]> CBOR Common Deterministic Encoding (CDE) Universität Bremen TZI
Postfach 330440 Bremen D-28359 Germany +49-421-218-63921 cabo@tzi.org
Applications and Real-Time CBOR CBOR (STD 94, RFC 8949) defines "Deterministically Encoded CBOR" in its Section 4.2, providing some flexibility for application specific decisions. To facilitate Deterministic Encoding to be offered as a selectable feature of generic encoders, the present document defines a CBOR Common Deterministic Encoding (CDE) that can be shared by a large set of applications with potentially diverging detailed requirements. It also defines the term "Basic Serialization", which stops short of the potentially more onerous requirements that make CDE fully deterministic, while employing most of its reductions of the variability needing to be handled by decoders. About This Document Status information for this document may be found at . Discussion of this document takes place on the Concise Binary Object Representation Maintenance and Extensions (CBOR) Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction CBOR (STD 94, RFC 8949) defines "Deterministically Encoded CBOR" in its Section 4.2, providing some flexibility for application specific decisions. To facilitate Deterministic Encoding to be offered as a selectable feature of generic encoders, the present document defines a CBOR Common Deterministic Encoding (CDE) that can be shared by a large set of applications with potentially diverging detailed requirements. It also defines the term "Basic Serialization", which stops short of the potentially more onerous requirements that make CDE fully deterministic, while employing most of its reductions of the variability needing to be handled by decoders.
Structure of This Document After introductory material (this introduction and ), defines the CBOR Common Deterministic Encoding (CDE). defines Concise Data Definition Language (CDDL) support for indicating the use of CDE. This is followed by the conventional sections for (), (), and (). For use as background material, introduces terminology for the layering of models used to describe CBOR. Instead of giving rise to the definition of application-specific, non-interoperable variants of CDE, this document identifies Application-level Deterministic Representation (ALDR) rules as a concept that is separate from CDE itself () and therefore out of scope for this document. ALDR rules are situated at the application-level, i.e., on top of the CDE, and address requirements on deterministic representation of application data that are specific to an application or a set of applications. ALDR rules are often provided as part of a specification for a CBOR-based protocol, or, if needed, can be provided by referencing a shared "ALDR ruleset" that is defined in a separate document. The informative provides brief checklists that implementers can use to check their CDE implementations. provides a checklist for implementing Preferred Serialization. introduces "Basic Serialization", a slightly more restricted form of Preferred Serialization that may be used by encoders to hit a sweet spot for maximizing interoperability with partial (e.g., constrained) CBOR decoder implementations. further restricts Basic Serialization to arrive at CDE. provides a few examples for CBOR data items in CDE encoding, as well as a few failing examples.
Conventions and Definitions The conventions and definitions of apply. provides additional discussion of the terms information model, data model, and serialization.
  • The term "CBOR Application" ("application" for short) is not explicitly defined in ; this document uses it in the same sense as it is used there, specifically for applications that use CBOR as an interchange format and use (often generic) CBOR encoders/decoders to serialize/ingest the CBOR form of their application data to be exchanged.
  • Similarly, "CBOR Protocol" is used as in for the protocol that governs the interchange of data in CBOR format for a specific application or set of applications.
  • "Representation" stands for the process, and its result, of building the representation format out of (information-model level) application data.
  • "Serialization" is used for the subset of this process, and its result, that represents ("serializes") data in CBOR generic data model form into encoded data items. "Encoding" is often used as a synonym when the focus is on that.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in () () when, and only when, they appear in all capitals, as shown here.
Encoding Choices in CBOR In many cases, CBOR provides more than one way to encode a data item, i.e., to serialize it into a sequence of bytes. This flexibility can provide convenience for the generator of the encoded data item, but handling the resulting variation can also put an onus on the decoder. In general, there is no single perfect encoding choice that is optimal for all applications. Choosing the right constraints on these encoding choices is one element of application protocol design. Having predefined sets of such choices is a useful way to reduce variation between applications, enabling generic implementations. Section of RFC 8949 provides a recommendation for a Preferred Serialization. This recommendation is useful for most CBOR applications, and it is a good choice for most applications. Its main constraint is to choose the shortest head (Section of RFC 8949 ) that preserves the value of a data item. Preferred Serialization allows indefinite length encoding (Section of RFC 8949 ), which does not express the length of a string, an array, or a map in its head. Supporting both definite length and indefinite length encoding is an additional onus on the decoder; many applications therefore choose not to use indefinite length encoding at all. We call Preferred Serialization with this additional constraint Basic Serialization. Basic Serialization is a common choice for applications that need to further reduce the variability that needs to be handled by decoders, potentially maximizing interoperability with partial (e.g., constrained) CBOR decoder implementations. These constraints still allow some variation. In particular, there is more than one serialization for data items that contain maps: The order of serialization of map entries is ignored in CBOR (as it is in JSON), so maps with more than one entry have all permutations of these entries as valid Basic Serializations. Deterministic Serialization builds on Basic Serialization by defining a common (namely, lexicographic) order for the entries in a map. For many applications, ensuring this common order is an additional onus on the generator that is not actually needed, so they do not choose Deterministic Serialization. However, if the objective is minimal effort for the consuming application, deterministic map ordering can be useful even outside the main use cases for Deterministic Serialization that are further discussed in . summarizes the increasingly restrictive sets of encoding choices that have been given names in this section. Constraints on the Serialization of CBOR
Set of Encoding Choices Most Important Constraint Applications
Preferred shortest "head" variant most
Basic + definite lengths only many
Deterministic ("CDE") + common map order specific
Note that the objective to have a deterministic serialization for a specific application data item can only be fulfilled if the application itself does not generate multiple different CBOR data items that represent that same (equivalent) application data item. We speak of the need for Application-level Deterministic Representation (ALDR), and we may want to aid achieving this by the application defining rules for ALDR (see also ). Where Deterministic Representation is not actually needed, application-level representation rules of course can still be useful to amplify the benefits of Preferred or Basic Serialization.
