3. Creating CBOR-Based Protocols
Data formats such as CBOR are often used in environments where there
is no format negotiation. A specific design goal of CBOR is to not
need any included or assumed schema: a decoder can take a CBOR item
and decode it with no other knowledge.
Of course, in real-world implementations, the encoder and the decoder
will have a shared view of what should be in a CBOR data item. For
example, an agreed-to format might be "the item is an array whose
first value is a UTF-8 string, second value is an integer, and
subsequent values are zero or more floating-point numbers" or "the
item is a map that has byte strings for keys and contains at least
one pair whose key is 0xab01".
This specification puts no restrictions on CBOR-based protocols. An
encoder can be capable of encoding as many or as few types of values
as is required by the protocol in which it is used; a decoder can be
capable of understanding as many or as few types of values as is
required by the protocols in which it is used. This lack of
restrictions allows CBOR to be used in extremely constrained
This section discusses some considerations in creating CBOR-based
protocols. It is advisory only and explicitly excludes any language
from RFC 2119 other than words that could be interpreted as "MAY" in
the sense of RFC 2119.
3.1. CBOR in Streaming Applications
In a streaming application, a data stream may be composed of a
sequence of CBOR data items concatenated back-to-back. In such an
environment, the decoder immediately begins decoding a new data item
if data is found after the end of a previous data item.
Not all of the bytes making up a data item may be immediately
available to the decoder; some decoders will buffer additional data
until a complete data item can be presented to the application.
Other decoders can present partial information about a top-level data
item to an application, such as the nested data items that could
already be decoded, or even parts of a byte string that hasn't
completely arrived yet.
Note that some applications and protocols will not want to use
indefinite-length encoding. Using indefinite-length encoding allows
an encoder to not need to marshal all the data for counting, but it
requires a decoder to allocate increasing amounts of memory while
waiting for the end of the item. This might be fine for some
applications but not others.
3.2. Generic Encoders and Decoders
A generic CBOR decoder can decode all well-formed CBOR data and
present them to an application. CBOR data is well-formed if it uses
the initial bytes, as well as the byte strings and/or data items that
are implied by their values, in the manner defined by CBOR, and no
extraneous data follows (Appendix C).
Even though CBOR attempts to minimize these cases, not all well-
formed CBOR data is valid: for example, the format excludes simple
values below 32 that are encoded with an extension byte. Also,
specific tags may make semantic constraints that may be violated,
such as by including a tag in a bignum tag or by following a byte
string within a date tag. Finally, the data may be invalid, such as
invalid UTF-8 strings or date strings that do not conform to
[RFC3339]. There is no requirement that generic encoders and
decoders make unnatural choices for their application interface to
enable the processing of invalid data. Generic encoders and decoders
are expected to forward simple values and tags even if their specific
codepoints are not registered at the time the encoder/decoder is
written (Section 3.5).
Generic decoders provide ways to present well-formed CBOR values,
both valid and invalid, to an application. The diagnostic notation
(Section 6) may be used to present well-formed CBOR values to humans.
Generic encoders provide an application interface that allows the
application to specify any well-formed value, including simple values
and tags unknown to the encoder.
3.3. Syntax Errors
A decoder encountering a CBOR data item that is not well-formed
generally can choose to completely fail the decoding (issue an error
and/or stop processing altogether), substitute the problematic data
and data items using a decoder-specific convention that clearly
indicates there has been a problem, or take some other action.
3.3.1. Incomplete CBOR Data Items
The representation of a CBOR data item has a specific length,
determined by its initial bytes and by the structure of any data
items enclosed in the data items. If less data is available, this
can be treated as a syntax error. A decoder may also implement
incremental parsing, that is, decode the data item as far as it is
available and present the data found so far (such as in an event-
based interface), with the option of continuing the decoding once
further data is available.
Examples of incomplete data items include:
o A decoder expects a certain number of array or map entries but
instead encounters the end of the data.
o A decoder processes what it expects to be the last pair in a map
and comes to the end of the data.
o A decoder has just seen a tag and then encounters the end of the
o A decoder has seen the beginning of an indefinite-length item but
encounters the end of the data before it sees the "break" stop
3.3.2. Malformed Indefinite-Length Items
Examples of malformed indefinite-length data items include:
o Within an indefinite-length byte string or text, a decoder finds
an item that is not of the appropriate major type before it finds
the "break" stop code.
o Within an indefinite-length map, a decoder encounters the "break"
stop code immediately after reading a key (the value is missing).
