dd>RFC 9679</dd> | ||||
</dl> | ||||
<t>Additionally, we would like to thank Carsten Bormann, Ilari Liusvaara, | <t>Furthermore, IANA has added a value to the "OAuth URI" registry <xref t | |||
Laurence Lundblade, Daisuke Ajitomi, Michael Richardson, Michael B. Jones, | arget="IANA-OAuth"/> | |||
Mallory Knodel, Joel Jaeggli, Derrell Piper, Patrik Fältström, Warren Kumari, | established by <xref target="RFC6755"/>:</t> | |||
Deb Cooley and Brendan Moran for their feedback.</t> | <dl spacing="compact" newline="false"> | |||
<dt>URN:</dt><dd>urn:ietf:params:oauth:ckt</dd> | ||||
<dt>Common Name:</dt><dd>COSE Key Thumbprint URI</dd> | ||||
<dt>Change Controller:</dt><dd>IETF</dd> | ||||
<dt>Specification Document(s):</dt><dd>RFC 9679</dd> | ||||
</dl> | ||||
</section> | </section> | |||
</middle> | </middle> | |||
<back> | <back> | |||
<references> | ||||
<name>References</name> | ||||
<references anchor="sec-normative-references"> | ||||
<name>Normative References</name> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
119.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
949.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
174.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
052.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
053.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
747.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
392.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
515.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
648.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
755.xml"/> | ||||
</references> | ||||
<references anchor="sec-informative-references"> | ||||
<name>Informative References</name> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
638.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
234.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
280.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
360.xml"/> | ||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
278.xml"/> | ||||
<reference anchor="IANA.Hash.Algorithms" target="https://www.iana.org/as | ||||
signments/named-information"> | ||||
<front> | ||||
<title>Named Information Hash Algorithm Registry</title> | ||||
<author> | ||||
<organization>IANA</organization> | ||||
</author> | ||||
<date/> | ||||
</front> | ||||
</reference> | ||||
<references title='Normative References' anchor="sec-normative-references"> | <reference anchor="IANA-CWT" target="https://www.iana.org/assignments/cwt"> | |||
<front> | ||||
<reference anchor="RFC2119"> | <title>CWT Confirmation Methods</title> | |||
<front> | <author> | |||
<title>Key words for use in RFCs to Indicate Requirement Levels</title> | <organization>IANA</organization> | |||
<author fullname="S. Bradner" initials="S." surname="Bradner"/> | </author> | |||
<date month="March" year="1997"/> | <date/> | |||
<abstract> | </front> | |||
<t>In many standards track documents several words are used to signify the | </reference> | |||
requirements in the specification. These words are often capitalized. This docu | ||||
ment defines these words as they should be interpreted in IETF documents. This d | ||||
ocument specifies an Internet Best Current Practices for the Internet Community, | ||||
and requests discussion and suggestions for improvements.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="2119"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC2119"/> | ||||
</reference> | ||||
<reference anchor="RFC8949"> | ||||
<front> | ||||
<title>Concise Binary Object Representation (CBOR)</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | ||||
<date month="December" year="2020"/> | ||||
<abstract> | ||||
<t>The Concise Binary Object Representation (CBOR) is a data format whose | ||||
