The IESG has approved the following document:
- 'CBOR Object Signing and Encryption (COSE)'
  (draft-ietf-cose-msg-24.txt) as Proposed Standard

This document is the product of the CBOR Object Signing and Encryption Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-cose-msg/

Technical Summary

This specification describes how to create and process signatures, message authentication codes and encryption using the Concise Binary Object Representation (CBOR, RFC7049) for serialization. The specification additionally specifies how to represent cryptographic keys using CBOR. This specification is a Standards Track RFC describing a solution component analogous to the JSON Web suite of security RFCs 7515-7518 (JOSE WG), but using the CBOR encoding format.

Working Group Summary

The document was developed by the COSE working group based on requirements from the constrained device/IoT community (CORE/ACE WGs) and on the experience of developing the JSON Web security suite of RFCs (JOSE/OAuth WGs). There is a small dedicated team of people interested in this work, and reviews have been performed mainly by these people.

One category of issues has been on generic message format vs dedicated formats optimized for certain constrained settings. This was resolved with a small set of dedicated formats complementing the generic formats. Another category of issues has been on the deviations from JOSE or omission of legacy crypto not suitable for constrained devices.

There has been some contention by individuals over how individual review comments were addressed. There are no sustained objections on any issues relating to this draft. The current open issues are related to additional algorithms and are out of scope for this draft.

Document Quality

The draft records the status of known implementations of the protocol defined by this specification (based on RFC 7942).
Three implementations currently maintained by the author are referenced, in Java, C# and C (https://github.com/cose-wg). Ongoing work on a JavaScript implementation has been announced. Implementations optimized for constrained platforms are requested by different companies and are in progress.

The SecDir review was performed by Steve Kent and was thorough. While something could always be missed, Steve has experience with crypto applications, so his review should alleviate concerns mentioned in the shepherd write up about a security review. Changes from this review are in GitHub: https://github.com/cose-wg/cose-spec

Personnel

The document shepherd is Göran Selander. The responsible Area Director is Kathleen Moriarty.

IANA Note

This draft creates the following registries with expert review required and with specification required only where noted:

16.2: COSE Header Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the value of the 'label' requested.
16.3: COSE Header Algorithm Parameters registry
16.4: COSE Algorithms Registry, with specification (specification, standards track specification, or just expert review) required depending on the integer 'value' requested.
16.5: COSE Key Common Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the value of the 'label' requested.
16.6: COSE Key Type Parameters registry
16.7: COSE Key Type registry
16.8: COSE Elliptic Curve Parameters registry, with specification (specification, standards track specification, or just expert review) required depending on the integer 'value' requested.

This draft also adds entries to the following registries:

16.1: Assigns Tags from the "CBOR Tags" registry
16.9: Adds two entries to the "Media Types" registry
16.10: Adds entries to the "CoAP Content-Format" registry

RFC Editor Note

3 references will need to be updated during the editing process:
- draft-moriarty-pkcs5-v2dot1 is currently in the RFC Editor Queue as RFC-to-be 8018
- draft-moriarty-pkcs1 has been published as RFC 8017
- draft-selander-ace-object-security has been adopted in CoRE and replaced by draft-ietf-core-object-security.