Another error is finding a "break" stop code at a point in the data
where there is no immediately enclosing (unclosed) indefinite-length
3.3.3. Unknown Additional Information Values
At the time of writing, some additional information values are
unassigned and reserved for future versions of this document (see
Section 5.2). Since the overall syntax for these additional
information values is not yet defined, a decoder that sees an
additional information value that it does not understand cannot
3.4. Other Decoding Errors
A CBOR data item may be syntactically well-formed but present a
problem with interpreting the data encoded in it in the CBOR data
model. Generally speaking, a decoder that finds a data item with
such a problem might issue a warning, might stop processing
altogether, might handle the error and make the problematic value
available to the application as such, or take some other type of
Such problems might include:
Duplicate keys in a map: Generic decoders (Section 3.2) make data
available to applications using the native CBOR data model. That
data model includes maps (key-value mappings with unique keys),
not multimaps (key-value mappings where multiple entries can have
the same key). Thus, a generic decoder that gets a CBOR map item
that has duplicate keys will decode to a map with only one
instance of that key, or it might stop processing altogether. On
the other hand, a "streaming decoder" may not even be able to
notice (Section 3.7).
Inadmissible type on the value following a tag: Tags (Section 2.4)
specify what type of data item is supposed to follow the tag; for
example, the tags for positive or negative bignums are supposed to
be put on byte strings. A decoder that decodes the tagged data
item into a native representation (a native big integer in this
example) is expected to check the type of the data item being
tagged. Even decoders that don't have such native representations
available in their environment may perform the check on those tags
known to them and react appropriately.
Invalid UTF-8 string: A decoder might or might not want to verify
that the sequence of bytes in a UTF-8 string (major type 3) is
actually valid UTF-8 and react appropriately.
3.5. Handling Unknown Simple Values and Tags
A decoder that comes across a simple value (Section 2.3) that it does
not recognize, such as a value that was added to the IANA registry
after the decoder was deployed or a value that the decoder chose not
to implement, might issue a warning, might stop processing
altogether, might handle the error by making the unknown value
available to the application as such (as is expected of generic
decoders), or take some other type of action.
A decoder that comes across a tag (Section 2.4) that it does not
recognize, such as a tag that was added to the IANA registry after
the decoder was deployed or a tag that the decoder chose not to
implement, might issue a warning, might stop processing altogether,
might handle the error and present the unknown tag value together
with the contained data item to the application (as is expected of
generic decoders), might ignore the tag and simply present the
contained data item only to the application, or take some other type
For the purposes of this specification, all number representations
for the same numeric value are equivalent. This means that an
encoder can encode a floating-point value of 0.0 as the integer 0.
It, however, also means that an application that expects to find
integer values only might find floating-point values if the encoder
decides these are desirable, such as when the floating-point value is
more compact than a 64-bit integer.
An application or protocol that uses CBOR might restrict the
representations of numbers. For instance, a protocol that only deals
with integers might say that floating-point numbers may not be used
and that decoders of that protocol do not need to be able to handle
floating-point numbers. Similarly, a protocol or application that
uses CBOR might say that decoders need to be able to handle either
type of number.
CBOR-based protocols should take into account that different language
environments pose different restrictions on the range and precision
number system treats all numbers as floating point, which may result
in silent loss of precision in decoding integers with more than 53
significant bits. A protocol that uses numbers should define its
expectations on the handling of non-trivial numbers in decoders and
A CBOR-based protocol that includes floating-point numbers can
restrict which of the three formats (half-precision, single-
precision, and double-precision) are to be supported. For an
integer-only application, a protocol may want to completely exclude
the use of floating-point values.
A CBOR-based protocol designed for compactness may want to exclude
specific integer encodings that are longer than necessary for the
application, such as to save the need to implement 64-bit integers.
There is an expectation that encoders will use the most compact
integer representation that can represent a given value. However, a
compact application should accept values that use a longer-than-
needed encoding (such as encoding "0" as 0b000_11101 followed by two
bytes of 0x00) as long as the application can decode an integer of
the given size.