CBOR Common Deterministic Encoding (CDE) This specification defines the CBOR Common Deterministic Encoding (CDE) based on the Core Deterministic Encoding Requirements defined for CBOR in Section of RFC 8949 . Note that this specific set of requirements is elective — in principle, other variants of deterministic encoding can be defined (and have been, now being phased out, as detailed in Section of RFC 8949 ). In many applications of CBOR today, deterministic encoding is not used at all, as its restriction of choices can create some additional performance cost and code complexity. 's "Core Deterministic Encoding Requirements" are designed to provide well-understood and easy-to-implement rules while maximizing coverage, i.e., the subset of CBOR data items that are fully specified by these rules, and also placing minimal burden on implementations. As discussed in , CDE combines the constraints of Preferred Serialization with a constraint added by Basic Serialization and another constraint added by CDE itself. While many CBOR implementations do set out to provide Preferred Serialization, there is less of a practical requirement to fully conform, as generic CBOR decoders do not normally check for Preferred Serialization. However, an application that relies on deterministic representation, during ingestion of an encoded CBOR data item will often need to employ a "CDE-checking decoder", i.e., a CBOR decoder configured to also check that all CDE constraints are satisfied (see also ). Here, small deviations from CDE, including deviations from Preferred Serialization, turn into interoperability problems; hence the additional attention of the present document on these constraints.
CDE Constraints from Preferred Serialization Section of RFC 8949 picks up on the interaction of extensibility (CBOR tags) and deterministic encoding. CBOR itself uses some tags to increase the range of its basic generic data types, e.g., tags 2/3 extend the range of basic major types 0/1 in a seamless way. Section of RFC 8949 recommends handling this transition the same way as with the transition between different integer representation lengths in the basic generic data model, i.e., by mandating the Preferred Serialization for all integers (Section of RFC 8949 ; see also and ).
  1. By adopting the encoding constraints from Preferred Serialization, CDE turns this recommendation into a mandate: Integers that can be represented by basic major type 0 and 1 are encoded using the deterministic encoding defined for them, and integers outside this range are encoded using the Preferred Serialization (Section of RFC 8949 ) of tag 2 and 3 (i.e., no leading zero bytes).
Most tags capture more specific application semantics and therefore may be harder to define a deterministic encoding for. While the deterministic encoding of their tag internals is often covered by the Core Deterministic Encoding Requirements, the mapping of diverging platform application data types onto the tag contents may require additional attention to perform it in a deterministic way; see for more explanation as well as examples. As the CDE would continually need to address additional issues raised by the registration of new tags, this specification recommends that new tag registrations address deterministic encoding in the context of CDE. Note that not in all cases the tag's deterministic encoding constraints will be confined to its definition of Preferred Serialization. A particularly difficult field to obtain deterministic encoding for is floating point numbers, partially because they themselves are often obtained from processes that are not entirely deterministic between platforms. See for more details. Section of RFC 8949 presents a number of choices that needed to be made to obtain the CBOR Common Deterministic Encoding (CDE). Here, CDE entirely recurs to Preferred Serialization and does not itself define any additional constraints. However, this BCP responds to a perceived need to clarify some of the Preferred Serialization constraints. Specifically, CDE specifies (in the order of the bullet list at the end of Section of RFC 8949 ):
  1. Besides the mandated use of Preferred Serialization, there is no further specific action for the two different zero values, e.g., an encoder that is asked by an application to represent a negative floating point zero will generate 0xf98000.
  2. There is no attempt to mix integers and floating point numbers, i.e., all floating point values are encoded as the preferred floating-point representation that accurately represents the value, independent of whether the floating point value is, mathematically, an integral value (choice 2 of the second bullet).
  3. Apart from finite and infinite numbers, floating point values include NaN (not a number) values . In CDE, there is no special handling of NaN values, except a clarification that the Preferred Serialization rules also apply to NaNs (with zero or non-zero payloads), using the canonical encoding of NaNs as defined in Section 6.2.1 of . Specifically, this means that shorter forms of encodings for a NaN are used when that can be achieved by only removing trailing zeros in the NaN payload (example serializations are available in ). Further clarifying a "should"-level statement in Section 6.2.1 of , the CBOR encoding always uses a leading bit of 1 in the significand to encode a quiet NaN; the use of signaling NaNs by application protocols is NOT RECOMMENDED but when presented by an application these are encoded by using a leading bit of 0. Typically, most applications that employ NaNs in their storage and communication interfaces will only use a single NaN value, quiet, non-negative NaN with payload 0, which therefore deterministically encodes as 0xf97e00.