design goals include the possibility of extremely small code size, fairly small | ||||
message size, and extensibility without the need for version negotiation. These | ||||
design goals make it different from earlier binary serializations such as ASN.1 | ||||
and MessagePack.</t> | ||||
<t>This document obsoletes RFC 7049, providing editorial improvements, new | ||||
details, and errata fixes while keeping full compatibility with the interchange | ||||
format of RFC 7049. It does not create a new version of the format.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="94"/> | ||||
<seriesInfo name="RFC" value="8949"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8949"/> | ||||
</reference> | ||||
<reference anchor="RFC8174"> | ||||
<front> | ||||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<date month="May" year="2017"/> | ||||
<abstract> | ||||
<t>RFC 2119 specifies common key words that may be used in protocol specif | ||||
ications. This document aims to reduce the ambiguity by clarifying that only UPP | ||||
ERCASE usage of the key words have the defined special meanings.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="8174"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
</reference> | ||||
<reference anchor="RFC9052"> | ||||
<front> | ||||
<title>CBOR Object Signing and Encryption (COSE): Structures and Process</ti | ||||
tle> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="August" year="2022"/> | ||||
<abstract> | ||||
<t>Concise Binary Object Representation (CBOR) is a data format designed f | ||||
or small code size and small message size. There is a need to be able to define | ||||
basic security services for this data format. This document defines the CBOR Obj | ||||
ect Signing and Encryption (COSE) protocol. This specification describes how to | ||||
create and process signatures, message authentication codes, and encryption usin | ||||
g CBOR for serialization. This specification additionally describes how to repre | ||||
sent cryptographic keys using CBOR.</t> | ||||
<t>This document, along with RFC 9053, obsoletes RFC 8152.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="96"/> | ||||
<seriesInfo name="RFC" value="9052"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9052"/> | ||||
</reference> | ||||
<reference anchor="RFC9053"> | ||||
<front> | ||||
<title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title> | ||||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="August" year="2022"/> | ||||
<abstract> | ||||
<t>Concise Binary Object Representation (CBOR) is a data format designed f | ||||
or small code size and small message size. There is a need to be able to define | ||||
basic security services for this data format. This document defines a set of alg | ||||
orithms that can be used with the CBOR Object Signing and Encryption (COSE) prot | ||||
ocol (RFC 9052).</t> | ||||
<t>This document, along with RFC 9052, obsoletes RFC 8152.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9053"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9053"/> | ||||
</reference> | ||||
<reference anchor="RFC8747"> | ||||
<front> | ||||
<title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)</title> | ||||
<author fullname="M. Jones" initials="M." surname="Jones"/> | ||||
<author fullname="L. Seitz" initials="L." surname="Seitz"/> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> | ||||
<date month="March" year="2020"/> | ||||
<abstract> | ||||
<t>This specification describes how to declare in a CBOR Web Token (CWT) ( | ||||
which is defined by RFC 8392) that the presenter of the CWT possesses a particul | ||||
ar proof-of-possession key. Being able to prove possession of a key is also some | ||||