3.7. Specifying Keys for Maps
The encoding and decoding applications need to agree on what types of
keys are going to be used in maps. In applications that need to
interwork with JSON-based applications, keys probably should be
limited to UTF-8 strings only; otherwise, there has to be a specified
mapping from the other CBOR types to Unicode characters, and this
often leads to implementation errors. In applications where keys are
numeric in nature and numeric ordering of keys is important to the
application, directly using the numbers for the keys is useful.
If multiple types of keys are to be used, consideration should be
given to how these types would be represented in the specific
programming environments that are to be used. For example, in
key of string "1". This means that, if integer keys are used, the
simultaneous use of string keys that look like numbers needs to be
avoided. Again, this leads to the conclusion that keys should be of
a single CBOR type.
Decoders that deliver data items nested within a CBOR data item
immediately on decoding them ("streaming decoders") often do not keep
the state that is necessary to ascertain uniqueness of a key in a
map. Similarly, an encoder that can start encoding data items before
the enclosing data item is completely available ("streaming encoder")
may want to reduce its overhead significantly by relying on its data
source to maintain uniqueness.
A CBOR-based protocol should make an intentional decision about what
to do when a receiving application does see multiple identical keys
in a map. The resulting rule in the protocol should respect the CBOR
data model: it cannot prescribe a specific handling of the entries
with the identical keys, except that it might have a rule that having
identical keys in a map indicates a malformed map and that the
decoder has to stop with an error. Duplicate keys are also
prohibited by CBOR decoders that are using strict mode
The CBOR data model for maps does not allow ascribing semantics to
the order of the key/value pairs in the map representation.
Thus, it would be a very bad practice to define a CBOR-based protocol
in such a way that changing the key/value pair order in a map would
change the semantics, apart from trivial aspects (cache usage, etc.).
(A CBOR-based protocol can prescribe a specific order of
serialization, such as for canonicalization.)
Applications for constrained devices that have maps with 24 or fewer
frequently used keys should consider using small integers (and those
with up to 48 frequently used keys should consider also using small
negative integers) because the keys can then be encoded in a single
3.8. Undefined Values
In some CBOR-based protocols, the simple value (Section 2.3) of
Undefined might be used by an encoder as a substitute for a data item
with an encoding problem, in order to allow the rest of the enclosing
data items to be encoded without harm.
3.9. Canonical CBOR
Some protocols may want encoders to only emit CBOR in a particular
canonical format; those protocols might also have the decoders check
that their input is canonical. Those protocols are free to define
what they mean by a canonical format and what encoders and decoders
are expected to do. This section lists some suggestions for such
If a protocol considers "canonical" to mean that two encoder
implementations starting with the same input data will produce the
same CBOR output, the following four rules would suffice:
o Integers must be as small as possible.
* 0 to 23 and -1 to -24 must be expressed in the same byte as the
* 24 to 255 and -25 to -256 must be expressed only with an
* 256 to 65535 and -257 to -65536 must be expressed only with an
* 65536 to 4294967295 and -65537 to -4294967296 must be expressed
only with an additional uint32_t.
o The expression of lengths in major types 2 through 5 must be as
short as possible. The rules for these lengths follow the above
rule for integers.
o The keys in every map must be sorted lowest value to highest.
Sorting is performed on the bytes of the representation of the key
data items without paying attention to the 3/5 bit splitting for
major types. (Note that this rule allows maps that have keys of
different types, even though that is probably a bad practice that
could lead to errors in some canonicalization implementations.)
The sorting rules are:
* If two keys have different lengths, the shorter one sorts
* If two keys have the same length, the one with the lower value
in (byte-wise) lexical order sorts earlier.
o Indefinite-length items must be made into definite-length items.
If a protocol allows for IEEE floats, then additional
canonicalization rules might need to be added. One example rule
might be to have all floats start as a 64-bit float, then do a test
conversion to a 32-bit float; if the result is the same numeric
value, use the shorter value and repeat the process with a test
conversion to a 16-bit float. (This rule selects 16-bit float for
positive and negative Infinity as well.) Also, there are many
representations for NaN. If NaN is an allowed value, it must always
be represented as 0xf97e00.
CBOR tags present additional considerations for canonicalization.
The absence or presence of tags in a canonical format is determined
by the optionality of the tags in the protocol. In a CBOR-based
protocol that allows optional tagging anywhere, the canonical format
must not allow them. In a protocol that requires tags in certain
places, the tag needs to appear in the canonical format. A CBOR-
based protocol that uses canonicalization might instead say that all
tags that appear in a message must be retained regardless of whether
they are optional.