  4. There is no special handling of subnormal values.
  5. CDE does not presume equivalence of basic floating point values with floating point values using other representations (e.g., tag 4/5). Such equivalences and related deterministic representation rules can be added at the ALDR level if desired, e.g., by stipulating additional equivalences and deterministically choosing exactly one representation for each such equivalence, and by restricting in general the set of data item values actually used by an application.
The main intent here is to preserve the basic generic data model, so applications (in their ALDR rules or by referencing a separate ALDR ruleset document, see ) can make their own decisions within that data model. E.g., an application's ALDR rules can decide that it only ever allows a single NaN value that would be encoded as 0xf97e00, so a CDE implementation focusing on this application would not even need to provide processing for other NaN values. Basing the definition of both CDE and ALDR rules on the generic data model of CBOR also means that there is no effect on the Concise Data Definition Language (CDDL) , except where the data description is documenting specific encoding decisions for byte strings that carry embedded CBOR (see ).
Additional CDE Constraint from Basic Serialization In addition to the encoding constraints from Preferred Serialization, CDE adds the constraint of not using indefinite length encoding from Basic Serialization. In many encoders, the use of indefinite length encoding is controlled by its configuration and can simply be switched off. Some encoders turn to indefinite length encoding for arrays and maps with 256 or more elements/entries, to use the slightly smaller serialization size indefinite length encoding offers for these cases. Since leaving out support for indefinite length encoding is a common form of partial implementation, this may reduce interoperability. (Indefinite length encoding may also be used conditionally to avoid having to compute the total size ahead of time if the platform uses some form of chunking.) As CDE uses definite length encoding exclusively, such behavior needs to be turned off for CDE.
Additional CDE Constraint from CDE Itself In line with Section of RFC 8949 , CDE adds the constraint of map ordering to those from Basic Serialization. In some implementations, where platform representations of maps preserve ordering, this can be achieved using a generic CBOR encoder by pre-ordering all maps to be encoded, as long as that generic encoder also preserves the ordering in maps. In implementations without these properties, a specialized CBOR encoder may need to be employed. Map ordering is a deterministic encoding constraint specific to maps, major type 5, that goes beyond maps' constraints for preferred serialization. In the definition of a tag being employed, there may also be some deterministic encoding constraints that are not covered by the tag's constraints for Preferred Serialization (see ).
CDDL support CDDL defines the structure of CBOR data items at the data model level; it enables being specific about the data items allowed in a particular place. It does not specify encoding, but CBOR protocols can specify the use of CDE (or simply Basic Serialization). For instance, it allows the specification of a floating point data item as "float16"; this means the application data model only foresees data that can be encoded as binary16. Note that specifying "float32" for a floating point data item enables all floating point values that can be represented as binary32; this includes values that can also be represented as binary16 and that will be so represented in Basic Serialization. defines control operators to indicate that the contents of a byte string carries a CBOR-encoded data item (.cbor) or a sequence of CBOR-encoded data items (.cborseq). CDDL specifications may want to specify that the data items should be encoded in Common CBOR Deterministic Encoding. The present specification adds two CDDL control operators that can be used for this. The control operators .cde and .cdeseq are exactly like .cbor and .cborseq except that they also require the encoded data item(s) to be encoded according to CDE. For example, a byte string of embedded CBOR that is to be encoded according to CDE can be formalized as: More importantly, if the encoded data item also needs to have a specific structure, this can be expressed by the right-hand side (instead of using the most general CDDL type any here). (Note that the .cdeseq control operator does not enable specifying different deterministic encoding requirements for the elements of the sequence. If a use case for such a feature becomes known, it could be added, or the CBOR sequence could be constructed with .join ().) Obviously, specifications that document ALDR rules can define related control operators that also embody the processing required by those ALDR rules, and are encouraged to do so.
Security Considerations The security considerations in Section of RFC 8949 apply. The use of deterministic encoding can mitigate issues arising out of the use of non-preferred serializations specially crafted by an attacker. However, this effect only accrues if the decoder actually checks that deterministic encoding was applied correctly. More generally, additional security properties of deterministic encoding can rely on this check being performed properly.
