| RFC 9782 | EAT Media Types | May 2025 |
| Lundblade, et al. | Standards Track | [Page] |
The payloads used in Remote ATtestation procedureS (RATS) may require an associated media type for their conveyance, for example, when the payloads are used in RESTful APIs.
This memo defines media types to be used for Entity Attestation Tokens (EATs).
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9782.
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Payloads used in Remote ATtestation procedureS (RATS) [RATS-ARCH] may require an associated media type for their conveyance, for example, when used in RESTful APIs (Figure 1).
This memo defines media types to be used for EAT payloads [EAT] independently of the RATS Conceptual Message in which they manifest themselves. The objective is to give protocol, API, and application designers a number of readily available and reusable media types for integrating EAT-based messages in their flows, e.g., when using HTTP [BUILD-W-HTTP] or the Constrained Application Protocol (CoAP) [REST-IoT].
This document uses the terms and concepts defined in [RATS-ARCH].
Figure 2 illustrates the six EAT wire formats and how they relate to each other. [EAT] defines four of them (CBOR Web Token (CWT), JSON Web Token (JWT), and the detached EAT bundle in its JSON and CBOR flavours), while [UCCS] defines the Unprotected CWT Claims Set (UCCS) and Unprotected JWT Claims Sets (UJCS).
EAT is an open and flexible format. To improve interoperability, Section 6 of [EAT] defines the concept of EAT profiles. Profiles are used to constrain the parameters that producers and consumers of a specific EAT profile need to understand in order to interoperate, e.g., the number and type of claims, the serialisation format, the supported signature schemes, etc. EATs carry an in-band profile identifier using the "eat_profile" claim (see Section 4.3.2 of [EAT]). The value of the "eat_profile" claim is either an OID or a URI.
The media types defined in this document include an optional "eat_profile" parameter that can be used to mirror the "eat_profile" claim of the transported EAT. Exposing the EAT profile at the API layer allows API routers to dispatch payloads directly to the profile-specific processor without having to snoop into the request bodies. This design also provides a finer-grained and scalable type system that matches the inherent extensibility of EAT. The expectation is that a certain EAT profile automatically obtains a media type derived from the base (e.g., application/eat+cwt) by populating the "eat_profile" parameter with the corresponding OID or URI.
When the parameterised version of the EAT media type is used in HTTP (for example, with the "Content-Type" and "Accept" headers) and the value is an absolute URI (Section 4.3 of [URI]), the parameter-value (Appendix A of [HTTP]) uses the quoted-string encoding, for example:

```
application/eat+jwt; eat_profile="tag:evidence.example,2022"
```

Instead, when the EAT profile is an OID, the token encoding (i.e., without quotes) can be used. For example:

```
application/eat+cwt; eat_profile=2.999.1
```
The example in Figure 3 illustrates the usage of EAT media types for transporting attestation evidence as well as negotiating the acceptable format of the attestation result.

```http
NOTE: '\' line wrapping per RFC 8792

POST /challenge-response/v1/session/1234567890 HTTP/1.1
Host: verifier.example
Accept: application/eat+cwt; eat_profile="tag:ar4si.example,2021"
Content-Type: application/eat+cwt; \
  eat_profile="tag:evidence.example,2022"

[ CBOR-encoded EAT w/ eat_profile="tag:evidence.example,2022" ]
```
The example in Figure 4 illustrates the usage of EAT media types for transporting attestation results.

```http
NOTE: '\' line wrapping per RFC 8792

HTTP/1.1 200 OK
Content-Type: application/eat+cwt; \
  eat_profile="tag:ar4si.example,2021"

[ CBOR-encoded EAT w/ eat_profile="tag:ar4si.example,2021" ]
```

In both cases, a tag URI [TAG] identifying the profile is carried as an explicit parameter.
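The following is an added worked example, not code from RFC 9782 or from the RATS working group. It shows the two parameter encodings of Section 3 (quoted-string for URI profiles, token for OIDs), a quote-aware parser for "Content-Type" and "Accept" field values (the tag URIs in the figures above contain a comma, so a naive split on "," breaks them), case-insensitive matching of the parameter value as the registration requires, and the router dispatch on media type plus profile that the RFC motivates, without looking into the request body. The two tag URIs and the OID 2.999.1 are the RFC's own; every name here (MediaType, parse_media_type, parse_accept, route, negotiate_result_type, the HANDLERS table and its handler names) is an assumption of this example.

```python
"""Added example, not part of RFC 9782: building, parsing and routing on EAT
media types that carry the optional "eat_profile" parameter.
All function, class and handler names below are ours (assumptions)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 9110 token characters; a value containing anything else must be quoted.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Dotted-decimal OID, the only OID notation the eat_profile parameter allows.
_OID_RE = re.compile(r"^\d+(\.\d+)+$")


def quote_param_value(value: str) -> str:
    """OIDs go out as tokens; URIs (which contain ':' and often ',') as quoted-strings."""
    if _OID_RE.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_eat_media_type(base: str, eat_profile: Optional[str] = None) -> str:
    """Derive the profile-specific media type from a base such as application/eat+cwt."""
    if eat_profile is None:
        return base
    return f"{base}; eat_profile={quote_param_value(eat_profile)}"


@dataclass
class MediaType:
    type: str                                            # lowercased, e.g. application/eat+cwt
    params: Dict[str, str] = field(default_factory=dict)  # parameter names lowercased

    @property
    def eat_profile(self) -> Optional[str]:
        # The registration declares the parameter value case insensitive: normalise once.
        v = self.params.get("eat_profile")
        return v.lower() if v is not None else None


def _split_outside_quotes(s: str, sep: str) -> List[str]:
    """Split on sep, but never inside a quoted-string (tag URIs contain commas)."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    if not _TOKEN_RE.match(value):
        raise ValueError(f"parameter value is neither token nor quoted-string: {value!r}")
    return value


def parse_media_type(header: str) -> MediaType:
    """Parse one media type with parameters, e.g. a Content-Type field value."""
    fields = _split_outside_quotes(header, ";")
    if not fields or "/" not in fields[0]:
        raise ValueError(f"malformed media type: {header!r}")
    params = {}
    for item in fields[1:]:
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"malformed parameter: {item!r}")
        params[name.strip().lower()] = _unquote(value.strip())
    return MediaType(fields[0].lower(), params)


def parse_accept(header: str) -> List[MediaType]:
    """Accept field value -> media types in the order given (q-weights are kept as params, not ranked)."""
    return [parse_media_type(part) for part in _split_outside_quotes(header, ",")]


# Profile-specific processors keyed by (media type, normalised profile). Names are ours.
HANDLERS = {
    ("application/eat+cwt", "tag:evidence.example,2022"): "verify_evidence_2022",
    ("application/eat+cwt", "2.999.1"): "verify_oid_profile",
}


def route(content_type: str) -> str:
    """Dispatch on the media type alone, without snooping into the request body."""
    mt = parse_media_type(content_type)
    try:
        return HANDLERS[(mt.type, mt.eat_profile)]
    except KeyError:
        raise LookupError(f"no processor registered for {content_type!r}") from None


def negotiate_result_type(accept: str, producible: List[str]) -> Optional[str]:
    """First Accept entry the Verifier can produce; profiles compared case-insensitively."""
    offers = {}
    for offer in producible:
        mt = parse_media_type(offer)
        offers[(mt.type, mt.eat_profile)] = offer
    for wanted in parse_accept(accept):
        if (wanted.type, wanted.eat_profile) in offers:
            return offers[(wanted.type, wanted.eat_profile)]
    return None
```

Routing on the (type, profile) pair keeps the dispatcher closed by default: a request whose profile is not in the table is refused before its body is touched, and the same normalised key is used on the "Accept" side so the Verifier only promises result profiles it can actually produce.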
Media types only provide clues to the processing application. The application must verify that the received data matches the expected format, regardless of the advertised media type, and stop further processing on failure. Failing to do so could expose the user to security risks, such as privilege escalation and cross-protocol attacks.
The security considerations of [EAT] and [UCCS] apply in full.
When using application/eat-ucs+json and application/eat-ucs+cbor in particular, the reader should review Section 3 of [UCCS], which contains a detailed discussion about the characteristics of a "Secure Channel" for conveyance of such messages.
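As an added example of the check the security considerations call for (not code from RFC 9782 or the RATS working group), the following Verifier-side gate refuses a body that is not the syntax its media type advertises, and, where the syntax allows reading the claims set without a CBOR library, also refuses a body whose in-band "eat_profile" claim disagrees with the "eat_profile" parameter that is meant to mirror it. Signature verification is a separate, mandatory step before any claim is trusted; this gate only decides whether the body is the kind of message the selected processor expects. The policy that CWT EATs must arrive CBOR-tagged, the reason strings, the function names, and the constructed sample inputs (a compact JWT with a placeholder signature, the first bytes of a tagged CWT) are all assumptions of this example.

```python
"""Added example, not part of RFC 9782: fail closed when a received body does not
match the advertised EAT media type, before any further processing.
Function names, policy choices and sample inputs are ours (assumptions)."""
import base64
import json
from typing import Optional, Tuple

EAT_PROFILE_CLAIM = "eat_profile"      # claim name in JSON-encoded EATs


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _jwt_claims(body: bytes) -> Optional[dict]:
    """Claims set of a compact-serialised JWT, or None if the shape is wrong."""
    try:
        header, payload, _signature = body.decode("ascii").split(".")
        if not isinstance(json.loads(_b64url_decode(header)), dict):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:   # wrong segment count, non-ASCII, bad base64url, bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def _json_claims(body: bytes) -> Optional[dict]:
    """Claims set of a UJCS body (a bare JSON object), or None."""
    try:
        claims = json.loads(body.decode("utf-8"))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def _looks_like_tagged_cbor(body: bytes) -> bool:
    """Initial byte is CBOR major type 6 (a tag), i.e. 0xC0..0xDB. Policy assumption."""
    return len(body) > 1 and 0xC0 <= body[0] <= 0xDB


def _profile_matches(claims: dict, expected: Optional[str]) -> Tuple[bool, str]:
    if expected is None:
        return True, "ok"
    in_band = claims.get(EAT_PROFILE_CLAIM)
    # Compared case-insensitively, the rule the parameter registration states.
    if not isinstance(in_band, str) or in_band.lower() != expected.lower():
        return False, "eat_profile claim does not match the media type parameter"
    return True, "ok"


def check_eat_payload(media_type: str, expected_profile: Optional[str],
                      body: bytes) -> Tuple[bool, str]:
    """(accepted, reason) for a body received under the bare media_type.

    expected_profile is the already-parsed eat_profile parameter, or None.
    Anything not explicitly recognised is refused.
    """
    mt = media_type.lower()
    if mt.endswith("+jwt"):
        claims = _jwt_claims(body)
        if claims is None:
            return False, "body is not a compact-serialised JWT"
        return _profile_matches(claims, expected_profile)
    if mt == "application/eat-ucs+json":
        claims = _json_claims(body)
        if claims is None:
            return False, "body is not a JSON object"
        return _profile_matches(claims, expected_profile)
    if mt.endswith("+cwt") or mt.endswith("+cbor"):
        if not _looks_like_tagged_cbor(body):
            return False, "body is not tagged CBOR"
        # The in-band profile of a CWT is checked after COSE/CBOR decoding and
        # signature verification, which needs a CBOR/COSE library (not shown here).
        return True, "ok"
    return False, f"no format check implemented for {media_type!r}"


def build_sample_jwt(claims: dict) -> bytes:
    """Constructed test input: compact JWT with a placeholder (not valid) signature."""
    def seg(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    placeholder_sig = base64.urlsafe_b64encode(b"\x00" * 64).rstrip(b"=").decode("ascii")
    return f"{seg({'alg': 'ES256'})}.{seg(claims)}.{placeholder_sig}".encode("ascii")


# Constructed first bytes of a tagged CWT: tag 61 (CWT) wrapping tag 18 (COSE_Sign1).
SAMPLE_TAGGED_CWT_PREFIX = bytes([0xD8, 0x3D, 0xD2, 0x84])
```

The cross-format case is the one the text warns about: a JWT delivered under application/eat+cwt is refused on its first byte, so the CWT processor never sees text it would have to guess about, and a JWT whose claimed profile differs from the parameter is refused before the profile-specific processor runs.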
+cwt Structured Syntax Suffix

IANA has registered +cwt in the "Structured Syntax Suffixes" registry [STRUCT-SYNTAX] in the manner described in [MEDIATYPES]. +cwt can be used to indicate that the media type is encoded as a CWT.

Name: CBOR Web Token (CWT)
+suffix: +cwt
Encoding considerations: binary
Interoperability considerations: N/A
Fragment identifier considerations: The syntax and semantics of fragment identifiers specified for +cwt SHOULD be as specified for application/cwt. (At the time of publication, there is no fragment identification syntax defined for application/cwt.)
Contact: RATS WG mailing list (rats@ietf.org), or IETF Security Area (saag@ietf.org)
Author/Change controller: Remote ATtestation ProcedureS (RATS) Working Group. The IETF has change control over this registration.
IANA has registered the following media types in the "Media Types" registry [MEDIA-TYPES].

| Name | Template | Reference |
|---|---|---|
| EAT CWT | application/eat+cwt | RFC 9782, Section 6.3 |
| EAT JWT | application/eat+jwt | RFC 9782, Section 6.4 |
| Detached EAT Bundle CBOR | application/eat-bun+cbor | RFC 9782, Section 6.5 |
| Detached EAT Bundle JSON | application/eat-bun+json | RFC 9782, Section 6.6 |
| EAT UCCS | application/eat-ucs+cbor | RFC 9782, Section 6.7 |
| EAT UJCS | application/eat-ucs+json | RFC 9782, Section 6.8 |
Type name: application
Subtype name: eat+cwt
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations: binary
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no

Type name: application
Subtype name: eat+jwt
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations: 8bit
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no

Type name: application
Subtype name: eat-bun+cbor
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations: binary
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no

Type name: application
Subtype name: eat-bun+json
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no

Type name: application
Subtype name: eat-ucs+cbor
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations: binary
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no

Type name: application
Subtype name: eat-ucs+json
Required parameters: N/A
Optional parameters: "eat_profile" (EAT profile in string format. OIDs must use the dotted-decimal notation. The parameter value is case insensitive.)
Interoperability considerations: N/A
Published specification: RFC 9782
Applications that use this media type: Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other transports.
Fragment identifier considerations: N/A
Person & email address to contact for further information: RATS WG mailing list (rats@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Change controller: IETF
Provisional registration? no
IANA has registered the following Content-Format numbers in the "CoAP Content-Formats" registry, within the "Constrained RESTful Environments (CoRE) Parameters" registry group [CORE-PARAMS]:

| Content Type | Content Coding | ID | Reference |
|---|---|---|---|
| application/eat+cwt | - | 263 | RFC 9782 |
| application/eat+jwt | - | 264 | RFC 9782 |
| application/eat-bun+cbor | - | 265 | RFC 9782 |
| application/eat-bun+json | - | 266 | RFC 9782 |
| application/eat-ucs+cbor | - | 267 | RFC 9782 |
| application/eat-ucs+json | - | 268 | RFC 9782 |
Thank you Carl Wallace, Carsten Bormann, Dave Thaler, Deb Cooley, Éric Vyncke, Francesca Palombini, Jouni Korhonen, Kathleen Moriarty, Michael Richardson, Murray Kucherawy, Orie Steele, Paul Howard, Roman Danyliw, and Tim Hollebeek for your comments and suggestions.