| rfc9942v1.txt | rfc9942.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) O. Steele | Internet Engineering Task Force (IETF) O. Steele | |||
| Request for Comments: 9942 Tradeverifyd | Request for Comments: 9942 Tradeverifyd | |||
| Category: Standards Track H. Birkholz | Category: Standards Track H. Birkholz | |||
| ISSN: 2070-1721 Fraunhofer SIT | ISSN: 2070-1721 Fraunhofer SIT | |||
| A. Delignat-Lavaud | A. Delignat-Lavaud | |||
| C. Fournet | C. Fournet | |||
| Microsoft | Microsoft | |||
| March 2026 | April 2026 | |||
| CBOR Object Signing and Encryption (COSE) Receipts | CBOR Object Signing and Encryption (COSE) Receipts | |||
| Abstract | Abstract | |||
| CBOR Object Signing and Encryption (COSE) Receipts prove properties | CBOR Object Signing and Encryption (COSE) Receipts prove properties | |||
| of a Verifiable Data Structure (VDS) to a verifier. Verifiable Data | of a Verifiable Data Structure (VDS) to a verifier. Verifiable Data | |||
| Structures and associated proof types enable security properties, | Structures and associated Proof Types enable security properties, | |||
| such as minimal disclosure, transparency, and non-equivocation. | such as minimal disclosure, transparency, and non-equivocation. | |||
| Transparency helps maintain trust over time and has been applied to | Transparency helps maintain trust over time and has been applied to | |||
| certificates, end-to-end encrypted messaging systems, and supply | certificates, end-to-end encrypted messaging systems, and supply | |||
| chain security. This specification enables concise transparency- | chain security. This specification enables concise transparency- | |||
| oriented systems by building on Concise Binary Object Representation | oriented systems by building on Concise Binary Object Representation | |||
| (CBOR) and COSE. The extensibility of the approach is demonstrated | (CBOR) and COSE. The extensibility of the approach is demonstrated | |||
| by providing CBOR encodings for Merkle inclusion and consistency | by providing CBOR encodings for Merkle inclusion and consistency | |||
| proofs. | proofs. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at line 99 ¶ | skipping to change at line 99 ¶ | |||
| Acknowledgements | Acknowledgements | |||
| Contributors | Contributors | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| COSE Receipts are signed proofs that include metadata about certain | COSE Receipts are signed proofs that include metadata about certain | |||
| states of a Verifiable Data Structure (VDS) that are true when the | states of a Verifiable Data Structure (VDS) that are true when the | |||
| COSE Receipt was issued. COSE Receipts can include proofs that a | COSE Receipt was issued. COSE Receipts can include proofs that a | |||
| document is in a database (proof of inclusion), that a database is | document is in a database (proof of inclusion), that a database is | |||
| append only (proof of consistency), that a smaller set of statements | append-only (proof of consistency), that a smaller set of statements | |||
| are contained in a large set of statements (proof of disclosure, a | are contained in a large set of statements (proof of disclosure, a | |||
| special case of proof of inclusion), or that certain data is not yet | special case of proof of inclusion), or that certain data is not yet | |||
| present in a database (proof of non-inclusion). Different VDSs can | present in a database (proof of non-inclusion). Different VDSs can | |||
| produce different Verifiable Data structure Proofs (VDP). The | produce different Verifiable Data structure Proofs (VDP). The | |||
| combination of representations of various VDSs and VDP can | combination of representations of various VDSs and VDP can | |||
| significantly increase the burden for implementers and create | significantly increase the burden for implementers and create | |||
| interoperability challenges for transparency services. This document | interoperability challenges for transparency services. This document | |||
| describes how to convey VDS and associated VDP types in unified COSE | describes how to convey VDS and associated VDP types in unified COSE | |||
| envelopes. | envelopes. | |||
| skipping to change at line 124 ¶ | skipping to change at line 124 ¶ | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. New COSE Header Parameters | 2. New COSE Header Parameters | |||
| This document defines three new COSE header parameters, which are | This document defines three new COSE header parameters, which are | |||
| introduced up front in this section and elaborated on later in this | introduced up front in this section and elaborated on later in this | |||
| document. | document. | |||
| 394: A COSE header parameter named receipts with a value type of | 394: A COSE header parameter named "receipts" with a value type of | |||
| array where the array contains one or more COSE Receipts as | array where the array contains one or more COSE Receipts as | |||
| specified in this document. | specified in this document. | |||
| 395: A COSE header parameter named vds (for Verifiable Data | 395: A COSE header parameter named "vds" (for Verifiable Data | |||
| Structure), which conveys the algorithm identifier for a | Structure), which conveys the algorithm identifier for a | |||
| Verifiable Data Structure. Correspondingly, see Section 8.2.2.1 | Verifiable Data Structure. Correspondingly, see Section 8.2.2.1 | |||
| for a registry defining the integers used to identify Verifiable | for a registry defining the integers used to identify Verifiable | |||
| Data Structures. | Data Structures. | |||
| 396: A COSE header parameter named vdp (for Verifiable Data | 396: A COSE header parameter named "vdp" (for Verifiable Data | |||