times described as being the holder-of-key. This specification provides equivale | ||||
nt functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs | ||||
)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rat | ||||
her than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8747"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8747"/> | ||||
</reference> | ||||
<reference anchor="RFC8392"> | <reference anchor="IANA-OAuth" target="https://www.iana.org/assignments/oauth- | |||
<front> | parameters"> | |||
<title>CBOR Web Token (CWT)</title> | <front> | |||
<author fullname="M. Jones" initials="M." surname="Jones"/> | <title>OAuth URI</title> | |||
<author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/> | <author> | |||
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/> | <organization>IANA</organization> | |||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> | </author> | |||
<date month="May" year="2018"/> | <date/> | |||
<abstract> | </front> | |||
<t>CBOR Web Token (CWT) is a compact means of representing claims to be tr | </reference> | |||
ansferred between two parties. The claims in a CWT are encoded in the Concise Bi | ||||
nary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) | ||||
is used for added application-layer security protection. A claim is a piece of | ||||
information asserted about a subject and is represented as a name/value pair con | ||||
sisting of a claim name and a claim value. CWT is derived from JSON Web Token (J | ||||
WT) but uses CBOR rather than JSON.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8392"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8392"/> | ||||
</reference> | ||||
<reference anchor="RFC7515"> | </references> | |||
<front> | </references> | |||
<title>JSON Web Signature (JWS)</title> | <section anchor="acknowledgements" numbered="false"> | |||
<author fullname="M. Jones" initials="M." surname="Jones"/> | <name>Acknowledgements</name> | |||
<author fullname="J. Bradley" initials="J." surname="Bradley"/> | ||||
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/> | ||||
<date month="May" year="2015"/> | ||||
<abstract> | ||||
<t>JSON Web Signature (JWS) represents content secured with digital signat | ||||
ures or Message Authentication Codes (MACs) using JSON-based data structures. Cr | ||||
yptographic algorithms and identifiers for use with this specification are descr | ||||
ibed in the separate JSON Web Algorithms (JWA) specification and an IANA registr | ||||
y defined by that specification. Related encryption capabilities are described i | ||||
n the separate JSON Web Encryption (JWE) specification.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7515"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7515"/> | ||||
</reference> | ||||
<reference anchor="RFC4648"> | <t>We would like to thank the authors of <xref target="RFC7638"/> for | |||
<front> | their work on the JWK Thumbprint specification. This | |||
<title>The Base16, Base32, and Base64 Data Encodings</title> | document applies JWK Thumbprints to COSE Key structures.</t> | |||
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> | <t>Additionally, we would like to thank <contact fullname="Carsten | |||
<date month="October" year="2006"/> | Bormann"/>, <contact fullname="Ilari Liusvaara"/>, <contact | |||
<abstract> | fullname="Laurence Lundblade"/>, <contact fullname="Daisuke Ajitomi"/>, | |||
<t>This document describes the commonly used base 64, base 32, and base 16 | <contact fullname="Michael Richardson"/>, <contact fullname="Michael | |||
encoding schemes. It also discusses the use of line-feeds in encoded data, use | B. Jones"/>, <contact fullname="Mallory Knodel"/>, <contact | |||
