Entity Attestation Token (EAT) Media TypesSecurity Theory LLClgl@securitytheory.comFraunhofer Institute for Secure Information TechnologyRheinstrasse 75Darmstadt64295Germanyhenk.birkholz@ietf.contactLinarothomas.fossati@linaro.org
SEC
ratsEATmedia typeThe payloads used in Remote ATtestation procedureS (RATS) may require an
associated media type for their conveyance, for example, when the payloads are
used in RESTful APIs.This memo defines media types to be used for Entity Attestation Tokens (EATs).Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Terminology
. EAT Types
. A Media Type Parameter for EAT Profiles
. Examples
. Security Considerations
. IANA Considerations
. +cwt Structured Syntax Suffix
. Registry Contents
. Media Types
. application/eat+cwt Registration
. application/eat+jwt Registration
. application/eat-bun+cbor Registration
. application/eat-bun+json Registration
. application/eat-ucs+cbor Registration
. application/eat-ucs+json Registration
. CoAP Content-Format Registrations
. References
. Normative References
. Informative References
Acknowledgments
Authors' Addresses
IntroductionPayloads used in Remote ATtestation procedureS (RATS) may require an
associated media type for their conveyance, for example, when used in RESTful
APIs ().Conveying RATS Conceptual Messages in REST APIs Using EATs
.---------------. .----------. .----------.
| Relying Party | | Attester | | Verifier |
'-+-------------' '----+-----' '--------+-'
| | POST /verify |
| | EAT(Evidence) |
| +--------------------------->|
| | 200 OK |
| | EAT(Attestation Results) |
| |<---------------------------+
| POST /auth | |
| EAT(Attestation Results) | |
|<---------------------------+ |
| 201 Created | |
+--------------------------->| |
| | |
| | |
This memo defines media types to be used for EAT
payloads independently of the RATS Conceptual Message in which they
manifest themselves. The objective is to give protocol, API, and application
designers a number of readily available and reusable media types for
integrating EAT-based messages in their flows, e.g., when using HTTP
or the Constrained Application Protocol (CoAP) .TerminologyThis document uses the terms and concepts defined in .EAT Types illustrates the six EAT wire formats and how they relate to
each other. defines four of them (CBOR Web Token (CWT), JSON Web Token (JWT), and the detached EAT bundle in
its JSON and CBOR flavours), while defines the Unprotected CWT Claims Set (UCCS) and Unprotected JWT Claims Sets (UJCS).EAT Types
.-----.
.----+ UJCS |<-------------------------.
| '-----' |
| |
| .-----. |
+-----+ UCCS |<-----------------------. |
| '-----' | |
| | |
| .------. | |
+-----+ JWT |<------. | |
| '------' .--+---. | |
| | Crypto |<------. | |
| .------. '--+---' | | |
+-----+ CWT |<------' | | |
| '------' .---+-+-+----.
| | Claims-Set +--.
| .------. '---+---+----' |
+-----+ BUN-J |<------. | ^ | v
| '------' .--+---. | | | .------.
| | Bundle |<------' | | | Digest |
| .------. '--+---' | v '--+---'
+-----+ BUN-C |<------' ^ .---+----. |
| '------' | | submod |<---'
| | '--------'
v | ^
.--------------. | |
| Nested-Token +-----------------+------------'
'--------------'
.-------. .---------. .------.
Legend: | Process | | Wire Fmt | | CDDL |
'-------' '---------' '------'
A Media Type Parameter for EAT ProfilesEAT is an open and flexible format. To improve interoperability, defines the concept of EAT profiles. Profiles are used to constrain
the parameters that producers and consumers of a specific EAT profile need to
understand in order to interoperate, e.g., the number and type of
claims, which serialisation format, the supported signature schemes, etc. EATs
carry an in-band profile identifier using the "eat_profile" claim (see
). The value of the "eat_profile" claim is either an
OID or a URI.The media types defined in this document include an optional "eat_profile"
parameter that can be used to mirror the "eat_profile" claim of the transported
EAT. Exposing the EAT profile at the API layer allows API routers to dispatch
payloads directly to the profile-specific processor without having to snoop
into the request bodies. This design also provides a finer-grained and
scalable type system that matches the inherent extensibility of EAT. The
expectation being that a certain EAT profile automatically obtains a media type
derived from the base (e.g., application/eat+cwt) by populating the
"eat_profile" parameter with the corresponding OID or URL.When the parameterised version of the EAT media type is used in HTTP (for
example, with the "Content-Type" and "Accept" headers) and the value is an
absolute URI (), the parameter-value () uses the quoted-string encoding, for example:application/eat+jwt; eat_profile="tag:evidence.example,2022"Instead, when the EAT profile is an OID, the token encoding
(i.e., without quotes) can be used. For example:application/eat+cwt; eat_profile=2.999.1.ExamplesThe example in illustrates the usage of EAT media types for
transporting attestation evidence as well as negotiating the acceptable format
of the attestation result.Example REST Verification API (request)
NOTE: '\' line wrapping per RFC 8792
POST /challenge-response/v1/session/1234567890 HTTP/1.1
Host: verifier.example
Accept: application/eat+cwt; eat_profile="tag:ar4si.example,2021"
Content-Type: application/eat+cwt; \
eat_profile="tag:evidence.example,2022"
[ CBOR-encoded EAT w/ eat_profile="tag:evidence.example,2022" ]
The example in illustrates the usage of EAT media types for
transporting attestation results.Example REST Verification API (response)
NOTE: '\' line wrapping per RFC 8792
HTTP/1.1 200 OK
Content-Type: application/eat+cwt; \
eat_profile="tag:ar4si.example,2021"
[ CBOR-encoded EAT w/ eat_profile="tag:ar4si.example,2021" ]
In both cases, a tag URI identifying the profile is carried as an
explicit parameter.Security ConsiderationsMedia types only provide clues to the processing application. The application
must verify that the received data matches the expected format, regardless of
the advertised media type, and stop further processing on failure. Failing to
do so could expose the user to security risks, such as privilege escalation
and cross-protocol attacks.The security considerations of and apply in full.When using application/eat-ucs+json and application/eat-ucs+cbor in particular, the reader should review , which contains a detailed discussion about the characteristics of a "Secure Channel" for conveyance of such messages.IANA Considerations+cwt Structured Syntax SuffixIANA has registered +cwt in the
"Structured Syntax Suffixes" registry in
the manner described in . +cwt can be used to indicate that the
media type is encoded as a CWT.Registry Contents
Name:
CBOR Web Token (CWT)
+suffix:
+cwt
References:
Encoding Considerations:
binary
Interoperability Considerations:
N/A
Fragment Identifier Considerations:
The syntax and semantics of fragment identifiers specified for +cwt SHOULD be
as specified for application/cwt. (At the time of publication, there
is no fragment identification syntax defined for application/cwt.)