| Structure Proofs), which conveys a map containing Verifiable Data | Structure Proofs), which conveys a map containing Verifiable Data | |||
| Structure Proofs organized by proof type. Correspondingly, see | Structure Proofs organized by Proof Type. Correspondingly, see | |||
| Section 8.2.2.2 for a registry defining the integers used to | Section 8.2.2.2 for a registry defining the integers used to | |||
| identify Verifiable Data Structure proof types. | identify Verifiable Data Structure Proof Types. | |||
| 3. Terminology | 3. Terminology | |||
| CDDL: Concise Data Definition Language (CDDL) is defined in | CDDL: Concise Data Definition Language (CDDL) is defined in | |||
| [RFC8610]. | [RFC8610]. | |||
| EDN: CBOR Extended Diagnostic Notation (EDN) is defined in | EDN: CBOR Extended Diagnostic Notation (EDN) is defined in | |||
| [RFC8949], where it is referred to as "diagnostic notation", and | [RFC8949], where it is referred to as "diagnostic notation", and | |||
| is revised in [CBOR-EDN]. | is revised in [CBOR-EDN]. | |||
| Verifiable Data Structure (VDS): A data structure that supports one | Verifiable Data Structure (VDS): A data structure that supports one | |||
| or more Verifiable Data Structure Proof Types. This property | or more Verifiable Data Structure Proof Types. This property | |||
| describes an algorithm used to maintain a Verifiable Data | describes an algorithm used to maintain a Verifiable Data | |||
| Structure, for example, a binary Merkle tree algorithm. | Structure, for example, a binary Merkle Tree algorithm. | |||
| Verifiable Data Structure Proofs (VDP): A data structure used to | Verifiable Data Structure Proofs (VDP): A data structure used to | |||
| convey proof types for proving different properties, such as | convey Proof Types for proving different properties, such as | |||
| authentication, inclusion, consistency, and freshness. Parameters | authentication, inclusion, consistency, and freshness. Parameters | |||
| can include multiple proofs of a given type or multiple types of | can include multiple proofs of a given type or multiple types of | |||
| proof (inclusion and consistency). | proof (inclusion and consistency). | |||
| Proof Type: A property that can be obtained by verifying a given | Proof Type: A property that can be obtained by verifying a given | |||
| proof over one or more entries in a Verifiable Data Structure. | proof over one or more entries in a Verifiable Data Structure. | |||
| For example, a VDS, such as a binary Merkle tree, can support | For example, a VDS, such as a binary Merkle Tree, can support | |||
| proofs of type "inclusion" where each proof confirms that a given | inclusion proofs where each proof confirms that a given entry is | |||
| entry is included in a Merkle root. | included in a Merkle Tree root. | |||
| Proof Value: An encoding of a Proof Type in CBOR [RFC8949]. | Proof Value: An encoding of a Proof Type in CBOR [RFC8949]. | |||
| Entry: An entry in a Verifiable Data Structure for which proofs can | Entry: An entry in a Verifiable Data Structure for which proofs can | |||
| be derived. | be derived. | |||
| Receipt: A COSE object, as defined in [RFC9052], containing the | Receipt: A COSE Single Signer Data Object, as defined in [RFC9052], | |||
| header parameters necessary to convey VDP for an associated VDS. | containing the header parameters necessary to convey one or more | |||
| VDP for an associated VDS. | ||||
| 4. Verifiable Data Structures in CBOR | 4. Verifiable Data Structures in CBOR | |||
| This section describes representations of Verifiable Data Structure | This section describes representations of Verifiable Data Structure | |||
| Proofs in [RFC8949]. For example, construction of a Merkle tree leaf | Proofs in [RFC8949]. For example, construction of a Merkle Tree leaf | |||
| or an inclusion proof from a leaf to a Merkle root might have several | or an inclusion proof from a leaf to a Merkle Tree root might have | |||
| different representations, depending on the Verifiable Data Structure | several different representations, depending on the Verifiable Data | |||
| used. Differences in representations are necessary to support | Structure used. Differences in representations are necessary to | |||
| efficient verification, unique security or privacy properties, and | support efficient verification, unique security or privacy | |||
| for compatibility with specific implementations. This document | properties, and for compatibility with specific implementations. | |||
| defines two extension points for enabling Verifiable Data Structures | This document defines two extension points for enabling Verifiable | |||
| with COSE and provides concrete examples for the structures and | Data Structures with COSE and provides concrete examples for the | |||
| proofs defined in Section 2.1.3 of [RFC9162] and Section 2.1.4 of | structures and proofs defined in Section 2.1.3 of [RFC9162] and | |||
| [RFC9162]. The design of these structures is influenced by the | Section 2.1.4 of [RFC9162]. The design of these structures is | |||
| conventions established for COSE Keys. | influenced by the conventions established for COSE Keys. | |||
| 4.1. Structures | 4.1. Structures | |||
| Similar to COSE Key Types [IANA.cose_header-parameters], different | Similar to COSE Key Types [IANA.cose_header-parameters], different | |||
| Verifiable Data Structures support different algorithms. | Verifiable Data Structures support different algorithms. | |||
| This document establishes a registry of Verifiable Data Structure | This document establishes a registry of Verifiable Data Structure | |||
| algorithms; see Section 8.2.2.1 for details. | algorithms; see Section 8.2.2.1 for details. | |||