IANA Considerations RFC Editor: please replace RFCXXXX with the RFC number of this RFC and remove this note. This document requests IANA to register the contents of into the registry "" of the registry group: New control operators to be registered
Name Reference
.cde [RFCXXXX]
.cdeseq [RFCXXXX]
References Normative References Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. IEEE Standard for Floating-Point Arithmetic IEEE Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. Concise Data Definition Language (CDDL) IANA Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References CBOR Extended Diagnostic Notation (EDN) Universität Bremen TZI This document formalizes and consolidates the definition of the Extended Diagnostic Notation (EDN) of the Concise Binary Object Representation (CBOR), addressing implementer experience. Replacing EDN's previous informal descriptions, it updates RFC 8949, obsoleting its Section 8, and RFC 8610, obsoleting its Appendix G. It also specifies and uses registry-based extension points, using one to support text representations of epoch-based dates/times and of IP addresses and prefixes. // (This cref will be removed by the RFC editor:) The present // revision (–16) addresses the first half of the WGLC comments, // except for the issues around the specific way how to best achieve // pluggable ABNF grammars for application-extensions. It is // intended for use as a reference document for the mid-WGLC CBOR WG // interim meeting on 2025-01-08. CBOR: On Deterministic Encoding and Representation Universität Bremen TZI CBOR (STD 94, RFC 8949) defines "Deterministically Encoded CBOR" in its Section 4.2. The present document provides additional information about use cases, deployment considerations, and implementation choices for Deterministic Encoding and Representation. dCBOR: A Deterministic CBOR Application Profile Blockchain Commons Blockchain Commons Universität Bremen TZI Security Theory LLC The purpose of determinism is to ensure that semantically equivalent data items are encoded into identical byte streams. CBOR (RFC 8949) defines "Deterministically Encoded CBOR" in its Section 4.2, but leaves some important choices up to the application developer. The CBOR Common Deterministic Encoding (CDE) Internet Draft builds on this by specifying a baseline for application profiles that wish to implement deterministic encoding with CBOR. The present document provides an application profile "dCBOR" that can be used to help achieve interoperable deterministic encoding based on CDE for a variety of applications wishing an even narrower and clearly defined set of choices. On Numbers in CBOR Universität Bremen TZI The Concise Binary Object Representation (CBOR), as defined in STD 94 (RFC 8949), is a data representation format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. Among the kinds of data that a data representation format needs to be able to carry, numbers have a prominent role, but also have inherent complexity that needs attention from protocol designers and implementers of CBOR libraries and of the applications that use them. This document gives an overview over number formats available in CBOR and some notable CBOR tags registered, and it attempts to provide information about opportunities and potential pitfalls of these number formats. // This is a rather drafty initial revision, pieced together from // various components, so it has a higher level of redundancy than // ultimately desired. Unicode Normalization Forms Unicode Standard Annex CBOR Web Token (CWT) CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. Concise Binary Object Representation (CBOR) Tags for Time, Duration, and Period The Concise Binary Object Representation (CBOR, RFC 8949) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. In CBOR, one point of extensibility is the definition of CBOR tags. RFC 8949 defines two tags for time: CBOR tag 0 (RFC 3339 time as a string) and tag 1 (POSIX time as int or float). Since then, additional requirements have become known. The present document defines a CBOR tag for time that allows a more elaborate representation of time, as well as related CBOR tags for duration and time period. This document is intended as the reference document for the IANA registration of the CBOR tags defined. CBOR Object Signing and Encryption (COSE) Key Thumbprint This specification defines a method for computing a hash value over a CBOR Object Signing and Encryption (COSE) Key. It specifies which fields within the COSE Key structure are included in the cryptographic hash computation, the process for creating a canonical representation of these fields, and how to hash the resulting byte sequence. The resulting hash value, referred to as a "thumbprint", can be used to identify or select the corresponding key. CBOR Object Signing and Encryption (COSE): Structures and Process Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. CBOR Object Signing and Encryption (COSE): Countersignatures Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. CBOR Object Signing and Encryption (COSE) defines a set of security services for CBOR. This document defines a countersignature algorithm along with the needed header parameters and CBOR tags for COSE. This document updates RFC 9052. The I-JSON Message Format I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results. Concise Data Definition Language (CDDL): Additional Control Operators for the Conversion and Processing of Text The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point. RFCs have added to this extension point in both an application-specific and a more general way. The present document defines a number of additional generally applicable control operators for text conversion (bytes, integers, printf-style formatting, and JSON) and for an operation on text. Modern Network Unicode Universität Bremen TZI BCP18 (RFC 2277) has been the basis for the handling of character- shaped data in IETF specifications for more than a quarter of a century now. It singles out UTF-8 (STD63, RFC 3629) as the “charset” that MUST be supported, and pulls in the Unicode standard with that. Based on this, RFC 5198 both defines common conventions for the use of Unicode in network protocols and caters for the specific requirements of the legacy protocol Telnet. In applications that do not need Telnet compatibility, some of the decisions of RFC 5198 can be cumbersome. The present specification defines “Modern Network Unicode” (MNU), which is a form of RFC 5198 Network Unicode that can be used in specifications that require the exchange of plain text over networks and where just mandating UTF-8 may not be sufficient, but there is also no desire to import all of the baggage of RFC 5198. As characters are used in different environments, MNU is defined in a one-dimensional (1D) variant that is useful for identifiers and labels, but does not use a structure of text lines. A 2D variant is defined for text that is a sequence of text lines, such as plain text documents or markdown format. Additional variances of these two base formats can be used to tailor MNU to specific areas of application.
Information Model, Data Model and Serialization This appendix is informative. For a good understanding of this document, it is helpful to understand the difference between an information model, a data model and serialization. A three-layer model of information representation
  Abstraction Level Example Standards Implementation Representation
Information Model Top level; conceptual The temperature of something    
Data Model Realization of information in data structures and data types A floating-point number representing the temperature CDDL API input to CBOR encoder library, output from CBOR decoder library
Serialization Actual bytes encoded for transmission Encoded CBOR of a floating-point number CBOR Encoded CBOR in memory or for transmission
CBOR does not provide facilities for expressing information models. They are mentioned here for completeness and to provide some context. CBOR defines a palette of basic data items that can be grouped into data types such as the usual integer or floating-point numbers, text or byte strings, arrays and maps, and certain special "simple values" such as Booleans and null. Extended data types may be constructed from these basic types. These basic and extended types are used to construct the data model of a CBOR protocol. One notation that is often used for describing the data model of a CBOR protocol is CDDL . The various types of data items in the data model are serialized per RFC 8949 to create encoded CBOR data items.
