Internet-Draft | D-CBOR | August 2023 |
Rundgren | Expires 15 February 2024 | [Page] |
This document describes a deterministic encoding scheme for CBOR intended for usage in high-end computing platforms like mobile phones, Web browsers, and Web servers. In addition to enhancing interoperability, deterministic encoding can also support cryptographic operations like signing CBOR data items. Using this specification, the latter can achieved without wrapping such data in byte strings or depend on non-standard canonicalization procedures.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 15 February 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This specification introduces a deterministic encoding scheme for data expressed in the CBOR [RFC8949] format. This scheme is subsequently referred to as D‑CBOR.¶
Note that this document is not on the IETF standards track. However, a conformant implementation is supposed to adhere to the specified behavior for security and interoperability reasons.¶
[RFC8949] supports a number of deterministic encoding options that are mutually incompatible, like Rule 1-3 in Section 4.2.2. This complicates large scale rollout of applications using deterministic CBOR encoding.¶
The primary objective of D‑CBOR is providing an interoperable CBOR profile for high-end computing platforms like mobile phones, Web browsers, and Web servers. However, D‑CBOR also enables performing digital signatures over "raw" (unwrapped) CBOR data items since signatures depend on a unified representation of the data to be signed. In addition, D‑CBOR permits decoded CBOR data to be subjected to simple and secure transformation and reencoding operations.¶
The deterministic encoding scheme described in this document is characterized by being bidirectional also when CBOR is provided in diagnostic notation (Section 8 of [RFC8949]), making D‑CBOR comparatively easy to understand, debug, and implement.¶
Note that this specification retains full compatibility with [RFC8949].¶
See also [I-D.mcnally-deterministic-cbor] which represents an alternative approach to deterministic encoding.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The deterministic encoding scheme used by D‑CBOR builds on Section 4.2 of [RFC8949]. However, to achieve a fixed and bidirectional representation of numbers, Rule 2 in Section 4.2.2 MUST also be adhered to. Also see Appendix A.¶
Occurrences of unknown or malformed CBOR data itmes MUST be rejected.¶
Map keys MUST only be compared and sorted based on their bytewise lexicographic order of their deterministic encoding.¶
For applications that depend on deterministic reencoding of CBOR data items,
compliant decoder implementations MUST be able to recreate such data
in its original form. This means for example that the string component
of date items (tag 0
) MUST be preserved "as is" in order
to maintain consistency.¶
The optional numerical extensions described in Section 3.4.4. of [RFC8949] MUST be treated as distinct data items as well as not be subjected to any transformations at the encoding level.¶
A compliant D‑CBOR implementation SHOULD as a minimum support the following CBOR data items:¶
Data Item | Encoding |
---|---|
integer
|
Major type 0 and 1
|
bignum
|
0xc2 and 0xc3
|
floating point
|
0xf9 , 0xfa and 0xfb
|
byte string
|
Major type 2
|
text string
|
Major type 3
|
false
|
0xf4
|
true
|
0xf5
|
null
|
0xf6
|
array
|
Major type 4
|
map
|
Major type 5
|
tag
|
Major type 6
|
See also Appendix B.¶
This document has no IANA actions.¶
This specification inherits all the security considerations of CBOR [RFC8949].¶
Applications that exploit the uniqueness of deterministic encoding should verify that the used decoder actually flags incorrectly formatted CBOR data items.¶
This section is normative.¶
The following sub sections hold examples of numbers expressed in diagnostic notation (Section 8 of [RFC8949]) and their hexadecimal counterparts when using D‑CBOR encoding.¶
Note that the values and encodings are supposed to work in both directions.¶
The following table holds a set of integers highlighting the
selection between integer
and bignum
data items.¶
Value | Encoding |
---|---|
0
|
00
|
-1
|
20
|
23
|
17
|
24
|
1818
|
-24
|
37
|
-25
|
3818
|
255
|
18ff
|
256
|
190100
|
-256
|
38ff
|
-257
|
390100
|
65535
|
19ffff
|
65536
|
1a00010000
|
1099511627775
|
1b000000ffffffffff
|
18446744073709551615
|
1bffffffffffffffff
|
18446744073709551616
|
c249010000000000000000
|
-18446744073709551616
|
3bffffffffffffffff
|
-18446744073709551617
|
c349010000000000000000
|
The following table holds the set of dedicated IEEE 754 values.
Note that NaN
"signaling" MUST be flagged as an error.¶
Value | Encoding |
---|---|
0.0
|
f90000
|
-0.0
|
f98000
|
Infinity
|
f97c00
|
-Infinity
|
f9fc00
|
NaN
|
f97e00
|
The following table holds a set of "ordinary" IEEE 754 values including some edge cases. Note that subnormal floating point values MUST be supported.¶
Value | Encoding |
---|---|
-5.960464477539062e-8
|
fbbe6fffffffffffff
|
-5.9604644775390625e-8
|
f98001
|
-5.960464477539064e-8
|
fbbe70000000000001
|
-5.960465188081798e-8
|
fab3800001
|
0.00006097555160522461
|
f903ff
|
65504.0
|
f97bff
|
65504.00390625
|
fa477fe001
|
65536.0
|
fa47800000
|
10.559998512268066
|
fa4128f5c1
|
10.559998512268068
|
fb40251eb820000001
|
3.4028234663852886e+38
|
fa7f7fffff
|
3.402823466385289e+38
|
fb47efffffe0000001
|
1.401298464324817e-45
|
fa00000001
|
1.1754942106924411e-38
|
fa007fffff
|
5.0e-324
|
fb0000000000000001
|
-1.7976931348623157e+308
|
fbffefffffffffffff
|
This section is informative.¶
Note that even if an application does not support (or need)
bignum
or floating point
data items,
you can still use D-CBOR since a strict subset is upwardly
compatible with full-blown implementations.
Low-end platforms typically also restrict CBOR map
keys to
integer
and text string
data items.
Since these issues are application specific, they are out of scope
for this specification.¶
This section is informative.¶
Reference implementations that conform to this specification include:¶
This section is informative.¶
The following online tools enable testing D‑CBOR without installing any software:¶
[[ This section to be removed by the RFC Editor before publication as an RFC ]]¶
Version 00:¶
Version 01:¶
Version 02:¶
Version 03:¶
Version 04-00:¶
Version 01:¶
Version 02:¶
Version 03:¶
Version 04:¶
Version 05:¶
Version 05:¶