| 4.2. Proofs | 4.2. Proofs | |||
| Similar to COSE Key Type Parameters [IANA.cose_header-parameters], as | Similar to COSE Key Type Parameters [IANA.cose_header-parameters], as | |||
| EC2 keys (1: 2) require and give meaning to specific parameters, such | EC2 keys (1: 2) require and give meaning to specific parameters, such | |||
| as -1 (crv), -2 (x), -3 (y), -4 (d), RFC9162_SHA256 (395: 1) supports | as -1 (crv), -2 (x), -3 (y), -4 (d), RFC9162_SHA256 (395: 1) supports | |||
| both (-1) inclusion and (-2) consistency proofs. | both (-1) inclusion and (-2) consistency proofs. | |||
| This document establishes a registry of Verifiable Data Structure | This document establishes a registry of Verifiable Data Structure | |||
| Proofs; see Section 8.2.2.2 for details. | Proofs; see Section 8.2.2.2 for details. | |||
| Proof types are specific to their associated "Verifiable Data | Proof Types are specific to their associated "Verifiable Data | |||
| Structure"; for example, different Merkle trees might support | Structure"; for example, different Merkle Trees might support | |||
| different representations of "inclusion proof" or "consistency | different representations of inclusion proof or consistency proof. | |||
| proof". Implementers should not expect interoperability across | Implementers should not expect interoperability across "Verifiable | |||
| "Verifiable Data Structures". Security analysis MUST be conducted | Data Structures". Security analysis MUST be conducted prior to | |||
| prior to migrating to new structures to ensure the new security and | migrating to new structures to ensure the new security and privacy | |||
| privacy assumptions are acceptable for the use case. | assumptions are acceptable for the use case. | |||
| 4.3. Usage | 4.3. Usage | |||
| This document registers a new COSE Header Parameter receipts (394) to | This document registers a new COSE header parameter "receipts" (394) | |||
| enable Receipts to be conveyed in the protected and unprotected | to enable Receipts to be conveyed in the protected and unprotected | |||
| headers of COSE Objects. | headers of Enveloped COSE Structures. | |||
| When the receipts header parameter is present, the verifier MUST | When the "receipts" header parameter is present, the verifier MUST | |||
| confirm that the associated Verifiable Data Structure and Verifiable | confirm that the associated Verifiable Data Structure and Verifiable | |||
| Data Structure Proofs match entries present in the registries | Data Structure Proofs match entries present in the registries | |||
| established in this specification, including values added in | established in this specification, including values added in | |||
| subsequent registrations. | subsequent registrations. | |||
| Receipts MUST be tagged as COSE_Sign1. | Receipts MUST be tagged as COSE_Sign1. | |||
| The following definition from [RFC8610] is provided: | The following definition from [RFC8610] is provided: | |||
| Signature_With_Receipt = #6.18(COSE_Sign1) | Signature_With_Receipt = /6.18(COSE_Sign1) | |||
| cose.label = int / text | cose-label = int / text | |||
| cose.values = any | cose-values = any | |||
| Protected_Header = { | Protected_Header = { | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| Unprotected_Header = { | Unprotected_Header = { | |||
| &(receipts: 394) => [+ bstr .cbor Receipt] | &(receipts: 394) => [+ bstr .cbor Receipt] | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| COSE_Sign1 = [ | COSE_Sign1 = [ | |||
| protected : bstr .cbor Protected_Header, | protected : bstr .cbor Protected_Header, | |||
| unprotected : Unprotected_Header, | unprotected : Unprotected_Header, | |||
| payload : bstr / nil, | payload : bstr / nil, | |||
| signature : bstr | signature : bstr | |||
| ] | ] | |||
| Receipt = Receipt_For_Inclusion / Receipt_For_Consistency | Receipt = Receipt_For_Inclusion / Receipt_For_Consistency | |||
| ; Note the proof formats shown here are for RFC9162_SHA256. | ; Note the proof formats shown here are for RFC9162_SHA256. | |||
| ; Other Verifiable Data Structures may have different proof formats. | ; Other Verifiable Data Structures may have different proof formats. | |||
| Receipt_For_Inclusion = #6.18(Signed_Inclusion_Proof) | Receipt_For_Inclusion = /6.18(Signed_Inclusion_Proof) | |||
| Signed_Inclusion_Proof = [ | Signed_Inclusion_Proof = [ | |||
| protected : bstr .cbor RFC9162_SHA256_Inclusion_Protected_Header | protected : bstr .cbor RFC9162_SHA256_Inclusion_Protected_Header, | |||
| unprotected : RFC9162_SHA256_Inclusion_Unprotected_Header | unprotected : RFC9162_SHA256_Inclusion_Unprotected_Header, | |||
| payload : bstr / nil | payload : bstr / nil, | |||
| signature : bstr | signature : bstr | |||
| ] | ] | |||
| RFC9162_SHA256_Inclusion_Protected_Header = { | RFC9162_SHA256_Inclusion_Protected_Header = { | |||
| &(alg: 1) => int | &(alg: 1) => int | |||
| &(vds: 395) => int | &(vds: 395) => int | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| RFC9162_SHA256_Inclusion_Unprotected_Header = { | RFC9162_SHA256_Inclusion_Unprotected_Header = { | |||
| &(vdp: 396) => RFC9162_SHA256_Verifiable_Inclusion_Proofs | &(vdp: 396) => RFC9162_SHA256_Verifiable_Inclusion_Proofs | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| RFC9162_SHA256_Verifiable_Inclusion_Proofs = { | RFC9162_SHA256_Verifiable_Inclusion_Proofs = { | |||
| &(inclusion-proof: -1) => RFC9162_SHA256_Inclusion_Proofs | &(inclusion-proof: -1) => RFC9162_SHA256_Inclusion_Proofs | |||
| } | } | |||
| RFC9162_SHA256_Inclusion_Proofs = [ + RFC9162_SHA256_Inclusion_Proof ] | RFC9162_SHA256_Inclusion_Proofs = [ + RFC9162_SHA256_Inclusion_Proof ] | |||
| RFC9162_SHA256_Inclusion_Proof = bstr .cbor [ | RFC9162_SHA256_Inclusion_Proof = bstr .cbor [ | |||