Data Model, Encoding Variants and Interoperability with Partial Implementations In contrast to JSON, CBOR-related documents explicitly discuss the data model separately from its serialization. Both JSON and CBOR allow variation in the way some data items can be serialized:
  • In JSON, the number 1 can be serialized in several different ways (1, 0.1e1, 1.0, 100e-2) — while it may seem obvious to use 1 for this case, this is less clear for 1000000000000000000000000000000 vs. 1e+30 or 1e30. (As its serialization also doubles as a human-readable interface, JSON also allows the introduction of blank space for readability.) The lack of an agreed data model for JSON led to the need for a complementary specification documenting an interoperable subset .
  • The CBOR standard addresses constrained environments, both by being concise and by limiting variation, but also by conversely allowing certain data items in the data model to be serialized in multiple ways, which may ease implementation on low-resource platforms. On the other hand, constrained environments may further save resources by only partially implementing the decoder functionality, e.g., by not implementing all those variations.
To deal with this encoding variation provided for certain data items, CBOR defines a Preferred Serialization (Section of RFC 8949 ). Partial CBOR implementations are more likely to interoperate if their encoder uses Preferred Serialization and the decoder implements decoding at least the Preferred Serialization as well. A specific protocol for a constrained application may specify restrictions that allow, e.g., some fields to be of fixed length, guaranteeing interoperability even with partial implementations optimized for this application. Another encoding variation is provided by indefinite-length encoding for strings, arrays, and maps, which enables these to be streamed without knowing their length upfront (Section of RFC 8949 ). For applications that do not perform streaming of this kind, variation can be reduced (and often performance improved) by only allowing definite-length encoding. The present document coins the term Basic Serialization for combining definite-length-only with preferred encoding, further reducing the variation that a decoder needs to deal with. The Common Deterministic Encoding, CDE, finally combines basic serialization with a deterministic ordering of entries in a map (). Partial implementations of a representation format are quite common in embedded applications. Protocols for embedded applications often reduce the footprint of an embedded JSON implementation by explicitly restricting the breadth of the data model, e.g., by not using floating point numbers with 64 bits of precision or by not using floating point numbers at all. These data-model-level restrictions do not get in the way of using complete implementations ("generic encoders/decoders", Section of RFC 8949 ). (Note that applications may need to complement deterministic encoding with decisions on the deterministic representation of application data into CBOR data items, see .) The increasing constraints on encoding (unconstrained, preferred, basic, CDE) are orthogonal to data-model-level data definitions as provided by . To be useful in all applications, these constraints have been defined for all possible data items, covering the full range of values offered by CBOR's data types. This ensures that these serialization constraints can be applied to any CBOR protocol, without requiring protocol-specific modifications to generic encoder/decoder implementations.
Application-level Deterministic Representation This appendix is informative. CBOR application protocols are agreements about how to use CBOR for a specific application or set of applications. For a CBOR protocol to provide deterministic representation, both the encoding and application layer must be deterministic. While CDE ensures determinism at the encoding layer, requirements at the application layer may also be necessary. Application protocols make representation decisions in order to constrain the variety of ways in which some aspect of the information model could be represented in the CBOR data model for the application. For instance, there are several CBOR tags that can be used to represent a time stamp (such as tag 0, 1, 1001), each with some specific properties. Application protocols that need to represent a timestamp typically choose a specific tag and further constrain its use where necessary (e.g., tag 1001 was designed to cover a wide variety of applications ). Where no tag is available, the application protocol can design its own format for some application data. Even where a tag is available, the application data can choose to use its definitions without actually encoding the tag (e.g., by using its content in specific places in an "unwrapped" form). Another source of application layer variability comes from the variety of number types CBOR offers. For instance, the number 2 can be represented as an integer, float, big number, decimal fraction and other. Most protocols designs will just specify one number type to use, and that will give determinism, but here’s an example specification that doesn’t: Applications that require Deterministic Representation, and that derive CBOR data items from application data without maintaining a record of which choices are to be made when representing these application data, generally make rules for these choices as part of the application protocol. In this document, we speak about these choices as Application-level Deterministic Representation Rules (ALDR rules for short). CDE provides for encoding commonality between different applications of CBOR once these application-level choices have been made. It can be useful for an application or a group of applications to document their choices aimed at deterministic representation of application data in a general way, constraining the set of data items handled (exclusions, e.g., no compressed point representations) and defining further mappings (reductions, e.g., conversions to uncompressed form) that help the application(s) get by with the exclusions. This can be done in the application protocol specification (as in ) or as a separate document. ALDR rules (including rules specified in a ALDR ruleset document) enable simply using implementations of the common CDE; they do not "fork" CBOR in the sense of requiring distinct generic encoder/decoder implementations for each application. An implementation of specific ALDR rules combined with a CDE implementation produces well-formed, deterministically encoded CBOR according to , and existing generic CBOR decoders will therefore be able to decode it, including those that check for Deterministic Encoding ("CDE-checking decoders", see also ). Similarly, generic CBOR encoders will be able to produce valid CBOR that can be ingested by an implementation that enforces an application's ALDR rules if the encoder was handed data model level information from an application that simply conformed to those ALDR rules. Please note that the separation between standard CBOR processing and the processing required by the ALDR rules is a conceptual one: Instead of employing generic encoders/decoders, both ALDR rule processing and standard CBOR processing can be combined into a specialized encoder/decoder specifically designed for a particular set of ALDR rules. ALDR rules are intended to be used in conjunction with an application, which typically will naturally use a subset of the CBOR generic data model, which in turn influences which subset of the ALDR rules is used by the specific application (in particular if the application simply references a more general ALDR ruleset document). As a result, ALDR rules themselves place no direct requirement on what minimum subset of CBOR is implemented. For instance, a set of ALDR rules might include rules for the processing of floating point values, but there is no requirement that implementations of that set of ALDR rules support floating point numbers (or any other kind of number, such as arbitrary precision integers or 64-bit negative integers) when they are used with applications that do not use them.