of padding in encoded data, use of non-alphabet characters in encoded data, use | fullname="Joel Jaeggli"/>, <contact fullname="Derrell Piper"/>, <contact | |||
of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t> | fullname="Patrik Fältström"/>, <contact fullname="Warren Kumari"/>, | |||
</abstract> | <contact fullname="Deb Cooley"/>, and <contact fullname="Brendan Moran"/> | |||
</front> | for their feedback.</t> | |||
<seriesInfo name="RFC" value="4648"/> | </section> | |||
<seriesInfo name="DOI" value="10.17487/RFC4648"/> | </back> | |||
</reference> | ||||
<reference anchor="RFC6755"> | <!-- [rfced] Please review each artwork element and let us know if any should | |||
<front> | be marked as sourcecode (or another element) instead. | |||
<title>An IETF URN Sub-Namespace for OAuth</title> | ||||
<author fullname="B. Campbell" initials="B." surname="Campbell"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> | ||||
<date month="October" year="2012"/> | ||||
<abstract> | ||||
<t>This document establishes an IETF URN Sub-namespace for use with OAuth- | ||||
related specifications. This document is not an Internet Standards Track specifi | ||||
cation; it is published for informational purposes.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6755"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6755"/> | ||||
</reference> | ||||
</references> | We updated <artwork> to <sourcecode> in Sections 5.5 and 6. Please confirm that | |||
this is correct. | ||||
<references title='Informative References' anchor="sec-informative-reference | In addition, please consider whether the "type" attribute of any sourcecode | |||
s"> | elements should be set and/or has been set correctly. | |||
<reference anchor="RFC7638"> | The current list of preferred values for "type" is available at | |||
<front> | <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. | |||
<title>JSON Web Key (JWK) Thumbprint</title> | If the current list does not contain an applicable type, feel free to | |||
<author fullname="M. Jones" initials="M." surname="Jones"/> | suggest additions for consideration. Note that it is also acceptable | |||
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/> | to leave the "type" attribute not set. | |||
<date month="September" year="2015"/> | --> | |||
<abstract> | ||||
<t>This specification defines a method for computing a hash value over a J | ||||
SON Web Key (JWK). It defines which fields in a JWK are used in the hash computa | ||||
tion, the method of creating a canonical form for those fields, and how to conve | ||||
rt the resulting Unicode string into a byte sequence to be hashed. The resulting | ||||
hash value can be used for identifying or selecting the key represented by the | ||||
JWK that is the subject of the thumbprint.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7638"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7638"/> | ||||
</reference> | ||||
<reference anchor="RFC6234"> | <!-- [rfced] Please review whether any of the notes in this document | |||
<front> | should be in the <aside> element. It is defined as "a container for | |||
<title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title> | content that is semantically less important or tangential to the | |||
<author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/> | content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside) | |||
<author fullname="T. Hansen" initials="T." surname="Hansen"/> | . | |||
<date month="May" year="2011"/> | --> | |||
<abstract> | ||||
<t>Federal Information Processing Standard, FIPS</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6234"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6234"/> | ||||
</reference> | ||||