| tree_size: uint, | tree_size: uint, | |||
| leaf_index: uint, | leaf_index: uint, | |||
| inclusion_path: [ + bstr ] | inclusion_path: [ + bstr ] | |||
| ] | ] | |||
| Receipt_For_Consistency = #6.18(Signed_Consistency_Proof) | Receipt_For_Consistency = /6.18(Signed_Consistency_Proof) | |||
| Signed_Consistency_Proof = [ | Signed_Consistency_Proof = [ | |||
| protected : bstr .cbor RFC9162_SHA256_Consistency_Protected_Header, | protected : bstr .cbor RFC9162_SHA256_Consistency_Protected_Header, | |||
| unprotected : RFC9162_SHA256_Consistency_Unprotected_Header, | unprotected : RFC9162_SHA256_Consistency_Unprotected_Header, | |||
| payload : bstr / nil, ; Newer Merkle tree root | payload : bstr / nil, ; Newer Merkle Tree root | |||
| signature : bstr | signature : bstr | |||
| ] | ] | |||
| RFC9162_SHA256_Consistency_Protected_Header = { | RFC9162_SHA256_Consistency_Protected_Header = { | |||
| &(alg: 1) => int, | &(alg: 1) => int, | |||
| &(vds: 395) => int, | &(vds: 395) => int, | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| RFC9162_SHA256_Consistency_Unprotected_Header = { | RFC9162_SHA256_Consistency_Unprotected_Header = { | |||
| &(vdp: 396) => RFC9162_SHA256_Verifiable_Consistency_Proofs | &(vdp: 396) => RFC9162_SHA256_Verifiable_Consistency_Proofs | |||
| * cose.label => cose.values | * cose-label => cose-values | |||
| } | } | |||
| RFC9162_SHA256_Verifiable_Consistency_Proofs = { | RFC9162_SHA256_Verifiable_Consistency_Proofs = { | |||
| &(consistency-proof: -2) => RFC9162_SHA256_Consistency_Proofs | &(consistency-proof: -2) => RFC9162_SHA256_Consistency_Proofs | |||
| } | } | |||
| RFC9162_SHA256_Consistency_Proofs = [ + RFC9162_SHA256_Consistency_Proof ] | RFC9162_SHA256_Consistency_Proofs = [ + RFC9162_SHA256_Consistency_Proof ] | |||
| RFC9162_SHA256_Consistency_Proof = bstr .cbor [ | RFC9162_SHA256_Consistency_Proof = bstr .cbor [ | |||
| tree_size_1: uint, | tree_size_1: uint, | |||
| tree_size_2: uint, | tree_size_2: uint, | |||
| consistency_path: [ + bstr ] | consistency_path: [ + bstr ] | |||
| ] | ] | |||
| Figure 1: CDDL for a COSE Sign1 with Attached Receipts | Figure 1: CDDL for a COSE_Sign1 with Attached Receipts | |||
| The following informative EDN is provided: | The following informative EDN is provided: | |||
| / cose-sign1 / 18([ | / cose-sign1 / 18([ | |||
| / protected / <<{ | / protected / <<{ | |||
| / kid / 4 : h'bc297b51...e4edf0de', | / kid / 4 : h'bc297b51...e4edf0de', | |||
| / algorithm / 1 : -7, # ES256 | / algorithm / 1 : -7, / ES256 | |||
| }>>, | }>>, | |||
| / unprotected / { | / unprotected / { | |||
| / receipts / 394 : { | / receipts / 394 : { [ << ... >> ] | |||
| <</ cose-sign1 / 18([ | } | |||
| <</ cose-sign1 / 18([ | ||||
| / protected / <<{ | / protected / <<{ | |||
| / kid / 4 : h'abcdef12...34567890', | / kid / 4 : h'abcdef12...34567890', | |||
| / algorithm / 1 : -7, # ES256 | / algorithm / 1 : -7, / ES256 | |||
| / vds / 395 : 1, # RFC9162 SHA-256 | / vds / 395 : 1, / RFC9162 SHA-256 | |||
| }>>, | }>>, | |||
| / unprotected / { | / unprotected / { | |||
| / proofs / 396 : { | / proofs / 396 : { | |||
| / inclusion / -1 : [ | / inclusion / -1 : [ | |||
| <<[ | <<[ | |||
| / size / 9, / leaf / 8, | / size / 9, / leaf / 8, | |||
| / inclusion path / | / inclusion path / | |||
| h'7558a95f...e02e35d6' | h'7558a95f...e02e35d6' | |||
| ]>> | ]>> | |||
| ], | ], | |||
| }, | }, | |||
| }, | }, | |||
| / payload / null, | / payload / null, | |||
| / signature / h'02d227ed...ccd3774f' | / signature / h'02d227ed...ccd3774f' | |||
| ])>>, | ])>>, | |||
| <</ cose-sign1 / 18([ | <</ cose-sign1 / 18([ | |||
| / protected / <<{ | / protected / <<{ | |||
| / kid / 4 : h'abcdef12...34567890', | / kid / 4 : h'abcdef12...34567890', | |||
| / algorithm / 1 : -7, # ES256 | / algorithm / 1 : -7, / ES256 | |||
| / vds / 395 : 1, # RFC9162 SHA-256 | / vds / 395 : 1, / RFC9162 SHA-256 | |||
| }>>, | }>>, | |||
| / unprotected / { | / unprotected / { | |||
| / proofs / 396 : { | / proofs / 396 : { | |||
| / inclusion / -1 : [ | / inclusion / -1 : [ | |||
| <<[ | <<[ | |||
| / size / 6, / leaf / 5, | / size / 6, / leaf / 5, | |||
| / inclusion path / | / inclusion path / | |||
| h'9352f974...4ffa7ce0', | [ h'9352f974...4ffa7ce0', | |||
| h'54806f32...f007ea06' | h'54806f32...f007ea06' ] | |||
| ]>> | ]>> | |||
| ], | ], | |||
| }, | }, | |||
| }, | }, | |||
| / payload / null, | / payload / null, | |||
| / signature / h'36581f38...a5581960' | / signature / h'36581f38...a5581960' | |||
| ])>> | ])>> | |||
| }, | }, | |||
| }, | }, | |||
| / payload / h'0167c57c...deeed6d4', | / payload / h'0167c57c...deeed6d4', | |||
| skipping to change at line 398 ¶ | skipping to change at line 400 ¶ | |||
| 4.4. Profiles | 4.4. Profiles | |||
| New Verifiable Data Structures can require the definition of a | New Verifiable Data Structures can require the definition of a | |||
| profile. The payload in such definitions SHOULD be detached. | profile. The payload in such definitions SHOULD be detached. | |||
| Detached payloads force verifiers to recompute the root from the | Detached payloads force verifiers to recompute the root from the | |||
| proof and protect against implementation errors where the signature | proof and protect against implementation errors where the signature | |||
| is verified but the payload is incompatible with the proof. Profiles | is verified but the payload is incompatible with the proof. Profiles | |||
| of proof signatures that define additional protected header | of proof signatures that define additional protected header | |||
| parameters are encouraged to make their presence mandatory to ensure | parameters are encouraged to make their presence mandatory to ensure | |||
