Internet-Draft COSE Trust Chains September 2023
Marco Expires 4 March 2024 [Page]
CBOR Object Signing and Encryption
Intended Status:
Standards Track
G. D. Marco

COSE Header Parameter for Carrying OpenID Federation 1.0 Trust Chains


The CBOR Object Signing and Encryption (COSE) [RFC9053] message structure uses message headers to give references to elements that are needed for the security and verifiability of the message, such as algorithms and keys.

OpenID Connect Federation 1.0 [OIDC-FED] is a general purpose attestation mechanism to obtain verifiable metadata and cryptographic keys.

This document defines a new COSE header parameter to identify and transport an OpenID Federation 1.0 Trust Chain.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at

Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (, which is archived at Subscribe at

Source for this draft and an issue tracker can be found at

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 4 March 2024.

Table of Contents

1. Introduction

The Internet Standards [RFC8152] and [RFC9052] defines how to transport symmetric keys in the COSE headers, and are extended by [RFC9360] to transport X.509 certificates for the requirements of identification and cryptographic key attestation of a third party.

There are some cases where obtaining proof of a third party's identity through key attestation and cryptographic signature verification is not enough, cases where the solution requirements include attestation of metadata, proofs of compliance and policies.

In these cases, it would be necessary to extend the X.509 certificates with policies, metadata and other information required by the interoperability schemes or by a trust framework.

OpenID Connect Federation 1.0 [OIDC-FED] allows the exchange of metadata, roles, trust marks, policies and public keys, in a secure way.

OIDC Federation 1.0 [OIDC-FED] allows the construction of a trust infrastructure in which even X.509 certificates can be published within the Entity Statements that make up the federation Trust Chain. This flexibility allows an infrastructure based on OIDC Federation 1.0 to guarantee the security of the solutions, the historical verifiability of the signatures, and the revocation mechanisms without the requirement to implement CRL or OCSP technologies, where X.509 requires it.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Terminology

The terms Trust Anchor, Intermediate, Trust Chain, Entity Statement, are defined in [OIDC-FED] and used in this specification.

4. Audience Target audience/Usage

The audience of the document is implementers that require a high level of security for the exchange of metadata, cryptographic keys and policies.

5. Scope

This specification defines how a [OIDC-FED] Trust Chain is made available within the COSE headers.

5.1. Out of Scope

The following items are out of scope for the current version of this document:

  • X.509 publication over a [OIDC-FED] Infrastructure, this can be achieved using x5c or x5u as defind in [RFC7517].
  • Metadata schemas, OIDC Federation allows the definition of custom metadata schemas even for entities not belonging to OAuth2 and OpenID ecosystems.

6. Terminology

This specification uses the terms "Trust Chain", "Trust Anchor", "Intermediate", "Trust Mark" and "Entity Statement" as defined in [OIDC-FED].

7. The Scope of Trust Chain COSE Header Parameter

The use of OIDC Federation Trust Chain enables a trust infrastructure with full suites of Trust Anchors, Intermediates, status and revocation checking, Trust Marks and metadata policies that have been defined in [OIDC-FED].

The Concise Binary Object Representation (CBOR) key structures [RFC8949] and Header Parameters for Carrying and Referencing X.509 Certificates [RFC9360] that have been defined in COSE currently do not support all the properties made available in [OIDC-FED].

8. Requirements

If the application cannot establish trust to the cryptographic keys or metadata made available and verified within the Trust Chain, the public key and the metadata MUST NOT be used.

When Trust Chain parameter is used, the parameter KID defined in [RFC9052] MUST be used. KID allows an efficient matching to the key to be used for signature verification.

9. Trust Chain COSE Header Parameter

The header parameter defined is trustchain, described below:

trustchain: This header parameter contains an ordered array of strings, representing federation Entity Statements encoded as signed Json Web Tokens [RFC7519]. How the Entity Statements are ordered is defined in [OIDC-FED].

The trust mechanism used to process any Entity Statements is defined in [OIDC-FED].

The header parameter can be used in the following locations:

COSE_Signature and COSE_Sign1 objects: In these objects, the parameters identify the Trust Chain to be used for obtaining the key needed for validating the signature, any needed metadata for interoperability purpose, any metadata policy and any required Trust Marks for administrative and technical compliances.

The labels assigned to the header parameter can be found in Table 1.

 | Name        | Label | Value Type      | Description         |
 | trustchain  | 27    | COSE_TRUSTCHAIN | OpenID Connect      |
 |             |       |                 | Federation 1.0      |
 |             |       |                 | Trust Chain         |

           Table 1: TRUST CHAIN COSE Header Parameters

Below is an equivalent Concise Data Definition Language (CDDL) description (see [RFC8610]) of the text above.

COSE_TRUSTCHAIN = [ N * jws :bstr ]

The variable N represent the number of Entity Statements that a Trust Chain can contain. The contents of "bstr" are the bytes representing a JWS.

10. IANA Considerations


11. Normative References

Hedberg, R., Jones, M. B., Solberg, A. Å., Bradley, J., De Marco, G., and V. Dzhuvinov, "OpenID Connect Federation 1.0", n.d..
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <>.
Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, , <>.
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <>.
Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, , <>.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <>.
Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, , <>.
Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, , <>.
Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, , <>.
Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, , <>.
Schaad, J., "CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates", RFC 9360, DOI 10.17487/RFC9360, , <>.



Author's Address

Giuseppe De Marco