<reference anchor="RFC5280"> | <!-- [rfced] Abbreviations | |||
<front> | ||||
<title>Internet X.509 Public Key Infrastructure Certificate and Certificate | ||||
Revocation List (CRL) Profile</title> | ||||
<author fullname="D. Cooper" initials="D." surname="Cooper"/> | ||||
<author fullname="S. Santesson" initials="S." surname="Santesson"/> | ||||
<author fullname="S. Farrell" initials="S." surname="Farrell"/> | ||||
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> | ||||
<author fullname="R. Housley" initials="R." surname="Housley"/> | ||||
<author fullname="W. Polk" initials="W." surname="Polk"/> | ||||
<date month="May" year="2008"/> | ||||
<abstract> | ||||
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate re | ||||
vocation list (CRL) for use in the Internet. An overview of this approach and mo | ||||
del is provided as an introduction. The X.509 v3 certificate format is described | ||||
in detail, with additional information regarding the format and semantics of In | ||||
ternet name forms. Standard certificate extensions are described and two Interne | ||||
t-specific extensions are defined. A set of required certificate extensions is s | ||||
pecified. The X.509 v2 CRL format is described in detail along with standard and | ||||
Internet-specific extensions. An algorithm for X.509 certification path validat | ||||
ion is described. An ASN.1 module and examples are provided in the appendices. [ | ||||
STANDARDS-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="5280"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC5280"/> | ||||
</reference> | ||||
<reference anchor="RFC9360"> | a) We have added an expansion for the following abbreviation | |||
<front> | per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review | |||
<title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carr | this and each expansion in the document carefully to ensure | |||
ying and Referencing X.509 Certificates</title> | correctness. | |||
<author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
<date month="February" year="2023"/> | ||||
<abstract> | ||||
<t>The CBOR Object Signing and Encryption (COSE) message structure uses re | ||||
ferences to keys in general. For some algorithms, additional properties are defi | ||||
ned that carry parameters relating to keys as needed. The COSE Key structure is | ||||
used for transporting keys outside of COSE messages. This document extends the w | ||||
ay that keys can be identified and transported by providing attributes that refe | ||||
r to or contain X.509 certificates.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9360"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9360"/> | ||||
</reference> | ||||
<reference anchor="RFC9278"> | Elliptic Curve Cryptography (ECC) | |||
<front> | ||||
<title>JWK Thumbprint URI</title> | ||||
<author fullname="M. Jones" initials="M." surname="Jones"/> | ||||
<author fullname="K. Yasuda" initials="K." surname="Yasuda"/> | ||||
<date month="August" year="2022"/> | ||||
<abstract> | ||||
<t>This specification registers a kind of URI that represents a JSON Web K | ||||
ey (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables | ||||
JWK Thumbprints to be used, for instance, as key identifiers in contexts requir | ||||
ing URIs.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9278"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9278"/> | ||||
</reference> | ||||
<reference anchor="IANA.Hash.Algorithms" target="https://www.iana.org/assignment | b) Section 4.2. We enclosed "EC2" with quote marks and included | |||
s/named-information"> | a brief description in parentheses (per RFC 9053) for readers. | |||
<front> | If this is not desired, please let us know. | |||