3.10. Strict Mode
Some areas of application of CBOR do not require canonicalization
(Section 3.9) but may require that different decoders reach the same
(semantically equivalent) results, even in the presence of
potentially malicious data. This can be required if one application
(such as a firewall or other protecting entity) makes a decision
based on the data that another application, which independently
decodes the data, relies on.
Normally, it is the responsibility of the sender to avoid ambiguously
decodable data. However, the sender might be an attacker specially
making up CBOR data such that it will be interpreted differently by
different decoders in an attempt to exploit that as a vulnerability.
Generic decoders used in applications where this might be a problem
need to support a strict mode in which it is also the responsibility
of the receiver to reject ambiguously decodable data. It is expected
that firewalls and other security systems that decode CBOR will only
decode in strict mode.
A decoder in strict mode will reliably reject any data that could be
interpreted by other decoders in different ways. It will reliably
reject data items with syntax errors (Section 3.3). It will also
expend the effort to reliably detect other decoding errors
(Section 3.4). In particular, a strict decoder needs to have an API
that reports an error (and does not return data) for a CBOR data item
that contains any of the following:
o a map (major type 5) that has more than one entry with the same
o a tag that is used on a data item of the incorrect type
o a data item that is incorrectly formatted for the type given to
it, such as invalid UTF-8 or data that cannot be interpreted with
the specific tag that it has been tagged with
A decoder in strict mode can do one of two things when it encounters
a tag or simple value that it does not recognize:
o It can report an error (and not return data).
o It can emit the unknown item (type, value, and, for tags, the
decoded tagged data item) to the application calling the decoder
with an indication that the decoder did not recognize that tag or
The latter approach, which is also appropriate for non-strict
decoders, supports forward compatibility with newly registered tags
and simple values without the requirement to update the encoder at
the same time as the calling application. (For this, the API for the
decoder needs to have a way to mark unknown items so that the calling
application can handle them in a manner appropriate for the program.)
Since some of this processing may have an appreciable cost (in
particular with duplicate detection for maps), support of strict mode
is not a requirement placed on all CBOR decoders.
Some encoders will rely on their applications to provide input data
in such a way that unambiguously decodable CBOR results. A generic
encoder also may want to provide a strict mode where it reliably
limits its output to unambiguously decodable CBOR, independent of
whether or not its application is providing API-conformant data.
4. Converting Data between CBOR and JSON
This section gives non-normative advice about converting between CBOR
and JSON. Implementations of converters are free to use whichever
advice here they want.
It is worth noting that a JSON text is a sequence of characters, not
an encoded sequence of bytes, while a CBOR data item consists of
bytes, not characters.
4.1. Converting from CBOR to JSON
Most of the types in CBOR have direct analogs in JSON. However, some
do not, and someone implementing a CBOR-to-JSON converter has to
consider what to do in those cases. The following non-normative
advice deals with these by converting them to a single substitute
value, such as a JSON null.
o An integer (major type 0 or 1) becomes a JSON number.
o A byte string (major type 2) that is not embedded in a tag that
specifies a proposed encoding is encoded in base64url without
padding and becomes a JSON string.
o A UTF-8 string (major type 3) becomes a JSON string. Note that
JSON requires escaping certain characters (RFC 4627, Section 2.5):
quotation mark (U+0022), reverse solidus (U+005C), and the "C0
control characters" (U+0000 through U+001F). All other characters
are copied unchanged into the JSON UTF-8 string.
o An array (major type 4) becomes a JSON array.
o A map (major type 5) becomes a JSON object. This is possible
directly only if all keys are UTF-8 strings. A converter might
also convert other keys into UTF-8 strings (such as by converting
integers into strings containing their decimal representation);
however, doing so introduces a danger of key collision.
o False (major type 7, additional information 20) becomes a JSON
o True (major type 7, additional information 21) becomes a JSON
o Null (major type 7, additional information 22) becomes a JSON
o A floating-point value (major type 7, additional information 25
through 27) becomes a JSON number if it is finite (that is, it can
be represented in a JSON number); if the value is non-finite (NaN,
or positive or negative Infinity), it is represented by the
o Any other simple value (major type 7, any additional information
value not yet discussed) is represented by the substitute value.
o A bignum (major type 6, tag value 2 or 3) is represented by
encoding its byte string in base64url without padding and becomes
a JSON string. For tag value 3 (negative bignum), a "~" (ASCII
tilde) is inserted before the base-encoded value. (The conversion
to a binary blob instead of a number is to prevent a likely
numeric overflow for the JSON decoder.)
o A byte string with an encoding hint (major type 6, tag value 21
through 23) is encoded as described and becomes a JSON string.
o For all other tags (major type 6, any other tag value), the
embedded CBOR item is represented as a JSON value; the tag value
o Indefinite-length items are made definite before conversion.