Implementers' Checklists This appendix is informative. It provides brief checklists that implementers can use to check their implementations. It uses language, specifically the keyword MUST, to highlight the specific items that implementers may want to check. It does not contain any normative mandates. This appendix is informative. Notes:
  • This is largely a restatement of parts of Section of RFC 8949 . The purpose of the restatement is to aid the work of implementers, not to redefine anything. Preferred Serialization Encoders as well as CDE Encoders and CDE-checking Decoders have certain properties that are expressed using keywords in this appendix.
  • Duplicate map keys are never valid in CBOR at all (see list item "Major type 5" in Section of RFC 8949 ) no matter what sort of serialization is used. Of the various strategies listed in Section of RFC 8949 , detecting duplicates and handling them as an error instead of passing invalid data to the application is the most robust one; achieving this level of robustness is a mark of quality of implementation.
  • Preferred serialization and CDE only affect serialization. They do not place any requirements, exclusions, mappings or such on the data model level. ALDR rules such as the ALDR ruleset defined by dCBOR are different as they can affect the data model by restricting some values and ranges.
  • CBOR decoders in general (as opposed to "CDE-checking decoders" specifically advertised as supporting CDE) are not required to check for preferred serialization or CDE and reject inputs that do not fulfill their requirements. However, in an environment that employs deterministic encoding, employing non-checking CBOR decoders negates many of its benefits. Decoder implementations that advertise "support" for preferred serialization or CDE need to check the encoding and reject input that is not encoded to the encoding specification in use. Again, ALDR rules such as those in dCBOR may pose additional requirements, such as requiring rejection of non-conforming inputs. If a generic decoder needs to be used that does not "support" CDE, a simple (but somewhat clumsy) way to check its input for proper CDE encoding is to re-encode the decoded data with CDE and check for bit-to-bit equality with the original input.
Preferred Serialization In the following, the abbreviation "ai" will be used for the 5-bit additional information field in the first byte of an encoded CBOR data item, which follows the 3-bit field for the major type.
Preferred Serialization Encoders
  1. Shortest-form encoding of the argument MUST be used for all major types. Major type 7 is used for floating-point and simple values; floating point values have its specific rules for how the shortest form is derived for the argument. The shortest form encoding for any argument that is not a floating point value is:
    • 0 to 23 and -1 to -24 MUST be encoded in the same byte as the major type.
    • 24 to 255 and -25 to -256 MUST be encoded only with an additional byte (ai = 0x18).
    • 256 to 65535 and -257 to -65536 MUST be encoded only with an additional two bytes (ai = 0x19).
    • 65536 to 4294967295 and -65537 to -4294967296 MUST be encoded only with an additional four bytes (ai = 0x1a).
  2. If floating-point numbers are emitted, the following apply:
    • The length of the argument indicates half (binary16, ai = 0x19), single (binary32, ai = 0x1a) and double (binary64, ai = 0x1b) precision encoding. If multiple of these encodings preserve the precision of the value to be encoded, only the shortest form of these MUST be emitted. That is, encoders MUST support half-precision and single-precision floating point.
    • Infinites and NaNs, and thus NaN payloads, MUST be supported, to the extent possible on the platform. As with all floating point numbers, Infinites and NaNs MUST be encoded in the shortest of double, single or half precision that preserves the value:
      • Positive and negative infinity and zero MUST be represented in half-precision floating point.
      • For NaNs, the value to be preserved includes the sign bit, the quiet bit, and the NaN payload (whether zero or non-zero). The shortest form is obtained by removing the rightmost N bits of the payload, where N is the difference in the number of bits in the significand (mantissa representation) between the original format and the shortest format. This trimming is performed only (preserves the value only) if all the rightmost bits removed are zero. (This means that a double or single quiet NaN that has a zero NaN payload will always be represented in a half-precision quiet NaN.)
  3. If tags 2 and 3 are supported, the following apply:
    • Positive integers from 0 to 2^64 - 1 MUST be encoded as a type 0 integer.
    • Negative integers from -(2^64) to -1 MUST be encoded as a type 1 integer.
    • Leading zeros MUST NOT be present in the byte string content of tag 2 and 3.
    (This also applies to the use of tags 2 and 3 within other tags, such as 4 or 5.)
Decoders and Preferred Serialization There are no special requirements that CBOR decoders need to meet to be what could be called a "Preferred Serialization Decoder". Partial decoder implementations that want to accept at least Preferred Serialization need to pay attention to at least the following requirements:
  1. Decoders MUST accept shortest-form encoded arguments (see Section of RFC 8949 ).
  2. If arrays or maps are supported, both definite-length and indefinite-length arrays or maps MUST be accepted.
  3. If text or byte strings are supported, both definite-length and indefinite-length text or byte strings MUST be accepted.
  4. If floating-point numbers are supported, the following apply:
    • Half-precision values MUST be accepted.
    • Double- and single-precision values SHOULD be accepted; leaving these out is only foreseen for decoders that need to work in exceptionally constrained environments.
    • If double-precision values are accepted, single-precision values MUST be accepted.
    • Infinites and NaNs, and thus NaN payloads, MUST be accepted and presented to the application (not necessarily in the platform number format, if that doesn't support those values).
  5. If big numbers (tags 2 and 3) are supported, type 0 and type 1 integers MUST be accepted where a tag 2 or 3 would be accepted. Leading zero bytes in the tag content of a tag 2 or 3 MUST be ignored.
Basic Serialization Basic Serialization further restricts Preferred Serialization by not using indefinite length encoding. A CBOR encoder can choose to employ Basic Serialization in order to reduce the variability that needs to be handled by decoders, potentially maximizing interoperability with partial (e.g., constrained) CBOR decoder implementations.
Basic Serialization Encoders The Basic Serialization Encoder requirements are identical to the Preferred Serialization Encoder requirements, with the following additions:
  1. If maps or arrays are emitted, they MUST use definite-length encoding (never indefinite-length).
  2. If text or byte strings are emitted, they MUST use definite-length encoding (never indefinite-length).
Decoders and Basic Serialization There are no special requirements that CBOR decoders need to meet to be what could be called a "Basic Serialization Decoder". Partial decoder implementations that want to accept at least Basic Serialization need to pay attention to the requirements for partial decoder implementations that accept Preferred Serialization, with the following relaxations from the items and of :
  1. If arrays or maps are supported, definite-length arrays or maps MUST be accepted.
  2. If text or byte strings are supported, definite-length text or byte strings MUST be accepted.
CDE
CDE Encoders
  1. CDE encoders MUST only emit CBOR that fulfills the basic serialization rules ().
  2. CDE encoders MUST sort maps by the CBOR representation of the map key. The sorting is byte-wise lexicographic order of the encoded map key data items.
  3. CDE encoders MUST generate CBOR that fulfills basic validity (Section of RFC 8949 ). Note that this includes not emitting duplicate keys in a major type 5 map as well as emitting only valid UTF-8 in major type 3 text strings. Note also that CDE does NOT include a requirement for Unicode normalization ; contains some rationale that went into not requiring routine use of Unicode normalization processes.
CDE-checking Decoders The term "CDE-checking Decoder" is a shorthand for a CBOR decoder that advertises supporting CDE (see the start of this appendix).
  1. CDE-checking decoders MUST follow the rules for decoders that accept Basic Serialization () and MUST check the input for keeping the Basic Serialization constraints.
  2. CDE-checking decoders MUST check for ordering map keys and for basic validity of the CBOR encoding (see Section of RFC 8949 , which includes a check against duplicate map keys and invalid UTF-8).
To be called a CDE-checking decoder, it MUST NOT present to the application a decoded data item that fails one of these checks (except maybe via special diagnostic channels with no potential for confusion with a correctly CDE-decoded data item).
Encoding Examples The following three tables provide examples of CDE-encoded CBOR data items, each giving Diagnostic Notation (EDN ), the encoded data item in hexadecimal, and a comment. Implementers that want to use these examples as test input may be interested in the file example-table-input.csv in the github repository cbor-wg/draft-ietf-cbor-cde.
Integer Value Examples Integer Value Examples
EDN CBOR (hex) Comment
0 00 Smallest unsigned immediate int
-1 20 Largest negative immediate int
23 17 Largest unsigned immediate int
-24 37 Smallest negative immediate int
24 1818 Smallest unsigned one-byte int
-25 3818 Largest negative one-byte int
255 18ff Largest unsigned one-byte int
-256 38ff Smallest negative one-byte int
256 190100 Smallest unsigned two-byte int
-257 390100 Largest negative two-byte int
65535 19ffff Largest unsigned two-byte int
-65536 39ffff Smallest negative two-byte int
65536 1a00010000 Smallest unsigned four-byte int
-65537 3a00010000 Largest negative four-byte int
4294967295 1affffffff Largest unsigned four-byte int
-4294967296 3affffffff Smallest negative four-byte int
4294967296 1b0000000100000000 Smallest unsigned eight-byte int
-4294967297 3b0000000100000000 Largest negative eight-byte int