<title>Named Information Hash Algorithm Registry</title> | ||||
<author > | ||||
<organization></organization> | ||||
</author> | ||||
<date /> | ||||
</front> | ||||
</reference> | ||||
</references> | Original: | |||
The required parameters for elliptic curve public keys | ||||
that use the EC2 key type, such as NIST P-256, are: | ||||
</back> | Current: | |||
The required parameters for elliptic curve public keys | ||||
that use the "EC2" (two coordinate elliptic curve) key | ||||
type, such as NIST P-256, are: | ||||
--> | ||||
<!-- ##markdown-source: | <!-- [rfced] Please review the "Inclusive Language" portion of the online | |||
H4sIAAAAAAAAA9Vc63IbuZX+zyq+A1b+YSlL0rxTYlVqQ91ijW3JEeV1sqlU | Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> | |||
CuwGSYya3UyjKZnj0jzNPsO+QF5szwVAoynKnpnsn01NZSgSDRycy3euPc1m | and let us know if any changes are needed. | |||
s14rdJGosTg7vbkVN7MfVVSIqV6kOl0ImcbiIo3y7brQWSoOz26mF0findqK | ||||
u+VmNVvnOi3qNTmb5eoBdoBfn/0YZ1EqV7B/nMt50dSqmDejzKjmvdo2C7+w | ||||
2R7Wa5Es1CLLt2Nhirheq9f0Oh+LIt+Yottun7S7cFau5FhMVbTJdbGt1x6z | ||||
/H6RZ5s1H1+vwbbwXTwWV2mh8lQVzXM8GHczBdzn7zLJUiBnq0y9ttbjek2I | ||||
fB6p2BTbxH0vRJFF4Wedxiot/Dcmy4tczU35xXZV/bvIdVSuj7LVCp4vf9dp | ||||
otPgNPWlaCbaFE3YaJYlsLCZ/e7f8Sfg30qu1yANuxp4sCmWWY6UN3EF7gYP | ||||
vGuJK5PNFH/FPH+XLZUOv1YrqZOx0PjNPf74hwV+0wICeUGWwznTi7ObD8DP | ||||
VkO8vztv4ZmVo962xJ2JltlcpXoRnvdWpqkyz350CvK2eXo79efIVP8kUa/G | ||||
4lOqH1RuQKIim4vJep1oFYtppFUawX6nWZo2b4HatDnVym4aZZu0QF35o8pX | ||||
Mt1WLrgkQlqFJwTu+aUF2vDsLjctMS2USip8u8m1qnxdJfcul6lZbYoqUzN4 | ||||
6A+F+6kFKrNBNWAJB/TCZQu8XQHaTvJMM7hAARwgZby9POt2Oifu8/FJv/zc | ||||
GfXd55P2oBt87vk1o/7If+6d+DWjQWfgPveH/eMx2Vc63z17NOwdu8/Dbs+f | ||||
N+get/15vWH5uTvi9VeT60nrrTTL1iQBI9bFcmXGfHVhIebgGrgbg2XaUwFS | ||||
8AHhHxC3agFWkG8P3IMyXyiwo2VRrM34zZvHx8eWlqlsgUDeSGMAp8iw3qDc | ||||
4qYud7YbxMDksZjLxCi8cLPZBG2EE2REqnC31EaYtYr0XEdMUazmGpVYipUC | ||||
O4sFbIkGvN4UBImgW0Dyg0w2SmSgtfANQme99kuxE+y0cGfCOY9LHS0FfExi | ||||
+AO4oIH2YqlKOAVyN1GxyZUA9AOtjZJNDGzUqcBldEK2yOUaNmLimFq6ToP3 | ||||
WucZGJLhuwCE2qtEMs1SuHgicrXOlQFWMhPACuExoyxdDbrNMnuE3TI+A3eF | ||||
JzYJbTXbFkoY9Y8NGiygQ+XHkmEN+Hau8hyoLzIAMuTyQekEGgdIkZgpsTG0 | ||||
RGiEXT0HWMhh+wT5S3fOYA+zztIY9wfIbznhrnQcJyTqV+gB8iwG1pE6/HJh | ||||
A9wmW8ugkLn1Gt1kvklpS6RP/jq3iT7IyfLrV2vFT0+NgFkg1YqK3afZI3wF | ||||
JNZrAataB+IOjo+WWj0o4IkGGSFnwF1s0CJeUDA0efErlOuZOuG34De/p05o | ||||
hi8qEcn++0p0kyq7BaivXsl8i2oBhxhFJ6Nmg0BLnoBbI0YhiON+AP5qpYhI | ||||
p0f4tVcl+IOtAxSoIcwGuASPz/AYXFdhUxnSWLmw7t7rGKDqEDYQV+dHLTFJ | ||||
M3gsxx09scDLhyx5AKLx21jl+oGVzymSQSpkQQ/goeWNDDJgvZklYNnwMFw7 | ||||
z1a0RqXxOsMVwFUIaOAiCB2CT4+yFCOKBmoonQfkYogCOp7zTq0X7CHbFAkZ | ||||
BImpSofjhSFNWahU5QCuEKchg2dwMvDEn4GirpxoxKFRqPXlrk9PuKxe+/o1 | ||||
B6FrQIWnJ+RhHGskRiYJiEWDWK0dk52m6pFt7rOagQncKzDtw7PPd0d467l2 | ||||
foXNuWGVHxUjjhlSkHvoq8Cc4DFxFj71gZ4yB6CU7IeEgqAR2G+W8DBoBhkt | ||||
utinJ2DhJVx8vsmJ57EqIAoARrHhoCyBZ7JKVZRIvWITh7OtzCSiczZvwj/r | ||||
zIByG1xKOkloiURPFUNOr9XBbatkINbdQRCk0yzJFlsWLWm1wFDYiIMPn6Z3 | ||||
Bw3+t7i+oc+3F3/6dHV7cY6fp28n79/7D7wC+DN9e/PpvV2An8pHIT78cHF9 | ||||
zk/Dt2Lnqw+Tvxw0WLoHNx/vrm6uJ+8PGFRAFh6kUJHgdjO0EYjWwQVhZASm | ||||
FSsT5XpGQFSvnZ59FJ0+3xpjI1Ac5gDEQ/D5calSBpcsTbb2TxDCFpFcyZwY | ||||
niSYX6x1AaFAA48wSwRWEJ2yLNxn619fBerqGBsgDonYP0jsnSkLmHyTeZYk | ||||
2aOhcKvTQnVjxLXP/b2KwWQjTtgjL2p2E6TioGUpARdGpXhdxlC2H7GWOQRC | ||||
wEpTenSHZagPO6wVtI07r89wGwiIONNtUUTOJ8W4OWgaWAfYNQB1Ri64sqnf | ||||
r9UN1RUC2acnOtBa4U7METnW8C6mUGtx2DkiGnotjhTxMXQTBm0GISFY2j0S | ||||
1p72hETeab9tEQlouuqLXK0TCEpA65vdwZDpxKAXlGoltz4QIayvbNNyuuDN | ||||
3nIu8JWk3SU8BAwymxm7OYhBDTPL+B0dMXSe9JGx0y2zWa8h+1SAbQz2fokR | ||||
YHWVJVaxb512eEX9WKrJ11cefHH1zbdUirQd1Oi12ZUdXpVYhcYHhubDZQ2+ | ||||
40UnioEiuiCrL2azAi+vf1KGo4w9JHguHdwX2wNxmMiZgtSrcyTAoxOkOD5Z | ||||
8jigSxLS/mK7VjYMwSsi5iwUxBHs0V3E5IMf9BIB8fhw6RjcOXhrDngL+B7z | ||||