4.2. Converting from JSON to CBOR
All JSON values, once decoded, directly map into one or more CBOR
values. As with any kind of CBOR generation, decisions have to be
made with respect to number representation. In a suggested
o JSON numbers without fractional parts (integer numbers) are
represented as integers (major types 0 and 1, possibly major type
6 tag value 2 and 3), choosing the shortest form; integers longer
than an implementation-defined threshold (which is usually either
32 or 64 bits) may instead be represented as floating-point
implementation, its precision is already limited to 53 bits
o Numbers with fractional parts are represented as floating-point
values. Preferably, the shortest exact floating-point
representation is used; for instance, 1.5 is represented in a
16-bit floating-point value (not all implementations will be
capable of efficiently finding the minimum form, though). There
may be an implementation-defined limit to the precision that will
affect the precision of the represented values. Decimal
representation should only be used if that is specified in a
CBOR has been designed to generally provide a more compact encoding
than JSON. One implementation strategy that might come to mind is to
perform a JSON-to-CBOR encoding in place in a single buffer. This
strategy would need to carefully consider a number of pathological
cases, such as that some strings represented with no or very few
escapes and longer (or much longer) than 255 bytes may expand when
encoded as UTF-8 strings in CBOR. Similarly, a few of the binary
floating-point representations might cause expansion from some short
decimal representations (1.1, 1e9) in JSON. This may be hard to get
right, and any ensuing vulnerabilities may be exploited by an
5. Future Evolution of CBOR
Successful protocols evolve over time. New ideas appear,
implementation platforms improve, related protocols are developed and
evolve, and new requirements from applications and protocols are
added. Facilitating protocol evolution is therefore an important
design consideration for any protocol development.
For protocols that will use CBOR, CBOR provides some useful
mechanisms to facilitate their evolution. Best practices for this
are well known, particularly from JSON format development of JSON-
based protocols. Therefore, such best practices are outside the
scope of this specification.
However, facilitating the evolution of CBOR itself is very well
within its scope. CBOR is designed to both provide a stable basis
for development of CBOR-based protocols and to be able to evolve.
Since a successful protocol may live for decades, CBOR needs to be
designed for decades of use and evolution. This section provides
some guidance for the evolution of CBOR. It is necessarily more
subjective than other parts of this document. It is also necessarily
incomplete, lest it turn into a textbook on protocol development.
5.1. Extension Points
In a protocol design, opportunities for evolution are often included
in the form of extension points. For example, there may be a
codepoint space that is not fully allocated from the outset, and the
protocol is designed to tolerate and embrace implementations that
start using more codepoints than initially allocated.
Sizing the codepoint space may be difficult because the range
required may be hard to predict. An attempt should be made to make
the codepoint space large enough so that it can slowly be filled over
the intended lifetime of the protocol.
CBOR has three major extension points:
o the "simple" space (values in major type 7). Of the 24 efficient
(and 224 slightly less efficient) values, only a small number have
been allocated. Implementations receiving an unknown simple data
item may be able to process it as such, given that the structure
of the value is indeed simple. The IANA registry in Section 7.1
is the appropriate way to address the extensibility of this
o the "tag" space (values in major type 6). Again, only a small
part of the codepoint space has been allocated, and the space is
abundant (although the early numbers are more efficient than the
later ones). Implementations receiving an unknown tag can choose
to simply ignore it or to process it as an unknown tag wrapping
the following data item. The IANA registry in Section 7.2 is the
appropriate way to address the extensibility of this codepoint
o the "additional information" space. An implementation receiving
an unknown additional information value has no way to continue
parsing, so allocating codepoints to this space is a major step.
There are also very few codepoints left.
5.2. Curating the Additional Information Space
The human mind is sometimes drawn to filling in little perceived gaps
to make something neat. We expect the remaining gaps in the
codepoint space for the additional information values to be an
attractor for new ideas, just because they are there.
The present specification does not manage the additional information
codepoint space by an IANA registry. Instead, allocations out of
this space can only be done by updating this specification.
For an additional information value of n >= 24, the size of the
additional data typically is 2**(n-24) bytes. Therefore, additional
information values 28 and 29 should be viewed as candidates for
128-bit and 256-bit quantities, in case a need arises to add them to
the protocol. Additional information value 30 is then the only
additional information value available for general allocation, and
there should be a very good reason for allocating it before assigning
it through an update of this protocol.
6. Diagnostic Notation
CBOR is a binary interchange format. To facilitate documentation and
debugging, and in particular to facilitate communication between
entities cooperating in debugging, this section defines a simple
human-readable diagnostic notation. All actual interchange always
happens in the binary format.
Note that this truly is a diagnostic format; it is not meant to be
parsed. Therefore, no formal definition (as in ABNF) is given in
this document. (Implementers looking for a text-based format for
representing CBOR data items in configuration files may also want to
consider YAML [YAML].)
The diagnostic notation is loosely based on JSON as it is defined in
RFC 4627, extending it where needed.
The notation borrows the JSON syntax for numbers (integer and
floating point), True (>true<), False (>false<), Null (>null<), UTF-8
strings, arrays, and maps (maps are called objects in JSON; the
diagnostic notation extends JSON here by allowing any data item in
the key position). Undefined is written >undefined< as in
-Infinity, and NaN are written exactly as in this sentence (this is
allow them). A tagged item is written as an integer number for the
tag followed by the item in parentheses; for instance, an RFC 3339
(ISO 8601) date could be notated as:
or the equivalent relative time as
Byte strings are notated in one of the base encodings, without
padding, enclosed in single quotes, prefixed by >h< for base16, >b32<
for base32, >h32< for base32hex, >b64< for base64 or base64url (the
actual encodings do not overlap, so the string remains unambiguous).
For example, the byte string 0x12345678 could be written h'12345678',
b32'CI2FM6A', or b64'EjRWeA'.
Unassigned simple values are given as "simple()" with the appropriate
integer in the parentheses. For example, "simple(42)" indicates
major type 7, value 42.
6.1. Encoding Indicators
Sometimes it is useful to indicate in the diagnostic notation which
of several alternative representations were actually used; for
example, a data item written >1.5< by a diagnostic decoder might have
been encoded as a half-, single-, or double-precision float.
The convention for encoding indicators is that anything starting with
an underscore and all following characters that are alphanumeric or
underscore, is an encoding indicator, and can be ignored by anyone
not interested in this information. Encoding indicators are always
A single underscore can be written after the opening brace of a map
or the opening bracket of an array to indicate that the data item was
represented in indefinite-length format. For example, [_ 1, 2]
contains an indicator that an indefinite-length representation was
used to represent the data item [1, 2].
An underscore followed by a decimal digit n indicates that the
preceding item (or, for arrays and maps, the item starting with the
preceding bracket or brace) was encoded with an additional
information value of 24+n. For example, 1.5_1 is a half-precision
floating-point number, while 1.5_3 is encoded as double precision.
This encoding indicator is not shown in Appendix A. (Note that the
encoding indicator "_" is thus an abbreviation of the full form "_7",
which is not used.)
As a special case, byte and text strings of indefinite length can be
notated in the form (_ h'0123', h'4567') and (_ "foo", "bar").
7. IANA Considerations
IANA has created two registries for new CBOR values. The registries
are separate, that is, not under an umbrella registry, and follow the
rules in [RFC5226]. IANA has also assigned a new MIME media type and
an associated Constrained Application Protocol (CoAP) Content-Format
7.1. Simple Values Registry
IANA has created the "Concise Binary Object Representation (CBOR)
Simple Values" registry. The initial values are shown in Table 2.
New entries in the range 0 to 19 are assigned by Standards Action.
It is suggested that these Standards Actions allocate values starting
with the number 16 in order to reserve the lower numbers for
contiguous blocks (if any).
New entries in the range 32 to 255 are assigned by Specification
7.2. Tags Registry
IANA has created the "Concise Binary Object Representation (CBOR)
Tags" registry. The initial values are shown in Table 3.
New entries in the range 0 to 23 are assigned by Standards Action.
New entries in the range 24 to 255 are assigned by Specification
Required. New entries in the range 256 to 18446744073709551615 are
assigned by First Come First Served. The template for registration
o Data item
o Semantics (short form)
In addition, First Come First Served requests should include:
o Point of contact
o Description of semantics (URL)
This description is optional; the URL can point to something like
an Internet-Draft or a web page.
7.3. Media Type ("MIME Type")
The Internet media type [RFC6838] for CBOR data is application/cbor.
Type name: application
Subtype name: cbor
Required parameters: n/a
Optional parameters: n/a
Encoding considerations: binary
Security considerations: See Section 8 of this document
Interoperability considerations: n/a
Published specification: This document
Applications that use this media type: None yet, but it is expected
that this format will be deployed in protocols and applications.
Magic number(s): n/a
File extension(s): .cbor
Macintosh file type code(s): n/a
Person & email address to contact for further information:
Intended usage: COMMON
Restrictions on usage: none
Carsten Bormann <firstname.lastname@example.org>
The IESG <email@example.com>
7.4. CoAP Content-Format
Media Type: application/cbor
7.5. The +cbor Structured Syntax Suffix Registration
Name: Concise Binary Object Representation (CBOR)
Encoding Considerations: CBOR is a binary format.
Interoperability Considerations: n/a
Fragment Identifier Considerations:
The syntax and semantics of fragment identifiers specified for
+cbor SHOULD be as specified for "application/cbor". (At
publication of this document, there is no fragment identification
syntax defined for "application/cbor".)
The syntax and semantics for fragment identifiers for a specific
"xxx/yyy+cbor" SHOULD be processed as follows:
For cases defined in +cbor, where the fragment identifier resolves
per the +cbor rules, then process as specified in +cbor.
For cases defined in +cbor, where the fragment identifier does not
resolve per the +cbor rules, then process as specified in
For cases not defined in +cbor, then process as specified in
Security Considerations: See Section 8 of this document
Apps Area Working Group (firstname.lastname@example.org)
The Apps Area Working Group.
The IESG has change control over this registration.
8. Security Considerations
A network-facing application can exhibit vulnerabilities in its
processing logic for incoming data. Complex parsers are well known
as a likely source of such vulnerabilities, such as the ability to
remotely crash a node, or even remotely execute arbitrary code on it.
CBOR attempts to narrow the opportunities for introducing such
vulnerabilities by reducing parser complexity, by giving the entire
range of encodable values a meaning where possible.
Resource exhaustion attacks might attempt to lure a decoder into
allocating very big data items (strings, arrays, maps) or exhaust the
stack depth by setting up deeply nested items. Decoders need to have
appropriate resource management to mitigate these attacks. (Items
for which very large sizes are given can also attempt to exploit
integer overflow vulnerabilities.)
Applications where a CBOR data item is examined by a gatekeeper
function and later used by a different application may exhibit
vulnerabilities when multiple interpretations of the data item are
possible. For example, an attacker could make use of duplicate keys
in maps and precision issues in numbers to make the gatekeeper base
its decisions on a different interpretation than the one that will be
used by the second application. Protocols that are used in a
security context should be defined in such a way that these multiple
interpretations are reliably reduced to a single one. To facilitate
this, encoder and decoder implementations used in such contexts
should provide at least one strict mode of operation (Section 3.10).
CBOR was inspired by MessagePack. MessagePack was developed and
promoted by Sadayuki Furuhashi ("frsyuki"). This reference to
MessagePack is solely for attribution; CBOR is not intended as a
version of or replacement for MessagePack, as it has different design
goals and requirements.
The need for functionality beyond the original MessagePack
Specification became obvious to many people at about the same time
around the year 2012. BinaryPack is a minor derivation of
MessagePack that was developed by Eric Zhang for the binaryjs
project. A similar, but different, extension was made by Tim Caswell
for his msgpack-js and msgpack-js-browser projects. Many people have
contributed to the recent discussion about extending MessagePack to
separate text string representation from byte string representation.
The encoding of the additional information in CBOR was inspired by
the encoding of length information designed by Klaus Hartke for CoAP.
This document also incorporates suggestions made by many people,
notably Dan Frost, James Manger, Joe Hildebrand, Keith Moore, Matthew
Lepinski, Nico Williams, Phillip Hallam-Baker, Ray Polk, Tim Bray,
Tony Finch, Tony Hansen, and Yaron Sheffer.