Security Considerations:
See
Contact:
RATS WG mailing list (rats@ietf.org), or IETF Security Area (saag@ietf.org)
Author/Change Controller:
Remote ATtestation ProcedureS (RATS) Working Group.
The IETF has change control over this registration.
Media TypesIANA has registered the following media types in the
"Media Types" registry .
New Media Types
Name
Template
Reference
EAT CWT
application/eat+cwt
RFC 9782,
EAT JWT
application/eat+jwt
RFC 9782,
Detached EAT Bundle CBOR
application/eat-bun+cbor
RFC 9782,
Detached EAT Bundle JSON
application/eat-bun+json
RFC 9782,
EAT UCCS
application/eat-ucs+cbor
RFC 9782,
EAT UJCS
application/eat-ucs+json
RFC 9782,
application/eat+cwt Registration
Type name:
application
Subtype name:
eat+cwt
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat+jwt Registration
Type name:
application
Subtype name:
eat+jwt
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
8bit
Security considerations:
and
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-bun+cbor Registration
Type name:
application
Subtype name:
eat-bun+cbor
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-bun+json Registration
Type name:
application
Subtype name:
eat-bun+json
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
Same as
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-ucs+cbor Registration
Type name:
application
Subtype name:
eat-ucs+cbor
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Sections and of
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-ucs+json Registration
Type name:
application
Subtype name:
eat-ucs+json
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
Same as
Security considerations:
Sections and of
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
CoAP Content-Format RegistrationsIANA has registered the following Content-Format numbers in the "CoAP
Content-Formats" registry, within the "Constrained RESTful Environments
(CoRE) Parameters" registry group :
New Content-Formats
Content Type
Content Coding
ID
Reference
application/eat+cwt
-
263
RFC 9782
application/eat+jwt
-
264
RFC 9782
application/eat-bun+cbor
-
265
RFC 9782
application/eat-bun+json
-
266
RFC 9782
application/eat-ucs+cbor
-
267
RFC 9781
application/eat-ucs+json
-
268
RFC 9782
ReferencesNormative ReferencesJSON Web Token Best Current PracticesJSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.CoAP Content-FormatsIANACBOR Web Token (CWT)CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.The Entity Attestation Token (EAT)Security Theory LLCMediatek USARed Hound Software, Inc.HTTP SemanticsThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.The JavaScript Object Notation (JSON) Data Interchange FormatJavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.Media TypesIANAMedia Type Specifications and Registration ProceduresThis document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.Structured Syntax SuffixesIANAA Concise Binary Object Representation (CBOR) Tag for Unprotected CBOR Web Token Claims Sets (UCCS)Fraunhofer SITQualcomm Technologies Inc.Cisco SystemsUniversität Bremen TZIUniform Resource Identifier (URI): Generic SyntaxA Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]Informative ReferencesBuilding Protocols with HTTPApplications often use HTTP as a substrate to create HTTP-based APIs. This document specifies best practices for writing specifications that use HTTP to define new application protocols. It is written primarily to guide IETF efforts to define application protocols using HTTP for deployment on the Internet but might be applicable in other situations.This document obsoletes RFC 3205.Remote ATtestation procedureS (RATS) ArchitectureIn network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.Guidance on RESTful Design for Internet of Things SystemsEricssonSiemensThis document gives guidance for designing Internet of Things (IoT) systems that follow the principles of the Representational State Transfer (REST) architectural style. This document is a product of the IRTF Thing-to-Thing Research Group (T2TRG).Work in ProgressThe 'tag' URI SchemeThis document describes the "tag" Uniform Resource Identifier (URI) scheme. Tag URIs (also known as "tags") are designed to be unique across space and time while being tractable to humans. They are distinct from most other URIs in that they have no authoritative resolution mechanism. A tag may be used purely as an entity identifier. Furthermore, using tags has some advantages over the common practice of using "http" URIs as identifiers for non-HTTP-accessible resources. This memo provides information for the Internet community.AcknowledgmentsThank you , , ,
, ,
, , , , ,
, ,
, and for your comments and suggestions.Authors' AddressesSecurity Theory LLClgl@securitytheory.comFraunhofer Institute for Secure Information TechnologyRheinstrasse 75Darmstadt64295Germanyhenk.birkholz@ietf.contactLinarothomas.fossati@linaro.org