DQjU8CB0OhANWLagYpIRQoprSaW7fIDMtTwj4DVy1PlmZzCQzMKd/FX4WAYY | ||||
ggTSK1YngdWEFwVpU5oVAQgR6NnDOvNK3IAdFlZZdC4Ob959PHLMf2lLlSR6 | ||||
jbgQbXKIOcLApRLgwF7+wAaSzZHXn7uDQeekgVcnuGzuSrlB7KXHxii9BqsR | ||||
yp9WR/lDubrZ8T/DUl7wJfi563/GfJDudm6N2SYhc8jYK4A2CuAMc27nfV+J | ||||
C3fzM7o5RUkk8z83Sd3+0jzLwBXrFCImZujXVyqKnv6vOHpx1i05SqEsZVfX | ||||
V6CkHxFOfgtXuy9wtbp8L2eDJZa7sCY4tNnbt+Y3S+A6wyw/cJUOAw0HpohH | ||||
gAeE5bAhgHj5BYXRCDYhoJkWeQiKSrI1BLoznegCw1H0GCu/DMJKwGDysJnN | ||||
R6oBNcGEk9Lzc3dwtEXaAFFflivO57bNqFQc2F198RdBp4SMa4krwGVA3Spt | ||||
eKqx2fI3D8UYG4AICYVIFVADHPGDygsMvS3wVAin3A6VkzKzTQ5BK4A1OUAP | ||||
75ADRptEelcJJnI7nYiPrL9oHt/TfFAAfKLU+N+gwD3Wu/RF9S11U31Pf+kO | ||||
U5/R/KIrVDOg33CBPhN3/70LEHFvp9Pm+w/T71FllzGI/HqSBkwSyOUXEXWD | ||||
MQpxamJEmRuTg6Qd2dNxHSZmna9YEDxLP9oodoVx+yaJKc7RK53IHFwYho6b | ||||
pOAEz4WoipO/eq1kQINSAZtfOuXmm1unTDjpeWcDqA/aRIDEMlXZxlAIr2NM | ||||
fpk8uufn5VYACokrLqCImzWnsPtirv+gQMstqMZX1SQb8Sd1uTBFEzsFmnpt | ||||
X3AVBqEmY08Bi8HrSAgQ0khhDYQhIFLPS0Jxpjh0kcDSfKdI4wO38gHUt0oN | ||||
RsR6AYmzq94gbMAtqnf16onA6QEpTFTKxAoSYUmqAzcB+UHEJH2NwEVceMeV | ||||
XiyB6gjvj6vsZiTFU4i7viDvqAT0nPmNF+s9qFwQTAF1yRZJnSP5VneQVAhx | ||||
VTJvEMeoJEiJN2UiJZWyABiYQVKIAda5nsMmlABjqyPy+Q9WbQylHlbOwO5c | ||||
o9J5isuNvlHLI5fAtbc9VxWPKij1+W32w3djn/wxz0EjjOkirhgHFgkn2CrX | ||||
WnFx1tZDSrJdZN6ytsKLOOvYG/NDlmngTsbr8V4p5diFQXMsxWVBeKEflK+n | ||||
LGQeJ1i6xFymqkgVEYVCutdpbDO8siAWORSy0IXVIca3XfgKVNNJ1WQrskFM | ||||
TAIK9uQBgFhz9ORYvDAEltogsKEEKW6Ov03moyMT9phvEueMp1wA5Uo/ZdaX | ||||
NrMlqC4zj2ryvNqAVc98IgJXRnsMdBj03xY/WCHCXsm8rCjrFJa4EAvbstH+ | ||||
LLxe20nD/Q4+EQfk1UmZNRP8LLIsRrlI0Flg3DLTEWoga7leES2PkDOD6jVs | ||||
fdm1JXbuC6crKt5SOP283QI+ITaRXKMaPKgkW7PuXOGjoF0ks0ZZpwG5FlvW | ||||
Y1c/NR5HUqViw+UwOO0R8T/kmSeKM85KAcNtYYsiOatbvfa8ovysei3K4vVV | ||||
yioFzi5F2DG22k/edQW7WnL4uQLr/gaDRNwMFGkt/7GxTh0UPFFwZzTAe2p7 | ||||
OH0j9rzNHoFbeYOqBaBUgCxwDeKOVs7zEdvJz6F3wHvZ1gqXF2T+jRo9l43B | ||||
SAEP0e845NhSOwW4i0mA5Q1h1rPGDmNOgP0WAn1+fFctjpPLviYHXRJ0Sc1I | ||||
fOCdz9j4chYquFvp0x3vBlnZfSwAZ07SrdUeeDgoE7uSDG+uze4eQXUywhzB | ||||
3XoP01rCReqKod8s9Rp5cU7enK7559agfSL+k3wArn6xtMNS9IXQbMdTZdww | ||||
eyEIkBatQ6ef7EZKwc28YyB3bIKtSIFaAskzriYMdK0y7HcB5GYLdK7otUsQ | ||||
Y0Exq+Ldq083THmZyVA7WxxOP767OrJ3d20HOMpGr7uF0U6r2yrLu9hbxy4g | ||||
3fQXEYOMTYAVAoy9YGej/OEWqQ6+DAowb6IbbCZYiGDZCUDhyKbOvSGQYS3Y | ||||
kY0mvGcLFqChWBH4yyAM7MTuHxg+yhX2oYguCwNCdgvIrP0tZ5a83OvifXkV | ||||
FepB2ZiDmkH79gKdeKZG3LBPxWR63ersJv34mC6cge9pDOEvQeulbEzF+5pP | ||||
nG6h4CgY5CEB37UyArtW5qgsDfq8xMFslM4PuGXUwnaRAZRCRzRTKhWBVjFF | ||||
vZPu05MrqFZKELCvbZwRlO+SKWbSsIXu4XlZcH2hR4VCsc1VrJyWndOD6L6w | ||||
1Dd25hnC2JpvR1Rzc8y2OFiFXeTw8gbUgfDVEJ1ilxinbtIF+jNAbhnT81jt | ||||
3KTEEkughEg5jLm8ky52NC59UFtKBYlKsM08k1SwRKcYRKU5MH2tlc2BZgm1 | ||||
trIZ3ob9aMAnf2rJsKKSceBTZSWamAmXYG5d2TaaI4X9vwZ62EdTcxE0BJaH | ||||
YTO27RkUc+dBqKNKbhfDfU7NuTq+eyeMP9Nq8EOGbhXKRVG8/WvD6kLda68u | ||||
tkbEKD1zKQ5PDgTa4u4Md/DK52vcLuSB262oXeQjKNtw3VE9Sm6YH6AheFO3 | ||||
aJ8lHJItYgO8OYPo5t5gdKpy3+RWYKBZrmlcRho4/4iKJz///DP1lL7yzNEb | ||||
kMQb0RFjICSTNLYkTcsSjpN22FulhXITvxG9cCFwMNvkkfLLs3zhl6sv6zei | ||||
D8s7vWGnd3J83O27nwAq3ohj+MnSgF/dF2/EX/96d3re+dvf4Jfl6/7JcBYf | ||||
y7mM5732SA1m7eNo2J+1+93ObH4SR+7R8H/tDjgn2ev3Zb83i+XxMTwdd4bD | ||||
k1h2Bz0VvbYPcWPvyTIDYRK7J4CR3DChlLkqGt+G2SOJlm3yhFpBtU8V2SKP | ||||
ywm8gZRY6fB7D1p8ur0y35kE+pRqKnDeWkmIK2e1cIVD3OCIhqDCaOWbDS7U | ||||
VZxTc51gxjKcW3Wq+MP05prGGXCLwx8+vzvapblRNqdIo9ldd0fHHvIhYgfE | ||||
2dtrMwG/GlaRXeIgeShFB3fUQSWC4zO0O6Si9Z0RKlhDmZT+ApvEJdZ6+Mny | ||||
0L/h8tKwXRqGD5v9PN0DB+GRxjtFHBxjAlQJZfZ0j0K/+vjQ1jd5OsZR5jHF | ||||
pGac4UzuGNTVG8BdBingvSrzt7KVO1N4IqkvqDREejTjwgxsBJSAqN38ANcX | ||||
5O5OpdzImvaSbdubDaHQaxmFFBduvyhLsPK0lDgQyaMmpP0szHCEAJKmF2Xy | ||||
9iWqjDfSl6zR91EfbE7hJ5wOaFecGBVTcugHSO1mlVbas89HSi05e2ZKBYPS | ||||