| that claims are processed with their intended semantics. One way to | that claims are processed with their intended semantics. One way to | |||
| include this information in the COSE structure is use of the typ | include this information in the COSE structure is use of the "typ" | |||
| (type) Header Parameter; see [RFC9596] and the similar guidance | (type) header parameter; see [RFC9596] and the similar guidance | |||
| provided in [RFC9597]. | provided in [RFC9597]. | |||
| 4.4.1. Registration Requirements | 4.4.1. Registration Requirements | |||
| Each Verifiable Data Structure specification applying for inclusion | Each Verifiable Data Structure specification applying for inclusion | |||
| in this registry MUST define how to encode the Verifiable Data | in this registry MUST define how to encode the Verifiable Data | |||
| Structure identifier and its proof types in CBOR. Each specification | Structure identifier and its Proof Types in CBOR. Each specification | |||
| MUST define how to produce and consume the supported proof types. | MUST define how to produce and consume the supported Proof Types. | |||
| See Section 5 as an example. | See Section 5 as an example. | |||
| Where a specification supports a choice of hash algorithm, a separate | Where a specification supports a choice of hash algorithm, a separate | |||
| IANA registration must be made for each supported algorithm. For | IANA registration must be made for each supported algorithm. For | |||
| example, to provide support for SHA256 and SHA3_256 with Merkle | example, to provide support for SHA256 and SHA3_256 with Merkle | |||
| Inclusion Proofs and Merkle Consistency Proofs defined, respectively, | inclusion proofs and Merkle consistency proofs defined, respectively, | |||
| in Section 2.1.3 of [RFC9162] and Section 2.1.4 of [RFC9162], both | in Section 2.1.3 of [RFC9162] and Section 2.1.4 of [RFC9162], both | |||
| "RFC9162_SHA256" and "RFC9162_SHA3_256" require entries in the | "RFC9162_SHA256" and "RFC9162_SHA3_256" require entries in the | |||
| relevant IANA registries. This document only defines | relevant IANA registries. This document only defines | |||
| "RFC9162_SHA256". | "RFC9162_SHA256". | |||
| 5. RFC9162_SHA256 | 5. RFC9162_SHA256 | |||
| This section defines how the data structure described in Section 2.1 | This section defines how the data structure described in Section 2.1 | |||
| of [RFC9162] is mapped to the terminology defined in this document, | of [RFC9162] is mapped to the terminology defined in this document, | |||
| using [RFC8949] and [RFC9053]. | using [RFC8949] and [RFC9053]. | |||
| skipping to change at line 436 ¶ | skipping to change at line 438 ¶ | |||
| The integer identifier for this Verifiable Data Structure is 1. The | The integer identifier for this Verifiable Data Structure is 1. The | |||
| string identifier for this Verifiable Data Structure is | string identifier for this Verifiable Data Structure is | |||
| "RFC9162_SHA256", a Merkle Tree where SHA256 is used as the hash | "RFC9162_SHA256", a Merkle Tree where SHA256 is used as the hash | |||
| algorithm (see Table 2). See Section 2.1.1 of [RFC9162] for a | algorithm (see Table 2). See Section 2.1.1 of [RFC9162] for a | |||
| complete description of this Verifiable Data Structure. | complete description of this Verifiable Data Structure. | |||
| 5.2. Inclusion Proof | 5.2. Inclusion Proof | |||
| See Section 2.1.3.1 of [RFC9162] for a complete description of this | See Section 2.1.3.1 of [RFC9162] for a complete description of this | |||
| Verifiable Data Structure Proof type. | Verifiable Data Structure Proof Type. | |||
| The CBOR representation of an inclusion proof for RFC9162_SHA256 is: | The CBOR representation of an inclusion proof for RFC9162_SHA256 is: | |||
| inclusion-proof = bstr .cbor [ | inclusion-proof = bstr .cbor [ | |||
| ; tree size at current Merkle root | ; tree size at current Merkle Tree root | |||
| tree-size: uint | tree-size: uint | |||
| ; index of leaf in tree | ; index of leaf in tree | |||
| leaf-index: uint | leaf-index: uint | |||
| ; path from leaf to current Merkle root | ; path from leaf to current Merkle Tree root | |||
| inclusion-path: [ + bstr ] | inclusion-path: [ + bstr ] | |||
| ] | ] | |||
| Figure 3: CBOR-Encoded Inclusion Proof for RFC9162_SHA256 | Figure 3: CBOR-Encoded Inclusion Proof for RFC9162_SHA256 | |||
| The term leaf-index is used for alignment with the use established in | The term leaf-index is used for alignment with the use established in | |||
| Section 2.1.3.2 of [RFC9162]. | Section 2.1.3.2 of [RFC9162]. | |||
| Note that [RFC9162] defines inclusion proofs only for leaf nodes, and | Note that [RFC9162] defines inclusion proofs only for leaf nodes, and | |||
| that: | that: | |||
| | If leaf_index is greater than or equal to tree_size, then fail the | | If leaf_index is greater than or equal to tree_size, then fail the | |||
| | proof verification. | | proof verification. | |||
| The identifying index of a leaf node is relative to all nodes in the | The identifying index of a leaf node is relative to all nodes in the | |||
| tree size for which the proof was obtained. | tree size for which the proof was obtained. | |||
| 5.2.1. Receipt of Inclusion | 5.2.1. Receipt of Inclusion | |||
| In a signed inclusion proof, the payload is the Merkle tree root that | In a signed proof, the payload is the Merkle Tree root that | |||
| corresponds to the log at size tree-size. The protected header for | corresponds to the log at size tree-size. The protected header for | |||
| an RFC9162_SHA256 inclusion proof signature is: | an RFC9162_SHA256 inclusion proof signature is: | |||
| protected-header-map = { | protected-header-map = { | |||
| &(alg: 1) => int | &(alg: 1) => int | |||
| &(vds: 395) => int | &(vds: 395) => int | |||
