]> COSE Header parameter for RFC 3161 Time-Stamp Tokens Fraunhofer SIT
Rheinstrasse 75 Darmstadt 64295 Germany henk.birkholz@sit.fraunhofer.de
Linaro
thomas.fossati@linaro.org
Microsoft
UK Maik.Riechert@microsoft.com
Security COSE Internet-Draft RFC 3161 provides a method for timestamping a message digest to prove that the message was created before a given time. This document defines a CBOR Signing And Encrypted (COSE) header parameter that can be used to combine COSE message structures used for signing (i.e., COSE_Sign and COSE_Sign1) with existing RFC 3161-based timestamping infrastructure. Discussion Venues Source for this draft and an issue tracker can be found at .
Introduction RFC 3161 provides a method to timestamp a message digest to prove that it was created before a given time. This document defines a new COSE header parameter that carries the TimestampToken (TST) output of RFC 3161, thus allowing existing and widely deployed trust infrastructure to be used with COSE structures used for signing (COSE_Sign and COSE_Sign1).
Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Modes of use There are two different modes of composing COSE protection and timestamping.
Timestamp then COSE (TTC) shows the case where a datum is first digested and submitted to a TSA to be timestamped. A signed COSE message is then built as follows:
  • The obtained timestamp token is added to the protected headers,
  • The original datum becomes the payload of the signed COSE message.
Timestamp, then COSE (TTC) payload Sig_structure COSE_Sign/COSE_Sign1 TSA TST | Sig_structure +---->| COSE_Sign/COSE_Sign1 | '----+----' '---------------' '----------------------' | ^ | .---. | | | | .-----. | '--->| TSA +---->| TST +---' | | '-----' '---' ]]>
The message imprint sent to the TSA () MUST be the hash of the payload field of the COSE signed object.
COSE then Timestamp (CTT) shows the case where the signature(s) field of the signed COSE object is digested and submitted to a TSA to be timestamped. The obtained timestamp token is then added back as an unprotected header into the same COSE object.
COSE, then Timestamp (CTT) COSE_Sign/COSE_Sign1 TST signatures/signature TSA | TSA +---' | | '---' ]]>
In this context, timestamp tokens are similar to a countersignature made by the TSA.
RFC 3161 Time-Stamp Tokens COSE Header Parameters The two modes described in and use different inputs into the timestamping machinery, and consequently create different kinds of binding between COSE and TST. To clearly separate their semantics two different COSE header parameters are defined as described in the following subsections.
3161-ttc The 3161-ttc COSE protected header parameter MUST be used for the mode described in . The 3161-ttc protected header is defined as follows:
  • Name: 3161-ttc
  • Label: TBD
  • Value Type: bstr
  • Value Registry:
  • Description: RFC 3161 timestamp token
  • Reference: of RFCthis
The content of the byte string are the bytes of the DER-encoded RFC 3161 TimeStampToken structure.
3161-ctt The 3161-ctt COSE unprotected header parameter MUST be used for the mode described in . The message imprint sent in the request to the TSA MUST be either:
  • the hash of the signature field of the COSE_Sign1 message.
  • the hash of the signatures field of the COSE_Sign message.
In either case, to minimize dependencies, the hash algorithm SHOULD be the same as the algorithm used for signing the COSE message. This may not be possible if the timestamp token has been obtained outside the processing context in which the COSE object is assembled. The 3161-ctt unprotected header is defined as follows:
  • Name: 3161-ctt
  • Label: TBD
  • Value Type: bstr
  • Value Registry:
  • Description: RFC 3161 timestamp token
  • Reference: of RFCthis
Timestamp Processing RFC 3161 timestamp tokens use CMS as signature envelope format. provides the details about signature verification, and provides the details specific to timestamp token validation. The payload of the signed timestamp token is the TSTInfo structure defined in , which contains the message imprint that was sent to the TSA. The hash algorithm is contained in the message imprint structure, together with the hash itself. As part of the signature verification, the receiver MUST make sure that the message imprint in the embedded timestamp token matches either the payload or the signature fields, depending on the mode of use. provides an example that illustrates how timestamp tokens can be used to verify signatures of a timestamped message when utilizing X.509 certificates.
Security Considerations The security considerations made in as well as those of apply.
IANA Considerations IANA is requested to add the two COSE header parameters described in to the "COSE Header Parameters" subregistry of the registry.
References Normative References Cryptographic Message Syntax (CMS) This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) This document describes the format of a request sent to a Time Stamping Authority (TSA) and of the response that is returned. It also establishes several security-relevant requirements for TSA operation, with regards to processing requests to generate responses. [STANDARDS-TRACK] CBOR Object Signing and Encryption (COSE): Structures and Process Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. CBOR Object Signing and Encryption (COSE) IANA Informative References CBOR Object Signing and Encryption (COSE): Countersignatures Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. CBOR Object Signing and Encryption (COSE) defines a set of security services for CBOR. This document defines a countersignature algorithm along with the needed header parameters and CBOR tags for COSE. This document updates RFC 9052.