7pAq2tDLYEEu4UW2c53Ut6nILfsWMWYa8LMtScUKEx24puYmVCXIJy5g4RoH | ||||
Q3BKDv4v4bm+ek3leQbJsi18g7JkUbTJifNTjdVcVudrwsgwHuJAiFUq2xQQ | ||||
OTvb21u6DcvGlXmFnaEtJzIMHIf9TZ4AifZY5BacBJ42Rs/e8hEzjh9jW85P | ||||
JZ66h8shkp1pmQNeUv5exkqfbt9zX3UOaQeO/jaNnKtAjw1Oeu/JvAbIACBH | ||||
4Ag0wyh+wuSLK7aQZkJQoRM86fXvX2P1yO4JeddKF4VtIbqL8hwBBDI+G4dE | ||||
HSMIwREEAC7kghCkrCXWuAB77dRGWfUrT4BECjuZJWbtcphqpbaovlrjtDx1 | ||||
6d3MpNAm+M2GwfXa4VQpHOHBiuwXcebTTisTdAigpopm13wPkQYy9xy/K+Gj | ||||
A4fKs+cStbQGoS1PXZFOWSeEeRQoOf8wUyB+G4fJIBKz43tIKvwZ23as6z4a | ||||
HhIi5J1+fvhLPuz9dNr8/PjjH6ePf1o+DHqTy6n+8fbdn0bd7Mdh7/a/1l39 | ||||
qflYYjX6lA2I3kWX1fJCFROQyQGx4EMXEofUXqC5pOxFnzE2S4nFy/Fvo/6V | ||||
uLBkf33leFoGOVbxn8XL3+sb2QYvxgu7sXdZUfLjaJhTX5ydBe1aujcWKWeq | ||||
QIsMxMaA5HZDH0dt57Bkw1l9rOUizWjSjOGdNYMjKJx6dZaGCTVRHGuzTmSp | ||||
GJTVBdpRBuk0iQMwgS4Ppyd+v3eG4w2v7oy7LtKGHOjBPUeTFW5NszPu+EUl | ||||
H8biS9jCd4u74+Xr4UDFciA73cFoFHVnUh13T/q90Vz1esejdkd22lLK3mig | ||||
OrPZYDaIVad9HKt+7yRq12vHg0Enfr33wO2+A3twYEcNuioeDWDzzrA3H81P | ||||
VL8dx/OTea/fmfXi6GQmj4dtOR+pdiRH8I86USqK2+3jeq0fd06i8sB7cGMg | ||||
Ouz1Nso5pxc8vSUCL92BvFTGqjuX+K8e5Q9PFUt0iiFn2UM46u+bbqVGkpY4 | ||||
tAGgc/nbvUXfADb2a0YZ000G7U672223O93O4LjbHg4uzieDCQnnrHs6uWDh | ||||
XF6wcCad9mQyAeFcdE5PB6eD8wsQznm9dgHiOWujcM67XdynczHoXpw7nl+O | ||||
Lk8u+u3z88uTS+D5ae/87OR0AjyfXI4u2meTEfxzcQLbXJydA9f75x3YDffp | ||||
D8+Hg1F3eDLsDPvDy2GvezHswt+d4cWwPzqBz4Nhb3jab7tPw7NhvUa/wsrB | ||||
6BhWno/a8O3AM/uaWryJH7IP5gT8mHlFFn7Kb6fx+GIUYXx48tI4Yboz4gRZ | ||||
QmXiQxxKnmVzkQhOTT0dcdO+wcNJDRw/4rG+g+2BzxLKnuXzBmnjGxjDEBNW | ||||
AUot2gdmvoCHY7GrzSq4ou+tkhZDbAdmic7fzhyTHBiQHMJ4FPlFCOEz9m9A | ||||
RQAUvwgE/J7fQAPGgnqtNNyrtGqMQdcYYeJ5ZeWZZaLkXzDN/r9ommAIYJz/ | ||||
kmnWa844Q9P01/9EoaltQu62zCsFxfJa3yvHfK/0EgQA7n3YPbMpk72A/KjR | ||||
7mn6M9UQPCbb8lWrZxVBPceXj/CGCY6CydVMLzY0CeN23qmjc+zA9fcwL6fm | ||||
nR8TDl6qe6kjRbr4//wO9HeYMfq0cPdlq/0DGOKwnHPCgjKlD26qIxxuClG5 | ||||
+lrBkZsHKVMVKoP4Lv++IZFvE4Vl/xWWVCRWGHjQImB5kNw2xJ6xSB5LwLCB | ||||
5tU1vmTDmMidpN2GtXG+B8L0Zy90JZBwF3qF0Q4OtTWqDeLdjexYtgSBJ5rK | ||||
9CslU/JG5YAQRb62pFzVJMAy1Ax8zdeXHCiizlU2P3KvPmJ1mNIa7vmmOFwi | ||||
o3vszEMMgsOpyXancSt3NvWtXXIi7Djo5UtwxLpwr7ZwaU+GYyD4hunOaIWe | ||||
Y/km4BOOVtp31OjlxyzegF7Yfss11ycCoolgepM5mG5yD/V+d82IB19wd4Pf | ||||
PEIJg18FI6ViJ4QQkDZ23vR8BQ5HMRpiBt/y4u9cCbXjox8E2Hk5bedds2CW | ||||
QsRZaltwETpecc6TGuSeqZRhe/0+665ObS7xXaHNHFSXejsKe35rMkXAiwdq | ||||
jTg+Gfut7VKKgmuyz8lzIYPOq6+y2tciWVNdW4xnA+xhiBbzPVSSAoH+xNkq | ||||
8fMWVhSoSAVIX0KS1ekei5nGv9JFsWxVysTu7TBfXLdJ7Voawy+S+fIFxN9N | ||||
xwlIMXNVGB5DxqqLZS/StEldIyycylRcAgHN2OGLCy5xUiEcKyKlfy4EUrv0 | ||||
26pgZRxcixpoPH6TNHxR6VvaxJU30Ft0NkHngTANJ8eCUh7tvsqw2V3wiz/r | ||||
JNvyK7lurgYsmkyexxCwiwdHU7E6E+BMEv1TVf+fv8/KsFA6FTuoym+sVGIA | ||||
8fUVdWIoSMOfNZf1lbGdFAgqdrIq5O42fFVSPHtTErj6K16VtCPGezrqVN8d | ||||
Cyqc719wToXINf+HF7x/deNeYZm7KX7Y/z6nPeTHPYe8w3zZNcme/UpzLvTi | ||||
z6E5Glfby7R4KdOFwmdAHZNE5WNxdXF3iT9NK+7u3L5PR9vAceE7dnhuvXbJ | ||||
74mtaPD/RTlJi9AV2dxMNmCkn26vSlnUa6EwyIi/fv03HKsbDQZeHp9ur8ff | ||||
bGUgO/AlIcvAlypiASuigBXf4QUs2MuJV2IS4ZRWouIFVSIpjP2srJNI9L29 | ||||
v4Q0nxr59J9DMWVZc9g7tmVNhljutdkm/LebbZUoxQJw+bYqO0FQs3dhxkuo | ||||
/zzFZJusvsz8uP8WZzLHGTNxir4/hYjpCoINLd7rjXmQIBWIaN5L2BKT6feb | ||||
NJ4lMgY1OZfabGCfyY+6yFa6IT7oaClVIm7x34DXGHy5705b4gdwhBgdfQBi | ||||
MlDkd2kWK4DAHzL4/QepFosENjnHQUiA5o96jSN6HyWo+724/Od/J/iC2z// | ||||
Z9UQnyUsAePZ4Ot6DXxrZwaakiV2euAUfozBa33IwCEFcpiDU56BowTG/C+x | ||||
7bnGeUgAAA== | ||||
Note that our script did not flag any words in particular, but this should | ||||
still be reviewed as a best practice. | ||||
--> | --> | |||
</rfc> | </rfc> | |||
End of changes. 117 change blocks. | ||||
784 lines changed or deleted | 527 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |