HTTP/2 200
date: Sat, 11 Oct 2025 10:10:23 GMT
content-type: application/rfc+xml; charset=utf-8
content-length: 9054
cf-ray: 98cd913af8e1c7d4-BLR
last-modified: Wed, 28 May 2025 04:57:06 GMT
etag: "c8e0-6362b03437c90-gzip"
accept-ranges: bytes
vary: Accept-Encoding
content-encoding: gzip
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
set-cookie: __cf_bm=zCeYBfmMpSHh1e_nRyBIuuLpTSDT2G_OBS2wwinN_PQ-1760177423-1.0.1.1-nnLWKChmwBzi1sWSNL0EWdKsq8WtoB21ZNZ.6dWNWwFtQBaCXv2ZDt3cToVjAsqQTbPLjp2khQT1v2azjhT6Oc7I1R4B1IlmRc1tsXN.tAY; path=/; expires=Sat, 11-Oct-25 10:40:23 GMT; domain=.rfc-editor.org; HttpOnly; Secure; SameSite=None
server: cloudflare
alt-svc: h3=":443"; ma=86400
]>
Entity Attestation
Token (EAT) Media TypesSecurity Theory LLClgl@securitytheory.comFraunhofer Institute for Secure Information TechnologyRheinstrasse 75Darmstadt64295Germanyhenk.birkholz@ietf.contactLinarothomas.fossati@linaro.org
SEC
ratsEATmedia typeThe payloads used in Remote ATtestation procedureS (RATS) may require an
associated media type for their conveyance, for example, when the payloads are
used in RESTful APIs.This memo defines media types to be used for Entity Attestation Tokens (EATs).IntroductionPayloads used in Remote ATtestation procedureS (RATS) may require an
associated media type for their conveyance, for example, when used in RESTful
APIs ().Conveying RATS Conceptual Messages in REST APIs Using EATs|
| | 200 OK |
| | EAT(Attestation Results) |
| |<---------------------------+
| POST /auth | |
| EAT(Attestation Results) | |
|<---------------------------+ |
| 201 Created | |
+--------------------------->| |
| | |
| | |
]]>This memo defines media types to be used for EAT
payloads independently of the RATS Conceptual Message in which they
manifest themselves. The objective is to give protocol, API, and application
designers a number of readily available and reusable media types for
integrating EAT-based messages in their flows, e.g., when using HTTP
or the Constrained Application Protocol (CoAP) .TerminologyThis document uses the terms and concepts defined in .EAT Types illustrates the six EAT wire formats and how they relate to
each other. defines four of them (CBOR Web Token (CWT), JSON Web Token (JWT), and the detached EAT bundle in
its JSON and CBOR flavours), while defines the Unprotected CWT Claims Set (UCCS) and Unprotected JWT Claims Sets (UJCS).EAT TypesA Media Type Parameter for EAT ProfilesEAT is an open and flexible format. To improve interoperability, defines the concept of EAT profiles. Profiles are used to constrain
the parameters that producers and consumers of a specific EAT profile need to
understand in order to interoperate, e.g., the number and type of
claims, which serialisation format, the supported signature schemes, etc. EATs
carry an in-band profile identifier using the "eat_profile" claim (see
). The value of the "eat_profile" claim is either an
OID or a URI.The media types defined in this document include an optional "eat_profile"
parameter that can be used to mirror the "eat_profile" claim of the transported
EAT. Exposing the EAT profile at the API layer allows API routers to dispatch
payloads directly to the profile-specific processor without having to snoop
into the request bodies. This design also provides a finer-grained and
scalable type system that matches the inherent extensibility of EAT. The
expectation being that a certain EAT profile automatically obtains a media type
derived from the base (e.g., application/eat+cwt) by populating the
"eat_profile" parameter with the corresponding OID or URL.When the parameterised version of the EAT media type is used in HTTP (for
example, with the "Content-Type" and "Accept" headers) and the value is an
absolute URI (), the parameter-value () uses the quoted-string encoding, for example:application/eat+jwt; eat_profile="tag:evidence.example,2022"Instead, when the EAT profile is an OID, the token encoding
(i.e., without quotes) can be used. For example:application/eat+cwt; eat_profile=2.999.1.ExamplesThe example in illustrates the usage of EAT media types for
transporting attestation evidence as well as negotiating the acceptable format
of the attestation result.Example REST Verification API (request)The example in illustrates the usage of EAT media types for
transporting attestation results.Example REST Verification API (response)In both cases, a tag URI identifying the profile is carried as an
explicit parameter.Security ConsiderationsMedia types only provide clues to the processing application. The application
must verify that the received data matches the expected format, regardless of
the advertised media type, and stop further processing on failure. Failing to
do so could expose the user to security risks, such as privilege escalation
and cross-protocol attacks.The security considerations of and apply in full.When using application/eat-ucs+json and application/eat-ucs+cbor in particular, the reader should review , which contains a detailed discussion about the characteristics of a "Secure Channel" for conveyance of such messages.IANA Considerations+cwt Structured Syntax SuffixIANA has registered +cwt in the
"Structured Syntax Suffixes" registry in
the manner described in . +cwt can be used to indicate that the
media type is encoded as a CWT.Registry Contents
Name:
CBOR Web Token (CWT)
+suffix:
+cwt
References:
Encoding Considerations:
binary
Interoperability Considerations:
N/A
Fragment Identifier Considerations:
The syntax and semantics of fragment identifiers specified for +cwt SHOULD be
as specified for application/cwt. (At the time of publication, there
is no fragment identification syntax defined for application/cwt.)