| * cose-label => cose-value | * cose-label => cose-value | |||
| } | } | |||
| Figure 4: Protected Header for a Receipt of Inclusion | Figure 4: Protected Header for a Receipt of Inclusion | |||
| skipping to change at line 509 ¶ | skipping to change at line 511 ¶ | |||
| Figure 5: A Verifiable Data Structure Proofs in an Unprotected Header | Figure 5: A Verifiable Data Structure Proofs in an Unprotected Header | |||
| vdp (label: 396): REQUIRED. Verifiable Data Structure Proofs. | vdp (label: 396): REQUIRED. Verifiable Data Structure Proofs. | |||
| Value type: Map. | Value type: Map. | |||
| inclusion-proof (label: -1): REQUIRED. Inclusion proofs. Value | inclusion-proof (label: -1): REQUIRED. Inclusion proofs. Value | |||
| type: Array of bstr. | type: Array of bstr. | |||
| The payload of an RFC9162_SHA256 inclusion proof signature is the | The payload of an RFC9162_SHA256 inclusion proof signature is the | |||
| Merkle tree hash as defined in [RFC9162]. | Merkle Tree hash as defined in [RFC9162]. | |||
| An EDN example for a Receipt containing an inclusion proof for | An EDN example for a Receipt containing an inclusion proof for | |||
| RFC9162_SHA256 with a detached payload (see Section 4.4) is: | RFC9162_SHA256 with a detached payload (see Section 4.4) is: | |||
| / cose-sign1 / 18([ | / cose-sign1 / 18([ | |||
| / protected / <<{ | / protected / <<{ | |||
| / algorithm / 1 : -7, # ES256 | / algorithm / 1 : -7, / ES256 | |||
| / vds / 395 : 1, # RFC9162 SHA-256 | / vds / 395 : 1, / RFC9162 SHA-256 | |||
| }>>, | }>>, | |||
| / unprotected / { | / unprotected / { | |||
| / proofs / 396 : { | / proofs / 396 : { | |||
| / inclusion / -1 : [ | / inclusion / -1 : [ | |||
| <<[ | <<[ | |||
| / size / 20, / leaf / 17, | / size / 20, / leaf / 17, | |||
| / inclusion path / | / inclusion path / | |||
| h'fc9f050f...221c92cb', | [ h'fc9f050f...221c92cb', | |||
| h'bd0136ad...6b28cf21', | h'bd0136ad...6b28cf21', | |||
| h'd68af9d6...93b1632b' | h'd68af9d6...93b1632b' ] | |||
| ]>> | ]>> | |||
| ], | ], | |||
| }, | }, | |||
| }, | }, | |||
| / payload / null, | / payload / null, | |||
| / signature / h'de24f0cc...9a5ade89' | / signature / h'de24f0cc...9a5ade89' | |||
| ]) | ]) | |||
| Figure 6: Receipt of Inclusion | Figure 6: Receipt of Inclusion | |||
| The VDS in the protected header is necessary to understand the | The VDS in the protected header is necessary to understand the | |||
| inclusion proof structure in the unprotected header. | inclusion proof structure in the unprotected header. | |||
| The inclusion proof and signature are verified in order. First, the | The inclusion proof and signature are verified in order. First, the | |||
| verifier applies the inclusion proof to a possible entry (set member) | verifier applies the inclusion proof to a possible entry (set member) | |||
| bytes. If this process fails, the inclusion proof may have been | bytes. If this process fails, the inclusion proof may have been | |||
| tampered with. If this process succeeds, the result is a Merkle | tampered with. If this process succeeds, the result is a Merkle Tree | |||
| root, which in the attached as the COSE Sign1 payload. Second, the | root, which in the attached as the COSE_Sign1 payload. Second, the | |||
| verifier checks the signature of the COSE Sign1. If the resulting | verifier checks the signature of the COSE_Sign1. If the resulting | |||
| signature can be verified, the Receipt has proved inclusion of the | signature can be verified, the Receipt has proved inclusion of the | |||
| entry in the Verifiable Data Structure. If the resulting signature | entry in the Verifiable Data Structure. If the resulting signature | |||
| cannot be verified, the signature may have been tampered with. | cannot be verified, the signature may have been tampered with. | |||
| 5.3. Consistency Proof | 5.3. Consistency Proof | |||
| See Section 2.1.4.1 of [RFC9162] for a complete description of this | See Section 2.1.4.1 of [RFC9162] for a complete description of this | |||
| Verifiable Data Structure Proof type. | Verifiable Data Structure Proof Type. | |||
| The cbor representation of a consistency proof for RFC9162_SHA256 is: | The cbor representation of a consistency proof for RFC9162_SHA256 is: | |||
| consistency-proof = bstr .cbor [ | consistency-proof = bstr .cbor [ | |||
| ; older Merkle root tree size | ; older Merkle Tree size | |||
| tree-size-1: uint | tree-size-1: uint | |||
| ; newer Merkle root tree size | ; newer Merkle Tree size | |||
| tree-size-2: uint | tree-size-2: uint | |||
| ; path from older Merkle root to newer Merkle root. | ; path from older Merkle Tree to newer Merkle Tree | |||
| consistency-path: [ + bstr ] | consistency-path: [ + bstr ] | |||
| ] | ] | |||
| Figure 7: CBOR-Encoded Consistency Proof for RFC9162_SHA256 | Figure 7: CBOR-Encoded Consistency Proof for RFC9162_SHA256 | |||
| 5.3.1. Receipt of Consistency | 5.3.1. Receipt of Consistency | |||
| In a signed consistency proof, the newer Merkle tree root (proven to | In a signed consistency proof, the newer Merkle Tree root (proven to | |||
| be consistent with an older Merkle tree root), is an attached payload | be consistent with an older Merkle Tree root) is a detached payload | |||
| and corresponds to the log at size tree-size-2. | and corresponds to the log at size tree-size-2. | |||
| The protected header for an RFC9162_SHA256 consistency proof | The protected header for an RFC9162_SHA256 consistency proof | |||
| signature is: | signature is: | |||
| protected-header-map = { | protected-header-map = { | |||
| &(alg: 1) => int | &(alg: 1) => int | |||
| &(vds: 395) => int | &(vds: 395) => int | |||
| * cose-label => cose-value | * cose-label => cose-value | |||
| } | } | |||