18446744073709551615 1bffffffffffffffff Largest unsigned eight-byte int
-18446744073709551616 3bffffffffffffffff Smallest negative eight-byte int
18446744073709551616 c249010000000000000000 Smallest unsigned bigint
-18446744073709551617 c349010000000000000000 Largest negative bigint
Floating Point Value Examples Floating Point Value Examples
EDN CBOR (hex) Comment
0.0 f90000 Zero
-0.0 f98000 Negative zero
Infinity f97c00 Infinity
-Infinity f9fc00 -Infinity
NaN f97e00 NaN
NaN f97e01 NaN with non-zero payload
5.960464477539063e-8 f90001 Smallest positive 16-bit float (subnormal)
0.00006097555160522461 f903ff Largest positive subnormal 16-bit float
0.00006103515625 f90400 Smallest non-subnormal positive 16-bit float
65504.0 f97bff Largest positive 16-bit float
1.401298464324817e-45 fa00000001 Smallest positive 32-bit float (subnormal)
1.1754942106924411e-38 fa007fffff Largest positive subnormal 32-bit float
1.1754943508222875e-38 fa00800000 Smallest non-subnormal positive 32-bit float
3.4028234663852886e+38 fa7f7fffff Largest positive 32-bit float
5.0e-324 fb0000000000000001 Smallest positive 64-bit float (subnormal)
2.225073858507201e-308 fb000fffffffffffff Largest positive subnormal 64-bit float
2.2250738585072014e-308 fb0010000000000000 Smallest non-subnormal positive 64-bit float
1.7976931348623157e+308 fb7fefffffffffffff Largest positive 64-bit float
-0.0000033333333333333333 fbbecbf647612f3696 Arbitrarily selected number
10.559998512268066 fa4128f5c1 -"-
10.559998512268068 fb40251eb820000001 Next in succession
295147905179352830000.0 fa61800000 268 (diagnostic notation truncates precision)
2.0 f94000 Number without a fractional part
-5.960464477539063e-8 f98001 Largest negative subnormal 16-bit float
-5.960464477539062e-8 fbbe6fffffffffffff Adjacent to largest negative subnormal 16-bit float
-5.960464477539064e-8 fbbe70000000000001 -"-
-5.960465188081798e-8 fab3800001 -"-
0.0000609755516052246 fb3f0ff7ffffffffff Adjacent to largest subnormal 16-bit float
0.000060975551605224616 fb3f0ff80000000001 -"-
0.000060975555243203416 fa387fc001 -"-
0.00006103515624999999 fb3f0fffffffffffff Adjacent to smallest 16-bit float
0.00006103515625000001 fb3f10000000000001 -"-
0.00006103516352595761 fa38800001 -"-
65503.99999999999 fb40effbffffffffff Adjacent to largest 16-bit float
65504.00000000001 fb40effc0000000001 -"-
65504.00390625 fa477fe001 -"-
1.4012984643248169e-45 fb369fffffffffffff Adjacent to smallest subnormal 32-bit float
1.4012984643248174e-45 fb36a0000000000001 -"-
1.175494210692441e-38 fb380fffffbfffffff Adjacent to largest subnormal 32-bit float
1.1754942106924412e-38 fb380fffffc0000001 -"-
1.1754943508222874e-38 fb380fffffffffffff Adjacent to smallest 32-bit float
1.1754943508222878e-38 fb3810000000000001 -"-
3.4028234663852882e+38 fb47efffffdfffffff Adjacent to largest 32-bit float
3.402823466385289e+38 fb47efffffe0000001 -"-
Failing Examples Failing Examples
EDN CBOR (hex) Comment
{"b":0,"a":1} a2616200616101 Incorrect map key ordering
[4, 5] 98020405 Array length not in preferred encoding
255 1900ff Integer not in preferred encoding
-18446744073709551617 c34a00010000000000000000 Bigint with leading zero bytes
10.5 fa41280000 Not in preferred encoding
NaN fa7fc00000 Not in preferred encoding
65536 c243010000 Integer value too small for bigint
(_ h'01', h'0203') 5f4101420203ff Indefinite length encoding
(Not CBOR) f818 Simple values 24..31 not in use
(Not CBOR) fc Reserved (ai = 28..30)
Examples for Preferred Serialization of Integers This appendix looks at the set of encoded CBOR data items that represent the integer number 1. Preferred Serialization chooses one of them (0x01), which is then always used to encode the number. The CDE encoding constraints include those of preferred serialization. A CDE-checking decoder checks that no other serialization is being used in the encoded data item being decoded. Serializations of integer number 1
Serialization of integer number 1 Preferred?
0x01 yes (shortest mt0)
0x1801, 0x190001, 0x1a00000001, 0x1b0000000000000001 no (mt0, but not shortest argument)
0xc24101 no (could use mt0)
0xc2420001, 0xc243000001, etc. no (could use mt0, uses leading zeros)
0xc25f41004101ff, and similar no (could use mt0, uses leading zeros)
For the integer number 100000000000000000000 (1 with 20 decimal zeros), the only basic serialization is: (Note that, in addition to this serialization, there are multiple serializations that would also count as preferred serializations, as the preferred serialization constraint by itself does not exclude indefinite length encoding of the byte string that is the content of tag 2.)
List of Tables
  1. Constraints on the Serialization of CBOR
  2. New control operators to be registered
  3. A three-layer model of information representation
  4. Integer Value Examples
  5. Floating Point Value Examples
  6. Failing Examples
  7. Serializations of integer number 1
Acknowledgments An early version of this document was based on the work of and as documented in , which serves as an example for an ALDR ruleset document. We would like to explicitly acknowledge that this work has contributed greatly to shaping the concept of a CBOR Common Deterministic Encoding and the use of ALDR rules/rulesets on top of that. proposed adding . provided most of the initial text that turned into .
Contributors Security Theory LLC
lgl@securitytheory.com
Laurence provided most of the text that became and .