Security Considerations:
See
Contact:
RATS WG mailing list (rats@ietf.org), or IETF Security Area (saag@ietf.org)
Author/Change Controller:
Remote ATtestation ProcedureS (RATS) Working Group.
The IETF has change control over this registration.
Media TypesIANA has registered the following media types in the
"Media Types" registry .
New Media Types
Name
Template
Reference
EAT CWT
application/eat+cwt
RFC 9782,
EAT JWT
application/eat+jwt
RFC 9782,
Detached EAT Bundle CBOR
application/eat-bun+cbor
RFC 9782,
Detached EAT Bundle JSON
application/eat-bun+json
RFC 9782,
EAT UCCS
application/eat-ucs+cbor
RFC 9782,
EAT UJCS
application/eat-ucs+json
RFC 9782,
application/eat+cwt Registration
Type name:
application
Subtype name:
eat+cwt
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat+jwt Registration
Type name:
application
Subtype name:
eat+jwt
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
8bit
Security considerations:
and
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-bun+cbor Registration
Type name:
application
Subtype name:
eat-bun+cbor
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-bun+json Registration
Type name:
application
Subtype name:
eat-bun+json
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
Same as
Security considerations:
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-ucs+cbor Registration
Type name:
application
Subtype name:
eat-ucs+cbor
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
binary
Security considerations:
Sections and of
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
application/eat-ucs+json Registration
Type name:
application
Subtype name:
eat-ucs+json
Required parameters:
N/A
Optional parameters:
"eat_profile" (EAT profile in string format. OIDs must use the
dotted-decimal notation. The parameter value is case insensitive.)
Encoding considerations:
Same as
Security considerations:
Sections and of
Interoperability considerations:
N/A
Published specification:
RFC 9782
Applications that use this media type:
Attesters, Verifiers, Endorsers and Reference-Value providers, and Relying
Parties that need to transfer EAT payloads over HTTP(S), CoAP(S), and other
transports.
Fragment identifier considerations:
N/A
Person & email address to contact for further information:
RATS WG mailing list (rats@ietf.org)
Intended usage:
COMMON
Restrictions on usage:
none
Author/Change controller:
IETF
Provisional registration:
no
CoAP Content-Format RegistrationsIANA has registered the following Content-Format numbers in the "CoAP
Content-Formats" registry, within the "Constrained RESTful Environments
(CoRE) Parameters" registry group :
New Content-Formats
Content Type
Content Coding
ID
Reference
application/eat+cwt
-
263
RFC 9782
application/eat+jwt
-
264
RFC 9782
application/eat-bun+cbor
-
265
RFC 9782
application/eat-bun+json
-
266
RFC 9782
application/eat-ucs+cbor
-
267
RFC 9781
application/eat-ucs+json
-
268
RFC 9782
ReferencesNormative ReferencesThe Entity Attestation Token (EAT)Security Theory LLCMediatek USARed Hound Software, Inc.A Concise Binary Object Representation (CBOR) Tag for Unprotected CBOR Web Token Claims Sets (UCCS)
Fraunhofer SITQualcomm Technologies Inc.Cisco SystemsUniversität Bremen TZIStructured Syntax SuffixesIANAMedia TypesIANACoAP Content-FormatsIANAInformative ReferencesAcknowledgmentsThank you , , ,
, ,
, , , , ,
, ,
, and for your comments and suggestions.
