Internet Engineering Task Force (IETF)                      L. Lundblade
Request for Comments: 9782                           Security Theory LLC
Category: Standards Track                                    H. Birkholz
ISSN: 2070-1721                                           Fraunhofer SIT
                                                              T. Fossati
                                                                  Linaro
                                                                May 2025

Entity Attestation Token (EAT) Media Types

Abstract

The payloads used in Remote ATtestation procedureS (RATS) may require
an associated media type for their conveyance, for example, when the
payloads are used in RESTful APIs.

This memo defines media types to be used for Entity Attestation
Tokens (EATs).

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9782.

Copyright Notice

Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.

Table of Contents

1. Introduction
  1.1. Terminology
2. EAT Types
3. A Media Type Parameter for EAT Profiles
4. Examples
5. Security Considerations
6. IANA Considerations
  6.1. +cwt Structured Syntax Suffix
    6.1.1. Registry Contents
  6.2. Media Types
  6.3. application/eat+cwt Registration
  6.4. application/eat+jwt Registration
  6.5. application/eat-bun+cbor Registration
  6.6. application/eat-bun+json Registration
  6.7. application/eat-ucs+cbor Registration
  6.8. application/eat-ucs+json Registration
  6.9. CoAP Content-Format Registrations
7. References
  7.1. Normative References
  7.2. Informative References
Acknowledgments
Authors' Addresses

1. Introduction

Payloads used in Remote ATtestation procedureS (RATS) [RATS-ARCH] may
require an associated media type for their conveyance, for example,
when used in RESTful APIs (Figure 1).

.---------------.     .----------.             .----------.
| Relying Party |     | Attester |             | Verifier |
'-+-------------'     '----+-----'             '--------+-'
  |                        |     POST /verify           |
  |                        |       EAT(Evidence)        |
  |                        +--------------------------->|
  |                        |                 200 OK     |
  |                        |  EAT(Attestation Results)  |
  |                        |<---------------------------+
  |                        |                            |
  |                        |                            |

Figure 1: Conveying RATS Conceptual Messages in REST APIs Using EATs

This memo defines media types to be used for EAT payloads [EAT]
independently of the RATS Conceptual Message in which they manifest
themselves. The objective is to give protocol, API, and application
designers a number of readily available and reusable media types for
integrating EAT-based messages in their flows, e.g., when using HTTP
[BUILD-W-HTTP] or the Constrained Application Protocol (CoAP)
[REST-IoT].

1.1. Terminology

This document uses the terms and concepts defined in [RATS-ARCH].

2. EAT Types

Figure 2 illustrates the six EAT wire formats and how they relate to
each other. [EAT] defines four of them (CBOR Web Token (CWT), JSON
Web Token (JWT), and the detached EAT bundle in its JSON and CBOR
flavours), while [UCCS] defines the Unprotected CWT Claims Set (UCCS)
and Unprotected JWT Claims Sets (UJCS).

(Figure 2: diagram of the six EAT wire formats and how they relate to
each other)
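
The following is an added example, not part of the RFC text: a
Content-Type gate that an endpoint such as the POST /verify of Figure 1
could apply before decoding a body, mapping the six media types
registered in Section 6 to the six wire formats above and reading the
eat_profile parameter that Section 3 defines. The function name and the
channel_authenticated and allowed_profiles policy inputs are
assumptions of this example; refusing an unprotected claims set on an
unauthenticated channel is the example's policy choice.

```python
from email.message import Message

# Media type names as registered in Section 6 of this memo. The second field
# marks the unprotected claims sets (UCCS/UJCS), which carry no signature.
EAT_MEDIA_TYPES = {
    "application/eat+cwt": ("CWT", False),
    "application/eat+jwt": ("JWT", False),
    "application/eat-bun+cbor": ("detached EAT bundle, CBOR", False),
    "application/eat-bun+json": ("detached EAT bundle, JSON", False),
    "application/eat-ucs+cbor": ("UCCS", True),
    "application/eat-ucs+json": ("UJCS", True),
}


def classify_eat(content_type, channel_authenticated=False, allowed_profiles=None):
    """Return (wire_format, eat_profile or None) or raise ValueError.

    channel_authenticated and allowed_profiles are this example's own policy
    inputs (assumptions), not something the memo defines.
    """
    msg = Message()
    msg["Content-Type"] = content_type
    media_type = msg.get_content_type()  # lower-cased; malformed -> text/plain
    if media_type not in EAT_MEDIA_TYPES:
        raise ValueError(f"not an EAT media type: {media_type}")
    wire_format, unprotected = EAT_MEDIA_TYPES[media_type]

    # An unsigned claims set is only as trustworthy as the channel it came on.
    if unprotected and not channel_authenticated:
        raise ValueError(f"{wire_format} refused on an unauthenticated channel")

    # get_params() lower-cases names and unquotes values; element 0 is the type.
    profiles = [v for k, v in msg.get_params()[1:] if k == "eat_profile"]
    if len(profiles) > 1:
        raise ValueError("duplicate eat_profile parameter")
    profile = profiles[0] if profiles else None
    if profile is not None and not isinstance(profile, str):
        raise ValueError("encoded eat_profile not accepted")
    # With an allowlist configured, a missing profile is rejected as well.
    if allowed_profiles is not None and profile not in allowed_profiles:
        raise ValueError(f"eat_profile not allowed: {profile!r}")
    return wire_format, profile
```
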
At the time of writing, this BCP comprises the following:
Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best
Current Practices", BCP 225, RFC 8725,
DOI 10.17487/RFC8725, February 2020,