| skipping to change at line 617 ¶ | skipping to change at line 619 ¶ | |||
| * cose-label => cose-value | * cose-label => cose-value | |||
| } | } | |||
| vdp (label: 396): REQUIRED. Verifiable Data Structure Proofs. | vdp (label: 396): REQUIRED. Verifiable Data Structure Proofs. | |||
| Value type: Map. | Value type: Map. | |||
| consistency-proof (label: -2): REQUIRED. Consistency proofs. Value | consistency-proof (label: -2): REQUIRED. Consistency proofs. Value | |||
| type: Array of bstr. | type: Array of bstr. | |||
| The payload of an RFC9162_SHA256 consistency proof signature is: The | The payload of an RFC9162_SHA256 consistency proof signature is: The | |||
| newer Merkle tree hash as defined in [RFC9162]. | newer Merkle Tree hash as defined in [RFC9162]. | |||
| An EDN example for a Receipt containing a consistency proof for | An EDN example for a Receipt containing a consistency proof for | |||
| RFC9162_SHA256 with a detached payload (see Section 4.4) is: | RFC9162_SHA256 with a detached payload (see Section 4.4) is: | |||
| / cose-sign1 / 18([ | / cose-sign1 / 18([ | |||
| / protected / <<{ | / protected / <<{ | |||
| / algorithm / 1 : -7, # ES256 | / algorithm / 1 : -7, / ES256 | |||
| / vds / 395 : 1, # RFC9162 SHA-256 | / vds / 395 : 1, / RFC9162 SHA-256 | |||
| }>>, | }>>, | |||
| / unprotected / { | / unprotected / { | |||
| / proofs / 396 : { | / proofs / 396 : { | |||
| / consistency / -2 : [ | / consistency / -2 : [ | |||
| <<[ | <<[ | |||
| / old / 20, / new / 104, | / old / 20, / new / 104, | |||
| / consistency path / | / consistency path / | |||
| h'e5b3e764...c4a813bc', | h'e5b3e764...c4a813bc', | |||
| h'87e8a084...4f529f69', | h'87e8a084...4f529f69', | |||
| h'f712f76d...92a0ff36', | h'f712f76d...92a0ff36', | |||
| skipping to change at line 654 ¶ | skipping to change at line 656 ¶ | |||
| / signature / h'94469f73...52de67a1' | / signature / h'94469f73...52de67a1' | |||
| ]) | ]) | |||
| Figure 9: Example Consistency Receipt | Figure 9: Example Consistency Receipt | |||
| The VDS in the protected header is necessary to understand the | The VDS in the protected header is necessary to understand the | |||
| consistency proof structure in the unprotected header. | consistency proof structure in the unprotected header. | |||
| The signature and consistency proof are verified in order. | The signature and consistency proof are verified in order. | |||
| First, the verifier checks the signature on the COSE Sign1. If the | First, the verifier checks the signature on the COSE_Sign1. If the | |||
| verification fails, the consistency proof is not checked. Second, | verification fails, the consistency proof is not checked. Second, | |||
| the consistency proof is checked by applying a previous inclusion | the consistency proof is checked by applying a previous inclusion | |||
| proof to the consistency proof. If the verification fails, the | proof to the consistency proof. If the verification fails, the | |||
| append only property of the Verifiable Data Structure is not assured. | append-only property of the Verifiable Data Structure is not assured. | |||
| This approach is specific to RFC9162_SHA256; different Verifiable | This approach is specific to RFC9162_SHA256; different Verifiable | |||
| Data Structures may not support consistency proofs. It is | Data Structures may not support consistency proofs. It is | |||
| recommended that implementations return a single boolean result for | recommended that implementations return a single boolean result for | |||
| Receipt-verification operations to reduce the chance of accepting a | Receipt-verification operations to reduce the chance of accepting a | |||
| valid signature over an invalid consistency proof. | valid signature over an invalid consistency proof. | |||
| 6. Privacy Considerations | 6. Privacy Considerations | |||
| The privacy considerations section of [RFC9162] and [RFC9053] apply | The privacy considerations section of [RFC9162] and [RFC9053] apply | |||
| to this document. | to this document. | |||
| skipping to change at line 791 ¶ | skipping to change at line 793 ¶ | |||
| * Point squatting should be discouraged. Reviewers are encouraged | * Point squatting should be discouraged. Reviewers are encouraged | |||
| to get sufficient information for registration requests to ensure | to get sufficient information for registration requests to ensure | |||
| that the usage is not going to duplicate one that is already | that the usage is not going to duplicate one that is already | |||
| registered and that the point is likely to be used in deployments. | registered and that the point is likely to be used in deployments. | |||
| * Specifications are required for all point assignments. early | * Specifications are required for all point assignments. early | |||
| allocation is permissible, see Section 2 of [RFC7120]. | allocation is permissible, see Section 2 of [RFC7120]. | |||
| * It is not permissible to assign points in COSE Verifiable Data | * It is not permissible to assign points in COSE Verifiable Data | |||
| Structure Algorithms for which no corresponding COSE Verifiable | Structure algorithms for which no corresponding COSE Verifiable | |||
| Data Structure Proofs entry exists, and vice versa. | Data Structure Proofs entry exists, and vice versa. | |||
| * The change controller for related registrations of structures and | * The change controller for related registrations of structures and | |||
| proofs should be the same. | proofs should be the same. | |||
| 8.2.2. Templates and Initial Contents | 8.2.2. Templates and Initial Contents | |||
| 8.2.2.1. COSE Verifiable Data Structure Algorithms Registry | 8.2.2.1. COSE Verifiable Data Structure Algorithms Registry | |||
| Registration Template: | Registration Template: | |||
