CBOR/COSE encoding/protocol

Annotation

CBOR (Concise Binary Object Representation) and COSE (CBOR Object Signing and Encryption) are widely adopted in several standards published by organizations like ISO, IETF, FIPS, and others. Below is a list of relevant standards where CBOR and COSE are specified or heavily utilized.

1. IETF Standards (RFCs)

The IETF is one of the primary adopters of CBOR and COSE, with many RFCs dedicated to their definition and application.

1.1. CBOR Standards

RFC 7049: Concise Binary Object Representation (CBOR) – The foundational specification for CBOR.
RFC 8949: Concise Binary Object Representation (CBOR) – Updates and replaces RFC 7049 with clarifications and enhancements.
RFC 8742: Using CBOR for Extensible Protocols – Guidelines for using CBOR in extensible protocols.

1.2. COSE Standards

RFC 8152: CBOR Object Signing and Encryption (COSE) – Defines COSE, a framework for signing, encryption, and message authentication.
RFC 9052: CBOR Object Signing and Encryption (COSE): Structures and Process – Updates and replaces RFC 8152.
RFC 8392: CBOR Web Token (CWT) – Defines a compact token format using CBOR and COSE.
RFC 9338: COSE and JOSE Algorithms – Registers cryptographic algorithms for COSE and JSON Object Signing and Encryption (JOSE).

1.3. Applications and Protocols Using CBOR/COSE

RFC 7252: The Constrained Application Protocol (CoAP) – Uses CBOR as a serialization format for IoT devices.
RFC 8927: Entity Attestation Token (EAT) – Uses CBOR for encoding and COSE for secure signing of attestation tokens.
RFC 9200: Concise Problem Details for CoAP APIs – Standardizes problem details using CBOR.

2. ISO Standards

ISO/IEC 18013-5: Mobile Driver's Licenses (mDL) – Uses CBOR for encoding data and COSE for securing mobile driver’s licenses.
ISO/IEC 23127-1: CBOR Object Signing and Encryption (COSE) – Aligns with IETF standards for interoperability in secure communications.
ISO/IEC 19790: Security Requirements for Cryptographic Modules – Includes COSE as a cryptographic standard for secure modules.

3. FIPS Standards

While FIPS itself does not directly define CBOR or COSE, these standards are referenced in FIPS-compliant systems due to their use of NIST-approved cryptographic algorithms:

FIPS 186-5: Digital Signature Standard (DSS) – Indirectly supports COSE when using CBOR for signing with compliant algorithms.
FIPS 140-3: Security Requirements for Cryptographic Modules – Cryptographic operations performed using COSE in CBOR-based applications must comply.

4. W3C Standards

Verifiable Credentials Data Model 1.1: Uses CBOR and COSE for encoding and signing credentials in constrained environments.
Web of Things (WoT): Incorporates CBOR in WoT Thing Description and COSE for secure interactions.

5. IEEE Standards

IEEE 802.15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) – Uses CBOR for encoding in IoT-related communication protocols.
IEEE 1451: Smart Transducer Interface Standards – Employs CBOR for compact data encoding and COSE for secure messaging.

6. Additional Protocols and Frameworks

OMA LwM2M (Lightweight M2M): Uses CBOR for encoding data and COSE for security in IoT device management.
DID Core (Decentralized Identifiers): Includes support for CBOR and COSE for compact, secure identifier documents.
UAF (FIDO Universal Authentication Framework): Leverages CBOR and COSE for secure, lightweight authentication in constrained environments.
EUDI Framework: European Union Digital Identity Framework for digital documents.