| skipping to change at line 845 ¶ | skipping to change at line 847 ¶ | |||
| Registry Contents | Registry Contents | |||
| 8.2.2.2. COSE Verifiable Data Structure Proofs Registry | 8.2.2.2. COSE Verifiable Data Structure Proofs Registry | |||
| Registration Template: | Registration Template: | |||
| Verifiable Data Structure: | Verifiable Data Structure: | |||
| This value used identifies the related Verifiable Data | This value used identifies the related Verifiable Data | |||
| Structure. | Structure. | |||
| Name: | Name: | |||
| This is a descriptive name for the proof type that enables | This is a descriptive name for the Proof Type that enables | |||
| easier reference to the item. | easier reference to the item. | |||
| Label: | Label: | |||
| This is the value used to identify the Verifiable Data | This is the value used to identify the Verifiable Data | |||
| Structure Proof type. | Structure Proof Type. | |||
| CBOR Type: | CBOR Type: | |||
| This contains the CBOR type for the value portion of the label. | This contains the CBOR type for the value portion of the label. | |||
| Description: | Description: | |||
| This field contains a brief description of the proof type. | This field contains a brief description of the Proof Type. | |||
| Reference: | Reference: | |||
| This contains a pointer to the public specification for the | This contains a pointer to the public specification for the | |||
| proof type. | Proof Type. | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, list the "IETF". For others, give | For Standards Track RFCs, list the "IETF". For others, give | |||
| the name of the responsible party. Other details (e.g., postal | the name of the responsible party. Other details (e.g., postal | |||
| address, email address, home page URI) may also be included. | address, email address, home page URI) may also be included. | |||
| +==========+===========+=====+=====+===========+==========+=========+ | +==========+===========+=====+=====+===========+==========+=========+ | |||
| |Verifiable|Name |Label|CBOR |Description|Change |Reference| | |Verifiable|Name |Label|CBOR |Description|Change |Reference| | |||
| |Data | | |Type | |Controller| | | |Data | | |Type | |Controller| | | |||
| |Structure | | | | | | | | |Structure | | | | | | | | |||
| +==========+===========+=====+=====+===========+==========+=========+ | +==========+===========+=====+=====+===========+==========+=========+ | |||
| |1 |inclusion |-1 |array|Proof of |IETF |RFC 9942,| | |1 |inclusion |-1 |array|Proof of |IETF |RFC 9942,| | |||
| | |proofs | |(of |inclusion | |Section | | | |proofs | |(of |inclusion | |Section | | |||
| | | | |bstr)| | |5.2 | | | | | |bstr)| | |5.2 | | |||
| +----------+-----------+-----+-----+-----------+----------+---------+ | +----------+-----------+-----+-----+-----------+----------+---------+ | |||
| |1 |consistency|-2 |array|Proof of |IETF |RFC 9942,| | |1 |consistency|-2 |array|Proof of |IETF |RFC 9942,| | |||
| | |proofs | |(of |append only| |Section | | | |proofs | |(of |append-only| |Section | | |||
| | | | |bstr)|property | |5.3 | | | | | |bstr)|property | |5.3 | | |||
| +----------+-----------+-----+-----+-----------+----------+---------+ | +----------+-----------+-----+-----+-----------+----------+---------+ | |||
| Table 3: COSE Verifiable Data Structure Proofs Initial Registry | Table 3: COSE Verifiable Data Structure Proofs Initial Registry | |||
| Contents | Contents | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| skipping to change at line 933 ¶ | skipping to change at line 935 ¶ | |||
| <https://www.rfc-editor.org/info/rfc9596>. | <https://www.rfc-editor.org/info/rfc9596>. | |||
| [RFC9597] Looker, T. and M.B. Jones, "CBOR Web Token (CWT) Claims in | [RFC9597] Looker, T. and M.B. Jones, "CBOR Web Token (CWT) Claims in | |||
| COSE Headers", RFC 9597, DOI 10.17487/RFC9597, June 2024, | COSE Headers", RFC 9597, DOI 10.17487/RFC9597, June 2024, | |||
| <https://www.rfc-editor.org/info/rfc9597>. | <https://www.rfc-editor.org/info/rfc9597>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [CBOR-EDN] Bormann, C., "CBOR Extended Diagnostic Notation (EDN)", | [CBOR-EDN] Bormann, C., "CBOR Extended Diagnostic Notation (EDN)", | |||
| Work in Progress, Internet-Draft, draft-ietf-cbor-edn- | Work in Progress, Internet-Draft, draft-ietf-cbor-edn- | |||
| literals-20, 2 March 2026, | literals-21, 30 March 2026, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-cbor- | <https://datatracker.ietf.org/doc/html/draft-ietf-cbor- | |||
| edn-literals-20>. | edn-literals-21>. | |||
| [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code | [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code | |||
| Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, January | Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, January | |||
| 2014, <https://www.rfc-editor.org/info/rfc7120>. | 2014, <https://www.rfc-editor.org/info/rfc7120>. | |||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| skipping to change at line 1004 ¶ | skipping to change at line 1006 ¶ | |||
| Rheinstrasse 75 | Rheinstrasse 75 | |||
| 64295 Darmstadt | 64295 Darmstadt | |||
| Germany | Germany | |||
| Email: henk.birkholz@ietf.contact | Email: henk.birkholz@ietf.contact | |||
| Antoine Delignat-Lavaud | Antoine Delignat-Lavaud | |||
| Microsoft | Microsoft | |||
| United Kingdom | United Kingdom | |||
| Email: antdl@microsoft.com | Email: antdl@microsoft.com | |||
| Cedric Fournet | Cédric Fournet | |||
| Microsoft | Microsoft | |||
| United Kingdom | United Kingdom | |||
| Email: fournet@microsoft.com | Email: fournet@microsoft.com | |||
| End of changes. 63 change blocks. | ||||
| 100 lines changed or deleted | 102 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||